LDAP

The LdapProvider authentication connection extends Identify with the capability to authenticate a user against an LDAP-WS service, which in turn validates the user against an LDAP-compliant server. Note: Identify*Admin requires the standard Name claim type, so the Name claim must be set as this connection's identity bearing claim.

The specific configuration settings for the LDAP Authentication connection are:

  • Authentication type: FormBase method or Integrated method.
  • Domain: (only applies to Microsoft Active Directory) the Active Directory domain name.
  • Prefix user identity with domain name: (Only applies to Microsoft Active Directory) Check to allow Identify to prefix the user identity with the domain name.
  • Identity's LDAP attribute: specifies the LDAP attribute that is used as the user name. It can be a pre-defined attribute (such as email address, telephone number or employee ID) or one newly added in the LDAP Attribute Definitions UI. Only a single-valued attribute should be used for this setting.
  • LdapWS service name: Specifies the LdapWS tenant (please refer to LDAP Web Service Settings) used for this connection.
  • Ldap attribute to specify the primary account: Specifies the LDAP attribute which is used to specify the primary account if a user cannot be uniquely identified by the identity filter above.
  • Primary account attribute value: The value to be used to filter in “LDAP attribute to specify the primary account”.
  • Use on screen keyboard: allows the user to enter his password via an on-screen keyboard. The default is False. When it is checked, the login page looks like the one below:

[Image: ldap 1 (login page with the on-screen keyboard enabled)]

  • Enable reset password: allows the user to change his/her password on the Login page. The password will be auto-generated following the password policy of the LDAP-WS.
  • Roles that skip reset password: if the user has one of the role(s) in this setting, Identify will ignore the change password request.
  • Check for deactivated users when resetting a password.
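The following is an added illustration, not code from the Identify product, of the lookup described by the "Identity's LDAP attribute", "Ldap attribute to specify the primary account" and "Primary account attribute value" settings above: the user is first looked up by the identity attribute, and only when that filter matches more than one entry is the primary account attribute used to narrow the result. The function names, the in-memory directory entries and the attribute names are all hypothetical; the filter escaping follows RFC 4515.

```powershell
# Added example (not Identify's own code). Resolves a user the way an LdapProvider-style
# connection does: identity attribute first, primary account attribute as the tie-breaker.

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the characters that have structural meaning inside an LDAP search filter
    # (RFC 4515) so that an identity value is matched literally.
    # Backslash is escaped first so the escape sequences added afterwards stay intact.
    return $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Resolve-LdapUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][hashtable[]]$Entries,          # directory entries (here: in-memory hashtables)
        [Parameter(Mandatory)][string]$IdentityAttribute,     # "Identity's LDAP attribute"
        [Parameter(Mandatory)][string]$IdentityValue,         # identity presented at login
        [string]$PrimaryAccountAttribute,                     # "Ldap attribute to specify the primary account"
        [string]$PrimaryAccountValue                          # "Primary account attribute value"
    )
    # The filter a real search would send; built here so the escaping is visible with -Verbose.
    $filter = "($IdentityAttribute=$(ConvertTo-LdapFilterValue -Value $IdentityValue))"
    Write-Verbose "Identity filter: $filter"

    # Against a live directory this would be a DirectorySearcher call; the sample data
    # is evaluated in memory so the example runs offline.
    $found = @($Entries | Where-Object { $_[$IdentityAttribute] -eq $IdentityValue })
    if ($found.Count -eq 0) { throw "No directory entry matched $filter" }
    if ($found.Count -eq 1) { return $found[0] }

    # More than one entry: the identity attribute alone is not unique for this user.
    if (-not $PrimaryAccountAttribute) {
        throw "Filter $filter matched $($found.Count) entries and no primary account attribute is configured"
    }
    $primary = @($found | Where-Object { $_[$PrimaryAccountAttribute] -eq $PrimaryAccountValue })
    if ($primary.Count -ne 1) {
        throw "($PrimaryAccountAttribute=$PrimaryAccountValue) narrowed $($found.Count) entries to $($primary.Count); exactly one is required"
    }
    return $primary[0]
}

# Constructed sample entries (not real data): one mailbox is shared by a regular
# account and a secondary admin account, so 'mail' alone is not unique for that user.
$sampleEntries = @(
    @{ sAMAccountName = 'jdoe';       mail = 'j.doe@example.com';   employeeType = 'Primary' },
    @{ sAMAccountName = 'jdoe-admin'; mail = 'j.doe@example.com';   employeeType = 'Secondary' },
    @{ sAMAccountName = 'asmith';     mail = 'a.smith@example.com'; employeeType = 'Primary' }
)

# Unique hit on the identity attribute alone.
(Resolve-LdapUser -Entries $sampleEntries -IdentityAttribute 'mail' -IdentityValue 'a.smith@example.com').sAMAccountName

# Ambiguous hit, disambiguated by the primary account settings.
(Resolve-LdapUser -Entries $sampleEntries -IdentityAttribute 'mail' -IdentityValue 'j.doe@example.com' `
    -PrimaryAccountAttribute 'employeeType' -PrimaryAccountValue 'Primary').sAMAccountName

# Same ambiguous hit without a primary account attribute configured: the lookup fails.
try {
    Resolve-LdapUser -Entries $sampleEntries -IdentityAttribute 'mail' -IdentityValue 'j.doe@example.com' -Verbose
} catch {
    Write-Warning $_
}

# A value containing filter metacharacters is escaped rather than interpreted.
ConvertTo-LdapFilterValue -Value 'Doe (contractor)'
```

The check worth doing in your own directory before going live is the one the third call fails on: confirm that the attribute chosen as "Identity's LDAP attribute" yields at most one entry per user, or that the primary account attribute reliably narrows every shared value to exactly one account.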

The LdapProvider authentication connection also includes a range of fields for setting up a two-factor authentication process. Each of these fields is explained below.

  • Second factor authentication connection: If you want this LdapProvider Authentication Connection to use a second factor, you must choose that second factor among the Authentication Connections that have been set up in the system. This also encompasses all the One Time Password Connections.
  • Two factor identities condition: When using two different Authentication Connections together (which is what you do when setting up two-factor authentication), the two may try to identify the incoming user based on two different identity bearing claims. This dropdown is activated once the connection has been given a second factor. Options in the dropdown are:
    • Use the first identity: The system disregards the “Identity bearing claim” value of the second factor and identifies the user based on the first one only.
    • Two identities must be the same: The user is not allowed to log in unless the identity of the user for the first factor is identical to that of the second factor.
  • Use as second factor only: If you want the Authentication Connection to be used only as the second factor for other connections, and not offered to users as a primary connection option, set this checkbox to true.
  • Ignored by second factor roles claim type: If there are subsets of users that you will allow to log in without authenticating using the second factor, you must specify who these users are based on a rule. The rule states that any user who has a specific value for a specific claim type is excluded from the second factor. This setting specifies which claim type will be tested; the setting below (“Ignored by second factor roles”) states which values (roles) exempt the user. Identify searches for the claim in both the received assertion and the local store.
  • Ignored by second factor roles: The list of roles (claim type values) of which a user must have at least one in order to avoid having to authenticate via the second factor. Use a colon as the separator between these roles.
  • Ignore roles check: If you do not want to let anyone log in without also authenticating via the second factor (thus in effect ignoring the two settings above), set this checkbox to true.
  • Custom authentication view: allows a custom view to be selected instead of the default view.
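As an added example (not Identify's own code), the two decisions described in the fields above are written out as small functions over constructed claim sets, so that the precedence between "Ignore roles check", the claim type setting and the colon-separated role list is explicit, and so that the two "Two factor identities condition" options can be compared side by side. The function names and the sample claims are hypothetical.

```powershell
# Added example (not Identify's own code): second-factor exemption and identity condition
# as described by the LdapProvider two-factor settings.

function Test-SecondFactorRequired {
    param(
        [Parameter(Mandatory)][hashtable[]]$AssertionClaims,   # claims received from the first factor
        [Parameter(Mandatory)][hashtable[]]$LocalStoreClaims,  # claims Identify holds for the user locally
        [string]$IgnoredRolesClaimType,                        # "Ignored by second factor roles claim type"
        [string]$IgnoredRoles,                                 # "Ignored by second factor roles" (colon-separated)
        [bool]$IgnoreRolesCheck = $false                       # "Ignore roles check"
    )
    # "Ignore roles check" takes precedence: with it set, nobody bypasses the second factor.
    # An empty claim type or role list likewise leaves the second factor mandatory.
    if ($IgnoreRolesCheck -or -not $IgnoredRolesClaimType -or -not $IgnoredRoles) { return $true }

    # Split the configured list on the colon separator and drop blanks.
    $exemptRoles = @($IgnoredRoles -split ':' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Identify searches both the received assertion and the local store for the claim type.
    $userRoles = @($AssertionClaims + $LocalStoreClaims |
        Where-Object { $_.Type -eq $IgnoredRolesClaimType } |
        ForEach-Object { $_.Value })

    # Holding at least one of the listed roles exempts the user from the second factor.
    $hasExemptRole = @($userRoles | Where-Object { $exemptRoles -contains $_ }).Count -gt 0
    return -not $hasExemptRole
}

function Test-TwoFactorIdentities {
    param(
        [Parameter(Mandatory)][string]$FirstIdentity,    # identity bearing claim value from the first factor
        [Parameter(Mandatory)][string]$SecondIdentity,   # identity bearing claim value from the second factor
        [Parameter(Mandatory)][ValidateSet('UseFirstIdentity', 'MustBeTheSame')][string]$Condition
    )
    switch ($Condition) {
        'UseFirstIdentity' { return $true }                              # second identity is disregarded
        'MustBeTheSame'    { return ($FirstIdentity -eq $SecondIdentity) } # login refused when they differ
    }
}

# Constructed sample claims (not real data).
$assertionClaims = @(
    @{ Type = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'; Value = 'jdoe' }
)
$localStoreClaims = @(
    @{ Type = 'role'; Value = 'ServiceDesk' }
)

# Exempt through a role found in the local store.
Test-SecondFactorRequired -AssertionClaims $assertionClaims -LocalStoreClaims $localStoreClaims `
    -IgnoredRolesClaimType 'role' -IgnoredRoles 'ServiceDesk:Kiosk'

# Same user, but "Ignore roles check" is set: the second factor is required anyway.
Test-SecondFactorRequired -AssertionClaims $assertionClaims -LocalStoreClaims $localStoreClaims `
    -IgnoredRolesClaimType 'role' -IgnoredRoles 'ServiceDesk:Kiosk' -IgnoreRolesCheck $true

# Identity condition: a UPN from the second factor does not equal the first factor's account name.
Test-TwoFactorIdentities -FirstIdentity 'jdoe' -SecondIdentity 'jdoe@example.com' -Condition 'MustBeTheSame'
Test-TwoFactorIdentities -FirstIdentity 'jdoe' -SecondIdentity 'jdoe@example.com' -Condition 'UseFirstIdentity'
```

The last two calls show why the identity condition matters when the two connections use different identity bearing claims: with "Two identities must be the same" the login is refused, with "Use the first identity" it proceeds on the first factor's identity alone.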

There is also an option to enable or disable support for specialized web pages for mobile use:

  • Enabled for mobile use

Windows integrated settings:

  • Registry: disable the loopback check by setting the DisableLoopbackCheck registry value:
  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate and then click the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

  3. Right-click Lsa, point to New, and then click DWORD Value.
  4. Type DisableLoopbackCheck, and then press ENTER.
  5. Right-click DisableLoopbackCheck, and then click Modify.
  6. In the Value data box, type 1, and then click OK.
  7. Quit Registry Editor, and then restart your computer.
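The same registry change as the regedit steps above, done from an elevated PowerShell session and read back for verification. This is an added example, not part of the Identify documentation; the function names are hypothetical, the key path and value name are the ones given in the steps.

```powershell
# Added example (not from the Identify documentation): set and verify DisableLoopbackCheck.
# Run from an elevated (Administrator) PowerShell session; a restart is still required afterwards.

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Set-DisableLoopbackCheck {
    param([ValidateSet(0, 1)][int]$Value = 1)
    # REG_DWORD DisableLoopbackCheck = 1 switches the loopback check off for every host name
    # on this machine; writing 0 (or removing the value) restores the check.
    # -Force overwrites the value if the regedit steps have already created it.
    New-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-DisableLoopbackCheck {
    # Returns the current value, or $null when the value has never been created.
    (Get-ItemProperty -Path $lsaKey -Name 'DisableLoopbackCheck' -ErrorAction SilentlyContinue).DisableLoopbackCheck
}

Set-DisableLoopbackCheck -Value 1
Get-DisableLoopbackCheck   # expect 1 after the call above
```

Note that this value disables the loopback check for all host names on the machine, which is what the steps on this page configure. Microsoft's guidance for the same symptom also documents a narrower alternative, the REG_MULTI_SZ value BackConnectionHostNames under HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 listing only the host names to exempt; that alternative is not described on this page, so the example sticks to the global switch.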
  • Browser settings:

Internet Explorer, Chrome, Safari:

Tools > Options > Security > Local Intranet > Sites: add the Identify website

Tools > Options > Security > Local Intranet > Custom Level… > User Authentication > Logon > Automatic logon only in Intranet Zone

Firefox:

Logging

  • Event 999 followed by another event: there is a problem with the LDAP Web Service Settings; the following event describes the LDAP Web Service Settings failure in detail.
  • Event 97: the following event describes the license issue in detail.
  • Event 143: describes why the LDAP claims transformation failed:
    • No LDAP-WS is attached.
    • The specified filter is not sufficient to uniquely identify a user, so his or her attributes cannot be fetched.
    • The ClaimsPrincipal didn't contain a claim whose type is {0}. That claim is required to extract the user identity used to look up more claims.