
Secure Access Service Edge: Use SASE to ensure secure access of LDAP users

Last Updated: Dec 09, 2024

A connection between Secure Access Service Edge (SASE) and Lightweight Directory Access Protocol (LDAP) allows users to log on to the SASE client by using LDAP accounts. This way, you can manage access permissions of LDAP users in the SASE console to ensure the security of office data in your enterprise. This topic describes how to connect an LDAP identity provider (IdP) to SASE.

Scenario

SASE helps manage private access permissions and Internet access permissions for your enterprise and protect your office data. If you use LDAP to manage the user information of your enterprise, you can connect your LDAP IdP to SASE to allow users to log on to the SASE client by using LDAP accounts. This way, you do not need to maintain another identity management system for SASE, which reduces the costs for maintaining user information.

Assume that Enterprise A creates the organizational structure of Department 1 and Department 2 and a security group in Microsoft Active Directory (AD). Users of Department 1 are user1, user2, and user3, and user2 is the administrator. Users of Department 2 are user4 and user5, and the members of the security group are user2 and user4. This topic uses the synchronization of the security group's organizational structure from LDAP to SASE as the example to describe how to connect an LDAP IdP to SASE.

Assume that the base distinguished name (DN) of the security group is CN=Organizational-Unit,CN=Schema,CN=Configuration,DC=sasetest,DC=com, the base DN of the administrator user2 is CN=Person,CN=Schema,CN=Configuration,DC=sasetest,DC=com, and the password of the administrator is 123456****.

In this topic, the default attributes in LDAP are used. If you have changed the attributes, you must use the actual attributes.

Prerequisites

  • SASE is activated, and the SASE client is installed. For more information, see Apply for a free trial and Use the settings feature.

  • LDAP is used to manage the organizational structure and the security group of the enterprise. The LDAP administrator account is available.

Process

Note

One prerequisite is that your enterprise uses LDAP to manage the organizational structure. Therefore, this topic does not describe the operations that you need to perform in LDAP.

Step 1: Connect your LDAP IdP to SASE

Connect your LDAP IdP to SASE to synchronize the organizational structure of the security group in LDAP to SASE.

  1. Log on to the SASE console. In the left-side navigation pane, choose Identity Authentication and Management > Identity Access.

  2. On the IdP Management tab, click Add IdP.

  3. In the Add panel, set the Authentication Type parameter to Single IdP and the Enterprise IdP parameter to LDAP. Then, perform the following operations to configure other parameters.

    1. Configure the basic information about the LDAP IdP and click Next. The following table describes the related parameters.

      Parameter: IdP Configuration Status

      Description: Specifies whether to enable the IdP. Valid values:

      • Enabled: If no IdP is enabled, you can enable the created IdP. If an IdP or IdP combination is already enabled, you must disable it on the IdP Management page before you can enable another IdP or IdP combination.

      • Disabled: You can disable the created IdP and enable it later.

      Example: Enabled

      Parameter: Type

      Description: The type of the directory service. Valid values:

      • Windows AD

      • OpenLDAP

      Example: Windows AD

      Parameter: Configuration Name

      Description: The name of the AD or OpenLDAP IdP. The name must be 2 to 100 characters in length and can contain letters, digits, hyphens (-), and underscores (_).

      Example: test_001

      Parameter: Description

      Description: The description of the IdP. The description is displayed on the SASE client as the logon title, so that users can identify the IdP when they log on to the SASE client.

      Example: LDAP

      Parameter: Server Address

      Description: The address of the AD or OpenLDAP server.

      Example: 10.10.XX.XX

      Parameter: Server Port Number

      Description: The port number of the AD or OpenLDAP server.

      Note

      If you are not sure of the actual port number, contact the administrator.

      Example: 389

      Parameter: SSL Connection

      Description: Specifies whether to connect to the AD or OpenLDAP server over SSL. Valid values:

      • Yes: enables SSL connections. Data exchanged with the AD or OpenLDAP server is encrypted in transit.

      • No: disables SSL connections. Data is transmitted in plaintext.

      Example: No

      Parameter: Base DN

      Description: The base DN of the users to be authenticated. If you configure this parameter, SASE authenticates all accounts under this node, and the authenticated accounts can be used to log on to the SASE client. The value must be 2 to 100 characters in length.

      Important

      If the users and the groups to be authenticated do not belong to the same node, you must configure the User Base DN and Group Base DN parameters in the Advanced Settings section.

      Example: CN=Organizational-Unit,CN=Schema

      Parameter: Organizational Structure Synchronization

      Description: The DN and password of the administrator that SASE uses to obtain the organizational structure from the IdP.

      Important

      After the configuration is complete, you can apply security policies in batches based on the organizational structure. During this process, the system does not read your user information.

      Example:

      • DN of the administrator user1: CN=user1,OU=Security Group,DC=sasetest,DC=com

      • Password of the administrator: 123456****

    2. In the Attribute Configuration step, configure the parameters and click Next.

      You can configure attributes and filters to manage the access permissions of enterprise users in different groups.

      Parameter: Logon Username Attribute

      Description: The attribute that specifies the format of the usernames that your enterprise users enter when they log on. This attribute must be defined in your enterprise directory.

      You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute.

      Important

      userPrincipalName includes a domain suffix. If you select userPrincipalName for the Logon Username Attribute parameter, an enterprise user must enter the domain suffix during logon. Example: user***@aliyundoc.com.

      Example: cn

      Parameter: Display User Name Attribute

      Description: The attribute that specifies the format of the usernames that are displayed on the SASE client. This attribute must be defined in your enterprise directory. The display username is the account username.

      You can select one of the following default username attributes: cn, name, givenName, displayName, userPrincipalName, and sAMAccountName. You can also enter another LDAP-defined attribute.

      Example: cn

      Parameter: Group Name Attribute

      Description: The attribute that specifies the format of the group names in your enterprise. This attribute must be defined in your enterprise directory.

      You can select one of the following default group name attributes: cn, name, and sAMAccountName. You can also enter another LDAP-defined attribute.

      Example: cn

      Parameter: Group Mapping Attribute

      Description: The attribute that defines the groups to which an enterprise user belongs. Default value: memberOf.

      Important

      This parameter is optional. If you configure it, make sure that the value matches the group mapping attribute that is used in LDAP.

      Example: memberOf

      Parameter: Group Filter

      Description: A filter that selects the groups to synchronize, so that you can manage the access permissions of enterprise users by group.

      Examples of common LDAP filters:

      • (&(objectClass=organizationalUnit)(objectClass=organization)): matches groups whose objectClass attribute contains both organizationalUnit and organization.

      • (|(objectClass=organizationalUnit)(objectClass=organization)): matches groups whose objectClass attribute contains organizationalUnit or organization.

      • (!(objectClass=organizationalUnit)): matches groups whose objectClass attribute does not contain organizationalUnit.

      For more information about LDAP matching rules, see LDAP Filters.

      Example: (objectClass=organizationalUnit)

      Parameter: User Filter

      Description: A filter that selects one user or a type of users.

      Examples of common LDAP filters:

      • (&(objectClass=person)(objectClass=user)): matches users whose objectClass attribute contains both person and user.

      • (|(objectClass=person)(objectClass=user)): matches users whose objectClass attribute contains person or user.

      • (!(objectClass=person)): matches users whose objectClass attribute does not contain person.

      For more information about LDAP matching rules, see LDAP Filters.

      Example: (objectClass=person)

      Parameter: Email Attribute

      Description: The attribute that holds the email address of a user.

      Important

      The default attribute that is used to identify an email address in LDAP is email. Make sure that this attribute matches the email address attribute that is used in LDAP.

      Example: email

      Parameter: Mobile Phone Number Attribute

      Description: The attribute that holds the mobile phone number of a user.

      Important

      The default attribute that is used to identify a mobile phone number in LDAP is telephoneNumber. Make sure that this attribute matches the mobile phone number attribute that is used in LDAP.

      Example: telephoneNumber
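The following Python script is an added example; it is not part of this topic or of the SASE product. It shows what the Group Filter, User Filter and Group Mapping Attribute settings above actually select, by parsing the filter syntax from the examples (the &, | and ! operators and attr=value items) and evaluating it against a directory constructed from the scenario in this topic: Department 1 with user1, user2 and user3, Department 2 with user4 and user5, and a security group whose members are user2 and user4. The DNs, the objectClass values and the @sasetest.com userPrincipalName suffix are assumed for illustration; the attribute names cn, sAMAccountName, userPrincipalName and memberOf are the defaults the topic lists.

```python
"""Added example (not SASE documentation or product code): evaluate the LDAP
filters and attribute mappings of the Attribute Configuration step against a
constructed directory. DNs, objectClass values and the UPN suffix are assumed."""
from __future__ import annotations

Entry = dict[str, list[str]]
SUFFIX = "DC=sasetest,DC=com"
SECURITY_GROUP_DN = f"CN=Security Group,{SUFFIX}"


def _user(name: str, *groups: str) -> Entry:
    """Constructed AD-style user entry; memberOf carries the group DNs."""
    return {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": [name], "sAMAccountName": [name],
        "userPrincipalName": [f"{name}@sasetest.com"],  # assumed suffix
        "memberOf": list(groups),
    }


# Constructed directory for the topic's scenario, keyed by DN.
DIRECTORY: dict[str, Entry] = {
    f"OU=Department 1,{SUFFIX}": {"objectClass": ["top", "organizationalUnit"], "ou": ["Department 1"]},
    f"OU=Department 2,{SUFFIX}": {"objectClass": ["top", "organizationalUnit"], "ou": ["Department 2"]},
    SECURITY_GROUP_DN: {"objectClass": ["top", "group"], "cn": ["Security Group"]},
    f"CN=user1,OU=Department 1,{SUFFIX}": _user("user1"),
    f"CN=user2,OU=Department 1,{SUFFIX}": _user("user2", SECURITY_GROUP_DN),
    f"CN=user3,OU=Department 1,{SUFFIX}": _user("user3"),
    f"CN=user4,OU=Department 2,{SUFFIX}": _user("user4", SECURITY_GROUP_DN),
    f"CN=user5,OU=Department 2,{SUFFIX}": _user("user5"),
}


def get_attr(entry: Entry, name: str) -> list[str]:
    """LDAP attribute names are case-insensitive; return [] when absent."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def parse_filter(text: str) -> tuple:
    """Parse the RFC 4515 subset used in this topic: (&..), (|..), (!..), (attr=value), (attr=*)."""
    s = text.strip()
    try:
        node, end = _parse(s, 0)
    except IndexError as exc:
        raise ValueError(f"unterminated filter: {text!r}") from exc
    if end != len(s):
        raise ValueError(f"unexpected trailing text in filter: {s[end:]!r}")
    return node


def _expect(s: str, i: int, ch: str) -> None:
    if i >= len(s) or s[i] != ch:
        raise ValueError(f"expected {ch!r} at offset {i} in {s!r}")


def _parse(s: str, i: int) -> tuple[tuple, int]:
    _expect(s, i, "(")
    i += 1
    op = s[i]
    if op in "&|":  # n-ary AND / OR: read child filters until ')'
        i += 1
        children = []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        _expect(s, i, ")")
        return (op, children), i + 1
    if op == "!":  # unary NOT
        child, i = _parse(s, i + 1)
        _expect(s, i, ")")
        return ("!", [child]), i + 1
    close = s.find(")", i)  # simple item: attr=value (value may itself contain '=')
    if close == -1:
        raise ValueError(f"unterminated filter item in {s!r}")
    attr, sep, value = s[i:close].partition("=")
    if not sep or not attr:
        raise ValueError(f"malformed filter item {s[i:close]!r}")
    return ("=", attr, value), close + 1


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (equality is case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = get_attr(entry, attr)
    if value == "*":  # presence test
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def search(filter_text: str) -> list[str]:
    """DNs of the constructed entries that the filter selects."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, entry in DIRECTORY.items() if matches(node, entry))


def group_members(group_dn: str, user_filter: str = "(objectClass=person)",
                  mapping_attr: str = "memberOf", name_attr: str = "cn") -> list[str]:
    """Users that pass the User Filter and whose Group Mapping Attribute lists group_dn."""
    node = parse_filter(user_filter)
    members = []
    for entry in DIRECTORY.values():
        if matches(node, entry) and any(g.lower() == group_dn.lower() for g in get_attr(entry, mapping_attr)):
            members.extend(get_attr(entry, name_attr)[:1])
    return sorted(members)


def logon_name(entry: Entry, attribute: str) -> str | None:
    """What a user types at logon for the chosen Logon Username Attribute."""
    values = get_attr(entry, attribute)
    return values[0] if values else None


if __name__ == "__main__":
    for f in ("(objectClass=organizationalUnit)", "(|(objectClass=organizationalUnit)(objectClass=group))",
              "(!(objectClass=person))", f"(memberOf={SECURITY_GROUP_DN})"):
        print(f, "->", search(f))
    print("Security group members:", group_members(SECURITY_GROUP_DN))
    u1 = DIRECTORY[f"CN=user1,OU=Department 1,{SUFFIX}"]
    print("user1 logs on as:", logon_name(u1, "cn"), "or", logon_name(u1, "userPrincipalName"))
```

Running the script shows the point the filter examples make: the topic's example group filter (objectClass=organizationalUnit) returns only the two department OUs, while the OR form also returns the security group, and the user filter combined with the memberOf mapping resolves the security group to user2 and user4. The last line shows why the Important note on userPrincipalName matters: with cn the user types user1, with userPrincipalName the value already carries the domain suffix.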

    3. Configure logon and authentication methods.

      Parameter: PC Logon Method

      Description: Valid values:

      • Logon with Account and Password

      • Password-free Logon

      Example: Logon with Account and Password

      Parameter: Two-factor Authentication

      Description: Valid values:

      • Verification Code-based Authentication: If you select Text Message Verification, make sure that each user in the IdP has a mobile phone number.

      • OTP-based Authentication: If you select this option, make sure that clock synchronization on your one-time password (OTP) client works as expected. Common OTP clients such as Google Authenticator, Microsoft Authenticator, and Alibaba Cloud App are supported.

      Example: Text Message Verification

      If a test failure message appears, check whether information such as the server address and the server port is valid.

  4. Click OK.

    You can click Logon Test to check whether the configuration is valid.

    Note

    If the configuration is invalid, SASE displays the corresponding error. After you click Logon Test, the message "Failed to connect to the LDAP server. Contact the administrator" may be displayed. In this case, check whether the server address and port number are valid and whether the network connection works.

    After you connect your LDAP IdP to SASE, go to the User Group Management tab and click Create User Group. In the panel that appears, check whether the organizational structure of your LDAP IdP is synchronized.

    The system requires approximately 30 seconds to synchronize data. If data is not synchronized after 30 seconds, refresh the User Group Management page.

Step 2: Check whether the IdP is connected

After the preceding configuration is complete, perform the following operations to check whether the IdP is connected to SASE.

  1. Open the SASE client that you downloaded.

  2. On the SASE Client Logon page, enter your enterprise authentication identifier and click Confirm.

    You can obtain the enterprise authentication identifier on the Settings page of the SASE console.

  3. Optional. On the SMS verification page, enter the verification code that you receive.

    If you do not configure SMS verification, this page is not displayed.

  4. Use the account and password of user1 to log on.

    If the authentication is successful, the IdP is connected to SASE.