Working with an Active Directory Identity Provider
You can add an Active Directory identity provider on the Laserfiche Directory Server administration site. This process lets you configure and set up rules for Active Directory synchronization within Laserfiche Directory Server.
Adding an Active Directory Identity Provider
- View the Settings tab and click the Identity Providers secondary tab.
- Use the Add Identity Provider button to open the New Identity Provider page.
- Specify a display name for the identity provider within Directory Server.
- Under Identity Provider Type, choose Active Directory.
- Under Host, type the fully qualified domain name of the Active Directory domain controller that Directory Server should query.
- Under Root, specify an appropriate base distinguished name (such as the DN of the domain or of an organizational unit) to limit directory searches to that subtree.
- Optional: Provide alternate credentials if you want to use a specific user to query Active Directory instead of the Directory Server service user. Directory Server uses these credentials both to perform Active Directory synchronization and to retrieve a user's DN for authentication purposes. Read access to the subtree under Root is all that is needed, so use a dedicated read-only account rather than a privileged one.
- Optional: Select Use TLS to encrypt the connection to the domain controller. This is recommended, particularly when alternate credentials are supplied.
- Optional: Turn on the Enable AD FS authentication option to allow users from that provider to authenticate using Active Directory Federation Services (AD FS).
- Next to AD FS Host, specify the AD FS host name.
- Click Get Configuration From Host to automatically get the Issuer and Endpoint values.
Note: For a new AD FS identity provider, clicking the Get Configuration From Host button retrieves the Issuer and Endpoint values but not the certificate. When editing an existing AD FS identity provider, clicking the Get Configuration From Host button retrieves the Issuer and Endpoint values as well as the certificate.
You can also specify the values manually.
- Next to Issuer, specify your AD FS issuer value. This is the AD FS Federation Service identifier, which by default uses the http scheme (it is an identifier, not an address) and must match exactly the issuer AD FS places in its tokens. By default, it should look similar to the following:
http://adfs.sampledomain.com/adfs/services/trust
- Next to Endpoint, specify your AD FS endpoint, the URL users are redirected to for sign-in. By default, it should look similar to the following:
https://adfs.sampledomain.com/adfs/ls/
- Under Certificates, click Choose File and specify your AD FS X.509 token-signing certificate. Directory Server uses it to verify the signature on tokens issued by AD FS, so when AD FS rolls over its token-signing certificate (which it does automatically by default), upload the new certificate here or sign-in through this provider will fail.
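The three values above are all published in the federation metadata document that AD FS serves at /FederationMetadata/2007-06/FederationMetadata.xml, which is what Get Configuration From Host reads. The script below is an added example written for this page (it is not Laserfiche code): it extracts the Issuer, the passive Endpoint and the token-signing certificate(s) from a constructed, abbreviated metadata sample, and then checks an administrator's entered values against them, flagging the common mistakes (wrong scheme on the issuer, stale certificate, rollover in progress). The host name and certificate bodies in the sample are placeholders, and the certificate comparison assumes the uploaded file is PEM or bare base64.

```python
"""Extract Issuer, Endpoint and token-signing certificate(s) from AD FS
federation metadata and check them against configured values.

Added example for this page, not Laserfiche code. SAMPLE_METADATA is a
constructed, abbreviated document in the shape AD FS publishes; the host
name and certificate bodies are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample. Real metadata is signed and also carries WS-Federation
# RoleDescriptors; they are omitted because this example does not use them.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.sampledomain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-ENCRYPTION-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC-SIGNING-PLACEHOLDER</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.sampledomain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_adfs_metadata(xml_text):
    """Return {"issuer", "endpoint", "signing_certs"} read from the metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: host is not publishing AD FS IdP metadata")
    endpoint = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == HTTP_REDIRECT:
            endpoint = sso.get("Location")
    # AD FS lists two signing certificates while a token-signing rollover is pending.
    signing_certs = [
        normalize_cert(kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                   default="", namespaces=NS))
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") == "signing"
    ]
    return {"issuer": root.get("entityID"), "endpoint": endpoint,
            "signing_certs": signing_certs}


def normalize_cert(text):
    """Reduce a PEM or bare base64 certificate to its base64 body.
    Assumption: the uploaded file is PEM/base64 (DER would need encoding first)."""
    return "".join(line.strip() for line in text.strip().splitlines()
                   if line.strip() and not line.startswith("-----"))


def check_provider_config(metadata, issuer, endpoint, cert_text):
    """Compare the values entered on the identity provider page with what AD FS
    publishes. Returns a list of problems; an empty list means the config matches."""
    problems = []
    # The issuer is an identifier compared byte for byte; "http://" is expected.
    if issuer != metadata["issuer"]:
        problems.append(f"issuer mismatch: configured {issuer!r}, "
                        f"AD FS publishes {metadata['issuer']!r}")
    if endpoint != metadata["endpoint"]:
        problems.append(f"endpoint mismatch: configured {endpoint!r}, "
                        f"AD FS publishes {metadata['endpoint']!r}")
    if not (endpoint or "").startswith("https://"):
        problems.append("endpoint is not https; sign-in requests would travel in clear")
    certs = metadata["signing_certs"]
    if normalize_cert(cert_text) not in certs:
        problems.append("uploaded certificate is not a current AD FS token-signing "
                        "certificate; token signature validation will fail")
    if len(certs) > 1:
        problems.append("AD FS has a pending token-signing rollover; upload the new "
                        "certificate before the old one is retired")
    return problems


if __name__ == "__main__":
    md = parse_adfs_metadata(SAMPLE_METADATA)
    print(md)
    print(check_provider_config(md, "https://adfs.sampledomain.com/adfs/services/trust",
                                md["endpoint"], "MIIC-SIGNING-PLACEHOLDER"))
```

Run it against a real host by replacing SAMPLE_METADATA with the downloaded metadata; the issuer check in particular catches the frequent mistake of "correcting" the default http issuer to https, which makes every token fail validation.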
Configuring Active Directory Group Synchronization Rules
- Click the Settings tab.
- Click the Identity Providers tab.
- Select an Active Directory identity provider in the left pane.
- Click the Rules tab.
- Set Enable Active Directory synchronization to Yes.
- Click Test to validate that the connection is successful.
If you have Windows domain accounts as named users, you can take advantage of Active Directory group synchronization in Directory Server to automatically assign or remove user licenses based on group membership. With Active Directory synchronization, Directory Server polls the specified Active Directory domain controllers for membership changes in the monitored groups, that is, users added to or removed from those groups.
To add a synchronization rule, Directory Server must subscribe to one or more Active Directory identity providers. For each domain controller, you can then add a synchronization rule that monitors a single Windows group. Each rule can then automatically assign full licenses, assign retrieval licenses, or remove licenses as group membership changes.
The synchronization process runs on a specified interval. When the Poll Active Directory for synchronization every value is set to 0, Active Directory synchronization will occur every 30 minutes after the service is started. During each synchronization cycle, Directory Server polls the registered domain controllers, retrieves the list of monitored groups, then processes all the synchronization rules.
Note: See the General tab to configure the polling interval.
Tip: Use the Synchronize button to force Active Directory synchronization rules to run at a particular time for testing purposes.
For each registered domain controller, Directory Server processes synchronization rules sequentially from top to bottom in the order that the rules are listed on the Directory Server administration site. For example:
- You have two Windows groups: QA and Engineering.
- The QA group contains 1 user: John.
- The Engineering group contains 2 users: Jane and John (same John as the one in the QA group).
- You add a synchronization rule that assigns full named user licenses to the QA group.
- You add a second synchronization rule below the rule in step 4 that assigns retrieval named user licenses to the Engineering group.
- Because the rule added in step 5 is the last rule that Directory Server processes, both Jane and John end up with retrieval named user licenses; John's full license from the QA rule is overwritten. To give John a full license, move the QA rule below the Engineering rule.
During a synchronization cycle, Directory Server processes all rules before checking whether you have enough available licenses for the resulting assignments. For example:
- You are licensed for 100 full named user licenses.
- One synchronization rule assigns full named user licenses to a group with 200 members.
- A second synchronization rule removes named user licenses from a group whose 100 members all belong to the group in step 2.
- Directory Server processes both rules before checking against your primary license, so only the 100 remaining users count, and you end up with a valid configuration using your 100 full named user licenses. If the check ran after each rule, the first rule alone would have exceeded the license.
Note: Active Directory synchronization only adds and removes users from the Named Users list, it does not grant them access to your repository or repositories. You will also need to make sure that the user has Trusted authentication status in the Laserfiche Administration Console to allow that user to sign in to the repository. However, you can grant the Trusted status to an entire group; its users will inherit that setting even if they have not been manually added.
To create a group synchronization rule
- Open the Laserfiche Directory Server administration site and select your licensing site.
- View the Settings tab and click the Identity Providers secondary tab.
- Select the desired Active Directory identity provider.
- View the Rules tab.
- Make sure that Active Directory synchronization is enabled.
- Use the Add button to insert a new rule.
- Next to Group, click the ellipsis button to search for a group. Type all or part of the group name you wish to locate and click Search.
- Select the group you want to monitor with this rule.
- Optional: Under Organization, choose whether members of the group should be added to a Directory Server organization.
- Under License, select the type of license you want to assign to members of this group.
Note: Users with license type "None" are not added to Laserfiche Directory Server as named users. Users with no license can still sign in to a licensed server through the public portal.
- Use the Add button to insert additional rules as needed.
- Click Save to save your rule.
Active Directory group synchronization rules are run in order, and the same set of rules can return different results when ordered differently. To obtain your desired result, you can reorder your rules in the list. Use the up arrow and down arrow to the right of a rule to move the rule up or down the list.
Important: When processing Active Directory group synchronization rules, Directory Server clears all non-exempt named users and then re-adds users according to the rules. A named user who is not a member of any monitored group therefore loses the license on the next cycle unless the user is marked as exempt. Registered named users that are marked as exempt from synchronization rules, and registered named devices, are not affected.
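Because rule order, the clearing of non-exempt named users, and the end-of-cycle license check interact, it helps to model a cycle before changing rules on a live provider. The script below is an added example written for this page (not Laserfiche code) that simulates one synchronization cycle as the sections above describe it: non-exempt named users are cleared, rules run top to bottom with the last rule touching a user winning, a rule with license "None" removes the user, and license capacity is checked only after every rule has run. It reproduces both worked examples from the page (QA/Engineering ordering, and the 200-member/100-member capacity case); group memberships, user names and license counts are constructed.

```python
"""Simulate one Active Directory group synchronization cycle as described on
this page. Added example, not Laserfiche code; memberships and license counts
below are constructed.
"""
from collections import Counter

FULL, RETRIEVAL, NONE = "full", "retrieval", "none"


def run_sync_cycle(rules, groups, named_users, exempt=frozenset()):
    """rules: ordered list of (group_name, license_type), top to bottom.
    groups: {group_name: set(user)} as read from the domain controller.
    named_users: {user: license_type} before the cycle.
    exempt: users marked exempt from synchronization rules; kept untouched.
    Returns the named-user list after the cycle."""
    # Non-exempt named users are cleared before the rules run.
    result = {u: lic for u, lic in named_users.items() if u in exempt}
    for group, license_type in rules:
        for user in groups.get(group, set()):
            if user in exempt:
                continue
            if license_type == NONE:
                result.pop(user, None)        # rule removes the license
            else:
                result[user] = license_type   # later rules overwrite earlier ones
    return result


def check_capacity(named_users, available):
    """The license check that runs after all rules. available: {license_type: count}.
    Returns (ok, usage Counter)."""
    usage = Counter(named_users.values())
    ok = all(count <= available.get(lic, 0) for lic, count in usage.items())
    return ok, usage


def page_examples():
    """Both worked examples from the page, returned for inspection."""
    groups = {"QA": {"John"}, "Engineering": {"Jane", "John"}}
    qa_first = run_sync_cycle([("QA", FULL), ("Engineering", RETRIEVAL)], groups, {})
    qa_last = run_sync_cycle([("Engineering", RETRIEVAL), ("QA", FULL)], groups, {})

    staff = {f"user{i}" for i in range(200)}          # constructed 200-member group
    contractors = {f"user{i}" for i in range(100)}    # 100 of the same users
    after = run_sync_cycle([("AllStaff", FULL), ("Contractors", NONE)],
                           {"AllStaff": staff, "Contractors": contractors}, {})
    ok, usage = check_capacity(after, {FULL: 100})
    return qa_first, qa_last, ok, usage


if __name__ == "__main__":
    qa_first, qa_last, ok, usage = page_examples()
    print("QA rule above Engineering:", qa_first)   # both retrieval
    print("QA rule below Engineering:", qa_last)    # John full, Jane retrieval
    print("capacity ok:", ok, dict(usage))           # True, 100 full in use
```

Feed it your own group memberships (for example exported with Get-ADGroupMember) and rule list to predict the outcome of a reorder; the exempt parameter shows why a manually licensed administrator account should be marked exempt before synchronization is enabled.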