LDAP (Username/Password)

Scenario

Note. This use case uses the default configuration of Management Center; Fortified ID Portal is already added as a SAML SP to Access, which acts as the SAML IdP.

If that is not yet the case, follow the two links below:

In this use case Fortified ID Portal acts as the SAML SP and Fortified ID Access as the SAML IdP. The SAML IdP offers one authentication method, username and password. The username and password are validated against an LDAP directory; in this use case that directory is Active Directory.

Prerequisite

  • See the prerequisite in Scenario above

  • Windows server

    • At least 16 GB of RAM

    • A server certificate, so that Active Directory supports LDAPS

  • Active Directory (e.g. installed in the same machine)

    • A number of users created.

    • Make sure all of them have the mail attribute populated with an email address (the lookup later in this use case searches on mail).

    • Have some of the users be managers of others.

    • A number of groups created, with some users added to them

Note. All configuration and testing is done on the scenario server.

Verify environment

Before you move on, verify that you can log in to Fortified ID Portal using one of the default users (e.g. Peter Bishop) that come with the Fortified ID Access default configuration.

Add LDAP as authentication source

Add LDAP client module

  1. Login to Management Center for Access

  2. Click Configuration tab

  3. Expand Modules and click + to add a new module

  4. Click add LDAPClient

  5. For values you can either add them directly in the LDAP module or you can use globals and keep the values in Misc settings -> Globals. In this use case I add them directly in the module as below. Replace the values below to match your environment. Note. Do not change id and instances. For name you can use whatever you like, but it is what you refer to later on in this use case, so you might want to leave it alone. Note also that ssl_trust_all: true accepts any server certificate, which removes the protection LDAPS is meant to give against an attacker on the path to the directory; use it only while getting the connection working, and set it to false once the AD server certificate (or its issuing CA) is trusted. The bind_password is a good candidate for Globals rather than the module JSON.

    {
      "id": "ldapclient_0",
      "name": "LdapClient",
      "enabled": true,
      "instances": 1,
      "config": {
        "name": "ldapclient_1",
        "connection": {
          "host": "127.0.0.1",
          "port": 636,
          "bind_dn": "CN=admin,CN=Users,DC=company,DC=local",
          "bind_password": "admin_password",
          "use_ssl": true,
          "ssl_trust_all": true
        }
      },
      "display_name": "LdapClient 1"
    }
  6. Deploy changes

  7. Move on to next step

Add Username/Password authentication method

  1. Click Configuration tab

  2. Click Authentication Methods and +

  3. Expand Credential Validators

  4. Scroll down and click Add for validator User name & password

  5. For values you can either add them directly in the validator or you can use globals and keep the values in Misc settings -> Globals. In this use case I leave all values as they are, as below.

    {
      "id": "usernameandpassword_1",
      "type": "UserNameAndPassword",
      "description": "Used to verify user credentials against one or more user stores.",
      "config": {
        "base_path": "${globals.default_login_suffix}",
        "pipe_id": "usernameandpassword_1_pipe"
      },
      "display_name": "UserNameAndPassword 1"
    }
  6. Deploy changes

  7. Move on to next step

Add Credential validator to IdP default selector

  1. Click Configuration tab

  2. Expand SAML -> Default IdP -> Selector

  3. On selector object, click OPTIONS tab

  4. Click ADD OPTION and select the validator you just added, e.g. UserNameAndPassword1

    1. In Display Label type Active Directory

    2. In Logo URL, type assets/svg/microsoft.svg

  5. Click Update

  6. Deploy changes

  7. Move on to next step

Update pipe for credential validator

  1. Click Configuration tab

  2. Expand SAML -> Default IdP -> Selector -> UserNameAndPassword1

  3. Click associated pipe, usernameandpassword_1_pipe

  4. Remove all default valves

  5. Click + Add new valve

  6. Add valve LDAPSearch

  7. For values you can either add them directly in the LDAPSearch valve or you can use globals and keep the values in Misc settings -> Globals. In this use case I add them directly in the valve as below. Replace base_dn with the DN of the container that holds your users. Note! The ldapclient value in destination comes from the LDAP module and must match the name you gave it there. The filter places whatever the user typed as identifier on the login form into an LDAP filter, so make sure that value is escaped (the characters * ( ) \ have meaning in a filter) or the login form becomes a way to rewrite the search. Keep expected_item_count at 1: the lookup must fail unless exactly one entry matches.

    {
      "name": "LDAPSearch",
      "config": {
        "destination": "ldapclient",
        "filter": "mail=${request.identifier}",
        "base_dn": "dn_to_your_users",
        "scope": "SUB",
        "attributes": [
          {
            "name": "cn",
            "multivalue": false
          },
          {
            "name": "mail",
            "multivalue": true
          }
        ],
        "expected_item_count": 1
      }
    }
  8. Click Update

  9. Deploy changes

  10. Verify the flow: log in to Fortified ID Portal, choose Active Directory, and authenticate with the mail address and password of one of your AD users
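The following script is an added example, not code from this page or from Fortified ID Access. It does outside the product what the LDAPClient module and the LDAPSearch valve above declare: the offline part reviews the module JSON (embedded here from this page) for the connection settings that weaken LDAPS and expands the "mail=${request.identifier}" filter with the RFC 4515 escaping the identifier needs; the live part binds to AD over LDAPS with certificate validation (no trust-all) and runs the same search, failing unless exactly one entry comes back, as expected_item_count: 1 requires. The live part assumes the third-party ldap3 package; the host, DNs, password and CA file path in the usage comment are placeholders.

```python
"""Added example (not Fortified ID code): exercises what the LDAPClient
module and the LDAPSearch valve on this page declare.

Offline: review the module JSON for weak TLS settings and expand the
"mail=${request.identifier}" filter with RFC 4515 escaping.
Online (needs `pip install ldap3`, a reachable AD and a CA file):
bind over LDAPS with certificate validation and return the one entry.
All hosts, DNs, passwords and file paths here are placeholders.
"""
import ssl
from typing import Dict, List

# RFC 4515, section 3: these characters change the meaning of a filter
# and must be written as backslash + two hex digits inside a value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The LDAPClient module JSON from this page, embedded so the review runs offline.
PAGE_LDAP_CLIENT: Dict = {
    "id": "ldapclient_0",
    "name": "LdapClient",
    "enabled": True,
    "instances": 1,
    "config": {
        "name": "ldapclient_1",
        "connection": {
            "host": "127.0.0.1",
            "port": 636,
            "bind_dn": "CN=admin,CN=Users,DC=company,DC=local",
            "bind_password": "admin_password",
            "use_ssl": True,
            "ssl_trust_all": True,
        },
    },
    "display_name": "LdapClient 1",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-controlled value so it can only match literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, identifier: str) -> str:
    """Expand the page's filter template with the escaped login identifier.

    The result is wrapped in parentheses, the form RFC 4515 defines and
    ldap3 requires; the valve config on the page writes the template without them.
    """
    if not identifier:
        raise ValueError("empty identifier: nothing to look up")
    body = template.replace("${request.identifier}", escape_filter_value(identifier))
    return f"({body})"


def review_ldap_client(module: Dict) -> List[str]:
    """Return the connection settings in an LDAPClient module that weaken LDAPS."""
    conn = module.get("config", {}).get("connection", {})
    findings = []
    if not conn.get("use_ssl"):
        findings.append("use_ssl=false: bind password and lookups cross the network in clear text")
    if conn.get("ssl_trust_all"):
        findings.append("ssl_trust_all=true: any certificate is accepted, so an on-path "
                        "attacker can impersonate the directory and harvest the bind password")
    password = str(conn.get("bind_password", ""))
    if password and not password.startswith("${globals."):
        findings.append("bind_password is inline: keep it in Misc settings -> Globals instead")
    return findings


def lookup_user(host: str, bind_dn: str, bind_password: str, base_dn: str,
                identifier: str, ca_file: str,
                template: str = "mail=${request.identifier}") -> Dict:
    """Do the LDAPSearch valve's lookup over LDAPS with a verified certificate.

    Fails unless exactly one entry matches, mirroring expected_item_count: 1.
    """
    import ldap3  # third-party; assumed installed for the live check only

    tls = ldap3.Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = ldap3.Server(host, port=636, use_ssl=True, tls=tls, get_info=ldap3.NONE)
    conn = ldap3.Connection(server, user=bind_dn, password=bind_password, auto_bind=True)
    try:
        conn.search(base_dn, build_filter(template, identifier),
                    search_scope=ldap3.SUBTREE, attributes=["cn", "mail"])
        entries = list(conn.entries)
    finally:
        conn.unbind()
    if len(entries) != 1:
        raise LookupError(f"expected exactly 1 entry for {identifier!r}, got {len(entries)}")
    entry = entries[0]
    return {"dn": entry.entry_dn, "cn": entry.cn.value, "mail": list(entry.mail.values)}


if __name__ == "__main__":
    for finding in review_ldap_client(PAGE_LDAP_CLIENT):
        print("finding:", finding)
    # What a login-form value that tries to widen the filter turns into once escaped:
    print(build_filter("mail=${request.identifier}", "x@company.local)(|(mail=*"))
    # Live check with placeholder values (uncomment and fill in):
    # print(lookup_user("ad.company.local", "CN=admin,CN=Users,DC=company,DC=local",
    #                   "<bind password>", "CN=Users,DC=company,DC=local",
    #                   "peter.bishop@company.local", "/path/to/ad-ca.pem"))
```

Run it as-is to see the two findings the page's module JSON produces (ssl_trust_all and the inline bind password) and what an identifier such as `x@company.local)(|(mail=*` becomes after escaping; fill in the placeholders in the commented call to run the real lookup against your domain controller with the certificate chain validated.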
