Using Active Directory (AD) as Identity Source
Identity Management Framework can synchronize users and their associated groups from Active Directory (AD) to SafeNet Trusted Access (STA). If you already have users and groups in AD, you can use Identity Management Framework to synchronize them to STA. The solution connects to both systems through custom connectors and can create, update, and delete both users and groups.
The solution is preconfigured using XML files that you import into Identity Management Framework. This removes the need to configure by hand the connectors, roles, and templates required to synchronize users and groups; you can still modify the configuration later to suit your environment.
Run only one of SafeNet Synchronization Agent and Identity Management Framework at a time for synchronization from AD to STA; do not run both concurrently.
The image below displays the connection between AD connector and STA.
Supported Use Cases
This section lists the use cases supported by the Active Directory (AD) connector when synchronizing with SafeNet Trusted Access (STA) through Identity Management Framework.
Use Case | Description
---|---
User Synchronization | Supports all Create, Read, Update, and Delete (CRUD) operations.
Group Synchronization | Supports all Create, Read, Update, and Delete (CRUD) operations.
User Live Synchronization | Synchronizes changes to existing users and the creation of new users.
Group Live Synchronization | Synchronizes changes to existing groups and the creation of new groups.
User and Group Filtering | Synchronizes only the specified users and groups.
The complete solution is tested at the forest level, which consists of a forest root domain, its subdomain or child domain (for example, mytestdomain.org is a forest domain and child.mytestdomain.org is its child domain), and a tree root domain (for example, mydemodomain.org). For setups with additional domain controllers, contact Thales Support.
The Group type must be Universal when there is tree-root trust between two domains.
Limitations
The following limitations apply when synchronizing the AD connector with STA through Identity Management Framework:
- A user group cannot be updated in Identity Management Framework if it is associated with a provisioning rule in STA.
- STA does not support nested group synchronization.
- Duplicate groups (two groups with the same name in the domain controller) cannot be synced to STA. In this scenario, only one group is synced to STA, on a First Come, First Served (FCFS) basis, and the users from both duplicate groups are synced into that single group.
- User password synchronization to STA is not supported.
Prerequisites
You need to set up a certificate, XML files, and connectors before you can run the Active Directory (AD) connector with Identity Management Framework.
Ensure that an Identity Management Framework instance is installed and running on your machine.
As prerequisites:
- Configure your SafeNet Trusted Access (STA) Connector in Identity Management Framework
- Add the Active Directory Certificate in the Identity Management Framework keystore
- Import the Connector XML File in Identity Management Framework
- Import the Template XML File in Identity Management Framework
Configuring your SafeNet Trusted Access (STA) Connector in Identity Management Framework
Configure the SafeNet Trusted Access (STA) Connector in Identity Management Framework by performing the steps mentioned in SafeNet Trusted Access IdM Connector documentation.
Adding the Active Directory Certificate in the Identity Management Framework keystore
To establish trust between Active Directory and Identity Management Framework, add the Root CA certificate to the Identity Management Framework keystore.
Perform the following steps to add the Root CA certificate to the Identity Management Framework keystore:
- Obtain the Root CA issuing certificate from the Certificate Manager. You can download the certificate from the Active Directory (AD) server machine.
- Stop Identity Management Framework.
- Copy the certificate into the midpoint-installation-directory/var directory (for example, /opt/midpoint/var).
- Open a terminal in that directory (the command refers to keystore.jceks and the certificate file by relative path) and run the following command:
  keytool -keystore keystore.jceks -storetype jceks -import -alias <alias_name> -trustcacerts -file <path_to_certificate_file>
  For example:
  keytool -keystore keystore.jceks -storetype jceks -import -alias ADCert -trustcacerts -file IssuingCertificate.crt
- Enter the keystore password and, when asked whether to trust the certificate, enter Y.
- Start Identity Management Framework.
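The keystore import above and the connector settings later on this page (port 636, connection security ssl, TLSv1.2) describe one trust relationship: Identity Management Framework must accept the domain controller's LDAPS certificate because it chains to the imported Root CA. The following stand-alone check is an added example, not part of the Thales documentation or of Identity Management Framework; it rebuilds that relationship with the Python standard library so that a certificate-related Test connection error can be reproduced and explained outside the administrator console. The host name and file name in main() are assumptions.

```python
"""LDAPS trust check for an Active Directory domain controller.

Added example: not part of the Thales documentation or of Identity
Management Framework. It reproduces the connector settings on this page
(port 636, connection security "ssl", TLSv1.2) with the Python standard
library and verifies the domain controller certificate against the Root CA
file that was imported into the keystore. The host name and file name used
in main() are assumptions.
"""
import json
import socket
import ssl


def build_ldaps_context(ca_file: str) -> ssl.SSLContext:
    """Client TLS context equivalent to the connector settings.

    Trust only the Root CA that was imported (like the keystore, which trusts
    only what was imported into it), require a server certificate, check the
    host name and refuse anything older than TLS 1.2.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # no default trust store loaded
    ctx.load_verify_locations(cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def classify(error_type: str, message: str) -> str:
    """Map a failure (exception class name and message) to the remediation this guide gives."""
    text = message.lower()
    if error_type == "FileNotFoundError":
        return "CA file not found: point ca_file at the Root CA certificate you downloaded."
    if error_type == "SSLCertVerificationError" or "certificate verify failed" in text:
        if "hostname mismatch" in text or "doesn't match" in text:
            return ("Hostname mismatch: the Host value must match a name (or IP SAN) "
                    "present in the domain controller certificate.")
        return ("Root CA not trusted: import the issuing Root CA certificate into the "
                "Identity Management Framework keystore (keytool step).")
    if "protocol" in text or "handshake failure" in text:
        return "TLS negotiation failed: the server does not offer TLSv1.2 or newer."
    if error_type in ("ConnectionRefusedError", "TimeoutError", "timeout", "gaierror"):
        return "No LDAPS listener reached: check the Host value, port 636 and firewall rules."
    return "Unclassified error: " + message


def diagnose(exc: BaseException) -> str:
    """Convenience wrapper around classify() for a caught exception."""
    return classify(type(exc).__name__, str(exc))


def check_ldaps(host: str, ca_file: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Open a TLS session to host:port and report the negotiated protocol and server certificate.

    Returns {"ok": True, ...} on success, or {"ok": False, "error": ..., "hint": ...}
    with the remediation hint on failure.
    """
    try:
        ctx = build_ldaps_context(ca_file)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()  # already verified against the Root CA
                return {
                    "ok": True,
                    "protocol": tls.version(),
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                    "not_after": cert["notAfter"],
                }
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "error": str(exc), "hint": diagnose(exc)}


if __name__ == "__main__":
    # Assumed values; replace with your domain controller and the Root CA file you imported.
    print(json.dumps(check_ldaps("dc01.example.com", "IssuingCertificate.crt"), indent=2))
```

Run it from the machine that hosts Identity Management Framework, with the same certificate file you passed to keytool. A successful result prints the issuer, which should be the Root CA you imported; the "Root CA not trusted" hint is the same condition that produces the certificate error on Test connection.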
Importing the Connector XML File in Identity Management Framework
The Active Directory (AD) connector .xml file contains the initial configuration of the connector. Perform the following steps to import the AD connector .xml file (for example, Active_Directory.xml) into Identity Management Framework:
- Click here to download the Active_Directory.xml file and save it on your local machine.
- Log in to the Identity Management Framework administrator console as an administrator.
- On the Identity Management Framework administrator console, in the left pane, scroll down, click Import object, and perform the following steps to set up the connector .xml file:
  - Under Options, select the Keep OID checkbox.
  - In the Get objects from field, ensure that the File option is selected.
  - Click Choose File to upload the Active_Directory.xml file.
  - Click Import object.
- In the left pane, click Resources > All resources. The AD resource is displayed in the right pane.
Importing the Template XML File in Identity Management Framework
The template XML files enable you to sync users and groups to SafeNet Trusted Access (STA). Perform the following steps to import the template XML files into Identity Management Framework:
- Click here to download the following template XML files and save them on your local machine:
  - RoleTemplate_for_AD.xml: Contains the mappings used to assign a meta role to the groups imported from AD.
  - UserTemplate_for_AD.xml: Contains the mappings used to assign a role (the STA user role) to the users imported from AD.
  - MetaRole_for_STA.xml: Creates a meta role in Identity Management Framework. The meta role acts as a super role and is used to create a group in STA along with the users' membership.
  - STA_user_role.xml: Creates a role in Identity Management Framework. The role is used to create users in STA automatically.
- Perform the following steps to import one of the XML files that you downloaded in the previous step:
  - On the Identity Management Framework administrator console, in the left pane, scroll down, and click Import object.
  - Under Import object, in the right pane, under Options, select the Keep OID checkbox.
  - Under Get objects from, ensure that the File option is selected, and then click Choose File to upload the XML file.
  - Click Import object.
- Repeat step 2 for the remaining template XML files.
Granting Access Rights to the Service Account
It is recommended to use a delegated administrator account (Service account) for the Active Directory (AD) connector configuration. Perform the following steps to grant access rights to the Service account (for example, iamadmin):
- On the Windows Start menu, go to Server Manager > Tools > Active Directory Users and Computers.
- Expand the domain and right-click Users.
- Click Delegate Control.
- Delegate at least the following minimum required permissions to the Service account (for example, iamadmin) using the Active Directory domain Delegate Control mechanism:
  - Create, delete and manage user accounts
  - Reset user passwords and force password change at next logon
  - Read all user information
  - Create, delete and manage groups
  - Modify the membership of a group
  - Create, delete and manage inetOrgPerson accounts
  - Reset inetOrgPerson accounts and force password change at next logon
  - Read all inetOrgPerson information
If you face any permission-related issue, you can use an account with Administrative privileges.
Configure your Active Directory (AD) Connector in Identity Management Framework
Configuring the Active Directory (AD) connector in Identity Management Framework enables user and group synchronization. Perform the following steps to configure a working AD connector in Identity Management Framework:
- On the Identity Management Framework administrator console, in the left pane, click Resources > All resources.
- In the right pane, under All resources, click the Active Directory resource that you created earlier as a prerequisite.
  Ignore the validation warnings at the top of the window. They disappear once you complete all the configuration steps.
- On the Active Directory resource window, scroll down, and perform the following steps:
  - In the left pane, click Basic, and in the right pane, perform the following steps to configure the resource:
    - In the Name field, modify the name of the resource as per your preferred configuration (for example, Active Directory (AD) Connector). This is for identification purposes only.
    - [Optional] In the Description field, enter a description of the resource.
    - In the connectorRef field, ensure that the AD connector is selected (for example, Connid com.evolveum.polygon.connector.ldap.ad.AdLdapConnector v3.7).
  - In the left pane, click Connector configuration, and in the right pane, modify the following field values to match your AD configuration:
    - In the Host field, replace the existing value with the hostname or IP address of your Active Directory server (for example, localhost).
    - In the Port field, ensure that 636 is entered.
    - In the Connection security field, ensure that ssl is entered.
    - In the SSL protocol field, ensure that TLSv1.2 is entered as the standard name for the protocol.
    - In the Bind DN field, replace the field value with the Distinguished Name (DN) of the Active Directory service account (for example, CN=Iamadmin,CN=Users,DC=example,DC=com) that you created earlier as a prerequisite.
    - In the Bind password field, click Change and enter the password of your Service account.
    - In the Repeat Password field, enter the same password again.
    - In the Base context field, replace the field value with the base context of your Active Directory server (for example, DC=example,DC=com).
    - In the Paging block size field, update the value as per your preferred configuration.
    - Click Save to save the configuration.
  - On the All resources window, click the Active Directory connector; on the resource, click Test connection to verify the configuration, and then click OK.
    If the connection test reports an error, check your AD connector configuration. For any error related to the certificate, ensure that you have added the Active Directory Root CA certificate to your Identity Management Framework keystore, as described in Adding the Active Directory Certificate in the Identity Management Framework keystore.
  - In the left pane, click Schema handling. Schema handling contains the attribute mappings for both users and groups for synchronization.
    The default values are case-sensitive.
    You can configure Schema handling for:
    - Accounts
    - Groups
Accounts
You can view or edit attribute mappings and synchronization for users by performing the following steps:
- In the right pane, in the Display name column, click Account.
- On the Object type wizard window, select the Mappings tile.
- On the Inbound mappings tab, the users' attribute mapping is displayed. Ensure that mappings exist for all the attributes, as shown in the screenshot below.
- Click Save mappings to save any changes; otherwise, click Exit wizard.
- On the Object type wizard window, select the Synchronization tile.
  The Synchronization window displays the synchronization properties (configuration) of a resource object (user or group). It specifies the action Identity Management Framework takes when a new synchronization event is detected. For example, when an event related to account creation or deletion is detected, the action can be to create a new user, delete or disable an existing user, ignore the event, and so on.
- On the Object type wizard, click the Back to object type link to exit the window.
You can edit an attribute mapping as per your preferred configuration. Refer to the Adding or Modifying an Attribute Mapping section.
On the Synchronization window, ensure that all the values are set, and then click Exit wizard.
Groups
You can view or edit attribute mappings and synchronization for groups by performing the following steps:
- In the right pane, in the Display name column, click Group.
- On the Object type wizard window, select the Mappings tile.
- On the Inbound mappings tab, the groups' attribute mapping is displayed. Ensure that mappings exist for all the attributes, as shown in the screenshot below.
- Click Save mappings to save any changes; otherwise, click Exit wizard.
- On the Object type wizard window, select the Synchronization tile.
  The Synchronization window displays the synchronization properties (configuration) of a resource object (user or group). It specifies the action Identity Management Framework takes when a new synchronization event is detected. For example, when an event related to account creation or deletion is detected, the action can be to create a new user, delete or disable an existing user, ignore the event, and so on.
- On the Object type wizard window, click the Back to object type link to exit the window.
You can edit an attribute mapping as per your preferred configuration. Refer to the Adding or Modifying an Attribute Mapping section.
On the Synchronization window, ensure that all the values are set, and then click Exit wizard.
Filtering Users and Groups for Synchronization
You can filter the users and groups to be synchronized into STA. To do so, specify the names of the groups to synchronize in the GroupList variable. Only the specified groups are synchronized, together with the users who are members of these groups.
Identity Management Framework synchronizes users within nested groups, where users are members of a group that is itself a member of another group. The synchronization options for groups retain group membership attributes for users only; the groups themselves appear in a flat structure within Identity Management Framework.
STA is not aware of trust relationships in AD and, consequently, is unaware of how groups are nested.
Perform the following steps to configure user and group filtering:
- On the resource window, in the left pane, click Schema handling, and in the right pane, click Account.
- On the Object type wizard window, select the Synchronization tile.
- On the Synchronization window, the configuration for users is displayed. In the table, for the Situation type Linked, click the edit icon, and then click Next: Action.
- Click Next: Optional settings.
- On the Optional settings window, perform the following steps:
  - In the Language field, select Groovy (default).
  - Copy the code from the AD_User_Filtering_Script.groovy file available in the package.
  - In the Code field, paste the code that you copied in the previous step.
- Similarly, follow steps 2 to 5 for the rest of the Situation types (Deleted, Unlinked, and Unmatched).
  Only the users of the groups listed in the GroupList variable are synchronized to STA.
- Click Save synchronization settings at the end.
- Similarly, follow the above steps for groups. The code for groups is available in the AD_Group_Filtering_Script.groovy file.
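The filtering scripts themselves ship in the package and are not reproduced on this page. To make the decisions they encode concrete, the following Python model is an added example and is not the AD_User_Filtering_Script.groovy or AD_Group_Filtering_Script.groovy code (those run inside Identity Management Framework as Groovy synchronization scripts). It applies the rules stated above and in the Limitations section to a constructed sample directory: only groups named in GroupList are synchronized; a user is accepted if a listed group contains them directly or through a nested group, and arrives with a flat list of group names; of two groups with the same name only the first seen is kept and the members of both land in that one group. The GROUP_LIST value and every DN below are constructed sample data.

```python
"""Model of the GroupList-based filtering applied before synchronization to STA.

Added example, not the AD_User_Filtering_Script.groovy or
AD_Group_Filtering_Script.groovy scripts shipped in the package. The
directory below is constructed sample data.
"""
from typing import Dict, List, Optional, Set

# Constructed sample: the GroupList variable and a flat view of the domain,
# group DN -> member DNs (a member that is itself a key is a nested group).
GROUP_LIST = ["STA-Users", "VPN-Users"]

GROUPS: Dict[str, List[str]] = {
    "CN=STA-Users,OU=Groups,DC=example,DC=com": [
        "CN=Alice,CN=Users,DC=example,DC=com",
        "CN=Helpdesk,OU=Groups,DC=example,DC=com",      # nested group
    ],
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": [
        "CN=Bob,CN=Users,DC=example,DC=com",
    ],
    "CN=VPN-Users,OU=Groups,DC=example,DC=com": [
        "CN=Carol,CN=Users,DC=example,DC=com",
    ],
    "CN=VPN-Users,OU=Contractors,DC=example,DC=com": [  # duplicate name in another OU
        "CN=Dave,CN=Users,DC=example,DC=com",
    ],
    "CN=Finance,OU=Groups,DC=example,DC=com": [         # not in GroupList
        "CN=Erin,CN=Users,DC=example,DC=com",
    ],
}


def rdn_value(dn: str, attr: str = "CN") -> str:
    """Return the first value of `attr` in a DN (simple DNs only; escaped commas are not handled)."""
    for part in dn.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == attr.upper():
            return value.strip()
    return ""


def groups_by_name(groups: Dict[str, List[str]], group_list: List[str]) -> Dict[str, List[str]]:
    """Collect the DNs whose name is in GroupList, keyed by lower-cased name.

    AD group names compare case-insensitively. The insertion order of `groups`
    is the order the connector sees them, so the first DN in each list is the
    one that wins on a First Come, First Served basis.
    """
    wanted = {name.lower() for name in group_list}
    found: Dict[str, List[str]] = {}
    for dn in groups:
        name = rdn_value(dn).lower()
        if name in wanted:
            found.setdefault(name, []).append(dn)
    return found


def flat_members(groups: Dict[str, List[str]], group_dn: str,
                 seen: Optional[Set[str]] = None) -> Set[str]:
    """Expand nested membership into a flat set of user DNs, guarding against cycles."""
    seen = set() if seen is None else seen
    users: Set[str] = set()
    if group_dn in seen:
        return users
    seen.add(group_dn)
    for member in groups.get(group_dn, []):
        if member in groups:          # nested group: flatten it
            users |= flat_members(groups, member, seen)
        else:
            users.add(member)
    return users


def group_is_synced(group_dn: str, groups: Dict[str, List[str]], group_list: List[str]) -> bool:
    """Decision for one group: named in GroupList and the first DN seen with that name."""
    dns = groups_by_name(groups, group_list).get(rdn_value(group_dn).lower(), [])
    return bool(dns) and dns[0] == group_dn


def filter_users(groups: Dict[str, List[str]], group_list: List[str]) -> Dict[str, List[str]]:
    """Decision for users: user DN -> sorted STA group names, for every user reaching a listed group.

    Users of a duplicate-named group are merged into the single surviving group;
    users found only in unlisted groups are dropped.
    """
    result: Dict[str, Set[str]] = {}
    for dns in groups_by_name(groups, group_list).values():
        sta_group = rdn_value(dns[0])          # display name of the surviving group
        for dn in dns:
            for user in flat_members(groups, dn):
                result.setdefault(user, set()).add(sta_group)
    return {user: sorted(names) for user, names in sorted(result.items())}


if __name__ == "__main__":
    for user, names in filter_users(GROUPS, GROUP_LIST).items():
        print(f"{user} -> {names}")
    for dn in GROUPS:
        print(f"{'sync' if group_is_synced(dn, GROUPS, GROUP_LIST) else 'skip'} {dn}")
```

In the sample, Bob is only a member of Helpdesk, yet he is synchronized as a member of STA-Users because Helpdesk is nested inside it and the nesting is flattened; Helpdesk itself is not created in STA because it is not in GroupList. Carol and Dave end up in one VPN-Users group, which is the duplicate-group behaviour described under Limitations.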
Adding or Modifying an Attribute Mapping
Perform the following steps to add or modify an attribute mapping:
- In the right pane, in the Display name column, click Accounts.
- On the Object type wizard window, select the Mappings tile.
- Go to the Inbound mappings tab; the attribute mapping is displayed. Next to Lifecycle state, click the edit icon to edit an attribute, or the add icon to add a new attribute.
- The Main configuration window is displayed. Perform the following steps:
  - In the From resource attribute field, select an attribute.
  - In the Target field, enter the name of the IdM attribute (for example, givenName) that you want to map to the name attribute of STA.
Similarly, you can add or modify an attribute mapping for Groups.
By default, the Delete option is disabled. If you want to allow Identity Management Framework to delete user identities from Active Directory, enable the Delete option on the Details tab of the resource window.
Create Tasks
Tasks are created in Identity Management Framework to synchronize users and groups automatically at a specific time. You can create the following tasks in Identity Management Framework:
Import Tasks
You can create import tasks to synchronize users and groups.
Creating an Import Task to Synchronize Users
Perform the following steps to create an import task to synchronize users:
- On the Identity Management Framework administrator console, in the left pane, click Server tasks > Import tasks.
- Under Import tasks, in the right pane, click the New import task icon to add a new task.
- On the New Import task window, in the right pane, under Resource objects, perform the following steps:
  - In the Resource field, click Edit, and select your Active Directory connector (for example, Active Directory: Resource Type).
  - In the Kind field, select Account.
  - In the Intent field, select default.
  - In the Object class field, select user.
- Click Save to create the task.
Creating an Import Task to Synchronize Groups
Perform the following steps to create an import task to synchronize groups:
- Under Import tasks, in the right pane, click the New import task icon to add a new task.
- On the New Import task window, in the right pane, under Resource objects, perform the following steps:
  - In the Resource field, click Edit, and select your Active Directory connector (for example, Active Directory: Resource Type).
  - In the Kind field, select Entitlement.
  - In the Intent field, select group.
  - In the Object class field, select group.
- Click Save to create the task.
Live Synchronization Tasks
A Live synchronization task is created for users and groups. This task processes the events (creation, modification, or deletion) that represent changes to the resource objects, so that those changes are reflected on Identity Management Framework objects (and propagated to other resources, if needed).
The Live synchronization task does not detect changes to a user's group membership in AD; therefore, membership updates cannot be synchronized to IdM Framework through this task.
You can create Live synchronization tasks for users and groups.
Creating a Live Synchronization Task for Users
Perform the following steps to create a Live synchronization task for users:
- In the left pane, scroll down, click Server tasks > Live synchronization tasks.
- Under Live synchronization tasks, in the right pane, click the New live synchronization task icon to add a new task.
- On the New Live synchronization task window, perform the following steps:
  - Under Resource objects, perform the following steps:
    - In the Resource field, click Edit, and select your Active Directory connector (for example, Active Directory: Resource Type).
    - In the Kind field, select Account.
    - In the Intent field, select default.
    - In the Object class field, select user.
  - In the left pane, click Schedule, and in the right pane, in the Interval field, enter the interval in seconds (for example, 1200).
    The interval is the time period after which the task is automatically repeated until all the records are synchronized.
- Under Operations, click Save.
Creating a Live Synchronization Task for Groups
Perform the following steps to create a Live synchronization task for groups:
- In the left pane, scroll down, click Server tasks > Live synchronization tasks.
- Under Live synchronization tasks, in the right pane, click the New live synchronization task icon to add a new task.
- On the New Live synchronization task window, perform the following steps:
  - Under Resource objects, perform the following steps:
    - In the Resource field, click Edit, and select your Active Directory connector (for example, Active Directory: Resource Type).
    - In the Kind field, select Entitlement.
    - In the Intent field, select group.
    - In the Object class field, select group.
  - In the left pane, click Schedule, and in the right pane, in the Interval field, enter the interval in seconds (for example, 1200).
    The interval is the time period after which the task is automatically repeated until all the records are synchronized.
- Under Operations, click Save.
Reconciliation Tasks
A Reconciliation task is created to compare the data stored in the IGA platform with the data stored in the target systems.
You can create Reconciliation tasks for users and groups.
Creating a Reconciliation Task for Users
Perform the following steps to create a reconciliation task for users:
- On the Identity Management Framework administrator console, in the left pane, click Server tasks > Reconciliation tasks.
- Under Reconciliation tasks, in the right pane, click the New reconciliation task icon to add a new task.
- On the New Reconciliation task window, perform the following steps:
  - In the right pane, under Resource objects, perform the following steps:
    - In the Resource field, click Edit, and select your Active Directory connector (for example, Active Directory: Resource Type).
    - In the Kind field, select Account.
    - In the Intent field, select default.
    - In the Object class field, select user.
  - In the left pane, click Schedule, and in the right pane, in the Interval field, enter the interval in seconds (for example, 86400).
    The interval is the time period after which the task is automatically repeated until the data of all the users is reconciled.
- Under Operations, click Save.
Creating a Reconciliation Task for Groups
Perform the following steps to create a reconciliation task for groups:
- Under Reconciliation tasks, in the right pane, click the New reconciliation task icon to add a new task.
- On the New Reconciliation task window, perform the following steps:
  - In the right pane, under Resource objects, perform the following steps:
    - In the Resource field, click Edit, and select your Active Directory connector (for example, Active Directory: Resource Type).
    - In the Kind field, select Entitlement.
    - In the Intent field, select group.
    - In the Object class field, select group.
  - In the left pane, click Schedule, and in the right pane, in the Interval field, enter the interval in seconds (for example, 86400).
- Under Operations, click Save.
Running the Solution
You need to perform certain steps to run the tasks created earlier to synchronize users and groups with STA.
Duplicate users and groups cannot be synced to STA using Identity Management Framework.
Running the Import Task for Groups
Perform the following steps to run the import task to synchronize groups:
- On the Identity Management Framework administrator console, in the left pane, under ADMINISTRATION, click Server tasks > Import tasks.
- Under Import tasks, in the right pane, click the Import task: Active Directory for group (entitlement/group) task for groups that you created earlier under Create Tasks.
- On the Import task window, click Save and Run to execute the task.
Running the Import Task for Users
Perform the following steps to run the import task to synchronize users:
- On the Administrator console, in the left pane, scroll down and click Server tasks > Import tasks.
- In the right pane, under Import tasks, click the Import task: Active Directory for user (account/default) task for users that you created earlier under Create Tasks.
- On the Import task window, click Save and Run to execute the task.
Similarly, run the other tasks (Live synchronization and Reconciliation) for groups and users by following the steps above. Always run the group task before the user task.
Verifying Users and Groups in STA
You need to verify if the users and groups are successfully synced with STA.
Verifying Users in STA
Perform the following steps to verify that the users are successfully synced with STA:
- On the STA Management console, go to the Assignment tab.
- In the Search User module, you can search for the list of users that were pushed from Active Directory (AD) to STA. Alternatively, search for individual users to verify that each user is synchronized to STA.
Verifying Groups in STA
Perform the following steps to verify that the groups are successfully synced with STA:
- On the STA Management console, go to the Groups tab.
- Under Group Maintenance, select the Synchronized option. All the AD groups that are synchronized to STA should be displayed.