LDAP Web Services
It is located at Settings > LDAP Web Services. Each LDAP web service entry contains all the settings needed to make a successful call to an LDAP web service tenant.
The LDAP web service uses SSL certificate mutual authentication between the LDAP web service and the client (in this case, Safewhere Identify). This type of binding requires that:
- An LDAP web service tenant must have its own certificate (referred to as the server certificate in the remainder of the section).
- A client that needs to communicate with LDAP web service must also have its own certificate (referred to as the client certificate in the remainder of the section).
- The machine that the LDAP web service is running on must trust the client certificate. This means that the public key of the client certificate must be imported to the LocalMachine/TrustedPeople store on the server machine.
- The machine that the client is running on must trust the server certificate. This means that the public key of the server certificate must be imported to the LocalMachine/TrustedPeople store on the client machine.
UI fields are explained below:
- Name: A unique name for the LDAP Web Service Settings. This name only needs to be meaningful in Identify’s context.
- Client Certificate: The settings for client certificates, including Store Location, Store Name, Find Type, and Find Value. All fields are required.
- Server Certificate: The settings for the server certificate, including Store Location, Store Name, Find Type, Find Value, and Raw Certificate. Fill in either Raw Certificate directly or the four store-lookup fields.
- Endpoint Identity: The server certificate’s subject. It is generated automatically once the server certificate has been entered, for instance, “ADFS Two factor server certificate”.
- Service URL: The fully qualified URL of the LDAP Web Service endpoint (the URL that Identify calls), for instance, http://ldapws34r3.safewhere.local/LdapCredentialsService.svc.
There is also a Test button, which can be used to validate the configuration (that is, to ensure that Identify is able to contact LDAP web service). Remember to save your changes before clicking the Test button.
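The trust setup described above (exporting each side's public certificate and importing it into the peer's LocalMachine/TrustedPeople store) and the Store Location / Store Name / Find Type / Find Value lookup used by the Client Certificate and Server Certificate fields can be scripted and checked before pressing the Test button. The following PowerShell is an added example and is not part of Safewhere Identify or its documentation. It assumes Windows PowerShell 5.1 or later with the built-in PKI module (Export-Certificate and Import-Certificate), an elevated session on each machine, and that both certificates are identified by thumbprint; the function names and the thumbprint and file-path values are placeholders.

```powershell
# Added example, not Safewhere's code. Assumes Windows PowerShell 5.1+, the PKI module,
# and an elevated session. Thumbprints and paths are placeholders.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Step 1 (on the machine that owns the certificate): export only the public part.
# A .cer file never contains the private key, so it can be copied to the peer.
function Export-PublicCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $OutFile
    )
    # Thumbprints in the store are upper-case hex with no spaces; normalise the input.
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate with thumbprint $wanted in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $wanted has no private key; this side cannot authenticate with it"
    }
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null
    return $cert.Thumbprint
}

# Step 2 (on the peer machine): place the public certificate in LocalMachine\TrustedPeople,
# which is the store the LDAP web service binding consults for the other party's certificate.
function Add-TrustedPeerCertificate {
    param([Parameter(Mandatory)] [string] $CerFile)
    $imported = Import-Certificate -FilePath $CerFile -CertStoreLocation Cert:\LocalMachine\TrustedPeople
    return $imported.Thumbprint
}

# Step 3: resolve a certificate the way the UI's Store Location / Store Name / Find Type /
# Find Value fields describe it, using the same .NET X509Store API those fields map onto.
function Find-ConfiguredCertificate {
    param(
        [ValidateSet('LocalMachine', 'CurrentUser')] [string] $StoreLocation = 'LocalMachine',
        [string] $StoreName = 'My',
        [System.Security.Cryptography.X509Certificates.X509FindType] $FindType = 'FindByThumbprint',
        [Parameter(Mandatory)] [string] $FindValue
    )
    $location = [System.Security.Cryptography.X509Certificates.StoreLocation] $StoreLocation
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $location)
    $store.Open('ReadOnly')
    try {
        # validOnly = $false so an expired certificate is reported below instead of silently skipped.
        $found = $store.Certificates.Find($FindType, $FindValue, $false)
        if ($found.Count -ne 1) {
            throw "Expected exactly one match for $FindType='$FindValue' in $StoreLocation\$StoreName, found $($found.Count)"
        }
        return $found[0]
    } finally {
        $store.Close()
    }
}

# Step 4 (on the Identify host): the checks the Test button depends on, run locally first.
# Returns the server certificate subject, which is the value shown in Endpoint Identity.
function Test-LdapWsCertificateBinding {
    param(
        [Parameter(Mandatory)] [string] $ClientThumbprint,
        [Parameter(Mandatory)] [string] $ServerThumbprint
    )
    $client = Find-ConfiguredCertificate -StoreName 'My' -FindValue $ClientThumbprint
    if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key' }
    $server = Find-ConfiguredCertificate -StoreName 'TrustedPeople' -FindValue $ServerThumbprint
    $now = Get-Date
    foreach ($c in @($client, $server)) {
        if ($c.NotBefore -gt $now -or $c.NotAfter -lt $now) {
            throw "Certificate $($c.Thumbprint) is outside its validity period"
        }
    }
    return $server.Subject
}

# Usage (placeholder thumbprints):
#   On the Identify host:   Export-PublicCertificate -Thumbprint '<CLIENT_THUMBPRINT>' -OutFile C:\temp\identify-client.cer
#   On the LDAP WS host:    Add-TrustedPeerCertificate -CerFile C:\temp\identify-client.cer
#   Repeat in the other direction for the server certificate, then on the Identify host:
#   Test-LdapWsCertificateBinding -ClientThumbprint '<CLIENT_THUMBPRINT>' -ServerThumbprint '<SERVER_THUMBPRINT>'
```

The lookup function insists on exactly one match: FindBySubjectName does a substring match, so a Find Value such as "server" can return several certificates, and the binding would then pick one you did not intend. Use FindByThumbprint in the UI where possible, and if Find-ConfiguredCertificate reports more than one match, tighten the Find Value before saving the entry.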