Even as enterprises continue to adopt more cloud applications, Active Directory and Lightweight Directory Access Protocol (LDAP) still play a critical role in how information security, personal computers and users are managed. This whitepaper describes how OneLogin securely connects your LDAP infrastructure to OneLogin and your cloud applications.
There are several other advantages to directory integration besides enabling users to sign into applications with their existing network credentials:
The rest of this white paper goes into more detail about how OneLogin integrates with LDAP. (Note that a similar white paper exists about OneLogin’s Active Directory integration.)
Integrating internal directories with cloud applications can be an expensive and cumbersome process that frustrates IT administrators and causes maintenance headaches for the entire organization. OneLogin’s LDAP integration sets a new standard for ease of use with its no-touch installation process, which can be completed in as little as one minute.
The LDAP Connector is installed by downloading a Java ARchive (JAR) file that you can deploy in a Java container such as WebSphere, WebLogic or JBoss. Alternatively, you can simply run it from the shell using java or jre. Make sure that the Connector is running at all times so that OneLogin is always able to delegate authentication to the LDAP server.
OneLogin issues a unique 40-character security token for each directory connected with OneLogin, which must be entered during the connector installation process. OneLogin uses it to identify each directory.
As soon as the installation is complete, the LDAP Connector establishes a secure, outbound SSL connection to OneLogin that it keeps up at all times. The OneLogin screen shows that the directory is connected, and you can browse a visual tree of all organizational units in the directory. Import one or more subtrees into OneLogin to begin user synchronization. From that point on, users in the selected subtrees are automatically synchronized with OneLogin at configurable intervals.
The LDAP Connector does not require any firewall changes to communicate with OneLogin, as all communication is performed over two separate, outbound SSL connections (see Figure 1).
The connection for authentication and password updates is a persistent connection that the LDAP Connector keeps up at all times. If, for some reason, the connection fails, the LDAP Connector re-establishes it immediately. The connection for user synchronization communicates with OneLogin’s REST API and is only established when there are pending user updates.
The LDAP Connector also supports a high-availability mode, in which there are multiple LDAP servers per domain (see Figure 2). You can install multiple LDAP Connectors per LDAP server, all of which are connected to OneLogin simultaneously. One Connector is designated as the primary Connector. If OneLogin is unable to reach the primary Connector, one of the secondary Connectors is automatically promoted to primary.
Figure 2 shows how multiple connectors can run in parallel. You can even install multiple connectors per LDAP instance. Administrators can also manually promote LDAP Connectors or bring them online or offline in OneLogin.
When users are created, updated or disabled in LDAP, the changes are pushed to OneLogin within minutes, which has several key benefits.
By default, the LDAP directory is scanned for changes every 5 minutes, but this interval is configurable as a command line option.
At a minimum, OneLogin synchronizes email address, user name and group memberships. You can also configure OneLogin to synchronize additional fields and map them to custom fields. Note that OneLogin does not synchronize passwords from LDAP unless the administrator explicitly enables this feature.
OneLogin automatically imports user group memberships, which can be used to automate the assignment of applications to users. This is done via rule-based mappings that make it possible to express rules such as the following:
Roles are the mechanism within OneLogin that assigns applications to users. A user can have multiple roles, and one application can belong to multiple roles. For example:
Even though both the Marketing and Sales roles contain Salesforce, assigning both roles to a user gives the user only one Salesforce login.
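The group-to-role and role-to-application behaviour described above, as an added example (not OneLogin’s code): it evaluates constructed group DNs from a user’s memberOf attribute against assumed mapping rules and shows that overlapping roles yield a single Salesforce assignment. The group DNs, role names and applications are all constructed sample values.

```python
"""Group-based role mapping and application assignment (added example, constructed data)."""

# Constructed rules: if the user's memberOf contains this group DN, grant the role.
GROUP_TO_ROLE = {
    "cn=marketing,ou=groups,dc=example,dc=com": "Marketing",
    "cn=sales,ou=groups,dc=example,dc=com": "Sales",
    "cn=engineering,ou=groups,dc=example,dc=com": "Engineering",
}

# Roles assign applications; one application may belong to several roles.
ROLE_TO_APPS = {
    "Marketing": ["Salesforce", "HubSpot"],
    "Sales": ["Salesforce", "Zendesk"],
    "Engineering": ["GitHub", "Jira"],
}


def normalize_dn(dn):
    """Loose DN normalisation: lowercase each RDN and strip whitespace.
    Attribute types are case-insensitive in LDAP and cn values use
    case-insensitive matching, so this is enough for the constructed data."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def roles_for(member_of):
    """Return the set of roles granted by the user's group memberships."""
    rules = {normalize_dn(group): role for group, role in GROUP_TO_ROLE.items()}
    return {rules[normalize_dn(g)] for g in member_of if normalize_dn(g) in rules}


def apps_for(member_of):
    """Union of applications across roles: a user holding both Marketing
    and Sales ends up with exactly one Salesforce assignment."""
    apps = set()
    for role in roles_for(member_of):
        apps.update(ROLE_TO_APPS.get(role, []))
    return sorted(apps)


def sync_changes(previous_apps, current_apps):
    """Diff two assignment sets to show what a synchronization run would grant or revoke,
    e.g. after a user is moved between groups in LDAP."""
    return {
        "grant": sorted(set(current_apps) - set(previous_apps)),
        "revoke": sorted(set(previous_apps) - set(current_apps)),
    }
```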
The outbound, persistent connection from the LDAP Connector enables OneLogin to validate user credentials against an LDAP server without storing any LDAP passwords in OneLogin. When a user tries to sign into OneLogin by entering a username and password, OneLogin sends a delegated authentication request to the LDAP Connector, which in turn validates the user’s credentials against LDAP. Delegated authentication ensures that your LDAP passwords are not stored anywhere outside the firewall.
When a user with an expired password tries to sign into OneLogin, they are prompted to enter the existing password and select a new password that complies with the password requirements defined by the user’s security policy in OneLogin. Security policies define the minimum password length, whether the password must contain digits or special characters, how often the password expires and how long reuse of old passwords is prevented.
Once the user enters a valid new password, OneLogin updates the user’s password in LDAP and the user is signed into OneLogin. It is possible to disable this password update feature in OneLogin.
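The policy checks listed above (minimum length, digits, special characters, expiry and reuse prevention), as an added example that is not OneLogin’s code: it validates a candidate password against an assumed policy object and a history of salted PBKDF2 digests, so that reuse can be detected without keeping old passwords in the clear. Policy values and timestamps are constructed.

```python
"""Password-policy enforcement with reuse prevention (added example, constructed policy)."""
import hashlib
import os
import re
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class PasswordPolicy:
    min_length: int = 12
    require_digit: bool = True
    require_special: bool = True
    max_age_days: int = 90       # how often the password expires
    history_size: int = 5        # how many previous passwords may not be reused


def hash_password(password, salt=None):
    """PBKDF2-SHA256 with a random per-password salt; returns (salt, digest).
    Only digests are kept in history, never the passwords themselves."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def password_expired(policy, last_changed_iso, now_iso):
    """True when the password is older than the policy's maximum age (ISO 8601 timestamps)."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age >= timedelta(days=policy.max_age_days)


def validate_new_password(policy, candidate, history):
    """Return the list of policy violations; an empty list means the candidate is acceptable.
    history holds (salt, digest) tuples of previous passwords, newest first."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not re.search(r"\d", candidate):
        problems.append("no digit")
    if policy.require_special and not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no special character")
    # Re-derive the digest with each stored salt to detect reuse of a recent password.
    for salt, digest in history[:policy.history_size]:
        if hash_password(candidate, salt)[1] == digest:
            problems.append("reuses a recent password")
            break
    return problems
```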
For organizations with multiple directories, OneLogin is a real life saver, because it allows for the integration of any number of Active Directory and LDAP directories and presents them as a single directory to other applications (see Figure 4).
Figure 4. Unifying Multiple Directories
Most applications are only able to integrate with one directory per customer, but the combination of OneLogin’s directory integration capabilities and SAML overcomes this limitation.
OneLogin’s turnkey solution makes it easy to connect your directory infrastructure to applications in the cloud and behind the firewall, without compromising security.