You can integrate your cloud with an external identity provider and import users and groups to your organization.
You can enable your organization to use a SAML identity provider or you can configure an LDAP server connection.
This chapter includes the following topics:
Enable Your Organization to Use a SAML Identity Provider
Edit LDAP Settings for Your Organization
Configure, Test, and Synchronize an LDAP Connection
Enable Your Organization to Use a SAML Identity Provider
Enable your organization to use a Security Assertion Markup Language (SAML) identity provider, also called single sign-on, so that you can import users and groups from that provider and let the imported users sign on to the organization with the credentials established in the SAML identity provider.
When you import users and groups, the system extracts a list of attributes from the SAML token, if available, and uses them to determine the corresponding information about the user attempting to log in.
- email address = "EmailAddress"
- user name = "UserName"
- full name = "FullName"
- user's groups = "Groups"
- user's roles = "Roles"
The role attribute is configurable.
Group information is necessary if the user is not directly imported but is expected to be able to log in by virtue of membership in imported groups. A user might belong to multiple groups, and can have multiple roles during a session.
If an imported user or group is assigned the Defer to Identity Provider role, the roles are assigned based on the information gathered from the Roles attribute in the token. If a different attribute carries the role information, its name can be configured by using the API only; the Roles attribute is the only attribute whose name is configurable.
If the Defer to Identity Provider role is used, but no role information can be extracted, the user can log in but does not have any rights to perform any activities.
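The attribute extraction and the Defer to Identity Provider behaviour described above, as an added example that is not part of the Cyfuture Cloud Console product: it reads the AttributeStatement of a SAML 2.0 assertion with the standard library, honours a configurable role attribute name, and returns an empty role list when deferral finds no role information. The sample assertion is constructed and unsigned; a real token must have its signature and conditions validated before any attribute is trusted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEFER_ROLE = "Defer to Identity Provider"

# Constructed sample assertion (no signature, no Conditions): for parsing only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="EmailAddress"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="UserName"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="FullName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Groups">
      <saml:AttributeValue>cloud-admins</saml:AttributeValue>
      <saml:AttributeValue>developers</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Roles"><saml:AttributeValue>Organization Administrator</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml, role_attribute="Roles"):
    """Return the attributes the page names; Groups and roles may hold several values.
    role_attribute models the API-configurable name of the role attribute."""
    root = ET.fromstring(assertion_xml)
    values = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]

    def single(name):
        vals = values.get(name)
        return vals[0] if vals else None  # absent or empty attribute -> None

    return {
        "email": single("EmailAddress"),
        "user_name": single("UserName"),
        "full_name": single("FullName"),
        "groups": values.get("Groups", []),
        "roles": values.get(role_attribute, []),
    }


def effective_roles(assigned_role, token_roles):
    """Roles for the session: the directly assigned role, or the token's roles when
    the user/group is assigned Defer to Identity Provider. Deferring with no role
    information yields [] (login succeeds, but the session has no rights)."""
    if assigned_role == DEFER_ROLE:
        return list(token_roles)
    return [assigned_role]
```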
Prerequisites
- This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.
- Verify that you have access to an SAML 2.0 compliant identity provider.
- Verify that you receive the required metadata from your SAML identity provider. You must import the metadata to Cyfuture Cloud Console either manually or as an XML file. The metadata must include the following information:
- The location of the single sign-on service
- The location of the single logout service
- The location of the service's X.509 certificate
For information on configuring and acquiring metadata from a SAML provider, see the documentation for your SAML identity provider.
Procedure
1. In the top navigation bar, click Administration.
2. Under Identity Providers, click SAML.
3. Click Edit.
4. On the Service Provider tab, enter the Entity ID.
The Entity ID is the unique identifier of your organization to your identity provider. You can use the name of your organization, or any other string that satisfies the requirements of your SAML identity provider.
Important: Once you specify an Entity ID, you cannot delete it. To change the Entity ID, you must do a full SAML reconfiguration for your organization. For information about Entity IDs, see Assertions and Protocols for the OASIS Security Assertion Markup Language (SAML) 2.0.
5. Click the Metadata link to download the SAML metadata for your organization. The downloaded metadata must be provided as-is to your identity provider.
6. Review the Certificate Expiration date and, optionally, click Regenerate to regenerate the certificate used to sign federation messages.
The certificate is included in the SAML metadata, and is used for both encryption and signing. Either or both encryption and signing might be required depending on how trust is established between your organization and your SAML identity provider.
7. On the Identity Provider tab, enable the Use SAML Identity Provider toggle.
8. Copy and paste the SAML metadata you received from your identity provider to the text box, or click Upload to browse to and upload the metadata from an XML file.
9. Click Save.
What to do next
Configure your SAML provider with Cyfuture Cloud Console metadata. See your SAML identity provider documentation and the Cyfuture Cloud Console Installation, Configuration, and Upgrade Guide.
Import users and groups from your SAML identity provider. See Managing Users, Groups and Roles.
Edit LDAP Settings for Your Organization
You can configure your organization to use the system LDAP connection as a shared source of users and groups. You can configure your organization to use a separate LDAP connection as a private source of users and groups.
Prerequisites
This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.
Procedure
- In the top navigation bar, click Administration.
- In the left panel, under Identity Providers, click LDAP. The current LDAP settings are displayed.
- On the LDAP Settings tab, click Edit.
- Configure the LDAP source of users and groups for your organization and click Save.
| Option | Description |
| --- | --- |
| Do not use LDAP | The organization does not use an LDAP server as a source of organization users and groups. |
| Cyfuture Cloud Console system LDAP service | The organization uses the Cyfuture Cloud Console system LDAP connection configured by your service provider. Enter the distinguished name for the organizational unit. |
| Custom LDAP service | The organization uses a private LDAP server as a source of organization users and groups. |
What to do next
If you selected Custom LDAP service, click the Custom LDAP tab to Configure, Test, and Synchronize an LDAP Connection.
Configure, Test, and Synchronize an LDAP Connection
To configure an LDAP connection, you set the details of your LDAP server. You can test the connection to make sure that you entered the correct settings and the user and group attributes are mapped correctly. When you have a successful LDAP connection, you can synchronize the user and group information with the LDAP server at any time.
Prerequisites
If you plan to connect to an LDAP server over SSL (LDAPS), verify that the certificate of your LDAP server is compliant with the Endpoint Identification introduced in Java 8 Update 181. The common name (CN) or the subject alternative name (SAN) of the certificate must match the FQDN of the LDAP server. For more information, see the Java 8 Release Changes at https://www.java.com.
This operation requires the rights included in the predefined Organization Administrator role or an equivalent set of rights.
Procedure
1. In the Connection tab, enter the required information for the LDAP connection.
| Required Information | Description |
| --- | --- |
| Server | The host name or IP address of the LDAP server. |
| Port | The port number on which the LDAP server is listening. For LDAP, the default port number is 389. For LDAPS, the default port number is 636. |
| Base distinguished name | The base distinguished name (DN) is the location in the LDAP directory to which Cyfuture Cloud Console connects. To connect at root level, enter only the domain components, for example, DC=example,DC=com. To connect to a node in the domain tree structure, enter the distinguished name for that node, for example, OU=ServiceDirector,DC=example,DC=com. Connecting to a node limits the scope of the directory available to Cyfuture Cloud Console. |
| Connector type | The type of your LDAP server. Can be Active Directory or OpenLDAP. |
| Use SSL | If your server is LDAPS, select this check box. |
| Accept all certificates | If your server is LDAPS, either select this check box or upload the LDAP SSL certificate. |
| Custom Truststore | If your server is LDAPS, either click the upload icon and import an LDAP SSL certificate or select Accept all certificates. |
| Authentication method | Simple authentication consists of sending the user's DN and password to the LDAP server. If you are using LDAP rather than LDAPS, the LDAP password is sent over the network in plain text. If you want to use Kerberos, you must configure the LDAP connection by using the vCloud API. |
| User name | Enter the full LDAP distinguished name (DN) of a service account with domain admin rights. Cyfuture Cloud Console uses this account to query the LDAP directory and retrieve user information. If anonymous read support is enabled on your LDAP server, you can leave the User name and Password text boxes blank. |
| Password | The password for the service account that connects to the LDAP server. If anonymous read support is enabled on your LDAP server, you can leave the User name and Password text boxes blank. |
2. Click the User Attributes tab, examine the default values for the user attributes, and, if your LDAP directory uses different schema, modify the values.
3. Click the Group Attributes tab, examine the default values for the group attributes, and, if your LDAP directory uses different schema, modify the values.
4. Click Save.
5. If you selected the Use SSL check box, and the certificate of the LDAPS server is not yet trusted, the Trust Certificate window opens; confirm whether you trust the certificate presented by the server endpoint.
6. To test the LDAP connection settings and the LDAP attribute mappings:
a. Click Test.
b. Enter the password of the LDAP server user that you configured and click Test.
If connected successfully, a green check mark is displayed.
The retrieved user and group attribute values are displayed in a table. The values that are successfully mapped to LDAP attributes are marked with green check marks. The values that are not mapped to LDAP attributes are blank and marked with red exclamation marks.
c. To exit, click Cancel.
7. To synchronize Cyfuture Cloud Console with the configured LDAP server, click Sync.
Cyfuture Cloud Console synchronizes the user and group information with the LDAP server regularly depending on the synchronization interval that you set in the general system settings.
Wait a few minutes for the synchronization to finish.
Results
You can import users and groups from the newly configured LDAP server.