...

  1. Click the add button on the left and select LDAP



  2. Have your colleague from the IT team complete the form and click add at the bottom.



  3. If your connection requires a certificate, the status panel will show failures for connection and bind until it is added:



  4. Switch to the certificate tab and paste in the contents of the certificate file, which should look similar to this:

    -----BEGIN CERTIFICATE-----
    IIIDlTCCAn2gLwIBAgIQJuhFWFFr7ZxCMn6ymkjQtjANBgkqhkiG9w0BAQUFADBd
    sRMwEQYKCZImiYPyLGQBGRYDbmV0MRowGAYKCZImiZPyLGQBGRYKb3BlbmF0aGVu
    HzESMBAGCgmSJoNT8ixkARkWAmFkMRYwFAYDVQQDEw1hZC1PQS1BREZTLUNBMB4X
    dTE1MDExNjEwNTEINFoXDTI1MDExNjExMDA1OVowXTETMBEGCgmSJomT8ixkARkW
    N25ldDEaMBgGCgmSSomT8ixkARkWCm9wZW5hdGhlbnMxEjAQBgoJkiaJk/IsZAEZ
    EgJhZDEWMBQGA1UEAAMNYWQtT0EtQURGUy1DQTCCASIwDQYJKoZIhvcNAQEBBQAD
    SgEPADCCAQoCggEBAMNkzzh4fgdFtCHzhbTSmSrEx846+wRmdG1FHKhSkXkmbV1U
    8S/TtRJ6zwPvb181AC/IGC7msrvSsZc19Jfe5nJVL2kSCAWDLjsIwJKUb9gep3na
    R846gv83Q/m0/YJ1pyT2DcAVcvCQAI2+MjoLFET43v9haREjbGa7JFDdnjsbjqyZ
    EODlalLKOlLicsGImTKFSI4UX3fzAPPLEareAWESOMEr05MdxQifVWpaDcPUh1BJ
    BK92Sy+oIBEqQzLu4Vtd/1O4HuyOSw5wOBJLGP4PTwbqPdrpotvDPg+MLN/RHc54
    vUEJcl1mTtLLBmMYiVJKXMxT1CYmYWM9ibA7JB8CAwEAAaNRME8wCwYDVR0PBAQD
    SgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFGWVTvqweerzee/JFMbuTYzi
    To/VMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3DQEBBQUAA4IBAQDGIvljYiX1
    wmneie6HnOmkNhQVuvxCSOpYZT3uezq/8/ZrhR5UrkWfYdmfhcmNgmndcMr3GSCt
    DJdjxT9c0qUK+PC2IjZtO3tVvuuZY1cf5E6A5TArihsz+E9rbcMta3YDT7kfpXj/
    /LggHsjOUxARZ/bAgP266HKGwC5vupxNIB79dwFKmr56fmnZ51kA+mdwB77Be6eO
    ompj/OTJqTveH3CjAEyVFyTKrdr7nDXCVwPDyWGTY7rKnkoXGnNWOo+X+Z1Xe0qy
    jGZJ1VsEP4N9KwZ5T8Dz+g4oecj+2kn0pwNidxTMfMoEQWd20hSUO6UwUcyPH1L5
    Q43QVdc7cHUv
    -----END CERTIFICATE-----
  5. This will be converted to a summary panel:



  6. Save changes.

  7. The status panel will update and should now show success if it did not before.



  8. You should be able to use the test authentication button now with your own username and password.

...

Final steps

Once you have defined the login box text to suit your organisation (on the login page tab), you are ready to deal with the final two areas:

How to test

By using the checkboxes to set live but not visible mode and saving, you will have access to a test URL displayed [PLACEHOLDER - LOCATION]. This will route to your otherwise hidden connector on our authentication point:

PLACEHOLDER - SCREENSHOT OF TEST LINK WHEN AVAILABLE

Authenticating will take you to a debug page that displays the information that has been released:

PLACEHOLDER - SCREENSHOT OF TEST PAGE WHEN AVAILABLE

Once you are happy it is working you can tick the visible box too. It will be live on the authentication point and available to your users a few seconds later. There will be more functions available later, but during the beta you can just set it as live and visible and start using it on the authentication point.

How to use LDAP alongside MD accounts

...

Field / Explanation

Name

The name of the connection as it will appear to users at our authentication point. This should be a form of your organisation name so users can find it in a list when they need to.

Directory type

Used to set default values where Active Directory is different from the underlying LDAP standard.

Server host

The address where OpenAthens can connect to your server. This address will need to be accessible by our services from outside of your network.

Server port

The port that your server uses for LDAP traffic. You can specify a non-standard port if necessary.

Connection type

The form of security used. StartTLS is the industry standard but ldaps:// can be chosen for older systems.

Admin bind DN

The full distinguished name of a user that can connect and view all the users you need to authenticate, e.g:

cn=openathens,cn=users,dc=ad,dc=yourdomain,dc=net

Bind password

The password for the user specified in the admin bind DN.

Base DN

The distinguished name of your directory, e.g:

dc=ad,dc=yourdomain,dc=net

Filter

Allows you to specify the username field, plus limitations where necessary. The field you identify as =${uid} will be used as the username in login dialogs.

Unique user attribute

This should be an attribute that will always be unique to that user; it is used in the generation of targetedIDs. In AD it defaults to 'objectGUID'.

Targeted ID seed / salt value

The seed salt used to generate a targetedID. This is only intended to be used when you are migrating from something like OpenAthens LA to MD, and is provided so that your users can keep the same targetedID value when they change systems.

Leaving it blank is usually the correct thing to do (it uses the same seed as your MD accounts). Modifying this after you go live will change the identifiers seen by service providers for all your users, which is very rarely desirable.

Status

Live & visible = production ready. Users will be able to access this login at the authentication point. It will become the default login whenever your organisation is known (e.g. for any resources where access involves your entityID).

Live and not visible = testing mode. Will work with the supplied test URL, but the authentication point will only use OpenAthens accounts.

Not live = cannot be used. The visibility setting is ignored.

Changes to the status usually go live within moments, but can take up to PLACEHOLDER-TIME.

Example filters

Instead of specifying only a username field, the use of a filter allows compatibility with a greater variety of LDAP structures. For example, where including all valid users requires binding to a node that also includes invalid users, the filter can exclude the invalid users.
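An added example (not OpenAthens code) covering the Filter field above and this note on restrictive filters: it substitutes the username into a ${uid} filter template with RFC 4515 escaping, so that characters carrying filter syntax in a typed username cannot change which users the filter matches, and it sanity-checks the DN strings entered on the form. The group-restricting filter template and the DN values are constructed samples.

```python
"""Added example: safe ${uid} substitution for an LDAP connector filter template,
plus a basic check of the bind/base DN strings. Not OpenAthens code."""
import re
from string import Template

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
# (Escaping of non-ASCII UTF-8 bytes is optional and is not done here.)
_RFC4515_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally inside a filter."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, username: str) -> str:
    """Fill the =${uid} placeholder of a connector filter template.

    Refuses templates that do not compare an attribute to ${uid}, since that
    field is what the login dialog treats as the username."""
    if "=${uid}" not in template:
        raise ValueError("filter must contain an attribute compared to =${uid}")
    return Template(template).safe_substitute(uid=escape_filter_value(username))


# One RDN of the form attr=value; OID attribute types are not handled here.
_RDN = re.compile(r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<val>.+)$")


def check_dn(dn: str) -> list:
    """Return problems found in a DN typed into the form (empty list if none).

    Assumes RDN values contain no escaped commas. Flags 'dn=' components,
    a common slip for the 'dc=' domain components of an AD-style DN."""
    problems = []
    for rdn in (part.strip() for part in dn.split(",")):
        m = _RDN.match(rdn)
        if not m:
            problems.append(f"malformed RDN: {rdn!r}")
        elif m.group("attr").lower() == "dn":
            problems.append(f"{rdn!r}: 'dn' is not an attribute type; use 'dc='")
    return problems


if __name__ == "__main__":
    # Constructed sample: username lookup restricted to members of one group.
    tmpl = "(&(sAMAccountName=${uid})(memberOf=cn=library,ou=groups,dc=ad,dc=yourdomain,dc=net))"
    print(build_filter(tmpl, "jsmith"))
    print(build_filter(tmpl, "*)(objectClass=*"))  # filter syntax is neutralised
    print(check_dn("cn=openathens,cn=users,dn=ad,dn=yourdomain,dn=net"))
```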

...