Quick and easy SaaS provisioning for OpenLDAP

To Each His Own

Assigning Application Groups

To check whether you can see your OpenLDAP application groups, go to Directory | Groups and edit the entry that corresponds to your application by clicking on its name (Figure 10). Click the Manage apps button, and then use the Assign Applications to DropBoxBusinessUsers dialog (in this case) to select the application that is being assigned to this group.

Figure 10: Assigning groups to an app.

Assigning an app to a group of confirmed Okta users is the final step in making this integration achieve a useful result. It should immediately provision those users in the app, and, depending on the app configuration, the users will receive an activation email from the app itself and be able to start using it, with their sign-in method determined by the SWA/SSO choice made at the Okta application configuration stage. To revoke a user's access to the app, remove them from the LDAP group; to restore it, just re-add them. (In both cases, the change only reaches Okta on the next scheduled import, and you should receive an email after every import that results in changes.)

Testing Your Integration

This integration has quite a number of moving parts and scope for unexpected outcomes. Given what's at stake – access to critical data and applications by people whose jobs will either depend on the access or, conversely, who should absolutely not have access at all – Table 1 runs through a comprehensive set of tests.

Table 1: Testing the Integration

Add a new user to your LDAP directory and assign them to application groups.
  - Can they sign in to Okta with their LDAP password?
  - Do they have access to the applications in their assigned groups (SWA or SSO as applicable)?
  - Are they unable to sign in to applications in other groups?
Reset a user's password.
  - Does this immediately take effect on their Okta account and on their assigned apps?
Remove a user from an application group.
  - Does this keep them from accessing only that application, without affecting their access to other applications?
Disable a user's app access flag.
  - Does this remove their access to all apps? (It should take effect on the next scheduled import.)
Re-enable the app access flag.
  - Is the user's account restored along with access to their original data? (This behavior depends on the app itself.)
Restart the server that runs the agent.
  - Do you receive a notification email?
  - Does the integration continue working after the restart?
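Because group membership and the app access flag are the only two levers that should grant or revoke SaaS access, it is worth having a small oracle that computes the access each user ought to have from an LDAP export and compares it with what Okta actually shows after an import. The script below is an added example, not code from the article or from Okta: it parses a constructed LDIF export (folded lines and base64 values included), applies the rule "user gets an app if the flag is enabled and the user is a member of a group assigned to that app", and reports every discrepancy against a constructed snapshot of Okta's app assignments. The attribute name appAccess, the group-to-app mapping, and all user and group entries are assumptions made up for the example.

```python
import base64
from collections import defaultdict

# Constructed LDIF export of users and groups; the attribute name
# "appAccess" is a hypothetical name for the article's "app access flag".
LDIF_EXPORT = """\
version: 1
# users
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
cn:: QWxpY2UgU21pdGg=
appAccess: TRUE

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
appAccess: FALSE

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
appAccess: TRUE

# application groups (one folded member line to exercise unfolding)
dn: cn=DropBoxBusinessUsers,ou=groups,dc=example,dc=com
cn: DropBoxBusinessUsers
member: uid=alice,ou=people,
 dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com

dn: cn=SalesforceUsers,ou=groups,dc=example,dc=com
cn: SalesforceUsers
member: uid=alice,ou=people,dc=example,dc=com
"""

# Which LDAP group is assigned to which Okta app (constructed mapping).
GROUP_TO_APP = {"DropBoxBusinessUsers": "Dropbox Business",
                "SalesforceUsers": "Salesforce"}

# Constructed snapshot of what Okta shows after the last import.
OKTA_OBSERVED = {"alice": {"Dropbox Business"},
                 "bob": {"Dropbox Business"},
                 "carol": set()}


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from LDIF text.
    Handles folded continuation lines, '#' comments and '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, defaultdict(list)
    for line in lines + [""]:                  # trailing "" flushes last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        name, rest = line.split(":", 1)
        if rest.startswith(":"):               # "attr:: base64value"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
    return entries


def expected_access(entries, group_to_app, flag_attr="appAccess"):
    """Map each uid to the set of apps LDAP says they should be provisioned in:
    flag enabled AND member of a group that is assigned to the app."""
    users, memberships = {}, defaultdict(set)
    for dn, attrs in entries:
        if "uid" in attrs:
            enabled = attrs.get(flag_attr, ["FALSE"])[0].upper() == "TRUE"
            users[dn] = (attrs["uid"][0], enabled)
        cn = attrs.get("cn", [None])[0]
        if cn in group_to_app:
            for member_dn in attrs.get("member", []):
                memberships[member_dn].add(group_to_app[cn])
    return {uid: (memberships.get(dn, set()) if enabled else set())
            for dn, (uid, enabled) in users.items()}


def reconcile(expected, observed):
    """Compare LDAP-derived expectations with Okta's current assignments.
    Returns sorted (uid, app, problem) tuples; an empty list means they match."""
    problems = []
    for uid in sorted(set(expected) | set(observed)):
        exp, obs = expected.get(uid, set()), observed.get(uid, set())
        problems += [(uid, app, "missing in Okta") for app in sorted(exp - obs)]
        problems += [(uid, app, "should be revoked") for app in sorted(obs - exp)]
    return problems


if __name__ == "__main__":
    want = expected_access(parse_ldif(LDIF_EXPORT), GROUP_TO_APP)
    for uid, app, problem in reconcile(want, OKTA_OBSERVED):
        print(f"{uid:8} {app:18} {problem}")
```

In the constructed data, alice should hold both apps but Okta only shows Dropbox Business, and bob's flag is disabled yet he is still provisioned; both are exactly the conditions the first and fourth rows of Table 1 ask you to check, and a non-empty report after the scheduled import is the signal that something in the chain (group assignment, filter, or agent) needs attention.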

Conclusion

Don't let your users suffer in a SaaS desert on account of directory management worries. By integrating your LDAP directory with cloud-based SaaS providers, you can achieve the dual aims of retaining control over your users' data and access to applications, while giving them the tools they want.


The Author

Abe Sharp is technical operations manager for StarLeaf Inc. (Americas), which is a provider of cloud-based video conferencing and collaboration services.
