Configure Active Directory authentication
Semarchy xDM supports authentication with Active Directory using an Active Directory identity provider.
The Active Directory identity provider is an LDAP-like IDP specialized for Microsoft Active Directory, with a simplified configuration.
Supported capabilities
With this identity provider, the authenticating user credentials (user name and password) are entered in a login form.
The user’s Active Directory Groups are retrieved as the roles and the profile properties are synchronized from attributes of the user object.
Configuration
To configure Active Directory authentication, follow the steps to configure an identity provider with the Active Directory type, using the properties listed in the Configuration properties section.
For a simple Active Directory setup, refer to the Basic configuration section. If the basic configuration does not work with your Active Directory, review the Advanced configuration section to understand the default behavior of the identity provider and how to customize it.
Basic configuration
The basic configuration for Active Directory requires only the Active Directory Server URL, for example `ldap://acmecorporate.acme.com:389/`. Note that with a plain `ldap://` URL the user's password is sent to the directory in clear text during the bind; use an encrypted connection to the directory in production.
In addition, to allow users to connect with their user name (e.g., `john.doe`) instead of their full user principal name (e.g., `john.doe@acme.com`), you can provide the Active Directory Domain, for example `acme.com`.
During authentication, the list of groups is obtained from the `memberOf` attribute of the user object.
Advanced configuration
By default, users are authenticated and searched in the directory using an LDAP search filter, under a search base DN. You can configure both with advanced properties.
Search base
The search base is derived by default from the Active Directory Domain, or from the domain name provided in the user name. For example, if the Active Directory Domain is set to `acme.com`, or if `user1@acme.com` authenticates, the user is searched under the derived `dc=acme,dc=com` search base.
You can override and specify a User Search Base if the users are under a search base that does not correspond to the one derived from their domain. For example:
- if the Active Directory Domain is `acme.com` but all users are under the `dc=acmecorporate,dc=com` search base;
- if users have variable domain names (e.g., `user1@acme.com`, `user2@acme.ca`) but are all located under the same `dc=acmecorporate,dc=com` search base.
Search filter
Users are searched using their User Principal Name (UPN, the `userPrincipalName` attribute), which must match:
- the user name entered in the login form, if this user name includes a domain name. For example, if `user1@us.acmecorporate.com` logs in, this UPN is searched;
- the user name entered in the login form appended with the Active Directory Domain, if the user name does not include a domain. For example, if `user1` authenticates, the domain name (`acme.com`) is appended to the user name and the resulting value `user1@acme.com` is searched.
You can specify, using the User Search Filter, a different attribute than `userPrincipalName`. This allows you, for example, to authenticate users with their pre-Windows 2000 logon name (the `sAMAccountName` attribute) instead of their User Principal Name. Note that only configurations where the `sAMAccountName` is equal to the UPN without its domain part are supported.
The following screenshot illustrates the difference between the `userPrincipalName` and `sAMAccountName` that you can use to authenticate with Active Directory.
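The following script is an added example, not Semarchy xDM code, that models the resolution logic described in the Basic and Advanced configuration sections: how the bind name (UPN), the default search base and the LDAP search filter are derived from what the user types and from the Active Directory Domain, User Search Filter and User Search Base properties. Function names, the `placeholder` parameter and the rule used to fill `{0}` for a non-default filter are assumptions for illustration only (the page says the user name is inserted but does not say which form of it is used for a custom filter). It also escapes the inserted value per RFC 4515, the check a practitioner wants on any login-derived value that lands inside a filter.

```python
# Added example (not Semarchy xDM code): models how the Active Directory identity
# provider described above derives the bind name, the user search base and the
# LDAP search filter from the login form input and the configuration properties.
# Names, signatures and the {0} substitution rule for non-default filters are
# assumptions for illustration, not the product's API.
from typing import Dict, Optional, Tuple

# RFC 4515 escaping for values placed inside an LDAP search filter. Without it,
# a login such as "*)(objectClass=*" would change the meaning of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def domain_to_base_dn(domain: str) -> str:
    """Derive the default search base from a DNS domain: acme.com -> dc=acme,dc=com."""
    labels = [label for label in domain.strip().strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def resolve_principal(login: str, ad_domain: Optional[str]) -> Tuple[str, str, str]:
    """Return (UPN, logon name, domain) for what the user typed.

    A login that already contains a domain is used as is; otherwise the
    configured Active Directory Domain is appended, as the page describes.
    """
    if "@" in login:
        name, _, domain = login.rpartition("@")
    else:
        if not ad_domain:
            raise ValueError("login has no domain and no Active Directory Domain is configured")
        name, domain = login, ad_domain
    if not name or not domain:
        raise ValueError(f"malformed login: {login!r}")
    return f"{name}@{domain}", name, domain


def build_user_search(
    login: str,
    ad_domain: Optional[str] = None,
    override_search_base: Optional[str] = None,
    user_search_filter: str = "(userPrincipalName={0})",
    placeholder: str = "upn",
) -> Dict[str, str]:
    """Compute the bind name, search base and search filter for one login attempt.

    placeholder selects what replaces {0}: "upn" (the resolved UPN, which is what
    the default filter matches) or "name" (the part before @, which a
    sAMAccountName filter needs; the page notes this only works when
    sAMAccountName equals the UPN without its domain). Which value the product
    substitutes for a custom filter is an assumption here.
    """
    upn, name, domain = resolve_principal(login, ad_domain)
    # An explicit override wins; an empty override means "search from the root".
    if override_search_base is not None:
        search_base = override_search_base
    else:
        search_base = domain_to_base_dn(domain)
    value = upn if placeholder == "upn" else name
    ldap_filter = user_search_filter.replace("{0}", escape_filter_value(value))
    return {"bind_upn": upn, "search_base": search_base, "filter": ldap_filter}


if __name__ == "__main__":
    # Constructed sample logins mirroring the page's examples, plus one
    # injection attempt to show the escaping at work.
    samples = (
        {"login": "user1", "ad_domain": "acme.com"},
        {"login": "user1@us.acmecorporate.com"},
        {"login": "user2@acme.ca", "override_search_base": "dc=acmecorporate,dc=com"},
        {"login": "jdoe", "ad_domain": "acme.com",
         "user_search_filter": "(sAMAccountName={0})", "placeholder": "name"},
        {"login": "*)(objectClass=*", "ad_domain": "acme.com"},
    )
    for kwargs in samples:
        print(build_user_search(**kwargs))
```

Run it as-is to see the derived search for each sample; the last line shows the injection attempt rendered harmless as `\2a\29\28objectClass=\2a@acme.com` inside the filter. If the directory you test against derives a different base than `domain_to_base_dn` produces, that is the case where the page tells you to set Override User Search Base.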
Configuration properties
Property | Definition |
---|---|
Connectivity | |
Active Directory Server URL | URL of the Active Directory server. For example, |
Active Directory Domain | Active Directory domain name. The domain name should not include any |
Advanced | |
User Search Filter | LDAP search filter applied to search users under the User Search Base, with `{0}` marking where the actual user name should be inserted. For example, you can set this property to: |
Override User Search Base | Select this option to explicitly set the User Search Base, corresponding to the location of the user object in the directory. |
User Search Base | LDAP base DN to look for the user. This property is used only if Override User Search Base is selected. Setting an empty value forces a search from the root of the directory. For example, |