LDAP web service settings


It's located at System Setup > LDAP Web Service Settings. Each LDAP-WS entry contains all the settings needed to make a successful call to an LDAP-WS tenant.

LDAP-WS uses a binding with mutual SSL certificate authentication between LDAP-WS and the client (in this case, Safewhere*Identify). This type of binding requires that:

  • An LDAP-WS tenant must have its own certificate (referred to as the server certificate in the remainder of the section).
  • A client that needs to communicate with LDAP-WS must also have its own certificate (referred to as the client certificate in the remainder of the section).
  • The machine that the LDAP-WS is running on must trust the client certificate. This means that the public key of the client certificate must be imported to the LocalMachine/TrustedPeople store on the server machine.
  • The machine that the client is running on must trust the server certificate. This means that the public key of the server certificate must be imported to the LocalMachine/TrustedPeople store on the client machine.

UI fields are explained below:

LDAP web service

  • Name: A unique name for the LDAP Web Service Settings. This name only needs to be meaningful in Identify’s context.
  • Client Certificate: The settings for client certificates, including Store Location, Store Name, Find Type, and Find Value. All fields are required.
  • Server Certificate: The settings for server certificates, including Store Location, Store Name, Find Type, Find Value, and Raw Certificate. You can fill in either Raw Certificate directly or the four fields.
  • Endpoint Identity: The server certificate’s subject; it’s autogenerated after inputting the server certificate, for instance, “ADFS Two factor server certificate”.
  • Service URL: The fully qualified URL of the LDAP Web Service endpoint (the API that Identify calls), for instance, “http://ldapws34r3.safewhere.local/LdapCredentialsService.svc”.

There is also a Test button, which can be used to validate the configuration (that is, to ensure that Identify is able to contact LDAP-WS). Remember to save your changes before clicking the Test button.
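The following PowerShell script is an added example, not part of Safewhere's documentation or product, that checks the certificate prerequisites listed above on the Identify (client) machine before the Test button is used. It locates the client certificate with the same Store Location, Store Name, Find Type and Find Value that the UI asks for, confirms that it has a private key and has not expired, imports the server certificate's public key into LocalMachine\TrustedPeople, prints the subject that becomes the Endpoint Identity, and exports the client certificate's public key for the LDAP-WS administrator to import on the server machine. The thumbprint and file paths are constructed placeholders.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example (not Safewhere's code): pre-flight check of the LDAP-WS certificate
# prerequisites, run on the machine hosting Identify (the client side).

# Client Certificate settings as entered in the Identify UI. The Find Type values
# mirror the X509FindType enumeration (FindByThumbprint, FindBySubjectName, ...).
$ClientStoreLocation = 'LocalMachine'
$ClientStoreName     = 'My'
$ClientFindType      = 'FindByThumbprint'
$ClientFindValue     = '0000000000000000000000000000000000000000'   # placeholder thumbprint

# Public-key file (.cer, no private key) of the LDAP-WS server certificate,
# exported by the LDAP-WS administrator. Placeholder path.
$ServerCerFile   = 'C:\certs\ldapws-server.cer'
# Where to write the client certificate's public key for the server side. Placeholder path.
$ClientCerExport = 'C:\certs\identify-client.cer'

function Find-StoreCertificate {
    param([string]$StoreLocation, [string]$StoreName, [string]$FindType, [string]$FindValue)
    $store = [X509Store]::new($StoreName, [StoreLocation]$StoreLocation)
    $store.Open([OpenFlags]::ReadOnly)
    try {
        # validOnly = $false so that an expired certificate is still found and reported below
        $found = $store.Certificates.Find([X509FindType]$FindType, $FindValue, $false)
        if ($found.Count -ne 1) {
            throw "Expected exactly one certificate for $FindType '$FindValue', found $($found.Count)"
        }
        return $found[0]
    } finally {
        $store.Close()
    }
}

# 1. The client certificate must be present with its private key and still valid.
$client = Find-StoreCertificate $ClientStoreLocation $ClientStoreName $ClientFindType $ClientFindValue
if (-not $client.HasPrivateKey) { throw "Client certificate $($client.Thumbprint) has no private key" }
if ($client.NotAfter -lt (Get-Date)) { throw "Client certificate expired on $($client.NotAfter)" }
Write-Host "Client certificate OK: $($client.Subject) ($($client.Thumbprint))"

# 2. The server certificate's public key must be trusted on this machine:
#    import it into LocalMachine\TrustedPeople.
$server = Import-Certificate -FilePath $ServerCerFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople'
# The Endpoint Identity field in the UI is derived from this subject.
Write-Host "Server certificate trusted; Endpoint Identity will be: $($server.Subject)"

# 3. Export only the public key of the client certificate (-Type CERT writes a DER .cer
#    without the private key) so it can be imported into LocalMachine\TrustedPeople
#    on the LDAP-WS server machine.
Export-Certificate -Cert $client -FilePath $ClientCerExport -Type CERT | Out-Null
Write-Host "Client public key exported to $ClientCerExport"
```

Run it in an elevated session, since writing to the LocalMachine store requires administrator rights. The script only confirms that the certificates are present, valid and trusted on the client side; the Test button remains the check that Identify can actually reach LDAP-WS over the configured Service URL.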