LDAP/Active Directory Integration
cidaas supports LDAP (Lightweight Directory Access Protocol) and Active Directory for authentication and user synchronization. You can configure cidaas to act as an Identity Provider (IdP) or as a Service Provider (SP).
Understanding IDP vs SP
-
Identity Provider (IdP): cidaas provides and provisions user identity to other systems (applications)
- cidaas authenticates users against LDAP/AD and sends their identity information to applications
- Applications trust cidaas to verify who the user is
- Example: Users authenticate with LDAP/AD credentials in cidaas, then access multiple applications without logging in again
-
Service Provider (SP): cidaas receives user identity from other systems (external LDAP/AD directories)
- External LDAP/AD systems authenticate users and provide identity information to cidaas
- cidaas trusts the external directory to verify who the user is
- Example: Users authenticate with an external Active Directory, then access cidaas without logging in again
Key Features:
- LDAP v3 protocol support
- Active Directory integration
- User synchronization (provisioning and de-provisioning)
- Bind operations for authentication
- Attribute mapping and transformation
- Group and role synchronization
- Directory search and query support
LDAP/Active Directory as Identity Provider (IdP)
When cidaas acts as an Identity Provider (IdP), it authenticates users against LDAP/Active Directory and provides SSO authentication for your applications. Users authenticate once with their LDAP/AD credentials in cidaas and can access multiple applications without re-entering credentials.
What this means: cidaas provides and provisions user identity to other systems (your applications) after authenticating against LDAP/AD.
cidaas as Identity Provider Flow
The following diagram illustrates the authentication flow when cidaas acts as an Identity Provider with LDAP/AD backend:
Detailed Authentication Flow:
-
User Access Request: The user attempts to access a protected resource in an application.
-
Redirect to cidaas: The application redirects the user to cidaas for authentication.
-
cidaas Authentication:
- If the user has an active SSO session with cidaas, authentication may be automatic
- If not authenticated, cidaas presents the login page
- User provides LDAP/AD credentials (username/password)
-
LDAP Bind Operation: cidaas performs an LDAP bind operation:
- Constructs user DN (Distinguished Name) from username and base DN
- Attempts to bind to LDAP/AD server with user credentials
- LDAP/AD validates credentials and returns success or failure
-
User Attribute Retrieval: After successful authentication, cidaas:
- Searches LDAP/AD directory for user attributes
- Retrieves user information (email, name, groups, etc.)
- Maps LDAP/AD attributes to cidaas user profile
-
User Account Management: cidaas:
- Creates a new user account or updates an existing one
- Synchronizes user attributes from LDAP/AD
- Synchronizes group memberships and roles
- Creates a user session
-
Identity Provisioning: cidaas provides user identity to the application:
- Via SAML assertion (if using SAML)
- Via OAuth2/OIDC tokens (if using OAuth2/OIDC)
- User can now access the application without re-authenticating
Benefits of cidaas as IdP with LDAP/AD:
- Centralized authentication against existing LDAP/AD infrastructure
- Single Sign-On across multiple applications
- User synchronization from LDAP/AD to cidaas
- Group and role synchronization
- Consistent security policies
- Audit trail of authentication events
Configuration Steps
To configure cidaas as an Identity Provider with LDAP/AD backend:
-
Configure LDAP/AD Connection:
- Navigate to Providers → Identity Providers in Trustdesk
- Click + Add provider and select LDAP as the standard type
- Configure connection settings:
- Provider Name: must be unique across your tenant
- Connection String (or Host/Port): LDAP server connection details
- Bind DN / Bind Credentials: Service account used for directory searches
- Base DN (or Search Base): Starting point for user searches
-
Configure User Synchronization:
- Enable User Sync (
user_sync) if you want synchronization from LDAP - Configure attribute mapping (see Attribute Mapping):
- Map LDAP attributes to cidaas user fields
- Set the Unique Field (
unique_field) used to identify users
- Enable User Sync (
-
Configure Default Groups:
- Set Default Groups (
default_groups) to assign tenant-local groups/roles to users imported or synced from this provider
- Set Default Groups (
-
Enable for Applications:
- Navigate to Integrations → Applications in Trustdesk (see App management)
- Select your application
- Under identity providers, enable the LDAP/Active Directory provider
Technical Integration
| API | Method | Description | Reference |
|---|---|---|---|
| Create LDAP Configuration | POST | Create a provider with standard_type: LDAP | View API |
| List LDAP Providers | GET | List all provider configurations | View API |
| Get LDAP Configuration | GET | Retrieve a specific LDAP/Active Directory provider configuration | View API |
| Update LDAP Configuration | PUT / PATCH | Update an existing LDAP/Active Directory provider configuration | View API |
| Delete LDAP Configuration | DELETE | Delete an LDAP/Active Directory provider configuration | View API |
Triggering an on-demand sync run and checking sync status are not yet part of this unified API. If your setup relies on those operations, check with cidaas support for current availability.
LDAP Bind Operations
Bind DN and Credentials:
- Bind DN: The Distinguished Name of a service account used to search the directory
- Bind Credentials: The password for the service account
- This account needs read permissions to search users and groups
User Authentication:
- When a user logs in, cidaas constructs the user's DN
- Performs a bind operation with the user's credentials
- If bind succeeds, user is authenticated
Example DN Structure:
Base DN: dc=example,dc=com
User DN: cn=john.doe,ou=users,dc=example,dc=com
LDAP Synchronization
Directory Synchronization:
- Synchronizes users from LDAP/AD to cidaas
- Synchronizes groups and group memberships
- Updates user attributes when changed in LDAP/AD
- Handles user de-provisioning (when users are removed from LDAP/AD)
Synchronization Process:
- cidaas connects to LDAP/AD using Bind DN credentials
- Searches for users under Base DN
- For each user found:
- Checks if user exists in cidaas
- Creates new user or updates existing user
- Maps LDAP attributes to cidaas user profile
- Synchronizes group memberships
- Removes users from cidaas if they no longer exist in LDAP/AD (if configured)
Sync Status Indicators:
- Grey: Sync in progress
- Green: Sync completed successfully
- Orange: Sync failed (check error message)
Attribute Mapping
When cidaas acts as a Service Provider, attribute mapping defines how LDAP/AD attributes are mapped to cidaas user attributes, using the same unified attribute_mapping structure as every other provider type (see SAML attribute mapping for the full field reference):
external_key: the LDAP/AD attribute namefield_key: the corresponding cidaas user attribute
Standard LDAP Attributes:
cn(Common Name): User's full namesn(Surname): Last namegivenName: First namemail: Email addressuid: User IDsAMAccountName: Active Directory usernameuserPrincipalName: Active Directory UPN
Example attribute mapping:
{
"attribute_mapping": {
"email": {
"field_key": "email",
"external_key": "mail"
},
"given_name": {
"field_key": "given_name",
"external_key": "givenName"
},
"family_name": {
"field_key": "family_name",
"external_key": "sn"
}
},
"ldap": {
"unique_field": "sAMAccountName"
}
}
Unique Field:
The unique_field (on the ldap sub-document, not inside attribute_mapping) specifies which LDAP/AD attribute should be used as the unique identifier for user matching. Common choices:
sAMAccountName(Active Directory)uid(LDAP)userPrincipalName(Active Directory UPN)objectGUID(Active Directory)
Connection String Format
LDAP Connection String Examples:
Active Directory:
ldap://ad.example.com:389
ldaps://ad.example.com:636
OpenLDAP:
ldap://ldap.example.com:389
ldaps://ldap.example.com:636
Connection Parameters:
- Protocol:
ldap://(unencrypted) orldaps://(SSL/TLS encrypted) - Host: LDAP server hostname or IP address
- Port: 389 (LDAP) or 636 (LDAPS)
Security Considerations:
- Use
ldaps://(LDAP over SSL/TLS) for encrypted connections - Ensure Bind DN credentials are stored securely
- Use service accounts with minimal required permissions
- Regularly rotate service account passwords
Base DN Configuration
Base DN Structure: The Base DN is the starting point for LDAP searches. It should point to the organizational unit (OU) or domain component (DC) where your users are located.
Examples:
dc=example,dc=com
ou=users,dc=example,dc=com
cn=users,dc=example,dc=com
User DN Construction: cidaas constructs user DNs by combining:
- Username (from login)
- Base DN
- User DN pattern (if configured)
Example:
Base DN: ou=users,dc=example,dc=com
Username: john.doe
User DN: cn=john.doe,ou=users,dc=example,dc=com
LDAP/Active Directory Standards
cidaas supports the following LDAP standards:
- LDAP v3: RFC 4511 (Protocol)
- LDAP Data Models: RFC 4512 (Schema)
- LDAP Authentication: RFC 4513 (Bind operations)
- Active Directory: Microsoft's LDAP implementation
- OpenLDAP: Open-source LDAP implementation
Supported LDAP Operations
- Bind: User authentication
- Search: User and group lookup
- Compare: Attribute value comparison
- Modify: User attribute updates (if permissions allow)
Security Best Practices
- Use LDAPS: Always use
ldaps://for encrypted connections - Secure Bind Credentials: Store service account passwords securely
- Minimal Permissions: Use service accounts with read-only permissions
- Network Security: Ensure LDAP traffic is encrypted and network is secure
- Regular Sync: Schedule regular synchronization to keep user data current
- Monitor Sync Status: Regularly check sync status and resolve errors promptly
Please contact us directly on our support page or reach out to cidaas support at [email protected].