This topic describes how to bind an outbound corporate Active Directory (AD) to an identity provider. This lets you synchronize IDaaS organizations and accounts to AD and use AD identities to log on to IDaaS or applications.
About AD
Active Directory is a core directory service in the Microsoft Windows Server operating system. It provides centralized identity authentication, authorization, and directory management for enterprise network environments. Using the network endpoint feature, you can achieve AD data synchronization and delegated authentication without opening ports to the public internet.
Bind an AD
Step 1: Connect to the AD
Log on to the IDaaS console. Select your IDaaS instance and, in the Actions column, click Manage.
Click . Then, find AD in the list and click Add.

In the Bind AD panel, enter the following information.

Display Name: Users might see this name when they log on to or use IDaaS.
Network Access Endpoint: If you want only IDaaS to be able to request this AD, you can configure an IP address whitelist on the server. Shared endpoints use shared, fixed public egress IP addresses. Dedicated endpoints use dedicated, custom private and public egress IP addresses. Using a dedicated endpoint, IDaaS can access your Alibaba Cloud VPC over a private network. This lets you access your AD without opening public ports. For more information, see Network endpoints.
Server address: The address of the server where AD is located. AD typically uses port 389. If LDAPS or StartTLS is enabled, it typically uses port 636. An example address is 127.0.0.1:389.
Enable StartTLS: Enabling this feature greatly improves connection security. We recommend that you enable this feature. To learn how to enable it, see AD security configuration.
Administrator Account: IDaaS uses this AD administrator account to read AD information for data synchronization or delegated authentication. This account must have at least read permissions. It supports the User Principal Name (UPN) format, such as example@example.com, and the Distinguished Name (DN) format, such as cn=admin,ou=Technical Department,dc=example,dc=com.
Administrator Password: The logon password for the administrator account.
After you confirm the information, click Next.
Step 2: Select Scenario
On the Select Scenario page, configure the desired AD capabilities.

Basic settings
Synchronization Direction:
Data from the selected source node in IDaaS is synchronized to the users or organizations in AD. For Source Node, specify the IDaaS node. For the target node, enter the DN of the AD node. The DN of the AD root node is typically dc=example,dc=com, which corresponds to your domain.
Incremental Synchronization:
Exports data changes from IDaaS in real time.
Scheduled Verification:
A scheduled full synchronization that helps keep IDaaS data and AD data consistent.
Delegated Authentication:
Allows users to use their AD accounts to log on to IDaaS.
Auto Sync Password:
To synchronize passwords to AD, you must enable StartTLS or LDAPS. The IDaaS password must also meet the requirements of the AD password policy. Otherwise, the password cannot be automatically synchronized.
Advanced settings
User ObjectClass and Organization ObjectClass:
You can use ObjectClass to define whether an object is a user or an organization. For example, objects where ObjectClass=user in the query results are treated as users. You do not usually need to change this setting.
User RDN and Organization RDN:
If you have customized the Relative Distinguished Name (RDN) of objects in AD, you can configure the write identity here. For example, when IDaaS synchronizes an account to AD, it uses `ou` as the RDN for the organization.
User Sign-in ID:
When a user logs on to IDaaS using AD delegated authentication, IDaaS queries AD for the user based on these properties and matches the password. If the password is correct, the user is allowed to log on to IDaaS. You can separate multiple properties with a comma (,). This creates an OR relationship, which means a user can log on using any of the specified properties. Make sure that the properties correspond to the same AD user. Otherwise, the logon fails.
Step 3: Field Mapping
If you have historical data for users or organizations in AD, you must attach the AD accounts to the IDaaS accounts. Alternatively, if you want to use data from certain fields of an IDaaS account as data for an AD account, such as using the mobile number from an IDaaS account as the username for an AD user, you must configure Field Mapping. To use the Mapping Identifier feature, you must manually enable it, as shown for the Mobile Phone field in the following figure.

After you complete the configuration, click Save and Push to trigger data synchronization. This action imports all data from the IDaaS source node and places it under the AD target node. To save only the configuration, click Save Only.
For more information about field mapping, see the Field mapping document.
AD security configuration
By default, LDAP does not encrypt data during transmission. This leaves the data unprotected and at risk of being stolen in plaintext. Using LDAPS or StartTLS can effectively improve the security of data transmission. After you configure a certificate in AD, you can use LDAPS or StartTLS in IDaaS. We recommend that you enable this feature.
In Server Configuration, install the role, upgrade to a domain server, and add a certificate. For the signature algorithm, use SHA256. This completes the certificate configuration.
After you configure the certificate, you can retrieve the certificate fingerprint in IDaaS with a single click. This establishes a trust relationship between IDaaS and the AD certificate and reduces the threat of forged certificates.

To quickly check whether the certificate fingerprint you see in the AD interface is the same as the one retrieved from IDaaS, you can run the following command (it connects to the server, extracts the public key from the presented certificate, and prints its SHA-256 digest):
openssl s_client -connect server_host:port </dev/null 2>/dev/null | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
AD customization
ObjectClass
In AD, ObjectClass is a collection of attributes. Every object must have an ObjectClass. You can use ObjectClass to define an object as a user, organization, or computer. For example, you can find the user shown in the following figure with the filter statements objectclass=person or objectclass=user. You can view the ObjectClass in the Properties of an AD object.
Logon identity
When a user logs on to IDaaS using AD delegated authentication, IDaaS uses these properties to query the user in AD and match the password. If the password is correct, the user is allowed to log on to IDaaS.
You can typically use properties such as userPrincipalName, sAMAccountName, phone number, mailbox, or employee ID for logon. If required, you can define these properties when you create the identity provider or in the Delegated Authentication settings. If you use multiple properties, make sure they are unique and correspond to the same AD user. Otherwise, the user cannot use delegated authentication.
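The following is an added example, not IDaaS code, showing how the comma-separated User Sign-in ID setting described above and in the Advanced settings translates into an OR filter, and why the listed properties must resolve to a single AD user. Attribute names and the sample directory entries are constructed.

```python
# Added example (not Alibaba Cloud IDaaS code): builds the OR filter that a
# comma-separated "User Sign-in ID" setting implies, escapes the logon value
# per RFC 4515, and checks that the candidates found all belong to one AD user.
from typing import Dict, List, Optional

def escape_filter_value(value: str) -> str:
    """Escape special characters in an LDAP filter assertion value (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_logon_filter(signin_ids: str, logon_value: str, object_class: str = "user") -> str:
    """'userPrincipalName, sAMAccountName' -> (&(objectClass=user)(|(userPrincipalName=v)(sAMAccountName=v)))"""
    attrs = [a.strip() for a in signin_ids.split(",") if a.strip()]
    if not attrs:
        raise ValueError("at least one sign-in attribute is required")
    v = escape_filter_value(logon_value)
    clauses = "".join(f"({a}={v})" for a in attrs)
    inner = clauses if len(attrs) == 1 else f"(|{clauses})"
    return f"(&(objectClass={object_class}){inner})"

def resolve_unique_user(entries: List[Dict[str, str]], signin_ids: str, logon_value: str) -> Optional[str]:
    """Return the DN of the single AD user the logon value maps to, or None
    when no entry or more than one distinct entry matches (logon must fail)."""
    attrs = [a.strip() for a in signin_ids.split(",") if a.strip()]
    matched = {e["dn"] for e in entries
               if any(e.get(a, "").lower() == logon_value.lower() for a in attrs)}
    return matched.pop() if len(matched) == 1 else None

# Constructed sample directory entries (not real data). Bob's mailbox is set to
# Alice's address on purpose, so "userPrincipalName,mail" is ambiguous for Alice.
SAMPLE_USERS = [
    {"dn": "cn=alice,ou=Technical Department,dc=example,dc=com",
     "userPrincipalName": "alice@example.com", "sAMAccountName": "alice", "mail": "alice@example.com"},
    {"dn": "cn=bob,ou=Technical Department,dc=example,dc=com",
     "userPrincipalName": "bob@example.com", "sAMAccountName": "bob", "mail": "alice@example.com"},
]
```

With "userPrincipalName,sAMAccountName" the value alice resolves to exactly one DN; with "userPrincipalName,mail" the value alice@example.com matches two distinct users and the logon is refused, which is the failure the text warns about.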
AD synchronization configuration
Get the Base DN
The Base DN is the path identity of a node in AD. IDaaS performs operations, such as queries and data synchronization, only under this node. You can set the Base DN of the target node in the Synchronization Direction settings.
The DN format is ou=Sample-OU,dc=example,dc=com. The DN of the root node is typically dc=example,dc=com, which corresponds to your domain. You can also view the DN of a node directly in the AD Management Center, as shown in the following figure:
When the path of a node changes, its Base DN also changes. To prevent AD data synchronization errors caused by node path adjustments, IDaaS uses the node's ObjectGuid as a node fingerprint when you configure the Base DN of the target synchronization node. If the Base DN changes and no longer matches the node fingerprint, data synchronization is blocked. After you reconfigure the target node, synchronization can proceed normally.
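The following is an added example, not IDaaS code, that models the node-fingerprint check just described: the objectGUID recorded when the target Base DN was configured is compared with the objectGUID now found at that DN, and the push is blocked when the node has moved or when a different node has taken over the old name. The directory snapshots and GUID values are constructed.

```python
# Added example (not Alibaba Cloud IDaaS code): models the Base DN plus
# objectGUID fingerprint check that gates synchronization to the target node.
from typing import Dict, Optional, Tuple

def normalize_dn(dn: str) -> str:
    """Case-fold the DN and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def find_guid(directory: Dict[str, str], base_dn: str) -> Optional[str]:
    """Look up the objectGUID of the node at base_dn (None if the node is gone)."""
    wanted = normalize_dn(base_dn)
    for dn, guid in directory.items():
        if normalize_dn(dn) == wanted:
            return guid
    return None

def check_target_node(directory: Dict[str, str], configured_dn: str, stored_guid: str) -> Tuple[bool, str]:
    """Decide whether a push to the configured target node may proceed."""
    current = find_guid(directory, configured_dn)
    if current is None:
        return False, "blocked: target Base DN no longer exists; reconfigure the target node"
    if current.lower() != stored_guid.lower():
        return False, "blocked: node fingerprint (objectGUID) does not match; reconfigure the target node"
    return True, "ok"

# Constructed sample snapshots of the directory (not real data).
GUID_ROOT = "aaaaaaaa-0000-0000-0000-000000000001"   # constructed value
GUID_SALES = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed value
AD_BEFORE = {"dc=example,dc=com": GUID_ROOT,
             "ou=Sales,dc=example,dc=com": GUID_SALES}
# The Sales OU was moved under ou=EMEA; its objectGUID is unchanged, its DN is not.
AD_MOVED = {"dc=example,dc=com": GUID_ROOT,
            "ou=Sales,ou=EMEA,dc=example,dc=com": GUID_SALES}
# Someone later created a new OU reusing the old name: same DN, different objectGUID.
AD_RECREATED = dict(AD_MOVED, **{"ou=Sales,dc=example,dc=com": "bbbbbbbb-0000-0000-0000-000000000002"})
```

After the move, the old Base DN is refused; reconfiguring the target node to the new DN restores synchronization because the stored fingerprint still matches.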
Incremental synchronization
When user or organization data in IDaaS changes, and the changed data is within the scope of the configured target synchronization node, IDaaS pushes the changed data to AD.