
Identity as a Service: Connect IDaaS to AD

Last Updated:Jan 21, 2025

This topic describes how to connect Identity as a Service (IDaaS) to Active Directory (AD) and the common operations that you can perform.

About AD

Overview

AD is a directory service that runs on Microsoft Windows Server. AD allows administrators to centrally manage computers, user services, network resources, and permissions within domains in medium and large network environments.

Note

The network endpoint feature allows you to synchronize data from AD and delegate authentication to AD without the need to open public ports.

Procedure

Log on to the IDaaS console. On the EIAM page, click the required instance. In the left-side navigation pane, click Quick Start or IdPs. On the page that appears, click Bind AD.

Step 1: Configure parameters in the Connect to AD step

Configure the following parameters in IDaaS:


  • Nickname: the name that is displayed to a user when the user logs on to and uses IDaaS.

  • Network Access Endpoint: the network endpoint from which the IDaaS instance reaches your AD server. If you want only IDaaS to reach the AD server, add the endpoint's outbound IP address to the IP address whitelist (firewall allow list) of the AD server and keep the LDAP port closed to everything else. An IDaaS instance that uses a shared endpoint is given a fixed public outbound IP address that is shared rather than unique to your instance, so the whitelist narrows exposure but does not by itself identify your instance; the bind credentials and TLS still carry that job. An IDaaS instance that uses a dedicated endpoint is given a dedicated, custom private outbound IP address and a public outbound IP address, and can reach an Alibaba Cloud virtual private cloud (VPC) through the dedicated endpoint. This way, IDaaS can reach your AD without the need to open public ports. For more information, see Endpoints.

  • Server Address: the host name or IP address and port of the AD server. Example: ad.example.com:389. Port 389 is the default LDAP port and is also the port used with StartTLS, which begins in plaintext on 389 and then upgrades the connection to TLS. LDAPS is TLS from the first byte and uses port 636. Enter port 636 when you connect with LDAPS; for StartTLS keep port 389 and turn on Enable StartTLS.

  • Enable StartTLS: specifies whether IDaaS issues the StartTLS extended operation after connecting on the plaintext port (389) and upgrades the session to TLS. We recommend that you use LDAPS or StartTLS; otherwise the bind password and all directory data cross the network unencrypted. For more information about how to enable LDAPS or StartTLS on the AD side, see the AD security configuration section of this topic.

  • Administrator Account: the AD account that IDaaS binds with to read AD data for synchronization or delegated authentication. Read permission on the synchronized subtree is all that is required, so use a dedicated service account with read-only rights rather than a Domain Admin account, and plan its password rotation, because an expired or changed password breaks the bind and with it both synchronization and delegated logon. Enter the value in User Principal Name (UPN) format, such as example@example.com, or Distinguished Name (DN) format, such as cn=admin,ou=technical department,dc=example,dc=com.

  • Administrator Password: the logon password of the administrator account.

Step 2: Configure parameters in the Select Scenario step

In this step, configure the features that you want to use.


Features

  • Synchronization Direction: the users and organizations under the AD node that you select as the source node are imported into the IDaaS node that you select as the destination. Enter the DN of the AD node as the source node. The DN of the AD root node is dc=example,dc=com (your domain); a narrower node such as ou=staff,dc=example,dc=com limits what IDaaS reads to that subtree.

Note

Only synchronization from AD to IDaaS is supported. Synchronization from IDaaS to AD is not supported.

  • Incremental Synchronization: IDaaS listens to the data of AD users or organizations, and synchronizes the changed data from AD to IDaaS every 10 minutes. If a large amount of data is involved in a single synchronization, latency may occur. We recommend that you perform full data synchronization on a regular basis to ensure data consistency between AD and IDaaS.

    • In the Field Mapping step, you can designate a field of an IDaaS account as the matching identifier and map it to a field of the AD user. For example, you can match the Mobile Phone Number field of an IDaaS account against the Mobile Phone Number field of an AD user. If a match is found and the AD user is later changed, the IDaaS account is updated from the AD user. If no match is found, a new IDaaS account is created from the AD user. The matching field must be unique on both sides: if two AD users carry the same value, updates from both land on the same IDaaS account.

    • When incremental synchronization is performed for the first time, full data synchronization is automatically performed.

    • Failure to import a single data entry does not affect the import of other data entries.

    • You can view the failure information in synchronization logs.

    • You must enable AD Recycle Bin to receive messages about deletion events in AD. For more information about how to enable this feature, see the Incremental synchronization section of this topic.

  • Delegated Authentication: If this feature is enabled, a user can log on to IDaaS by using an AD username and password.

  • Automatic Password Update: when a user logs on to IDaaS through AD delegated authentication and the IDaaS account has no password set, IDaaS sets the user's AD password as the IDaaS password. The AD password must meet the requirements of the IDaaS password policy; otherwise the IDaaS password is not set.
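The following Python script is an added example written for this page; it is not IDaaS's synchronization code. It models the matching rule described under Incremental Synchronization on constructed sample users: each AD user is matched to an existing account on one mapped identifier (here the mobile number), a match updates the account, no match creates one, and a failure on one entry is logged without stopping the rest of the batch. The two extra guards, an identifier claimed twice within one batch and an account already bound to a different objectGUID, are assumptions added here so that a duplicated identifier is reported instead of silently merging two people into one account.

```python
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Account:
    """Minimal IDaaS-side account; object_guid records which AD object it is bound to."""
    username: str
    mobile: str
    display_name: str
    object_guid: str = ""


# Constructed sample data (not real directory content). 'mallory' reuses
# alice's mobile number and 'carol' has no mobile number at all.
AD_USERS = [
    {"sAMAccountName": "alice", "objectGUID": "guid-a", "mobile": "+8613800000001", "displayName": "Alice Liu"},
    {"sAMAccountName": "bob", "objectGUID": "guid-b", "mobile": "+8613800000002", "displayName": "Bob Wang"},
    {"sAMAccountName": "carol", "objectGUID": "guid-c", "mobile": "", "displayName": "Carol Zhang"},
    {"sAMAccountName": "mallory", "objectGUID": "guid-m", "mobile": "+8613800000001", "displayName": "Mallory"},
]
EXISTING_ACCOUNTS = [Account("alice", "+8613800000001", "A. Liu", "guid-a")]


def reconcile(accounts, ad_users, match_field="mobile"):
    """Apply one synchronization batch to `accounts` in place and return a log of
    (outcome, sAMAccountName, detail) tuples, one per AD user.

    Match-then-update-or-create follows the page. The duplicate-identifier and
    wrong-objectGUID guards are assumptions added in this example.
    """
    by_key = {getattr(a, match_field): a for a in accounts}
    claimed = {}  # identifier value -> objectGUID that used it earlier in this batch
    log = []
    for user in ad_users:
        name = user.get("sAMAccountName", "?")
        try:  # one bad entry must not abort the rest of the batch
            guid = user["objectGUID"]
            key = user[match_field]
            if not key:
                raise ValueError(f"{match_field} is empty; cannot match")
            if claimed.get(key, guid) != guid:
                raise ValueError(f"{match_field}={key} already claimed by {claimed[key]}")
            acct = by_key.get(key)
            if acct is not None and acct.object_guid and acct.object_guid != guid:
                raise ValueError(f"account {acct.username} is bound to {acct.object_guid}")
            if acct is None:
                acct = Account(name, key, user["displayName"], guid)
                accounts.append(acct)
                by_key[key] = acct
                log.append(("created", name, ""))
            else:
                acct.display_name = user["displayName"]
                acct.object_guid = guid
                log.append(("updated", name, ""))
            claimed[key] = guid
        except (KeyError, ValueError) as exc:
            log.append(("failed", name, str(exc)))
    return log


def run_sample():
    """Run the batch against fresh copies of the sample data; returns (accounts, log)."""
    accounts = deepcopy(EXISTING_ACCOUNTS)
    log = reconcile(accounts, deepcopy(AD_USERS))
    return accounts, log


if __name__ == "__main__":
    accounts, log = run_sample()
    for entry in log:
        print(*entry)
    print([a.username for a in accounts])
```

Running it shows alice updated, bob created, and carol and mallory failed with the reason in the log, which is the per-entry behaviour the synchronization logs described above are meant to surface.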

Advanced Settings

  • User/Organization ObjectClass: You can use ObjectClass to define a type of object as a user or organization. For example, the object whose ObjectClass is user in the query result is considered a user. In most cases, no modification is required.

  • User Sign-in ID: the AD attributes that IDaaS searches when a user logs on through AD delegated authentication. IDaaS looks up the AD user whose attribute equals the entered sign-in ID and then verifies the password against AD; if the password is correct, the user is allowed to log on to IDaaS. You can separate multiple attributes with commas (,); they are combined with OR, so the user can log on with any one of them. The values must be unique in AD and all resolve to the same AD user; if a sign-in ID matches two different AD objects, the user cannot log on.

  • FILTER Statement for Filtering Users: If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement. For more information, see the Filter section of this topic.


Step 3: Configure parameters in the Field Mapping step

If you already have accounts or organizations in IDaaS and want to map them to AD users or organizations, or if you want specific fields of an IDaaS account to be filled from specific attributes of an AD user, you must configure field mappings. For example, if the mobile phone number of an IDaaS account should be taken from a particular AD attribute, you must configure a field mapping for that pair.


For more information, see Field mappings.

AD security configuration

By default, LDAP traffic to AD on port 389 is transmitted in plaintext without encryption or integrity protection: a simple bind sends the service account password in the clear, and every synchronized attribute can be read or altered on the path. You can use LDAPS or StartTLS to protect the connection. After you install a certificate on the domain controller, you can use LDAPS or StartTLS in IDaaS. We recommend that you enable LDAPS or StartTLS.

In Server Manager, install the required roles, promote the server to a domain controller, obtain a server certificate for the domain controller from your PKI (signed with SHA-256; do not use SHA-1), and install it so that the domain controller offers TLS on port 636 (LDAPS) and StartTLS on port 389.

After you configure the certificate, IDaaS can display the fingerprint of the certificate that the AD server presents. Compare it with the value taken on the AD side before you confirm it; this pins IDaaS to that certificate and reduces the risk that a forged certificate is accepted. Repeat the check when the certificate is renewed, and expect the value to change at least whenever the key pair changes.


Note

If you need to quickly check whether the fingerprint shown on the AD side is the same as the one obtained from IDaaS, run the following command on a host that can reach the AD server. It connects with LDAPS, extracts the server's public key (SubjectPublicKeyInfo) from the presented certificate, and prints its SHA-256 digest. This is a hash of the key, not of the whole certificate, so it stays the same when the certificate is reissued for the same key pair and changes only when the key pair changes; the whole-certificate hash, if that is what your AD tooling displays, is printed by openssl x509 with the -fingerprint -sha256 option instead. The </dev/null redirection keeps s_client from waiting on standard input, -servername sends SNI, and for StartTLS on port 389 you add -starttls ldap (OpenSSL 1.1.1 or later) and connect to port 389:

openssl s_client -connect server_host:636 -servername server_host </dev/null 2>/dev/null | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256

AD custom configuration

ObjectClass

ObjectClass in AD is a multi-valued attribute that names the class of an object and every parent class it derives from. Each object must have an ObjectClass. You can use it to tell users, organizations, and computers apart. For example, as shown in the following figure, the system can find users by using the (objectClass=person) or (objectClass=user) filter. Note that the AD computer class derives from user, so a computer object also carries objectClass=user; if computer objects live under your source node and you do not want them synchronized, add (!(objectClass=computer)) to the user filter. You can view ObjectClass in the attributes of the AD object.

User Sign-in ID

When a user attempts to log on to IDaaS by using AD delegated authentication, IDaaS uses the attributes to query the user in AD and matches the password. If the password is correct, the user is allowed to log on to IDaaS.

You can use one or more of the attributes userPrincipalName, sAMAccountName, mobile phone number, email address, and employee number as the sign-in ID. You define them when you create the identity provider (IdP) or on the Delegated Authentication page. If you use multiple attributes, make sure that their values are unique in AD and that any given sign-in ID resolves to the same single AD user through all of them; otherwise delegated authentication fails for that user. Attributes that are easily duplicated, such as a shared mailbox address or an empty employee number, are poor sign-in IDs for that reason.

Filter

Important

The modifications of the ObjectClass conditions and the filter statement affect the filter conditions of the AD node. During full data synchronization, IDaaS accounts and organizations that do not meet the filter conditions are deleted. We recommend that you adjust the synchronization protection settings and fully test whether the filtered results meet your expectations before you modify the ObjectClass conditions and the filter statement. For example, you can use another IDaaS instance to perform a test.

Overview

If you want to synchronize specific users from different organizations to IDaaS, you can use a custom filter statement to filter users. Only users that meet the filter conditions can be synchronized to IDaaS. By default, the filter statement contains ObjectClass conditions in the AND relationship. You can click View Details to view the complete statement.


The following sections describe the common operators and filter statements for AD.

Common operators

  • = (equal to). Example: (cn=Alice). An asterisk (*) in the value is a wildcard, so (cn=CN*) matches common names that start with CN, and (attr=*) tests only that the attribute is present.

  • >= (greater than or equal to). Example: (pwdLastSet>=1319563845000000000).

  • <= (less than or equal to). Example: (sAMAccountName<=a).

  • & (AND): all of the enclosed conditions must be met. Example: (&(cn=CN*)(memberOf=cn=Test,ou=HQ,dc=Domain,dc=com)).

  • | (OR): at least one of the enclosed conditions must be met. Example: (|(cn=Test*)(cn=Admin*)).

  • ! (NOT): negates exactly one enclosed condition; the object matches only if that condition is not met. Example: (!(memberOf=cn=Test,ou=HQ,dc=Domain,dc=com)).

A value that comes from user input, such as a sign-in ID, must have the characters *, (, ), \ and NUL escaped as \2a, \28, \29, \5c and \00 (RFC 4515) before it is placed in a filter; otherwise a crafted value changes the meaning of the filter.

Common statements

  • Select users whose common name (cn) starts with CN: (cn=CN*)

  • Select the user with the specified email address, whether it is the primary mail attribute or one of the proxyAddresses entries: (|(proxyAddresses=*:alice@example.com)(mail=alice@example.com))

  • Select direct members of the specified group: (memberOf=cn=Test,ou=HQ,dc=Domain,dc=com). memberOf lists direct membership only; to include members of nested groups, AD accepts the transitive matching rule, (memberOf:1.2.840.113556.1.4.1941:=cn=Test,ou=HQ,dc=Domain,dc=com).
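The following Python script is an added example written for this page, not IDaaS code, and serves both the User Sign-in ID section and the Filter section: it parses and evaluates the filter syntax from the tables above against a constructed AD-like snapshot, previews which objects a filter keeps or drops once the console's objectClass condition is ANDed in (the set that a full synchronization would remove from IDaaS), and performs the delegated-authentication lookup with the sign-in attributes ORed and the login value escaped, refusing to proceed unless exactly one AD object matches. The entries, the helper names, and the escaping step are assumptions of this example; how IDaaS itself builds its filters is not stated on the page. The AD schema fact that a computer object also carries objectClass=user is taken from the AD schema, not from the page. Transitive group membership (the matching-rule syntax above) is not implemented here.

```python
import re

BASE = "dc=example,dc=com"
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

def _entry(cn, ou, **attrs):
    """Build one constructed AD-like entry; multi-valued attributes are lists."""
    e = {"dn": f"cn={cn},ou={ou},{BASE}", "objectClass": USER_CLASSES, "cn": cn}
    e.update(attrs)
    return e

# Constructed snapshot (not real data). AD schema fact assumed here: a computer
# object also carries objectClass=user because the computer class derives from user.
ENTRIES = [
    _entry("Alice", "HQ", sAMAccountName="alice", userPrincipalName="alice@example.com",
           mail="alice@example.com", proxyAddresses=["SMTP:alice@example.com"],
           memberOf=[f"cn=Test,ou=HQ,{BASE}"], pwdLastSet="133500000000000000"),
    _entry("Bob", "HQ", sAMAccountName="bob", userPrincipalName="bob@example.com",
           mail="bob@example.com", pwdLastSet="0"),
    _entry("svc-idaas", "Service", sAMAccountName="svc-idaas",
           mail="alice@example.com"),                      # duplicate mail, on purpose
    _entry("PC01", "Computers", objectClass=USER_CLASSES + ["computer"], sAMAccountName="PC01$"),
]

def parse_filter(text):
    """Parse an RFC 4515 filter (the operators listed above) into a small AST."""
    s = text.strip()
    i, node = _parse(s, 0)
    if i != len(s):
        raise ValueError(f"unexpected trailing text at offset {i}")
    return node

def _parse(s, i):
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    c = s[i + 1]
    if c in "&|!":                                  # (&...), (|...), (!...)
        i, items = i + 2, []
        while i < len(s) and s[i] == "(":
            i, node = _parse(s, i)
            items.append(node)
        if i >= len(s) or s[i] != ")" or (c == "!" and len(items) != 1):
            raise ValueError(f"bad '{c}' filter ending at offset {i}")
        return i + 1, (c, items)
    end = s.find(")", i)                            # a literal ')' in a value must be \29
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(>=|<=|=)(.*)", s[i + 1:end]) if end > 0 else None
    if not m:
        raise ValueError(f"bad filter item at offset {i}")
    attr, op, value = m.groups()
    return end + 1, (op, attr, value)

def _unescape(v):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def escape_value(v):
    """RFC 4515 escaping for a value taken from user input, such as a login name."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch for ch in v)

def _values(entry, attr):
    v = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return v if isinstance(v, list) else [v]

def _order(a, b):
    try:
        a, b = int(a), int(b)                       # numeric attributes such as pwdLastSet
    except ValueError:
        a, b = a.lower(), b.lower()
    return (a > b) - (a < b)

def matches(node, entry):
    op = node[0]
    if op == "&":
        return all(matches(n, entry) for n in node[1])
    if op == "|":
        return any(matches(n, entry) for n in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, raw = node
    vals = _values(entry, attr)
    if op == "=":
        if raw == "*":                              # presence test
            return bool(vals)
        # split on unescaped '*' first, then decode \XX escapes inside each piece
        rx = re.compile(".*".join(re.escape(_unescape(p)) for p in raw.split("*")), re.I)
        return any(rx.fullmatch(v) for v in vals)
    want = _unescape(raw)
    return any(_order(v, want) >= 0 if op == ">=" else _order(v, want) <= 0 for v in vals)

def sync_preview(entries, user_filter, object_class="user"):
    """AND the console's objectClass condition with the custom filter and report which DNs
    stay in scope and which fall out (and would be removed from IDaaS on a full sync)."""
    node = parse_filter(f"(&(objectClass={object_class}){user_filter})")
    kept = [e["dn"] for e in entries if matches(node, e)]
    return kept, [e["dn"] for e in entries if e["dn"] not in kept]

def resolve_signin(entries, signin_attrs, login):
    """Delegated-authentication lookup: sign-in attributes are ORed, the login is escaped
    so '*' or parentheses in it cannot widen the search, and exactly one hit is required."""
    items = "".join(f"({a}={escape_value(login)})" for a in signin_attrs)
    hits = [e for e in entries if matches(parse_filter(f"(|{items})"), e)]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} AD objects match {login!r} on {signin_attrs}")
    return hits[0]

if __name__ == "__main__":
    print(sync_preview(ENTRIES, "(!(objectClass=computer))"))
```

Previewing (cn=*) with the default objectClass=user condition keeps all four entries, PC01 included; adding (!(objectClass=computer)) drops it. Resolving alice@example.com through sAMAccountName and mail hits two objects because the service account carries the same mail value, which is exactly the ambiguity the section above says will block the logon.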

AD synchronization configuration

Obtain Base DN

Base DN is the path identifier of a node in AD. IDaaS performs operations such as queries and data synchronization only within this node. You can configure the Base DN of the source node in Synchronization Direction.

The format of a DN is ou=organization,dc=example,dc=com; whitespace after the separating commas, as in ou=organization, dc=example, dc=com, is also accepted. The DN of the root node is dc=example,dc=com (your domain). You can also view the DN of the node in AD Administrative Center, as shown in the following figure.

If the path of a node changes, the Base DN of the node also changes. To prevent AD data synchronization errors caused by node path changes, IDaaS uses the ObjectGuid of the node as the node fingerprint when you configure the Base DN of the source node in IDaaS. If the changed Base DN of the node does not match the node fingerprint, data synchronization is stopped. You can synchronize data after you reconfigure the source node.
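The following Python script is an added example written for this page, not IDaaS code. It shows the two pieces of logic the section above describes: comparing DNs the way LDAP does (attribute types and values case-insensitively, whitespace after commas ignored, escaped commas kept inside a value) so that "OU=Staff, DC=example, DC=com" and "ou=staff,dc=example,dc=com" name the same node, and pinning the configured source node to its objectGUID so that synchronization stops when the node is renamed or moved instead of silently continuing against a different subtree. The directory snapshots are constructed; multi-valued RDNs joined with + are not handled.

```python
def parse_dn(dn):
    """Split a DN into (type, value) RDNs, lowercased, with whitespace around the
    separators dropped. A backslash-escaped comma stays inside its value.
    Multi-valued RDNs ('+') are not supported by this example."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    out = []
    for rdn in rdns:
        t, sep, v = rdn.partition("=")
        if not sep or not t.strip():
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        out.append((t.strip().lower(), v.strip().lower()))
    return out


def normalize_dn(dn):
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn))


def is_under(dn, base_dn):
    """True if dn is base_dn itself or lies beneath it, compared RDN by RDN
    (a plain string suffix test would wrongly match 'myou=Staff,...')."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


class SyncStopped(Exception):
    pass


def check_source_node(directory, configured_base_dn, stored_guid):
    """Guard modelled on the behaviour described above: the source node is pinned to the
    objectGUID recorded when the Base DN was configured. If that object is gone or now
    sits at a different DN, raise instead of synchronizing from the wrong tree;
    otherwise return the DNs currently in scope."""
    node = next((e for e in directory if e["objectGUID"] == stored_guid), None)
    if node is None:
        raise SyncStopped(f"source node {stored_guid} no longer exists")
    if normalize_dn(node["dn"]) != normalize_dn(configured_base_dn):
        raise SyncStopped(f"source node moved to {node['dn']}; reconfigure the Base DN")
    return [e["dn"] for e in directory if is_under(e["dn"], configured_base_dn)]


# Constructed snapshots (not real directory content).
BEFORE = [
    {"dn": "ou=Staff,dc=example,dc=com", "objectGUID": "g-staff"},
    {"dn": "cn=Alice,ou=Staff,dc=example,dc=com", "objectGUID": "g-alice"},
    {"dn": "cn=Smith\\, Bob,ou=Sales,ou=Staff,dc=example,dc=com", "objectGUID": "g-bob"},
    {"dn": "cn=Carol,ou=Contractors,dc=example,dc=com", "objectGUID": "g-carol"},
]
# The same objects after an administrator renamed ou=Staff to ou=Employees.
AFTER = [{**e, "dn": e["dn"].replace("ou=Staff,", "ou=Employees,")} for e in BEFORE]
CONFIGURED_BASE_DN = "OU=Staff, DC=example, DC=com"   # as typed in the console

if __name__ == "__main__":
    print(check_source_node(BEFORE, CONFIGURED_BASE_DN, "g-staff"))
    try:
        check_source_node(AFTER, CONFIGURED_BASE_DN, "g-staff")
    except SyncStopped as exc:
        print("stopped:", exc)
```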

Incremental synchronization

IDaaS listens to the data of AD users or organizations, and synchronizes the changed data from AD to IDaaS every 10 minutes. If a large amount of data is involved in a single synchronization, latency may occur. We recommend that you perform full data synchronization on a regular basis to ensure data consistency between AD and IDaaS.

Because of the limits of AD incremental synchronization, IDaaS must use AD Recycle Bin to obtain deletion events; without it, a deleted object becomes a tombstone stripped of most of its attributes. Enable the Recycle Bin feature in AD Administrative Center. That console option requires Windows Server 2012 or later, and the feature itself requires a forest functional level of Windows Server 2008 R2 or higher. Enabling the Recycle Bin cannot be undone.