
    How to set up an LDAP login provider for Identify

    LDAP web service setup

    Install the LDAP web service configurator.

    Step 1: create the LDAP web service with settings like those in the following screenshot:

    [Screenshot: ldapws-new-instance]

    Step 2: in the "IIS setup" screen, update the settings as shown below:

    [Screenshot: ldapws-new-iis]

    Step 3: in the "Certificates" screen, update the certificate information:

    • Server certificate section: select the "LDAP web service server certificate"
    • Client certificate section: select the "LDAP web service client certificate"

    [Screenshot: ldapws-new-certificate]

    Step 4: once the LDAP web service has been created successfully, go to Safewhere Admin > Settings > "LDAP web service" tab:

    [Screenshot: swadmin-ldapws-list]

    Step 5: create an LDAP web service entry named "ldapwstest" that points to "http://#LDAPdomain/LdapCredentialsService.svc", as shown below:

    [Screenshot: swadmin-ldapws-edit-page]

    Step 6: after clicking the "Save" button, once the LDAP web service entry has been created successfully, you can use the "Test" button to verify the connection.

    [Screenshot: swadmin-ldapws-test-page]

    Claim Transformation for LDAP identity provider

    To convert the AD attributes returned by the AD server into Identify claims, create an LDAP transformation named "LDAP Claim Transformation" in Safewhere Admin. The following settings need to be updated:

    • LdapWS service name: choose "ldapwstest"
    • LDAP attribute to filter for user object: select "SAM-Account-Name"
    • Claim type to extract value from claims principal to match against the LDAP attribute Name: select Name claim.
    • Map the AD attributes to the Identify claim types.

    [Screenshot: swadmin-ldaptransformation]
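    The transformation configured above does three things at login time: it takes the value of the Name claim from the claims principal, looks the user up in AD by the filter attribute (SAM-Account-Name), and then maps the returned AD attributes onto Identify claim types. The following Python model of that flow is an added example, not Safewhere Identify code and not the LDAP web service's API; the in-memory directory, the attribute-to-claim-type mapping and every function name are constructed for illustration. The one point it adds beyond the page is the filter escaping: the claim value is escaped per RFC 4515 before it is placed in the LDAP filter, so that a value containing filter metacharacters matches nothing instead of changing the query.

```python
"""Added example: model of the LDAP claim-transformation flow.

Not Safewhere Identify code. The sample directory, the mapping table and the
function names are constructed for illustration only.
"""
import re

# Constructed stand-in for the entries the LDAP web service would return.
# Keys are AD attribute names; memberOf is multi-valued, as in AD.
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.test",
     "givenName": "John", "sn": "Doe",
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=test"]},
    {"sAMAccountName": "asmith", "mail": "asmith@example.test",
     "givenName": "Anna", "sn": "Smith", "memberOf": []},
]

# "Map the AD attributes to the Identify claim types" (illustrative mapping).
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ATTRIBUTE_TO_CLAIM_TYPE = {
    "mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "givenName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "sn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "memberOf": "http://schemas.xmlsoap.org/claims/Group",
}

# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a value so it can only ever be compared, never parsed as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(attribute, value):
    """Build the single-equality filter used to find the user object."""
    return f"({attribute}={escape_filter_value(value)})"


def _unescape(value):
    """Reverse RFC 4515 escaping when the stand-in directory evaluates a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


_EQ_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>[^()]*)\)$")


def search(directory, ldap_filter):
    """Stand-in for the LDAP web service search.

    Supports only the equality filter that build_user_filter produces and
    compares case-insensitively, as AD does for sAMAccountName.
    """
    m = _EQ_FILTER.match(ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, val = m.group("attr"), _unescape(m.group("val"))
    return [e for e in directory if str(e.get(attr, "")).lower() == val.lower()]


def transform_claims(principal_claims, directory,
                     filter_attribute="sAMAccountName", match_claim=NAME_CLAIM):
    """Apply the transformation to a list of (claim_type, value) tuples.

    Requires exactly one match claim and exactly one matching user; anything
    else is an error rather than a silent guess.
    """
    names = [v for (t, v) in principal_claims if t == match_claim]
    if len(names) != 1:
        raise ValueError(f"expected exactly one {match_claim} claim, got {len(names)}")
    entries = search(directory, build_user_filter(filter_attribute, names[0]))
    if len(entries) != 1:
        raise LookupError(f"expected exactly one user object, found {len(entries)}")
    user = entries[0]
    out = list(principal_claims)
    for attr, claim_type in ATTRIBUTE_TO_CLAIM_TYPE.items():
        values = user.get(attr)
        if values is None:
            continue
        if not isinstance(values, list):
            values = [values]
        out.extend((claim_type, v) for v in values)
    return out


if __name__ == "__main__":
    for claim in transform_claims([(NAME_CLAIM, "jdoe")], SAMPLE_DIRECTORY):
        print(claim)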

    LDAP identity provider setup

    Using Safewhere Admin, go to the "Identity providers" page, create an LDAP identity provider and update the following settings:

    Step 1: in the "Connection" tab:

    • Authentication type: select "FormBased"
    • Domain: input your AD domain name.
    • Identity's LDAP attribute: choose "SAM-Account-Name".
    • LDAP WS service name: choose the newly created "ldapwstest" LDAP web service.
    • LDAP attribute to specify the primary account: choose "SAM-Account-Name".

    [Screenshot: swadmin-ldap-auth-connection]

    Step 2: in the "Claim rules" tab, add the newly created LDAP transformation.

    [Screenshot: swadmin-ldap-auth-claimrule]

    Step 3: save the LDAP identity provider.

    If you prefer not to go through the web service, you can use "Direct AD" instead. See the instructions here.
