Imply Cloud Auth with SSO support is a beta feature for Imply Cloud. See About experimental features for more information about beta features.
You can use LDAP-based identity federation with Imply SSO for user authentication and role assignment. By default, Imply LDAP support maps username, email, first name, and last name from attributes.
Adding an LDAP provider
To configure LDAP, follow these steps:
In the Imply auth console, click
User Federationin the left navigation menu.
Add Providermenu and choose ldap from list. The LDAP configuration settings appear as follows:
Configure the settings based on your use case. The following sections provide more information about the configuration options.
Console Display Name
Name used when this provider is referenced in the admin console
The priority of this provider when looking up users or adding a user.
By default, Imply auth imports users from LDAP into the local Imply auth user database. This copy of the user is either synchronized on demand or through a periodic background task.
The single exception to this is the synchronization of passwords. Passwords are never imported. Their validation is always delegated to the LDAP server. The benefits of this approach is that all Imply auth features will work as any extra per-user data that is needed can be stored locally. The downside of this approach is that each time that a specific user is queried for the first time, a corresponding Imply auth database insert is performed.
The import may also have to be synchronized with your LDAP server. However, import synchronization is not necessary in the case that the LDAP mappers are configured to always read particular attributes from the LDAP rather than from the database.
Alternatively, you can choose not to import users into the Imply auth user database. In this case, the common user model that the Imply auth runtime uses is backed only by the LDAP server. This means that if LDAP doesn't support a piece of data that a Imply auth feature needs that feature will not work. The benefit to this approach is that you do not have the overhead of importing and synchronizing a copy of the LDAP user into the Imply auth user database.
This storage mode is controlled by the
Import Users switch. Set to
On to import users.
If user import is disabled, you cannot save user profile attributes into the Imply auth database. Also you cannot save metadata except for user profile metadata that are mapped to the LDAP. The single exception to this are user profile metadata, which are mapped to the LDAP. This possibly includes role mappings, group mappings and other metadata based on the configuration of your LDAP mappers.
When the attempt is made to change some of the non-LDAP mapped user data, the update of the user will not be possible. For example you will not be able to disable the LDAP mapped user unless the
enabled flag of the user is mapped to some LDAP attribute (which is usually not the case).
Users, through the User Account Service, and admins through the Admin Console can modify user information. Depending on your setup you may or may not have LDAP update privileges. The Edit Mode configuration option defines the edit policy you have with your LDAP store.
- READONLY: Username, email, first name, last name, and other mapped attributes will be unchangeable. Imply auth will show an error anytime anybody tries to update these fields. Also, password updates will not be supported.
- WRITABLE: Username, email, first name, last name, and other mapped attributes and passwords can all be updated and will be synchronized automatically with your LDAP store.
- UNSYNCED: Any changes to username, email, first name, last name, and passwords will be stored in Imply auth local storage. It is up to you to figure out how to synchronize back to LDAP. This allows Imply auth deployments to support updates of user metadata on a read-only LDAP server. This option only applies when you are importing users from LDAP into the local Imply auth user database.
When the LDAP provider is created, the set of initial LDAP mappers is created. The mappers are configured on a "best-effort" basis based on the chosen combination of the
Edit Mode, and
Import Usersswitches. For example, in case of UNSYNCED edit mode, the mappers are pre-configured in a way that a particular user attribute is preferably read from the database instead of from the LDAP.
However when you later change the edit mode, the mappers configuration will not be changed as it is not easily possible to detect if they were manually changed in the meantime. This means that it is recommended NOT to update the
Edit Modeswitch, but rather always decide on
Edit Modewhen creating the LDAP provider. This applies for
Import Usersswitch as well.
Does your LDAP support adding new users? Click this switch if you want new users created by Imply auth in the admin console or the registration page to be added to LDAP.
Allow Kerberos authentication
Enable Kerberos/SPNEGO authentication in realm with users data provisioned from LDAP. More info in Kerberos section.
For information about other configuration settings, hover over the tooltips for each setting in the Admin Console to see help.
Synchronizing LDAP users to Imply auth
If you enable the Import Users option, the LDAP Provider will automatically take care of synchronization (import) of needed LDAP users into the Imply auth local database. As users log in, the LDAP provider will import the LDAP user into the Imply auth database and then authenticate against the LDAP password. This is the only time users will be imported.
If you go to the
Users left menu item in the Admin Console and click the
View all users button, note that only those LDAP users who have been authenticated at least once appear. Viewing all users does not trigger an import of the entire LDAP user database.
If you want to sync all LDAP users into the Imply auth database, you may configure and enable the
Sync Settings on the LDAP provider configuration page.
Two types of synchronization exist:
Performing periodic full sync
This type will synchronize all LDAP users into the Imply auth database. Those LDAP users, which already exist in Imply auth and were changed in LDAP directly will be updated in the Imply auth database. For example, the user
Mary Kelly was changed in LDAP to
Performing periodic changed users sync
When syncing occurs, only those users that were created or updated after the last sync will be updated and/or imported.
The best way to handle syncing is to click the
Synchronize all users button when you first create the LDAP provider,
then set up a periodic sync of changed users.
Setting up LDAP mappers
LDAP mappers are
listeners, which are triggered by the LDAP Provider at various points and provide another extension point to LDAP integration.
They are triggered when a user logs in via LDAP and needs to be imported, during Imply auth initiated registration, or when a user is queried from the Admin Console.
When you create an LDAP Federation provider, Imply auth will automatically provide set of built-in
mappers for this provider. You are free to change this set and create a new mapper or update/delete existing ones.
User Attribute Mapper
This allows you to specify which LDAP attribute is mapped to which attribute of Imply auth user.
So, for example, you can configure that LDAP attribute
This allows you to specify that the full name of the user, which is saved in some LDAP attribute (usually
cn ) will be mapped to
lastname attributes in the Imply auth database.
cn to contain full name of user is a common case for some LDAP deployments.
When registering new users in Imply auth and
Sync Registrationsis ON for the LDAP provider, the fullName mapper allows the possibility of fallback to the username. This fallback is especially useful in case of the Microsoft Active Directory. The common setup for the MSAD is to configure
cnLDAP attribute as fullName and at the same time, the
cnis usually used as
RDN LDAP Attributein the configuration of the LDAP provider. With this setup, the fallback to the username will be used. For example when you create Imply auth user "john123" and leave firstName and lastName empty, then fullname mapper will save "john123" as the value of the
cnin LDAP. When you later enter "John Doe" for firstName and lastName, the fullname mapper will update LDAP
cnto the value "John Doe" as fallback to the username will not be needed anymore.
Hardcoded Attribute Mapper
This mapper adds a hardcoded attribute value to each Imply auth user linked with LDAP.
This mapper can also force the values for the
emailVerified user properties.
This allows you to configure role mappings from LDAP into Imply auth role mappings.
One Role mapper can be used to map LDAP roles (usually groups from a particular branch of LDAP tree) into roles corresponding to either realm roles or client roles of a specified client.
It's not a problem to configure more Role mappers for the same LDAP provider.
So for example you can specify that role mappings from groups under
ou=main,dc=example,dc=org will be mapped to realm role mappings and role mappings from groups under
ou=finance,dc=example,dc=org will be mapped to client role mappings of client
Hardcoded Role Mapper
This mapper will grant a specified Imply auth role to each Imply auth user from the LDAP provider.
This allows you to map LDAP groups from a particular branch of an LDAP tree into groups in Imply auth. It will also propagate user-group mappings from LDAP into user-group mappings in Imply auth.
MSAD User Account Mapper
This mapper is specific to Microsoft Active Directory (MSAD). It's able to tightly integrate the MSAD user account state
into the Imply auth account state (account enabled, password is expired, and so on).
It is using the
pwdLastSet LDAP attributes, which are both specific to MSAD and are not LDAP standard.
For example if
0, the Imply auth user is required to update their password
and there will be an UPDATE_PASSWORD required action added to the user. If
514 (disabled account) the Imply auth user is disabled as well.