LDAP (UID/Software OATH)

Scenario

In this use case, you will add authentication using username and one-time passcode. The example will use an OATH software token created by Fortified ID Enrollment. The SQL database used is the same one Fortified ID Enrollment used to create the tokens.

The user ID in this use case will be one from Active Directory. This use case assumes that another use case has already been completed: logging in with an Active Directory account and password. In this use case we will replace the valve that verifies the password with a valve that verifies the OATH software token.

Prerequisite

  • Microsoft SQL Server or Microsoft SQL Server Express configured with a database called fortifiedid_enrollment with some tokens already added. Check out the use case Software OATH token for more information.

  • Fortified ID Access installed and configured with an authenticator that logs in Active Directory users using sAMAccountName and password, as specified in the use case LDAP (UID/PWD) using MC.

Overview of the components to add and configure

  1. Add LDAPClient to communicate with your Active Directory

  2. Add OathValidation to communicate with your SQL server where the OATH software tokens are stored.

  3. Use the Username & Password credential validator to prompt the user for username and password

    1. Add to default Selector object on the SAML default IdP

    2. Configure pipe to verify username and OATH token with your LDAPClient and OathValidation module

  4. Add EnrichIdentity to fetch data about the user

    1. Add to Default SAML IdP

  5. Configure SAML SP assertion (Portal SP) object to return correct data using data from the EnrichIdentity authenticator

1. Add an LDAPClient module

  1. Login to Management Center for Access

  2. Click Configuration tab

  3. Expand Modules and click + to add new module

  4. Click add LDAPClient

    1. Click JSON button for the LDAPClient module

    2. Copy the data below and overwrite all existing data. NOTE! Make sure you do not already have an LdapClient with id: ldapclient_1. If you have one, change the id to something else and make a note of it.

  5. Only change the three properties below to map your environment:

    1. host

    2. bind_dn

    3. bind_password

    We assume that your domain controller has a server certificate so that LDAPS can be used.

    4. Click Update and Deploy

You have now added an LDAP module that can be used by one or several objects like valves. To address this LDAP module you use the value my_active_directory_module.

2. Add an OathValidation module

  1. Login to Management Center for Access

  2. Click Configuration tab

  3. Expand Modules and click + to add new module

  4. Click add OathValidation

    1. Click JSON button for the OathValidation module

    2. Copy the data below and overwrite all existing data. NOTE! Make sure you do not already have an OathValidation with id: oathvalidation_1. If you have one, change the id to something else and make a note of it.

  5. Only change the properties below to map your environment:

    1. url

    2. username

    3. password

    4. encryption_key (verify with the settings in Fortified ID Enrollment)

    5. Click Update and Deploy

You have now added an OATH database module that can be used by one or several objects like valves. To address this OathValidation module you use the value sqlexpress.

3. Add a "Username & password" credential validator

  1. Click Configuration tab

  2. Click + to the right of label Authentication Methods

  3. Expand Credential Validators

  4. Scroll down and click Add for validator Username & password

  5. Copy the data below and overwrite all existing data. IMPORTANT! Make sure you do not already have a UserNameAndPassword with id: usernameandpassword_1. If you have one, change both id and pipe_id to something else.

  6. Click on the associated Pipe and update id usernameandpassword_1_pipe before you click update

  7. Click Update and Deploy

3.1 Add a Credential validator to the default Selector

  1. Expand SAML -> Default IdP -> Selector

  2. On selector object, click CREDENTIAL VALIDATOR tab

  3. Click ADD and select the validator you just added, e.g. My Active Directory (UID/OATH SW) (usernameandpassword_1)

    1. In Display Label type Active Directory (UID/OATH SW)

    2. In Logo URL, type assets/svg/microsoft.svg

  4. Click Update and Deploy changes

3.2 Update pipe for credential validator

  1. Click Configuration tab

  2. Expand SAML -> Default IdP -> Selector -> My Active Directory (UID/OATH SW)

  3. Click associated pipe, usernameandpassword_1_pipe

  4. Click the JSON button in upper right corner

    1. Copy the JSON data below and overwrite all existing data. IMPORTANT! If you changed the id of the pipe, update the id in the JSON accordingly.

  5. Click Update

  6. Deploy changes
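The OathValidation module (section 2) and the pipe configured above verify a username together with a time-based OATH code. The following added example, which is not Fortified ID code and does not use the product's JSON configuration or SQL schema, shows what such a verification step has to do to be safe: compute the RFC 6238 TOTP value from the token's secret, accept a small clock-drift window, compare in constant time, and refuse to accept a time step at or before the last accepted one so a captured code cannot be replayed. The per-token `last_step` store is an in-memory stand-in for the state a real deployment keeps in its token database, and the secret used in the usage call is the RFC 6238 test vector, not a real token.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(timestamp) // step, digits, algorithm)


class TotpValidator:
    """Validates TOTP codes with a drift window and replay protection.

    `last_step` is an in-memory stand-in (constructed for this example) for
    the per-token state a real validator would persist in its database.
    """

    def __init__(self, step: int = 30, digits: int = 6, window: int = 1):
        self.step = step
        self.digits = digits
        self.window = window          # accept +/- this many steps of clock drift
        self.last_step: dict[str, int] = {}

    def validate(self, token_id: str, secret: bytes, code: str, now: int) -> bool:
        # Reject malformed input before doing any crypto work.
        if not (isinstance(code, str) and code.isdigit() and len(code) == self.digits):
            return False
        current = int(now) // self.step
        last = self.last_step.get(token_id, -1)
        for drift in range(-self.window, self.window + 1):
            step = current + drift
            # Never accept a step at or before the last accepted one: this
            # blocks replay of a code that was already used.
            if step <= last:
                continue
            expected = hotp(secret, step, self.digits)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self.last_step[token_id] = step
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test vector (SHA-1, 8 digits): T=59 -> 94287082.
    rfc_secret = b"12345678901234567890"
    v = TotpValidator(digits=8)
    print(totp(rfc_secret, 59, digits=8))                      # 94287082
    print(v.validate("token-1", rfc_secret, "94287082", 59))   # True
    print(v.validate("token-1", rfc_secret, "94287082", 59))   # False (replay)
```

The window of one step on each side tolerates about 30 seconds of drift between the phone and the server; widening it makes guessing easier, so keep it small and rely on the replay check rather than a large window.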

4. Add an EnrichIdentity flow control

Add an EnrichIdentity to fetch user data from Active Directory for the user about to log in.

  1. Click Configuration tab

  2. Click + to the right of label Authentication Methods

  3. Expand Flow Control

  4. Scroll down and click Add for EnrichIdentity

  5. Change display_name to EnrichIdentity from Active Directory

  6. Click the Pipe object for the EnrichIdentity flow control

  7. Copy the data below and overwrite all existing data in the pipe. Note! We assume that the pipe id is "enrichidentity_99_pipe"; if not, check the EnrichIdentity object and replace the id below.

  8. Note! All data returned by the LDAP search will be added to Exports, which means it will be available to the SAML assertion object.

  9. Click Update

4.1 Add EnrichIdentity to your SAML IdP

  1. Click Configuration tab

  2. Expand SAML and click Default IdP

  3. Click AUTHENTICATION

  4. Click ADD AUTHENTICATOR

  5. Select EnrichIdentity from Active Directory and click Add

  6. Click Update

  7. Deploy changes

5. Configure SAML SP assertion

The SAML SP object on the SAML IdP needs to be configured with which NameID and data to return. We use Fortified ID Portal, and in this scenario we will configure the NameID to be sAMAccountName and also return display_name, which is used for the avatar in Fortified ID Portal.

  1. Click Application tab

  2. Click to edit the Fortified ID Enrollment SAML SP object

  3. Click NAMEID SETTINGS tab and select

    1. NameID Format - urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

    2. From parameter - sAMAccountName

  4. Click ATTRIBUTE SETTINGS tab

    1. Click Add attribute and type

    2. Name* - display_name

    3. Name Format - displayName

  5. Click Update

  6. Deploy changes

Test the configuration

  1. If you browse to Fortified ID Portal you will be redirected to Fortified ID Access. It should look like the screenshot below.

  2. If you log in using one of your Active Directory test accounts, it should look like the screenshot below.
