
LDAP/Active Directory Integration

cidaas supports LDAP (Lightweight Directory Access Protocol) and Active Directory for authentication and user synchronization. You can configure cidaas to act as an Identity Provider (IdP) or as a Service Provider (SP).

Understanding IDP vs SP

  • Identity Provider (IdP): cidaas provides and provisions user identity to other systems (applications)

    • cidaas authenticates users against LDAP/AD and sends their identity information to applications
    • Applications trust cidaas to verify who the user is
    • Example: Users authenticate with LDAP/AD credentials in cidaas, then access multiple applications without logging in again
  • Service Provider (SP): cidaas receives user identity from other systems (external LDAP/AD directories)

    • External LDAP/AD systems authenticate users and provide identity information to cidaas
    • cidaas trusts the external directory to verify who the user is
    • Example: Users authenticate with an external Active Directory, then access cidaas without logging in again

Key Features:

  • LDAP v3 protocol support
  • Active Directory integration
  • User synchronization (provisioning and de-provisioning)
  • Bind operations for authentication
  • Attribute mapping and transformation
  • Group and role synchronization
  • Directory search and query support

LDAP/Active Directory as Identity Provider (IdP)

When cidaas acts as an Identity Provider (IdP), it authenticates users against LDAP/Active Directory and provides SSO authentication for your applications. Users authenticate once with their LDAP/AD credentials in cidaas and can access multiple applications without re-entering credentials.

What this means: cidaas provides and provisions user identity to other systems (your applications) after authenticating against LDAP/AD.

cidaas as Identity Provider Flow

The following diagram illustrates the authentication flow when cidaas acts as an Identity Provider with LDAP/AD backend:

Detailed Authentication Flow:

  1. User Access Request: The user attempts to access a protected resource in an application.

  2. Redirect to cidaas: The application redirects the user to cidaas for authentication.

  3. cidaas Authentication:

    • If the user has an active SSO session with cidaas, authentication may be automatic
    • If not authenticated, cidaas presents the login page
    • User provides LDAP/AD credentials (username/password)
  4. LDAP Bind Operation: cidaas performs an LDAP bind operation:

    • Constructs user DN (Distinguished Name) from username and base DN
    • Attempts to bind to LDAP/AD server with user credentials
    • LDAP/AD validates credentials and returns success or failure
  5. User Attribute Retrieval: After successful authentication, cidaas:

    • Searches LDAP/AD directory for user attributes
    • Retrieves user information (email, name, groups, etc.)
    • Maps LDAP/AD attributes to cidaas user profile
  6. User Account Management: cidaas:

    • Creates a new user account or updates an existing one
    • Synchronizes user attributes from LDAP/AD
    • Synchronizes group memberships and roles
    • Creates a user session
  7. Identity Provisioning: cidaas provides user identity to the application:

    • Via SAML assertion (if using SAML)
    • Via OAuth2/OIDC tokens (if using OAuth2/OIDC)
    • User can now access the application without re-authenticating

Benefits of cidaas as IdP with LDAP/AD:

  • Centralized authentication against existing LDAP/AD infrastructure
  • Single Sign-On across multiple applications
  • User synchronization from LDAP/AD to cidaas
  • Group and role synchronization
  • Consistent security policies
  • Audit trail of authentication events

Configuration Steps

To configure cidaas as an Identity Provider with LDAP/AD backend:

  1. Configure LDAP/AD Connection:

    • Navigate to Settings > Login Providers > Active Directory
    • Click + Create New Active Directory
    • Configure connection settings:
      • Provider Name: Unique identifier
      • Connection String: LDAP server connection details
      • Bind DN: Service account DN for directory searches
      • Bind Credentials: Service account password
      • Base DN: Starting point for user searches
  2. Configure User Synchronization:

    • Enable LDAP Sync if you want automatic user synchronization
    • Configure user attribute mapping:
      • Map LDAP attributes to cidaas user fields
      • Configure unique fields
      • Set up custom field mappings
  3. Configure Groups and Roles:

    • Map LDAP groups to cidaas groups
    • Map LDAP roles to cidaas roles
    • Configure group synchronization
  4. Enable for Applications:

    • Navigate to Apps > App Settings
    • Select your application
    • Under Login Providers, enable Active Directory provider

Technical Integration

API                       | Method | Description                                                       | Reference
List LDAP Providers       | GET    | Retrieve all LDAP/Active Directory provider configurations        | View API
Create LDAP Configuration | POST   | Create a new LDAP/Active Directory provider configuration         | View API
Get LDAP Configuration    | GET    | Retrieve a specific LDAP/Active Directory provider configuration  | View API
Update LDAP Configuration | PUT    | Update an existing LDAP/Active Directory provider configuration   | View API
Start LDAP Sync           | POST   | Initiate LDAP synchronization to sync users from directory to cidaas | View API
Get LDAP Sync Status      | GET    | Retrieve the status of the LDAP synchronization process           | View API

LDAP Bind Operations

Bind DN and Credentials:

  • Bind DN: The Distinguished Name of a service account used to search the directory
  • Bind Credentials: The password for the service account
  • This account needs read permissions to search users and groups

User Authentication:

  • When a user logs in, cidaas constructs the user's DN
  • cidaas performs a bind operation with the user's credentials
  • If the bind succeeds, the user is authenticated

Example DN Structure:

Base DN: dc=example,dc=com
User DN: cn=john.doe,ou=users,dc=example,dc=com
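The bind flow described above, as an added example that is not cidaas code: it builds the user DN from the login name and Base DN, binds with the user's credentials, then binds as the service account and searches for the user's attributes through the userinfo_fields mapping. The directory is an in-memory stand-in constructed for the example, and every DN, name and password in it is constructed. DN values are escaped per RFC 4514 and filter values per RFC 4515, and an empty password is rejected before bind because RFC 4513 lets a server treat a name with an empty password as an unauthenticated bind that succeeds.

```python
"""Added example, not cidaas code: the IdP-side login flow against a
constructed in-memory stand-in for an LDAP/AD server."""
import re

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514)
DN_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    # RFC 4515: *, (, ), \ and NUL become \xx hex pairs inside a search filter
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_dn(username: str, base_dn: str, rdn_attribute: str = "cn") -> str:
    # Escaping keeps a login such as 'john,ou=admins' inside a single RDN
    # instead of letting it add components to the DN.
    return f"{rdn_attribute}={escape_dn_value(username)},{base_dn}"


class InMemoryDirectory:
    """Constructed stand-in for LDAP/AD: bind plus a one-term equality search."""

    def __init__(self, entries):
        # DNs compare case-insensitively, so keys are normalised to lower case
        self.entries = {dn.lower(): attrs for dn, attrs in entries.items()}

    def bind(self, dn: str, password: str) -> bool:
        entry = self.entries.get(dn.lower())
        if entry is None:
            return False
        if password == "":
            # Emulates a server that grants an RFC 4513 "unauthenticated" bind for a
            # known DN with an empty password; the client must never rely on this.
            return True
        return entry.get("userPassword") == password

    def search(self, base_dn: str, filter_str: str, attributes):
        attr, _, raw = filter_str.strip("()").partition("=")
        wanted = unescape_filter_value(raw)
        suffix = "," + base_dn.lower()
        return [{a: entry.get(a) for a in attributes}
                for dn, entry in self.entries.items()
                if dn.endswith(suffix) and entry.get(attr) == wanted]


# Constructed provider configuration, using the field names the page shows
CONFIG = {
    "connection_string": "ldaps://ad.example.com:636",
    "bind_dn": "cn=cidaas-svc,ou=service,dc=example,dc=com",
    "bind_credentials": "svc-secret",
    "base_dn": "ou=users,dc=example,dc=com",
    "user_id_attribute": "sAMAccountName",
    "userinfo_fields": {"email": "mail", "given_name": "givenName",
                        "family_name": "sn", "username": "sAMAccountName"},
}

# Constructed directory contents; the service account sits outside the Base DN
DIRECTORY = InMemoryDirectory({
    "cn=cidaas-svc,ou=service,dc=example,dc=com": {"userPassword": "svc-secret"},
    "cn=john.doe,ou=users,dc=example,dc=com": {
        "userPassword": "correct horse", "sAMAccountName": "john.doe",
        "mail": "john.doe@example.com", "givenName": "John", "sn": "Doe",
        "memberOf": ["cn=app-users,ou=groups,dc=example,dc=com"]},
})


def authenticate_user(directory, config, username, password):
    """Return the mapped profile on success, None on any failure."""
    if password == "":
        return None  # would otherwise become an unauthenticated bind (see bind())
    if not directory.bind(build_user_dn(username, config["base_dn"]), password):
        return None
    # Attribute retrieval uses the service account, not the user's credentials
    if not directory.bind(config["bind_dn"], config["bind_credentials"]):
        return None
    ldap_filter = f"({config['user_id_attribute']}={escape_filter_value(username)})"
    hits = directory.search(config["base_dn"], ldap_filter,
                            list(config["userinfo_fields"].values()))
    if len(hits) != 1:
        return None  # zero or ambiguous matches are a failure, not a guess
    return {field: hits[0].get(attr) for field, attr in config["userinfo_fields"].items()}


if __name__ == "__main__":
    print(authenticate_user(DIRECTORY, CONFIG, "john.doe", "correct horse"))
```

Against a real server the two bind calls and the search would go through an LDAP client library; the escaping, the empty-password check and the "exactly one match" rule are what carry over unchanged.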

LDAP Synchronization

Directory Synchronization:

  • Synchronizes users from LDAP/AD to cidaas
  • Synchronizes groups and group memberships
  • Updates user attributes when changed in LDAP/AD
  • Handles user de-provisioning (when users are removed from LDAP/AD)

Synchronization Process:

  1. cidaas connects to LDAP/AD using Bind DN credentials
  2. Searches for users under Base DN
  3. For each user found:
    • Checks if user exists in cidaas
    • Creates new user or updates existing user
    • Maps LDAP attributes to cidaas user profile
    • Synchronizes group memberships
  4. Removes users from cidaas if they no longer exist in LDAP/AD (if configured)

Sync Status Indicators:

  • Grey: Sync in progress
  • Green: Sync completed successfully
  • Orange: Sync failed (check error message)

Attribute Mapping

When cidaas acts as a Service Provider, attribute mapping defines how LDAP/AD attributes are mapped to cidaas user attributes:

Standard LDAP Attributes:

  • cn (Common Name): User's full name
  • sn (Surname): Last name
  • givenName: First name
  • mail: Email address
  • uid: User ID
  • sAMAccountName: Active Directory username
  • userPrincipalName: Active Directory UPN

Example Attribute Mapping:

{
  "userinfo_fields": {
    "email": "mail",
    "given_name": "givenName",
    "family_name": "sn",
    "username": "sAMAccountName"
  }
}

User ID Attribute: The user_id_attribute field specifies which LDAP attribute should be used as the unique identifier for user matching. Common choices:

  • sAMAccountName (Active Directory)
  • uid (LDAP)
  • userPrincipalName (Active Directory UPN)
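One synchronization pass combining the "Synchronization Process" steps with the attribute mapping and user_id_attribute described here, as an added example that is not cidaas code. It runs over a constructed directory snapshot and a constructed set of existing cidaas users: entries are matched on user_id_attribute, attributes are mapped through userinfo_fields, group DNs are translated through a group_mapping, and users that have disappeared from the directory are de-provisioned only when deprovision_missing is set and only if they originally came from LDAP. The group_attribute, group_mapping, deprovision_missing and source keys are assumptions made for this example, not documented cidaas settings.

```python
"""Added example, not cidaas code: one LDAP -> cidaas synchronization pass
over constructed data."""

SYNC_CONFIG = {
    "user_id_attribute": "sAMAccountName",
    "userinfo_fields": {"email": "mail", "given_name": "givenName",
                        "family_name": "sn", "username": "sAMAccountName"},
    # Assumed keys for this example: which attribute carries group membership,
    # how directory group DNs map to cidaas groups, and whether to de-provision.
    "group_attribute": "memberOf",
    "group_mapping": {"cn=app-users,ou=groups,dc=example,dc=com": "app_users"},
    "deprovision_missing": True,
}

USERS = "ou=users,dc=example,dc=com"
GROUPS = "ou=groups,dc=example,dc=com"

# Constructed directory snapshot: what a search under Base DN would return
DIRECTORY_ENTRIES = [
    {"dn": f"cn=john.doe,{USERS}", "sAMAccountName": "john.doe",
     "mail": "john.doe@example.com", "givenName": "John", "sn": "Doe",
     "memberOf": [f"cn=app-users,{GROUPS}", f"cn=vpn,{GROUPS}"]},
    {"dn": f"cn=jane.roe,{USERS}", "sAMAccountName": "jane.roe",
     "mail": "jane.roe@example.com", "givenName": "Jane", "sn": "Roe", "memberOf": []},
    {"dn": f"cn=svc-legacy,{USERS}", "sn": "Legacy"},  # lacks the unique id attribute
]


def example_existing_users():
    """Constructed cidaas user store, keyed by the lower-cased unique id."""
    return {
        "john.doe": {"email": "john@old.example.com", "given_name": "John", "family_name": "Doe",
                     "username": "john.doe", "groups": ["app_users"], "source": "ldap"},
        "old.user": {"email": "old@example.com", "given_name": "Old", "family_name": "User",
                     "username": "old.user", "groups": [], "source": "ldap"},
        "admin": {"email": "admin@example.com", "given_name": "Local", "family_name": "Admin",
                  "username": "admin", "groups": ["admins"], "source": "local"},
    }


def map_attributes(entry, config):
    """Translate one directory entry into a cidaas profile via userinfo_fields."""
    profile = {field: entry.get(attr) for field, attr in config["userinfo_fields"].items()}
    mapping = config["group_mapping"]
    # Unmapped directory groups are dropped rather than guessed
    profile["groups"] = sorted(mapping[dn] for dn in entry.get(config["group_attribute"], [])
                               if dn in mapping)
    profile["source"] = "ldap"  # assumed marker so local accounts are never de-provisioned
    return profile


def sync(entries, users, config):
    """Apply one sync pass to `users` in place and return what was done."""
    report = {"created": [], "updated": [], "unchanged": [], "skipped": [], "deprovisioned": []}
    seen = set()
    for entry in entries:
        uid = entry.get(config["user_id_attribute"])
        if not uid or uid.lower() in seen:
            report["skipped"].append(entry["dn"])  # missing or duplicate id: never guess a match
            continue
        key = uid.lower()
        seen.add(key)
        profile = map_attributes(entry, config)
        if key not in users:
            report["created"].append(key)
        elif users[key] != profile:
            report["updated"].append(key)
        else:
            report["unchanged"].append(key)
        users[key] = profile
    if config["deprovision_missing"]:
        for key in [k for k, u in users.items() if u["source"] == "ldap" and k not in seen]:
            del users[key]
            report["deprovisioned"].append(key)
    return report


if __name__ == "__main__":
    store = example_existing_users()
    print(sync(DIRECTORY_ENTRIES, store, SYNC_CONFIG))
```

A second pass over the same snapshot reports every user as unchanged, which is the property to check when a scheduled sync runs repeatedly; entries without the unique id attribute are skipped and reported rather than matched on a weaker field.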

Connection String Format

LDAP Connection String Examples:

Active Directory:

ldap://ad.example.com:389
ldaps://ad.example.com:636

OpenLDAP:

ldap://ldap.example.com:389
ldaps://ldap.example.com:636

Connection Parameters:

  • Protocol: ldap:// (unencrypted) or ldaps:// (SSL/TLS encrypted)
  • Host: LDAP server hostname or IP address
  • Port: 389 (LDAP) or 636 (LDAPS)

Security Considerations:

  • Use ldaps:// (LDAP over SSL/TLS) for encrypted connections
  • Ensure Bind DN credentials are stored securely
  • Use service accounts with minimal required permissions
  • Regularly rotate service account passwords
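A small checker for the connection string format and the security considerations above, added here as an example and not part of cidaas: it parses ldap:// and ldaps:// strings, fills in the default port, rejects credentials embedded in the URL (they belong in Bind DN and Bind Credentials), and reports an unencrypted scheme or a port that does not match the scheme. Host names are constructed.

```python
"""Added example, not cidaas code: parse and review an LDAP connection string."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_connection_string(conn: str) -> dict:
    parts = urlsplit(conn.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme {parts.scheme!r}: use ldap:// or ldaps://")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        # Credentials in the URL end up in logs and configuration exports;
        # the Bind DN / Bind Credentials fields exist for them.
        raise ValueError("credentials embedded in connection string")
    return {
        "scheme": scheme,
        "host": parts.hostname,
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[scheme],
        "encrypted": scheme == "ldaps",
    }


def is_rejected(conn: str) -> bool:
    """True when the string fails parsing for any of the reasons above."""
    try:
        parse_connection_string(conn)
    except ValueError:
        return True
    return False


def review_connection_string(conn: str) -> list:
    """Return human-readable findings; an empty list means no concerns."""
    info = parse_connection_string(conn)
    findings = []
    if not info["encrypted"]:
        findings.append("ldap:// sends bind credentials and user passwords in clear text; use ldaps://")
    expected = DEFAULT_PORTS[info["scheme"]]
    if info["port"] != expected:
        # ldap:// on 636 or ldaps:// on 389 usually means the scheme was mistyped
        findings.append(f"port {info['port']} is unusual for {info['scheme']}:// (default {expected})")
    return findings


if __name__ == "__main__":
    for conn in ("ldaps://ad.example.com:636", "ldap://ad.example.com:389", "ldap://ldap.example.com:636"):
        print(conn, "->", review_connection_string(conn) or "ok")
```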

Base DN Configuration

Base DN Structure: The Base DN is the starting point for LDAP searches. It should point to the organizational unit (OU) or domain component (DC) where your users are located.

Examples:

dc=example,dc=com
ou=users,dc=example,dc=com
cn=users,dc=example,dc=com

User DN Construction: cidaas constructs user DNs by combining:

  • Username (from login)
  • Base DN
  • User DN pattern (if configured)

Example:

Base DN: ou=users,dc=example,dc=com
Username: john.doe
User DN: cn=john.doe,ou=users,dc=example,dc=com

LDAP/Active Directory Standards

cidaas supports the following LDAP standards:

  • LDAP v3: RFC 4511 (Protocol)
  • LDAP Data Models: RFC 4512 (Schema)
  • LDAP Authentication: RFC 4513 (Bind operations)
  • Active Directory: Microsoft's LDAP implementation
  • OpenLDAP: Open-source LDAP implementation

Supported LDAP Operations

  • Bind: User authentication
  • Search: User and group lookup
  • Compare: Attribute value comparison
  • Modify: User attribute updates (if permissions allow)

Security Best Practices

  • Use LDAPS: Always use ldaps:// for encrypted connections
  • Secure Bind Credentials: Store service account passwords securely
  • Minimal Permissions: Use service accounts with read-only permissions
  • Network Security: Ensure LDAP traffic is encrypted and network is secure
  • Regular Sync: Schedule regular synchronization to keep user data current
  • Monitor Sync Status: Regularly check sync status and resolve errors promptly

Need Support?

Please contact us on our support page.