AD as Identity Source

# Overview

This section explains how to configure AD as an identity source in the IDaaS platform, so that the organization and user data maintained centrally in AD is synchronized to IDaaS and stays consistent across enterprise application systems.

# Prerequisites

  • The IDaaS public cloud service must be able to reach the AD service. If the AD server is protected by network access policies, add the IDaaS public cloud service IP address (47.92.171.137) to the network whitelist.
  • Have administrator privileges for the IDaaS Enterprise Center platform.

# Steps

  1. Log in to the IDaaS Enterprise Center platform, select "Users > Identity Source Management" from the top navigation bar, click "Add Identity Source", and choose the "AD" identity source.

  2. Customize the identity source name and fill in parameters such as host and TCP port according to the interface prompts. It is recommended to select "Direct Connection" for the "Connection Method". Because the connection originates from the IDaaS public cloud service, the AD endpoint is reachable from the public network; restrict access to the whitelisted IP address and use an encrypted connection where your AD deployment and the connection settings allow it. After setting, click "OK" to save.

  3. Enter the details page of the newly added identity source to view and update the "Basic Configuration" of the AD identity source, including connection parameters and synchronization mechanisms.

  4. Switch to the "Optional Configuration" tab. The key settings are as follows.

    • In the optional configuration, change only the parameters listed in the table below and keep the remaining parameters at their defaults.
    • To use a different AD attribute as the IDaaS username, for example sAMAccountName, set Account Username Attribute to sAMAccountName. Then, in the Object Model step, under User Mapping Definition > Account Name > Username, change the execution mode to On Create and Update.

    | Parameter | Description |
    | --- | --- |
    | Account Object Class | Change to top,person,organizationalPerson,user |
    | Account Username Attribute | Default is uid,cn. During synchronization, the cn value from AD is written to the username in IDaaS. |
    | UID Attribute | Change to objectGUID. objectGUID is assigned once and does not change when an account is renamed or moved, so it is a stable identifier for matching. |
  5. After configuration is complete, switch to the "Advanced Configuration" tab. It is recommended to keep the defaults or adjust them according to actual needs.

    | Parameter | Description |
    | --- | --- |
    | Select Root Organization | Sets the IDaaS organization node under which synchronized data is placed. |
    | Organization Matching Policy | Matches organizations by mapping attribute names in IDaaS to attribute names in the AD identity source. Multiple matching rules can be added. |
    | Create Organization | Default is "Yes": organizations created in AD are automatically created in IDaaS. |
    | Update Organization | Default is "Yes": organizations updated in AD are automatically updated in IDaaS. |
    | Delete Organization | After an organization is deleted in AD, IDaaS can disable the organization, keep it, or synchronize the deletion. |
    | User Matching Policy | Matches users by mapping attribute names in IDaaS to attribute names in the AD identity source. Multiple matching rules can be added. |
    | Create User | Default is "Yes": users created in AD are automatically created in IDaaS. |
    | Update User | Default is "Yes": users updated in AD are automatically updated in IDaaS. |
    | Delete User | After a user is deleted in AD, IDaaS can disable the user, keep the user, or synchronize the deletion. |
    | Safety Threshold Adjustment | Sets the maximum percentage of change accepted from the upstream identity source for operations such as user deletion, organization deletion, or organizational hierarchy changes. Threshold = (difference between the platform's recycled data and this batch's recycled data / recycled data) * 100%. When the upstream identity source disables or deletes more data than the configured threshold allows, the platform does not perform the disable or delete operations when it receives the instruction. |
  6. After configuration is complete, switch to the "Object Model" tab and select "Mapping Definition". Complete the attribute definitions and mapping definitions according to actual requirements. Key parameter descriptions are as follows.

    The object model supports mapping and matching attributes from users and organizations in the AD identity source with attributes of users and organizations in IDaaS. After configuration, this enables retrieving user and organization attributes from AD and syncing them to the corresponding user and organization attributes in IDaaS.

    • Execution Mode: Sets under which circumstances the attribute needs to be mapped.
      • Do Not Map: This attribute will not be synchronized to IDaaS.
      • On Create: The attribute is synchronized only during creation.
      • On Update: The attribute is synchronized only during updates.
      • On Create and Update: The attribute is synchronized during both creation and updates.
    • Transformation Method: Sets the method for attribute mapping.
      • Automatic Transformation: Synchronizes the value exactly as it is from the identity source.
      • Script Transformation: Use this method to transform the value from the identity source if it does not meet the required format. Refer to Script Mapping Methods.
  7. After completing the object model settings, click "Execute Synchronization" to perform the synchronization operation immediately.

    If the synchronization mechanism in the basic configuration is set to scheduled synchronization, manual execution of synchronization tasks is not required here.

  8. After execution is complete, switch to the "Synchronization Events" page to view all synchronization tasks for this identity source. Click "Details" under the "Actions" column to view the import results, or go to the "Users > Users and Organizations" page to view the imported data.
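
The following Python script is an added example and is not part of the IDaaS documentation or product code. It simulates offline, on constructed sample entries, what the steps above configure: the account object-class filter and objectGUID UID from step 4, the delete handling and safety threshold from step 5, and the execution modes and transformation methods of the object model in step 6. The threshold check is a simplified reading of the page's formula (the share of existing IDaaS users a batch would remove), not the product's exact computation, and all function, class and mapping names are this example's own; only the AD attribute names are real.

```python
import uuid
from dataclasses import dataclass
from typing import Callable, Optional

# --- Step 4: "Optional Configuration" values taken from the page ---
ACCOUNT_OBJECT_CLASSES = ("top", "person", "organizationalPerson", "user")
UID_ATTRIBUTE = "objectGUID"


def account_filter(classes=ACCOUNT_OBJECT_CLASSES) -> str:
    """LDAP search filter equivalent to the 'Account Object Class' setting."""
    return "(&" + "".join(f"(objectClass={c})" for c in classes) + ")"


def is_account(entry: dict, classes=ACCOUNT_OBJECT_CLASSES) -> bool:
    """Offline stand-in for that filter: the entry must carry every listed class."""
    return set(classes) <= set(entry.get("objectClass", ()))


def object_guid_to_str(raw: bytes) -> str:
    """AD returns objectGUID as 16 raw bytes in little-endian GUID layout; the
    canonical text form is the stable UID that survives renames and moves."""
    return str(uuid.UUID(bytes_le=raw))


# --- Step 6: "Object Model" mapping definition (IDaaS attribute <- AD attribute) ---
@dataclass
class Mapping:
    target: str                        # IDaaS attribute name
    source: str                        # AD attribute name
    mode: str = "create_and_update"    # do_not_map | on_create | on_update | create_and_update
    script: Optional[Callable] = None  # None = automatic transformation, else script transformation


def mapping_applies(mode: str, event: str) -> bool:
    """Execution mode semantics from step 6."""
    return {"do_not_map": False, "on_create": event == "create",
            "on_update": event == "update", "create_and_update": True}[mode]


def map_entry(entry: dict, mappings: list, event: str) -> dict:
    """Build the IDaaS attribute set written for one create or update event."""
    out = {}
    for m in mappings:
        if mapping_applies(m.mode, event) and m.source in entry:
            value = entry[m.source]
            out[m.target] = m.script(value) if m.script else value
    return out


# --- Step 5: delete handling guarded by the safety threshold ---
def deletion_exceeds_threshold(existing: int, to_delete: int, threshold_pct: float) -> bool:
    """ASSUMPTION: simplified reading of the page's formula, taken as the share
    of existing IDaaS users this batch would remove, expressed as a percentage."""
    return existing > 0 and to_delete / existing * 100 > threshold_pct


def plan_sync(ad_entries: list, idaas_users: dict, mappings: list, threshold_pct: float = 10.0) -> dict:
    """idaas_users maps UID -> attributes. Users are matched on the UID attribute
    (objectGUID); users no longer present in AD become delete candidates."""
    creates, updates, seen = {}, {}, set()
    for entry in ad_entries:
        if not is_account(entry):
            continue                                   # e.g. a contact or computer object
        uid = object_guid_to_str(entry[UID_ATTRIBUTE])
        seen.add(uid)
        event = "update" if uid in idaas_users else "create"
        (updates if event == "update" else creates)[uid] = map_entry(entry, mappings, event)
    missing = sorted(set(idaas_users) - seen)
    suppressed = deletion_exceeds_threshold(len(idaas_users), len(missing), threshold_pct)
    return {"create": creates, "update": updates,
            "delete": [] if suppressed else missing, "delete_suppressed": suppressed}


# Constructed sample directory entries (not real directory data).
GUID_A = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le
GUID_B = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee").bytes_le
AD_ENTRIES = [
    {"objectClass": ["top", "person", "organizationalPerson", "user"], "objectGUID": GUID_A,
     "sAMAccountName": "alice", "cn": "Alice Liu", "mail": "Alice.Liu@EXAMPLE.COM",
     "telephoneNumber": "010-1234"},
    {"objectClass": ["top", "person", "organizationalPerson", "contact"], "objectGUID": GUID_B,
     "cn": "shared mailbox"},                           # not an account: filtered out
]
MAPPINGS = [
    Mapping("username", "sAMAccountName", "create_and_update"),  # step 4 note: sAMAccountName as username
    Mapping("displayName", "cn"),
    Mapping("email", "mail", script=str.lower),                  # script transformation
    Mapping("phone", "telephoneNumber", "on_create"),            # never overwrites later edits in IDaaS
]

if __name__ == "__main__":
    print(account_filter())
    print(plan_sync(AD_ENTRIES, {}, MAPPINGS))
```

Running the script once against an empty IDaaS user set shows the first import (one create, the contact object skipped); running plan_sync a second time with a larger existing user set shows that "On Create" attributes are left untouched on update and that a batch which would remove more users than the threshold permits is held back with delete_suppressed set, which is the behaviour the safety threshold exists to provide.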