LDAP - Just In-Time User Provisioning

The instructions on this page detail the steps required to configure Just In-Time User Provisioning for LDAP. For general information, check out the Just In-Time User Provisioning (Authentication Server Support) overview documentation.

If you are looking for instructions on Configuring Authentication Server Support for LDAP without JIT, refer to the LDAP documentation.

Supported Options

These steps use Okta configurations as an example. For specific details on Okta we recommend you refer to their documentation. For other providers, we recommend you refer to the provider's configuration documentation.

As always, if you have questions or issues or want details on implementation using something other than Okta we're here to help, reach out to us through the Customer Support Portal.

Configuration Considerations

Entitlements

You must be prepared to complete the setup of your entitlements. Attempting to create group mappings without completing this setup in InsightCloudSec will create groups with users that have NO associated permissions.

Take a look at our documentation around Basic User Groups, Roles, & Entitlements or the User Entitlements Matrix if you still need to prepare these configurations.

Scheduled Updates

In InsightCloudSec, scheduled updates run once an hour. The authentication server gets lists of members of the mapped user groups, and InsightCloudSec’s users and group associations are updated to match.

Credentials

A credential to the authentication server is required to perform the scheduled updates.

  • For Okta, this is implemented using a read-only API key.
  • For LDAP, InsightCloudSec uses the credentials of a user with directory-read privileges.

Configuring JIT for LDAP

Okta Setup for LDAP

Refer to the steps below to complete the required configuration setup for LDAP using Okta. You can refer to Okta's documentation on Groups here.

  1. Log in to Okta as an administrator.
  2. Under Directory > Groups click on Add Group.
    • Give this group a name and group description that makes sense for your mapping.
    • InsightCloudSec requires unique remote group names, so keep this in mind when creating the group.
  3. Locate your new group by searching for the name, and clicking on it to open the Group details.
  4. Select Assign People to add/remove the desired group members.
    • Click the + next to a user's name to add them to the group.
      • If a user is already a member of the group they will not come up in a search.
    • Make any changes desired to this group and then click Done.
    • Store this group name in a safe place to complete your setup in InsightCloudSec.

InsightCloudSec Setup for LDAP

Refer to the steps below to complete the required configuration for LDAP using Okta within InsightCloudSec.

  1. In InsightCloudSec, navigate to Administration > Identity Management and open the tab labelled Basic User Groups.
  2. Click Add Basic User Group, name your new group as desired, and click Submit. This field will populate the InsightCloudSec Group name when you configure your Group Mapping (these must match and are case sensitive).
  3. Click on the Actions menu to the left of your new/target group name to select Manage Basic User Entitlements and access those settings.

Managing Entitlements

Before you proceed with Group Mappings for external authentication you must have all of your desired entitlements configured.

If you create a group and enable group mapping BEFORE you establish entitlements, the users within your groups will have nothing configured and will not be able to access anything.

Refer to our documentation on Basic User Groups, Roles, & Entitlements, and our User Entitlements Matrix for details.

  1. Navigate to Administration > Identity Management and select Authentication Server. Click on Add Server to create a new authentication server.
    • Select a Server Nickname (name).
    • Select LDAP.
    • Select the Global Scope checkbox if you want to use this server across multiple InsightCloudSec Organizations. Learn more about Organizations.
  2. Complete the details for the LDAP Authentication Server including the following fields:
    • Server Host/IP
    • Server Port
    • Select/Enable Secure Server (Note: enabling this is required).
    • Admin Username
    • Admin Password
    • Base user DN (the LDAP string for the base search).
    • Enable periodic user provisioning checkbox: syncs provisioning hourly.
      • JIT requires this to be enabled to function correctly.
  3. Click Submit once you have completed the LDAP server details.
  4. Click on the Actions menu to the right of your newly created server and select Update Group Mappings.
  5. Complete your Group Mappings as desired.
    • Click on the + at the top to add additional lines.
    • Domain Admin, Domain Viewer, and Organization Admin fields already exist as presets.
    • Even with mapped groups associated, these mappings simply establish the Domain Admin, Domain Viewer, and Organization Admin users. These aren't technically groups, and as such you will have to locate them by name individually to modify or update them.
  6. Click Submit to complete your Group Mappings.
    • If you do nothing, Okta will sync hourly and update your mapping.
    • To manually sync, click the actions menu and select Synchronize Users.
    • You can verify the sync by checking out the View Logs option under the actions menu, or by visiting the User Groups tab to watch the user count increase.
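The following is an added illustration, not InsightCloudSec's own code, of the checks and the hourly sync behaviour the page describes: the server must have Secure Server and periodic provisioning enabled, remote group names must be unique, local group names must match exactly (case sensitive), a mapped group must already carry entitlements, and on each sync the local members of a mapped group are updated to match the membership read from the directory. The class and function names (ServerConfig, LocalGroup, validate_server, validate_mappings, plan_sync, apply_sync) and all directory contents are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServerConfig:
    """Mirrors the LDAP Authentication Server fields from the page (hypothetical class)."""
    host: str
    port: int
    secure: bool                 # "Secure Server" checkbox
    periodic_provisioning: bool  # "Enable periodic user provisioning" checkbox
    base_user_dn: str


@dataclass
class LocalGroup:
    """A Basic User Group with its entitlements and current members (hypothetical class)."""
    name: str
    entitlements: frozenset = frozenset()
    members: set = field(default_factory=set)


def validate_server(cfg: ServerConfig) -> list:
    """Return the configuration problems that would make JIT fail or run insecurely."""
    problems = []
    if not cfg.secure:
        problems.append("Secure Server must be enabled")
    if not cfg.periodic_provisioning:
        problems.append("periodic user provisioning must be enabled for JIT")
    if not cfg.base_user_dn:
        problems.append("Base user DN is empty; the directory search has no starting point")
    return problems


def validate_mappings(mappings, local_groups) -> list:
    """Check each (remote_group, local_group) pair before it is saved.

    Remote group names must be unique, local names must match exactly
    (case sensitive), and the local group must already have entitlements,
    otherwise synced members would have no permissions at all.
    """
    errors = []
    seen = set()
    for remote, local in mappings:
        if remote in seen:
            errors.append(f"duplicate remote group name: {remote}")
        seen.add(remote)
        group = local_groups.get(local)  # dict lookup is case sensitive
        if group is None:
            errors.append(f"no local group named {local!r} (names are case sensitive)")
        elif not group.entitlements:
            errors.append(f"group {local!r} has no entitlements; members would have no permissions")
    return errors


def plan_sync(mappings, remote_members, local_groups) -> dict:
    """Per local group, compute the users to add and remove so that local
    membership equals what the directory-read account returned for the remote group."""
    plan = {}
    for remote, local in mappings:
        desired = set(remote_members.get(remote, set()))
        current = local_groups[local].members
        plan[local] = {"add": desired - current, "remove": current - desired}
    return plan


def apply_sync(plan, local_groups) -> dict:
    """Apply the plan in place and return the resulting membership of every group."""
    for local, change in plan.items():
        group = local_groups[local]
        group.members -= change["remove"]
        group.members |= change["add"]
    return {name: set(g.members) for name, g in local_groups.items()}


# Constructed sample data: two mapped groups and what the directory reports for them.
MAPPINGS = [("icsec-admins", "Cloud Admins"), ("icsec-viewers", "Cloud Viewers")]
REMOTE_MEMBERS = {"icsec-admins": {"alice", "bob"}, "icsec-viewers": {"carol", "dave"}}


def sample_local_groups() -> dict:
    """Local state before the hourly sync (constructed): erin left the admin
    group in the directory, bob and dave joined, and one group has no entitlements."""
    return {
        "Cloud Admins": LocalGroup("Cloud Admins", frozenset({"admin"}), {"alice", "erin"}),
        "Cloud Viewers": LocalGroup("Cloud Viewers", frozenset({"read"}), {"carol"}),
        "Unconfigured": LocalGroup("Unconfigured"),
    }


def run_example() -> dict:
    """Validate the mappings, then run one sync cycle and return the new membership."""
    groups = sample_local_groups()
    errors = validate_mappings(MAPPINGS, groups)
    if errors:
        raise ValueError(errors)
    return apply_sync(plan_sync(MAPPINGS, REMOTE_MEMBERS, groups), groups)


if __name__ == "__main__":
    print(run_example())
```

The reconciliation is computed as a plan first so it can be logged or reviewed before it is applied, which is what you would compare against the View Logs output after a Synchronize Users run. Note that `plan_sync` removes local members who are no longer in the remote group, so a directory-side removal takes effect within the hour without any manual clean-up.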