LDAP Authentication

LDAP Authentication is one of the three authentication methods available in Igloo. It employs Lightweight Directory Access Protocol (LDAP) for authentication, connecting directly to your Active Directory (AD).

The authentication process.

Users can sign in to your Igloo using their corporate domain credentials, eliminating the need to keep track of an additional username and password and allowing you to control password complexity and reset policies.

The Sign In page.

Use cases

LDAP Authentication is typically used when you have an Active Directory but are prevented from using an identity provider to facilitate SAML authentications. It can also be used when you have multiple member directories each with a different membership that needs to log in to your workplace.

Features and functionality

Dual authentication support

When using LDAP Authentication you can also log in using Igloo Authentication. This provides a means to include members of your workplace who are not part of your Active Directory, and a way for administrators to gain access if the LDAP connection fails.

Multiple connections

You can configure your LDAP Authentication to connect to different ADs. When you use this feature, your users will be presented with a list of options when logging in.
The connection selector.

Auto Provisioning

LDAP Authentication can automatically add new users to your workplace if they successfully authenticate against your AD.

How to configure an LDAP Authentication connection

Before you can configure an LDAP Authentication connection, you will need an account that can make the LDAP queries on your AD. To create an account that can do this, see How to create an Active Directory service account for LDAP queries below.

  1. Whitelist TCP ports on your network.
    • You must ensure that your AD is able to receive communications from your digital workplace when a user attempts to authenticate. These communications occur over TCP ports 1024-65535. For LDAP Authentication to function, make sure that your firewall and AD server are not blocking these ports.
  2. Navigate to the LDAP Connection form.
    1. Open Control Panel.
    2. Under Membership, select Sign-In Settings.
      The Sign In Settings option in the Control Panel.
    3. Under the LDAP Connections section, select Configure LDAP Connections.
      The Configure LDAP Connections button.
  3. Enter a title for your LDAP Connection. This should be a user-friendly name, which will be exposed to your users if you are configuring multiple LDAP connections.
    The LDAP connection title.

  4. Enter your directory server details to allow your digital workplace to communicate with your AD.

    • Server Name: Enter the externally resolvable IP address or hostname of your corporate environment in the Server Name field.
    • Server Port: Enter your Server Port. The standard ports are 389 for LDAP, or 636 for LDAPS.
    • SSL: Select SSL if you are using LDAPS. It is highly recommended that LDAPS is used.
      The Directory Server information.
  5. To confirm user credentials against your AD, you need to provide a user account with query access to your AD.

    • Query user DN: Enter the query user’s Distinguished Name (DN) from your AD.

    • Query User Password: Enter the query user’s AD password.

    • Base OU: Enter the base OU containing the query user in your AD.
      The account credentials.

  6. To provision and authenticate your users to the Igloo, three required profile attributes must be populated for each user in the corporate directory. Accounts that are missing any of them, such as service accounts and other non-human accounts, are not added to the Igloo. In a default Active Directory configuration, please map the fields as follows:

    • User First Name: givenName

    • User Last Name: sn

    • User Email Address: mail
      The required profile attributes.

  7. Create an Account Filter by entering an LDAP search string to use when querying users in your AD that should be authenticated. Use {0} to specify where in the search query the user-entered value should be inserted. For example, with the query filter (sAMAccountName={0}), a user who entered “auser” in the username field will trigger a search against the BaseDN for (sAMAccountName=auser).
    The search filter.
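The search-then-bind sequence that steps 5 to 7 and Auto Provisioning describe, as an added example that is not Igloo's code: it binds as the query user, substitutes the typed username into the Account Filter with RFC 4515 escaping so the username cannot change the filter's structure, requires the three mapped attributes (givenName, sn, mail) before provisioning, and finally binds as the located user to check the password. The directory, the sample accounts, the CONFIG values and the helper names are all constructed here so the flow runs offline; a real deployment would use an LDAP client library over LDAPS against the configured Server Name and Server Port.

```python
"""Model of the LDAP "search, then bind" flow configured in steps 5 to 7.

Added example, not Igloo's code. The directory below is a constructed,
in-memory stand-in for AD so the flow runs offline.
"""
import re
from dataclasses import dataclass

# Values from the connection form (constructed sample values).
CONFIG = {
    "base_ou": "DC=example,DC=com",
    "query_user_dn": "CN=svc-igloo-ldap,OU=Service Accounts,DC=example,DC=com",
    "query_user_password": "query-secret",
    "account_filter": "(sAMAccountName={0})",
    "attr_first_name": "givenName",
    "attr_last_name": "sn",
    "attr_email": "mail",
}


@dataclass
class Entry:
    dn: str
    attrs: dict
    password: str


# Constructed directory: one service account, one person, one job account.
DIRECTORY = [
    Entry("CN=svc-igloo-ldap,OU=Service Accounts,DC=example,DC=com",
          {"sAMAccountName": "svc-igloo-ldap", "givenName": "svc-igloo-ldap"},
          "query-secret"),
    Entry("CN=A User,OU=Staff,DC=example,DC=com",
          {"sAMAccountName": "auser", "givenName": "A", "sn": "User",
           "mail": "auser@example.com"},
          "Correct-Horse-Battery"),
    Entry("CN=backup-job,OU=Staff,DC=example,DC=com",
          {"sAMAccountName": "backup-job", "givenName": "Backup"},  # no sn, no mail
          "job-secret"),
]

# RFC 4515: these characters must be escaped when a value is placed inside a
# filter; otherwise a typed username could alter the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_account_filter(template: str, username: str) -> str:
    """Substitute the escaped username for the {0} placeholder."""
    return template.replace("{0}", escape_filter_value(username))


def get_attr(entry: Entry, name: str):
    # LDAP attribute names are case-insensitive.
    return next((v for k, v in entry.attrs.items() if k.lower() == name.lower()), None)


def bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the DN exists and the password matches."""
    return any(e.dn == dn and e.password == password for e in DIRECTORY)


_EQUALITY = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def search(base_dn: str, filter_str: str) -> list:
    """Subtree search under base_dn; supports one equality assertion, (attr=value)."""
    m = _EQUALITY.match(filter_str)
    if not m:
        raise ValueError("not a single well-formed assertion: " + filter_str)
    attr = m.group(1)
    # Undo RFC 4515 escaping so the comparison is against the literal value.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), m.group(2))
    suffix = "," + base_dn.lower()
    return [e for e in DIRECTORY
            if e.dn.lower().endswith(suffix) and get_attr(e, attr) == value]


def authenticate(config: dict, username: str, password: str):
    """Return the profile to provision on success, or None if sign-in is refused."""
    # 1. Bind as the query user so the directory can be searched.
    if not bind(config["query_user_dn"], config["query_user_password"]):
        raise RuntimeError("query user bind failed; check Query user DN and password")
    # 2. Find the account under the Base OU with the Account Filter.
    matches = search(config["base_ou"], build_account_filter(config["account_filter"], username))
    if len(matches) != 1:
        return None  # unknown or ambiguous username
    entry = matches[0]
    # 3. All three mapped attributes must be present; otherwise the account is
    #    treated as non-human and is not provisioned.
    profile = {}
    for key in ("attr_first_name", "attr_last_name", "attr_email"):
        value = get_attr(entry, config[key])
        if not value:
            return None
        profile[config[key]] = value
    # 4. Prove the password by binding as the user's own DN.
    if not bind(entry.dn, password):
        return None
    return {"dn": entry.dn, **profile}


if __name__ == "__main__":
    print(authenticate(CONFIG, "auser", "Correct-Horse-Battery"))
    print(build_account_filter(CONFIG["account_filter"], "auser)(mail=*"))
```

The service account in the sample directory is deliberately reachable by the Account Filter but lacks sn and mail, so the required-attribute check refuses it; the same rule is what keeps non-human accounts out of the Igloo in the real flow. The query user's own credentials are only ever used for the search bind, never for the user's bind.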


How to Create an Active Directory service account for LDAP queries

  1. To create a new user in your AD, open Active Directory Users and Computers and navigate to the Organizational Unit (OU) where you want to create the read-only service account. Right-click on the OU, select New and then User.

    Selecting to create a new user.
  2. Set the Full name and User logon name.

    Entering user details.
  3. Set a secure password, de-select User must change password at next logon, select Password never expires, and select Next.
    Entering a password for the user.
  4. Select Finish to save the new user.
    Completing user creation.

Troubleshooting

See Troubleshooting LDAP authentication.