Active Directory Synchronization for Identity Providers
This setting enables Active Directory synchronization for Identity Providers in Laserfiche Directory Server.
Enable Active Directory Synchronization for Identity Providers
- Click the Settings tab.
- Click the Identity Providers tab.
- Choose an identity provider in the left pane.
- Click the Rules tab.
- Toggle Enable Active Directory synchronization to Yes.
- Click Test to ensure the connection is successful.
Note: To learn more, navigate to Adding an Active Directory Identity Provider.
Configuring Active Directory Group Synchronization rules
If you have Windows domain accounts as named users, you can take advantage of Active Directory group synchronization in Directory Server to automatically assign or remove user licenses based on group membership. With Active Directory synchronization, Directory Server polls the specified Active Directory domain controllers for changes to specific groups, that is, whether users were added to or removed from the specified groups.
To add a synchronization rule, Directory Server must subscribe to one or more Active Directory identity providers. For each domain controller, you can then add a synchronization rule that monitors a single Windows group. Each rule can then automatically assign full licenses, assign retrieval licenses, or remove licenses as group membership changes.
The synchronization process runs on a specified interval. By default, this interval is set at 1 hour. During each synchronization cycle, Directory Server polls the registered domain controllers, retrieves the list of monitored groups, then processes all the synchronization rules.
Note: See the General tab to configure the polling interval.
Tip: Use the Synchronize button to force Active Directory synchronization rules to run at a particular time for testing purposes.
For each registered domain controller, Directory Server processes synchronization rules sequentially from top to bottom in the order that the rules are listed on the Directory Server administration site. For example:
1. You have two Windows groups: QA and Engineering.
2. The QA group contains 1 user: John.
3. The Engineering group contains 2 users: Jane and John (the same John as the one in the QA group).
4. You add a synchronization rule that assigns full named user licenses to the QA group.
5. You add a second synchronization rule, below the rule in step 4, that assigns retrieval named user licenses to the Engineering group.
6. Because the rule added in step 5 is the last rule that Directory Server processes, both Jane and John end up with retrieval named user licenses.
During a synchronization cycle, Directory Server processes all rules before checking whether you have enough available licenses to perform the desired action. For example:
1. You are licensed for 100 full named user licenses.
2. One synchronization rule assigns full named user licenses to a group with 200 members.
3. A second synchronization rule removes named user licenses from a group whose 100 members also belong to the group in step 2.
4. Directory Server processes both rules before checking your primary license, and you end up with a valid configuration utilizing your 100 full named user licenses.
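The following simulation is an added example, not Laserfiche code; it models the rule semantics this page describes (non-exempt named users cleared, rules applied top to bottom with later rules overwriting earlier ones, license count checked only at the end) using constructed group data, so both examples above can be reproduced and re-ordered.

```python
# Added simulation (not Laserfiche code) of a Directory Server AD group
# synchronization cycle as described on this page. Group membership and
# license capacity below are constructed sample data.
from dataclasses import dataclass

@dataclass
class Rule:
    group: str
    license: str  # "full", "retrieval", or "remove"

def run_sync_cycle(groups, rules, named_users, exempt, full_capacity):
    """Return (named_users_after_cycle, primary_license_check_passed).

    groups: {group_name: set of member names}; named_users: {user: license}
    before the cycle; exempt: users marked exempt from synchronization rules.
    """
    # 1. Clear every non-exempt named user; exempt users are untouched.
    state = {u: lic for u, lic in named_users.items() if u in exempt}
    # 2. Process rules sequentially; a later rule wins for a user in two groups.
    for rule in rules:
        for member in groups.get(rule.group, ()):
            if member in exempt:
                continue
            if rule.license == "remove":
                state.pop(member, None)
            else:
                state[member] = rule.license
    # 3. Only now is the result compared with the primary license.
    full_used = sum(1 for lic in state.values() if lic == "full")
    return state, full_used <= full_capacity

def ordering_example(reverse=False):
    """The QA/Engineering example: rule order decides John's license."""
    groups = {"QA": {"John"}, "Engineering": {"Jane", "John"}}
    rules = [Rule("QA", "full"), Rule("Engineering", "retrieval")]
    if reverse:
        rules.reverse()  # swapping the rules leaves John with a full license
    state, _ = run_sync_cycle(groups, rules, {}, set(), full_capacity=100)
    return state

def capacity_example():
    """200 members assigned full licenses, 100 of them removed: 100 remain."""
    big = {f"user{i}" for i in range(200)}
    groups = {"Big": big, "Leavers": {f"user{i}" for i in range(100)}}
    rules = [Rule("Big", "full"), Rule("Leavers", "remove")]
    state, ok = run_sync_cycle(groups, rules, {}, set(), full_capacity=100)
    return len(state), ok
```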
Note: Active Directory synchronization only adds and removes users from the Named Users list; it does not grant them access to your repository or repositories. You will also need to make sure that the user has Trusted authentication status in the Laserfiche Administration Console to allow that user to sign in to the repository. However, you can grant the Trusted status to an entire group; its users will inherit that setting even if they have not been manually added.
To create a group synchronization rule
- Open the Laserfiche Directory Server administration site and select your licensing site.
- View the Settings tab and click the Identity Providers secondary tab.
- Select the desired identity provider.
- View the Rules tab.
- Make sure that Active Directory synchronization is enabled.
- Use the button to insert a new rule.
- Under Group, use the button to search for a group. Type all or part of the group name you wish to locate and click Search.
- Select the group you want to monitor with this rule.
- Optional: Under Organization, choose whether members of the group should be added to a Directory Server organization.
- Under License, select the type of license you want to assign to members of this group.
Note: Users with license type "None" will not be added to Laserfiche Directory Server. Users with no license can still sign in to a licensed server through the public portal.
- Use the button to insert additional rules as needed.
- Click Save to save your rule.
Active Directory group synchronization rules are run in order, and the same set of rules can return different results when ordered differently. To obtain your desired result, you can reorder your rules in the list. Use the up arrow and down arrow to the right of a rule to move the rule up or down the list.
Important: When processing Active Directory group synchronization rules, Directory Server clears out all non-exempt named users. Registered named users that are marked as being exempt from synchronization rules and registered named devices are not affected.