Active Directory - Just In-Time User Provisioning
Instructions for Configuration of Microsoft Active Directory Just In-Time Provisioning with InsightCloudSec
InsightCloudSec supports using Microsoft Active Directory authentication as a valid authentication server. This page provides details for configuring InsightCloudSec for use with Active Directory. For details on Azure Active Directory, check out the Azure Active Directory docs.
Before getting started you will need the following:
- A functioning InsightCloudSec platform
- Appropriate InsightCloudSec permissions (Domain Admin or Org Admin)
- Administrative credentials to your Active Directory instance
- An established Active Directory Group that contains an account (user and password) used to establish access. The selected group must also already contain the users you want provisioned (add them before you enable JIT).
For questions or issues, reach out to us through the Customer Support Portal.
Value Names (DivvyCloud vs. InsightCloudSec)
Some components, screen captures, examples, and values use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.
Active Directory Authentication Server Setup
Refer to the steps outlined below to create an Active Directory Authentication Server:
1. Navigate to "Administration --> Identity Management" and select the "Authentication Servers" tab.
2. Click the "Add Server" button to launch the form.
3. Complete the "Create Authentication Server" form as follows:
- Nickname: Provide a nickname for the Active Directory server.
- Select Server Type: Select "Active Directory" from the drop-down server type menu.
- Global Scope Checkbox: Select the Global Scope checkbox if you want to use this server across all of your Organizations.
- Learn more about Organizations.
- Server Host/IP: the hostname or IP address of the Active Directory server.
- This is often represented as ‘dc.yourdomain.com’. Do not include any protocol or port information here.
- Port Number: Provide the port number on which your Active Directory instance is configured to listen.
- Port ‘389’ is the default Active Directory port.
- If your Active Directory is configured to use SSL, the default port is ‘636’.
- If your Active Directory instance has been configured to use any other port, supply that value here.
4. Configuration continued
- Secure Server Checkbox: Select the "Secure Server" checkbox if your Active Directory instance has been configured to use SSL.
- Admin Username: Enter the Distinguished Name ("DN") of a user account with 'bind' privileges. The DN is usually represented as "CN=Your Name,OU=YourOrganization,DC=YourCompanyName,DC=Com".
- Provide the corresponding password for the given Admin Username.
- Base User DN: The Base User DN is the search base that identifies where user accounts are located within the directory.
- Usually, this looks something like "CN=Users,DC=YourCompanyName,DC=Com".
- Note: It is important to provide the most specific search string possible. A search string of "DC=YourCompanyName,DC=Com" might work depending on how the directory was configured, but it will result in inefficient lookups that are taxing to the Active Directory instance and could cause timeouts while users attempt to authenticate.
- UPN Suffix: If you have configured your Active Directory instance to use a 'User Principal Name', or your domain is configured to use explicit UPN names, supply the UPN suffix value.
- Note that this will prevent users from authenticating to InsightCloudSec using implicit suffixes, even if the Active Directory instance is configured to allow that.
Enabling JIT for Active Directory
5. This step assumes that you are configuring Just In-Time Provisioning (periodic user provisioning).
- If you are not familiar with this feature check out the Just In-Time User Provisioning (Authentication Server Support) summary details.
- JIT is enabled using the two checkboxes in the "Enable periodic user provisioning" section at the end of the form (step 6); make sure the requirements below are met first.
Active Directory JIT Requirements
JIT configuration requires the following:
- An Active Directory Group established and configured correctly, including all members/users that you want to have InsightCloudSec access.
- It is important that these members are added to the group before you enable JIT within InsightCloudSec.
- For additional details on Microsoft Active Directory, refer to their documentation on Using Groups.
InsightCloudSec JIT also requires that you have completed Group Mappings with your desired entitlements configured.
- Refer to our documentation on Basic User Groups, Roles, & Entitlements, and our User Entitlements Matrix for details.
Before you proceed with Group Mappings for external authentication, all of your desired entitlements must be configured. If you create a group and enable group mapping before you establish entitlements, the users within that group will have nothing configured and will not be able to access anything.
6. To enable JIT, select the two checkboxes at the end of the form in the "Enable periodic user provisioning" section.
- Enable periodic user provisioning: enables synchronization between InsightCloudSec and your Active Directory Group. Users in Active Directory are then synchronized once an hour or on demand (by selecting the "synchronize users" option next to the server name in the actions menu).
- Update profile (email & display name on periodic user provisioning): on every sync (hourly or manual), the username and email within InsightCloudSec are updated to match what Active Directory supplies.
7. Click "Submit" once you have completed the form.
- InsightCloudSec verifies that the credentials you submitted are correct and that the account provided has the required 'bind' privilege.
- Note: If an error message appears, verify that the values you entered are correct for the Active Directory instance you are trying to authenticate against.
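As an added pre-flight check (example code written for this page, not part of InsightCloudSec or Microsoft's documentation), the following Python validates the form values from steps 3 and 4 before you click "Submit": a host with no protocol or port, a port consistent with the "Secure Server" checkbox, DN syntax for the Admin Username and Base User DN, the domain-root warning from the Base User DN note, and the UPN suffix format. Field names and the sample values in the test are assumptions.

```python
import re
from dataclasses import dataclass

# Accepts one RDN such as "CN=Your Name"; escaped commas inside values are
# not handled (assumption for this example).
DN_RDN = re.compile(r"^(CN|OU|DC|O|L|ST|C|UID)=[^,=]+$", re.IGNORECASE)

@dataclass
class AdServerForm:
    """Values from the Create Authentication Server form (field names assumed)."""
    host: str
    port: int
    secure: bool          # the "Secure Server" checkbox
    admin_dn: str         # "Admin Username", expected to be a DN
    base_user_dn: str
    upn_suffix: str = ""

def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, or None if any RDN is malformed."""
    parts = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not DN_RDN.match(rdn):
            return None
        attr, value = rdn.split("=", 1)
        parts.append((attr.upper(), value))
    return parts

def check_form(form: AdServerForm) -> list:
    """Return findings for the form values; an empty list means they look consistent."""
    findings = []
    # Server Host/IP must be a bare hostname or IPv4 address (bare IPv6 not handled).
    if "://" in form.host or re.search(r":\d+$", form.host):
        findings.append("host must not include a protocol or port")
    if form.secure and form.port == 389:
        findings.append("Secure Server is checked but port is 389 (LDAPS default is 636)")
    if not form.secure and form.port == 636:
        findings.append("port 636 is the LDAPS default but Secure Server is not checked")
    if not form.secure:
        findings.append("Secure Server is unchecked; the bind password is not protected by LDAPS")
    if parse_dn(form.admin_dn) is None:
        findings.append("Admin Username must be a DN such as CN=...,OU=...,DC=...,DC=...")
    base = parse_dn(form.base_user_dn)
    if base is None:
        findings.append("Base User DN is not a valid DN")
    elif all(attr == "DC" for attr, _ in base):
        findings.append("Base User DN is the domain root; narrow it to the users container")
    if form.upn_suffix and not re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", form.upn_suffix):
        findings.append("UPN suffix should be a bare domain such as yourdomain.com")
    return findings
```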
Updated 12 months ago