...
- Click the add button on the left and select LDAP
- Have your colleague from the IT team complete the form and click add at the bottom.
- At this point the status panel will probably show failures for connection and bind:
- Switch to the certificate tab and paste in the contents of the PEM-encoded certificate file, which should look similar to this:

```
-----BEGIN CERTIFICATE-----
IIIDlTCCAn2gLwIBAgIQJuhFWFFr7ZxCMn6ymkjQtjANBgkqhkiG9w0BAQUFADBd
sRMwEQYKCZImiYPyLGQBGRYDbmV0MRowGAYKCZImiZPyLGQBGRYKb3BlbmF0aGVu
HzESMBAGCgmSJoNT8ixkARkWAmFkMRYwFAYDVQQDEw1hZC1PQS1BREZTLUNBMB4X
dTE1MDExNjEwNTEINFoXDTI1MDExNjExMDA1OVowXTETMBEGCgmSJomT8ixkARkW
N25ldDEaMBgGCgmSSomT8ixkARkWCm9wZW5hdGhlbnMxEjAQBgoJkiaJk/IsZAEZ
EgJhZDEWMBQGA1UEAAMNYWQtT0EtQURGUy1DQTCCASIwDQYJKoZIhvcNAQEBBQAD
SgEPADCCAQoCggEBAMNkzzh4fgdFtCHzhbTSmSrEx846+wRmdG1FHKhSkXkmbV1U
8S/TtRJ6zwPvb181AC/IGC7msrvSsZc19Jfe5nJVL2kSCAWDLjsIwJKUb9gep3na
R846gv83Q/m0/YJ1pyT2DcAVcvCQAI2+MjoLFET43v9haREjbGa7JFDdnjsbjqyZ
EODlalLKOlLicsGImTKFSI4UX3fzAPPLEareAWESOMEr05MdxQifVWpaDcPUh1BJ
BK92Sy+oIBEqQzLu4Vtd/1O4HuyOSw5wOBJLGP4PTwbqPdrpotvDPg+MLN/RHc54
vUEJcl1mTtLLBmMYiVJKXMxT1CYmYWM9ibA7JB8CAwEAAaNRME8wCwYDVR0PBAQD
SgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGWVTvqweerzee/JFMbuTYzi
To/VMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQDGIvljYiX1
wmneie6HnOmkNhQVuvxCSOpYZT3uezq/8/ZrhR5UrkWfYdmfhcmNgmndcMr3GSCt
DJdjxT9c0qUK+PC2IjZtO3tVvuuZY1cf5E6A5TArihsz+E9rbcMta3YDT7kfpXj/
/LggHsjOUxARZ/bAgP266HKGwC5vupxNIB79dwFKmr56fmnZ51kA+mdwB77Be6eO
ompj/OTJqTveH3CjAEyVFyTKrdr7nDXCVwPDyWGTY7rKnkoXGnNWOo+X+Z1Xe0qy
jGZJ1VsEP4N9KwZ5T8Dz+g4oecj+2kn0pwNidxTMfMoEQWd20hSUO6UwUcyPH1L5
Q43QVdc7cHUv
-----END CERTIFICATE-----
```

- The pasted certificate will be converted to a summary panel:
- Save changes
- At this point the status panel will update and should now show success if it did not before
- You should be able to use the test authentication button now with your own username and password.
The final step will be to set up the attribute or permission set mappings you need and define the login box text to suit your organisation (on the login page tab).
How to test
Tick the live checkbox but leave visible unticked, then save: a test URL will be displayed [PLACEHOLDER - LOCATION]. This routes to your otherwise hidden connector on our authentication point:
PLACEHOLDER - SCREENSHOT OF TEST LINK WHEN AVAILABLE
Authenticating will take you to a test page that displays the information that has been released:
PLACEHOLDER - SCREENSHOT OF TEST PAGE WHEN AVAILABLE
Once you are happy it is working you can tick the visible box too. It will be live on the authentication point and available to your users a few seconds later.
How to use LDAP alongside MD accounts
Once you set this as both live and visible it becomes the default way for users to log into OpenAthens wherever the system knows the user is yours, e.g. where the user has selected your organisation from a WAYF on a federated resource, or where it remembers a user's previous choice. Where the system does not know the user is yours, only the OpenAthens account login will appear, but the user can find you via the search box.
Users with OpenAthens accounts can still log in by clicking the OpenAthens link on the page to switch their input. This gives you options for providing access to users who are not in your directory, such as temporary users, walk-ins or test accounts for suppliers.
PLACEHOLDER - SCREENSHOT OF NEW AP WHEN AVAILABLE
What the fields are for
Field | Explanation |
---|---|
Name | The name of the connection as it will appear to users at our authentication point. This should be a form of your organisation name so users can find it in a list when they need to. |
Directory type | Used to set default values where Active Directory differs from the underlying LDAP standard. |
Server host | The address where OpenAthens can connect to your server. This address must be reachable by our services from outside your network, so your firewall will need to allow inbound connections from OpenAthens to this host and port. |
Server port | The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary. |
Connection type | The form of transport security used. StartTLS (a TLS upgrade on the standard LDAP port) is the industry standard; ldaps:// (TLS from the start on a dedicated port) can be chosen for older systems. Both encrypt traffic between OpenAthens and your server. |
Admin bind DN | The full distinguished name of an account that can bind and read all the users you need to authenticate, e.g: cn=openathens,cn=users,dc=ad,dc=yourdomain,dc=net. Use a dedicated read-only service account rather than a personal or domain-admin account. |
Bind password | The password for the account specified in the admin bind DN. |
Base DN | The distinguished name of the part of your directory to search under, e.g: dc=ad,dc=yourdomain,dc=net |
Filter | An LDAP search filter that identifies the username attribute, plus any extra restrictions you need. The attribute you write as =${uid} is the one users will type into the login dialog; OpenAthens substitutes the login name for ${uid} when it searches for the user. |
Status | Live & visible = production ready. Users will be able to access this login at the authentication point. It becomes the default login whenever your organisation is known (e.g. for any resources where access involves your entityID). Live and not visible = testing mode. The connector works only via the supplied test URL; the authentication point will only offer OpenAthens accounts. Not live = cannot be used, and the visibility setting is ignored. Changes to the status can take up to PLACEHOLDER-TIME to go live. |
...
(&(objectCategory=Person)(mail=${uid})(memberOf=cn=students,dc=domain,dc=com)) - An example Active Directory filter that still requires the user to have an object category of Person, but this time uses the email address as the username and is additionally limited to members of the students security group. Note that memberOf matches direct group membership only.
...
If IT want to know what happens during an authentication...
During set-up and configuration
- There is an admin bind to your directory to check status and read the available attributes for mapping
During user authentications
- There is an admin bind to your directory to discover the user's distinguished name (DN): OpenAthens searches under the base DN using your filter, with the login name substituted for whichever attribute you defined as the user ID
- Once the DN is known, OpenAthens binds as that DN with the password the user entered; a successful bind authenticates the user, and only the mapped attributes are then requested. The user's password is used for this bind only
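The following is an added example, not OpenAthens code, that ties together the filter example above and the authentication sequence just described. It renders the Filter field by substituting the login name for ${uid} with the characters that RFC 4515 requires escaped, then walks the search-then-bind steps (admin bind, find the user's DN, bind as the user, read only the mapped attributes) against a small constructed in-memory directory. The directory entries, the CONFIG values and the helper names are all assumptions for illustration; the filter parser only handles the subset of syntax used here.

```python
"""Added example, not OpenAthens code: renders the login filter with the
login name escaped per RFC 4515, then walks the search-then-bind sequence
(admin bind, find the user's DN, bind as the user, read only the mapped
attributes) against a small constructed in-memory directory."""
import re

# Characters that must be escaped inside a filter assertion value (RFC 4515).
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


def escape_filter_value(value):
    """Escape a login name so it cannot change the structure of the filter."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template, login_name):
    """Substitute ${uid} the way the connector's Filter field is used."""
    return template.replace('${uid}', escape_filter_value(login_name))


def _unescape(raw):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def _value_matcher(raw):
    # An unescaped '*' is a wildcard; '\2a' is a literal asterisk.
    parts = [re.escape(_unescape(p)) for p in raw.split('*')]
    return re.compile('^' + '.*'.join(parts) + '$', re.IGNORECASE).match


def parse_filter(text, pos=0):
    """Minimal parser for the subset used here: (&(...)...) and (attr=value)."""
    if text[pos] != '(':
        raise ValueError('expected ( at %d' % pos)
    pos += 1
    if text[pos] == '&':
        pos += 1
        children = []
        while text[pos] == '(':
            node, pos = parse_filter(text, pos)
            children.append(node)
        if text[pos] != ')':
            raise ValueError('expected ) at %d' % pos)
        return ('and', children), pos + 1
    end = text.index(')', pos)
    attr, _, raw = text[pos:end].partition('=')
    return ('eq', attr.lower(), _value_matcher(raw)), end + 1


def matches(node, entry):
    if node[0] == 'and':
        return all(matches(child, entry) for child in node[1])
    _, attr, match = node
    return any(match(v) for v in entry.get(attr, []))


# Constructed sample directory (DN -> attributes); a real AD resolves
# objectCategory=Person to the schema DN itself. Keys are lower-cased.
DIRECTORY = {
    'cn=openathens,cn=users,dc=domain,dc=com': {
        'objectcategory': ['Person'], 'userpassword': ['service-secret']},
    'cn=alice,cn=users,dc=domain,dc=com': {
        'objectcategory': ['Person'], 'mail': ['alice@domain.com'],
        'memberof': ['cn=students,dc=domain,dc=com'],
        'displayname': ['Alice Example'], 'userpassword': ['alice-pw']},
    'cn=bob,cn=users,dc=domain,dc=com': {
        'objectcategory': ['Person'], 'mail': ['bob@domain.com'],
        'memberof': ['cn=staff,dc=domain,dc=com'],
        'displayname': ['Bob Example'], 'userpassword': ['bob-pw']},
    'cn=carol,cn=users,dc=domain,dc=com': {
        'objectcategory': ['Person'], 'mail': ['carol@domain.com'],
        'memberof': ['cn=students,dc=domain,dc=com'],
        'displayname': ['Carol Example'], 'userpassword': ['carol-pw']},
}

# Hypothetical values as they would be typed into the connector form.
CONFIG = {
    'admin_bind_dn': 'cn=openathens,cn=users,dc=domain,dc=com',
    'bind_password': 'service-secret',
    'base_dn': 'dc=domain,dc=com',
    'filter': '(&(objectCategory=Person)(mail=${uid})'
              '(memberOf=cn=students,dc=domain,dc=com))',
}


def bind(dn, password):
    """Simulated simple bind: succeeds only with the entry's own password."""
    entry = DIRECTORY.get(dn.lower())
    return entry is not None and password in entry['userpassword']


def search(base_dn, filter_text):
    """Return the DNs under base_dn whose entries match the filter."""
    node, _ = parse_filter(filter_text)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.endswith(base_dn.lower()) and matches(node, entry)]


def authenticate(cfg, login_name, password, mapped_attrs):
    """The sequence described above. Returns (ok, detail, attributes)."""
    if not bind(cfg['admin_bind_dn'], cfg['bind_password']):
        return False, 'admin bind failed', {}
    hits = search(cfg['base_dn'], render_filter(cfg['filter'], login_name))
    if len(hits) != 1:  # zero or ambiguous matches must not log anyone in
        return False, 'no unique match (%d)' % len(hits), {}
    user_dn = hits[0]
    if not bind(user_dn, password):
        return False, 'user bind failed', {}
    entry = DIRECTORY[user_dn]
    return True, user_dn, {a: entry.get(a.lower(), []) for a in mapped_attrs}


if __name__ == '__main__':
    print(authenticate(CONFIG, 'alice@domain.com', 'alice-pw', ['displayName', 'mail']))
    print(authenticate(CONFIG, 'bob@domain.com', 'bob-pw', ['displayName']))  # not a student
    # A wildcard login name is neutralised by escaping; substituted raw it
    # would match every student and the lookup would be ambiguous.
    print(search(CONFIG['base_dn'], render_filter(CONFIG['filter'], '*')))
    print(search(CONFIG['base_dn'], CONFIG['filter'].replace('${uid}', '*')))
```

The point to check in your own filter is the one the last two calls show: the login name must only ever be substituted as an escaped assertion value, and a search that returns anything other than exactly one DN must fail the login rather than bind as the first hit.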