Configuring LDAP Authentication Source


# Description

To facilitate authentication and login for enterprise users, IDaaS directs authentication to LDAP via the LDAP protocol. After LDAP authentication succeeds, the user attributes returned by LDAP are matched and validated against the associated user attributes in IDaaS. Upon successful verification, users can log in to IDaaS. This feature is currently only supported in 2E scenarios.

This section describes the relevant operations for configuring an LDAP authentication source.

# Prerequisites

Administrator privileges for the IDaaS Enterprise Center platform.

# Steps

# Configuring LDAP Authentication Source on the IDaaS Platform

  1. Log in to the IDaaS Enterprise Center platform. In the top navigation bar, select "Authentication > Authentication Source Management". On the LDAP authentication source page, click "Add Authentication Source".

  2. Configure the key parameters for the LDAP authentication source according to the on-screen prompts. Key parameter descriptions are as follows.

    Connection Method: Configures how the LDAP service connects to the IDaaS service.

    • Direct Connection: If the LDAP server has a fixed public IP address and is accessible from the public network, it is recommended to choose the direct connection method.

    • Via Cloud Bridge Agent: If the LDAP server is not accessible from the public network and needs to be accessed via Authentication Source Cloud Bridge, choose to connect via the Cloud Bridge Agent method.

    # Configuring Direct Connection Parameters (Direct Connection)

    Two authentication modes are supported, described below.

    • Configure Direct Authentication Based on DN: If your enterprise users all have similar DN patterns, such as uid=XXX,ou=user,dc=test,dc=com, it is recommended to choose this configuration.

      Select Direct Connection as the connection method. Configure the LDAP address, Base DN, and User DN pattern according to the on-screen prompts. Other parameters are optional.

    • Configure Administrator Account Password Authentication: If your enterprise users do not have a fixed DN pattern, it is recommended to choose this configuration.

      Select Direct Connection as the connection method. Configure the LDAP address, Base DN, Administrator DN, Administrator password, User Search Base, and User Search Filter according to the on-screen prompts. Other parameters are optional.

      • It is recommended to use a transport-encrypted method for the LDAP address connection, such as ldaps://[hostname]:[port]/. Using an ldaps address will verify the certificate by default. You can choose to ignore certificate verification based on your actual situation.
      • If both authentication modes mentioned above are configured, DN pattern authentication will be prioritized during the authentication login phase. If authentication fails, administrator account password authentication will be used.
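The two direct-connection modes and their priority order, as an added example that is not part of the original documentation or the IDaaS product. It runs against a constructed in-memory directory instead of a live LDAP server, uses "{0}" as an assumed placeholder for the username in the User DN pattern and User Search Filter, and escapes the username before substituting it so that a value such as "*" cannot widen the search.

```python
import re
from types import SimpleNamespace

# Constructed stand-in for the LDAP server: DN -> (password, attributes).
DIRECTORY = {
    "uid=alice,ou=user,dc=test,dc=com": ("alice-pw", {"uid": "alice", "cn": "Alice Wang"}),
    "uid=bob,ou=staff,dc=test,dc=com": ("bob-pw", {"uid": "bob", "cn": "Bob Li"}),
    "cn=ldapadmin,dc=test,dc=com": ("admin-pw", {"cn": "ldapadmin"}),
}

def bind(dn, password):
    """Simulated simple bind: succeeds only for a known DN with the right password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password

def escape_dn_value(value):
    """Escape the RFC 4514 special characters of a username placed into the User DN pattern."""
    return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)

def escape_filter_value(value):
    """RFC 4515 escaping for a username placed into the User Search Filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def search(base, filt):
    """Simulated subtree search for one (attr=value) filter: an unescaped '*' is a
    wildcard and '\\xx' is a literal character, as an LDAP server would read them."""
    attr, pattern = filt.strip("()").split("=", 1)
    rx = "".join(".*" if t == "*" else re.escape(chr(int(t[1:], 16)) if t[0] == "\\" else t)
                 for t in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+", pattern))
    return [dn for dn, (_, attrs) in DIRECTORY.items()
            if dn.endswith(base) and attr in attrs and re.fullmatch(rx, attrs[attr])]

def authenticate(username, password, cfg):
    """Return the bound user DN or None. DN-pattern authentication is tried first;
    administrator-bind-and-search is the fallback, matching the documented priority."""
    if cfg.user_dn_pattern:
        dn = cfg.user_dn_pattern.replace("{0}", escape_dn_value(username))
        if bind(dn, password):
            return dn
    if cfg.admin_dn and bind(cfg.admin_dn, cfg.admin_password):
        filt = cfg.user_search_filter.replace("{0}", escape_filter_value(username))
        hits = search(cfg.user_search_base, filt)
        if len(hits) == 1 and bind(hits[0], password):  # exactly one entry must match
            return hits[0]
    return None

# "{0}" as the username placeholder is an assumption; the page writes the pattern as uid=XXX,...
CFG = SimpleNamespace(user_dn_pattern="uid={0},ou=user,dc=test,dc=com",
                      admin_dn="cn=ldapadmin,dc=test,dc=com", admin_password="admin-pw",
                      user_search_base="dc=test,dc=com", user_search_filter="(uid={0})")
```

With this configuration alice binds through the DN pattern while bob, whose entry sits under a different OU, is found only by the administrator search fallback.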

    # Configuring Cloud Bridge Connection Parameters (Via Cloud Bridge Agent Connection)

    | Parameter | Description |
    | --- | --- |
    | Connection Method | The method used to connect to the LDAP server. Select "Via Cloud Bridge Agent Connection". |
    | Select Cloud Bridge Agent | Select an already installed and deployed Cloud Bridge of the Authentication Source type. Cloud Bridges with versions prior to 22.6.1.0 are filtered out. |
    | Source Attribute | LDAP username attribute. Default value: uid. |
    | Associated User Attribute | IDaaS user attribute field. Options include Username, ID, Mobile Number, Employee ID, and Email. It is recommended to associate the LDAP username with Username. |
    | When User Not Associated | Strategy applied when the LDAP attribute does not match any IDaaS user attribute. Can be configured to automatically create a user or to fail. |
    | Update Existing Attributes | Default is No (displayed when automatic user creation is selected). |

    • Purpose of Source Attribute and Associated User Attribute: Maps a user attribute from LDAP to a user attribute in IDaaS. Authentication succeeds if this attribute from the user information returned by LDAP matches the associated attribute in IDaaS.

    • When User Not Associated: When the source attribute from the user information returned by LDAP does not match the associated attribute in IDaaS, and no system user is associated, the following configurations are available.

      • If failure is selected, authentication is not allowed to pass.

      • If automatic user creation is selected, an IDaaS user is created based on the mapping rules and the associated attribute, and authentication passes.

    The mapping attribute description is as follows:

    • User attribute name: Drop-down selection of user attributes in IDaaS.

    • Mapping type: Select the mapping type.

      • When selecting the authentication source attribute option, enter the attribute name returned by the authentication source in the third row's authentication source attribute name input field.
      • When selecting the fixed value option, enter the fixed attribute value in the third row's fixed value input field.
      • When selecting script transformation, enter the transformation script in the third row's script content input field. For the syntax of script transformation, please refer to How to Develop Dynamic Scripts in Mapping Definitions. For common AD returned attributes in the script transformation object, please refer to the Script Transformation Object section below.

    • Authentication source attribute name: User attributes in the LDAP server.


    # Script Transformation Object

    The script object is idp, containing attributes returned by LDAP. Common attributes are as follows:

    | Attribute Name | Description |
    | --- | --- |
    | uid | Usually refers to the user login name. Example: uid=tester |
    | sn | Usually refers to a person's surname. Example: sn: Wang |
    | cn | Usually refers to an object's name. For a person, the full name should be used. Example: CN=ldapadmin |
    | telephoneNumber | Phone number |
    | mail | Email |

    • The objectClass defined in the LDAP schema determines the attributes available in LDAP. As shown in the LDAP control panel image below, you can see this user's objectClass is organizationalPerson, which includes attributes sn (Last Name) and cn (Common Name).

    • When using the script object, you can retrieve an attribute directly as idp.<attribute name>, for example: idp.cn, idp.sn.
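How the source attribute is matched against the associated IDaaS attribute, how the "When User Not Associated" strategy and "Update Existing Attributes" setting play out, and how the three mapping types (authentication source attribute, fixed value, script over the idp object) fill in a created user, as an added example that is not part of the original documentation or the IDaaS product. The IDaaS user store and the LDAP result are constructed, and because the real script syntax is documented elsewhere, a script is represented here as a Python callable receiving the idp object (an assumption).

```python
from types import SimpleNamespace

# Constructed LDAP result for one user, with the common attributes listed on the page.
LDAP_RESULT = {"uid": "bob", "sn": "Li", "cn": "Bob Li", "mail": "bob@example.test"}

# Mapping rules: (IDaaS attribute, mapping type, source attribute / fixed value / script).
# A "script" is modelled as a Python callable over `idp` (assumption; real syntax differs).
MAPPING = [
    ("username", "source", "uid"),
    ("email", "source", "mail"),
    ("department", "fixed", "Imported from LDAP"),
    ("display_name", "script", lambda idp: "%s (%s)" % (idp.cn, idp.uid)),
]

def apply_mapping(ldap_attrs, rules):
    """Build IDaaS user attributes from the LDAP attributes according to the rules."""
    idp = SimpleNamespace(**ldap_attrs)  # the page's script object: idp.cn, idp.sn, ...
    user = {}
    for idaas_attr, kind, value in rules:
        if kind == "source":
            user[idaas_attr] = ldap_attrs.get(value, "")
        elif kind == "fixed":
            user[idaas_attr] = value
        elif kind == "script":
            user[idaas_attr] = value(idp)
        else:
            raise ValueError("unknown mapping type: " + kind)
    return user

def associate(ldap_attrs, users, source_attr="uid", associated_attr="username",
              on_unassociated="fail", update_existing=False, rules=MAPPING):
    """Return (outcome, user) where outcome is 'matched', 'created' or 'failed'."""
    key = ldap_attrs.get(source_attr)
    if key is None:                      # LDAP did not return the source attribute at all
        return ("failed", None)
    for user in users:
        if user.get(associated_attr) == key:
            if update_existing:          # assumed meaning of "Update Existing Attributes"
                user.update(apply_mapping(ldap_attrs, rules))
            return ("matched", user)
    if on_unassociated == "create":
        user = apply_mapping(ldap_attrs, rules)
        user[associated_attr] = key      # keep the link so the next login matches directly
        users.append(user)
        return ("created", user)
    return ("failed", None)
```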

  3. After completing the LDAP authentication source parameter configuration, enter an LDAP username and password at the bottom of the configuration page and click "Test" to verify both the LDAP authentication source configuration and the connection to the LDAP server. If the test succeeds, save the configuration.