Configuring an identity agent for authentication by using LDAP
About this task
A social identity provider can be set up one time and it is used as a sign-in option for applications only. It cannot be used to sign in to the IBM® Security Verify Admin Console or My home page.
Procedure
- Select Integrations > Identity agents.
- Select Create agent configuration.
- Select Authentication as the purpose.
- Select the LDAP tile.
- Select Next.
- Configure the connection settings. Provide the following information to define the LDAP connection properties.
  - External LDAP host URI: This attribute is the on-premises LDAP server connection information. For a cluster LDAP fail-over setup, you can add multiple LDAP server URIs by selecting ADD URI.
  - Base: This attribute is the LDAP container search base for users.
  - LDAP bind DN: This attribute is the LDAP server connection user.
  - LDAP bind password: This attribute is the LDAP server connection password.
  - LDAP certificate authority certificate: This optional attribute is the SSL certificate that is used if the on-premises agent requires a TLS connection to the LDAP server.
  - View additional settings: You can define the following settings.
    - Enable whether LDAP requires TLS.
    - The maximum number of simultaneous LDAP connections for the LDAP server.
    - How long a successful password authentication is cached.
    - How long the connection is maintained.
    - The idle time before the LDAP server closes a connection.
    - The maximum time to process a request.
- Click Next.
- Provide the user properties.
  - Attributes: This attribute is a list of comma-separated LDAP user attributes that are returned from a successful password verify operation.
  - Binary attributes: This attribute is a list of comma-separated binary LDAP user attributes that are returned from a successful password verify operation.
  - Username attribute: This attribute is the naming attribute, such as user ID, that is used to look up a user for password verification. Note: Username identifier attributes are case sensitive. The default attribute sAMAccountName applies to earlier versions of Windows Active Directory. For Active Directory 2016 and later, the attribute is sAMAccountName.
  - Object class: This attribute is a list of comma-separated object classes that the LDAP user can have. The object classes are used with the username attribute to look up a user for password verification.
- Select Next.
- Map the identity provider attributes from the identity provider to the Verify Cloud Directory attributes. After you create the identity agent, you can change or update the mappings by using the edit function on the agent's tile.
- Select Next.
- In Finalize configuration, provide the following information.
  - A unique and recognizable name for the agent
  - A description
  - A display name for the identity provider
  - A realm for the identity provider
  - Optional: Select View advanced settings to add configuration attributes or to select a certificate for encryption.
- Click Save and continue.
- In Next steps, do the following steps.
  - Select View API credentials and use the copy to clipboard icon to copy and store the Client ID and Client secret.
  - If not already downloaded, download the agent from IBM X-Force App Exchange.
  - Add your API credentials to the agent configuration.
- Click Finish. The configuration is added to Identity agents and the identity provider is listed in Authentication > Identity providers.
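The connection and user-property settings above (LDAP host URIs, the comma-separated Object class list, and the Username attribute) are what the agent uses to look up a user before verifying the password. The following is an added example, not IBM's agent code, that sanity-checks those values the way an administrator might before saving the configuration: it accepts only ldap:// and ldaps:// URIs, normalizes the comma-separated lists, and builds the user-lookup search filter with RFC 4515 escaping so that a username containing filter metacharacters such as `*`, `(` or `)` cannot change the filter's structure. The sample values, the assumption that the object-class list means "any of these classes", and the function names are all constructed for this example.

```python
"""Added example (not IBM's code): sanity-check the LDAP agent settings.

Assumptions (not from the product documentation):
  - the Object class list is treated as "the user may have any of these";
  - the lookup filter is the username attribute AND'd with those classes.
"""
from urllib.parse import urlsplit

# RFC 4515 escape sequences for values placed inside an LDAP search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a caller-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_csv_setting(raw: str) -> list[str]:
    """Split a comma-separated setting (Attributes, Object class, ...) into a clean list."""
    return [item.strip() for item in raw.split(",") if item.strip()]


def validate_ldap_uris(raw_uris: list[str]) -> list[str]:
    """Accept only ldap:// or ldaps:// URIs that name a host; reject anything else."""
    accepted = []
    for uri in raw_uris:
        candidate = uri.strip()
        parts = urlsplit(candidate)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            raise ValueError(f"invalid LDAP URI: {uri!r}")
        accepted.append(candidate)
    if not accepted:
        raise ValueError("at least one LDAP URI is required")
    return accepted


def build_user_lookup_filter(username_attr: str, object_classes: list[str], username: str) -> str:
    """Build the filter used to find the user entry for password verification.

    The username is escaped; the attribute name and object classes come from the
    administrator's configuration, so they are escaped too for consistency.
    """
    if not object_classes:
        raise ValueError("at least one object class is required")
    oc_terms = "".join(f"(objectClass={escape_filter_value(oc)})" for oc in object_classes)
    # A single class needs no OR wrapper; several classes are OR'd together (assumption).
    oc_clause = oc_terms if len(object_classes) == 1 else f"(|{oc_terms})"
    return f"(&{oc_clause}({username_attr}={escape_filter_value(username)}))"


def check_agent_settings(form: dict) -> dict:
    """Normalize the relevant form fields and return the derived lookup filter for a sample user."""
    return {
        "uris": validate_ldap_uris(form["uris"]),
        "attributes": parse_csv_setting(form["attributes"]),
        "object_classes": parse_csv_setting(form["object_class"]),
        "sample_filter": build_user_lookup_filter(
            form["username_attribute"],
            parse_csv_setting(form["object_class"]),
            form["sample_username"],
        ),
    }


# Constructed sample form values, mirroring the fields in the procedure above.
SAMPLE_FORM = {
    "uris": ["ldaps://ldap1.example.test:636", " ldap://ldap2.example.test:389 "],
    "attributes": "cn, mail,,sn ",
    "object_class": "person,user",
    "username_attribute": "sAMAccountName",
    "sample_username": "jdoe",
}

if __name__ == "__main__":
    for key, value in check_agent_settings(SAMPLE_FORM).items():
        print(f"{key}: {value}")
```

The escaping is the part worth keeping in mind: a lookup filter assembled by string concatenation from an unescaped username lets `*` or `)(` alter which entry is matched, so any code that builds such filters itself should escape the value exactly as shown.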