LDAP


Basic usage

Note that this basic LDAP information is also included in the ldap section of the config file explanation page. The advanced section below covers more advanced usage.

Please note that in the MFA platform all identities are converted to lowercase. Hence, if you assign an email address containing uppercase characters to a Windows user in Active Directory, the user will be required to authenticate with the lowercase equivalent. For example, John.Smith@example.com will need to authenticate as john.smith@example.com.

The LDAP server details are entered in the ldap section of the config file:

"ldap": {
  "server": {
    "global": {
      "method": "plain",
      "address": "52.xx.xx.xxx:389",
      "user": "cn=admin,dc=ldap,dc=example,dc=com",
      "password": "strong_password"
    }
  },
  "query": {
    "query1": {
      "server": "global",
      "search": [
        {
          "dn": "ou=dept1,dc=ldap,dc=example,dc=com",
          "filter": "(mail={{.UserID}})"
        }
      ]
    }
  }
},

Within the server subsection it is possible to add more than one LDAP server, and then to define one or more queries for each server within the query subsection. As an example, you could add a query 'query2' that also queries the 'global' server:

  "query": {
    "query1": {
      "server": "global",
      "search": [
        {
          "dn": "ou=dept1,dc=ldap,dc=example,dc=com",
          "filter": "(mail={{.UserID}})"
        }
      ]
    },
    "query2": {
      "server": "global",
      "search": [
        {
          "dn": "ou=dept2,dc=ldap,dc=example,dc=com",
          "filter": "(mail={{.UserID}})"
        }
      ]
    }
  }

The "filter" in the above example programmatically picks up the current UserID value from the IdP (which is the user's email address) and matches it against the 'mail' attribute on the LDAP server.

When configuring a particular Service Provider, any of these queries can then be invoked via the "authorize" parameter within the sp section of the config file:

  "authorize": [
    [
      { "email": "^[^@]+@yourcompany.com$" },
      { "ldap": "query1" }
    ]
  ],

Note that the above example also shows that regex email filters can be used, which may remove the need for LDAP in some simple setups.

Authorize queries can also be combined as a boolean OR list. In the JSON OR list, note that each expression is within its own set of square brackets:

"authorize": [
  [{"email": "^[^@]+@test.com$"}],
  [{"email": "^[^@]+@example.com$"}],
  [{"email": "^[^@]+@mycompany.co.uk$"}]
],

An AND query can be used to allow, for example, only users from a particular email domain who are also in a particular LDAP group. In the JSON AND list, note that both expressions are within the same set of square brackets:

"authorize": [
  [{"email": "^[^@]+@example.com$"}, {"ldap": "dept1"}]
],
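The evaluation rule described above (outer list is OR, inner list is AND, identity lowercased first) as an added Python example; this is not the product's own code. The directory lookup is a constructed stand-in for what a query's "(mail={{.UserID}})" search would return.

```python
import re

# Constructed stand-in for the LDAP server: query name -> set of 'mail'
# values that the query's search would match. A real deployment runs the
# configured "filter" against the server named in the query's "server" field.
FAKE_LDAP_RESULTS = {
    "query1": {"john.smith@example.com", "ann.lee@example.com"},
    "query2": {"bob.jones@example.com"},
}

# "authorize" list in the page's format: OR over clauses, AND within a clause.
AUTHORIZE = [
    [{"email": r"^[^@]+@example.com$"}, {"ldap": "query1"}],
    [{"email": r"^[^@]+@mycompany.co.uk$"}],
]


def ldap_query_matches(query_name, user_id, results=FAKE_LDAP_RESULTS):
    """Emulate the named query's '(mail={{.UserID}})' search against the stand-in directory."""
    return user_id in results.get(query_name, set())


def condition_matches(cond, user_id):
    """Evaluate one {"email": <regex>} or {"ldap": <query name>} condition."""
    if "email" in cond:
        return re.search(cond["email"], user_id) is not None
    if "ldap" in cond:
        return ldap_query_matches(cond["ldap"], user_id)
    raise ValueError(f"unknown authorize condition: {cond}")


def is_authorized(authorize, user_id):
    """Outer list: OR. Inner list: AND. The identity is lowercased first, as the platform does."""
    user_id = user_id.lower()
    return any(all(condition_matches(c, user_id) for c in clause) for clause in authorize)
```

Note that the unescaped `.` in the page's regex patterns matches any character, so `^[^@]+@example\.com$` is the stricter form for production rules.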

Advanced usage

Some Service Providers require the use of custom attributes for authentication. MIRACL Trust SSO can be used to extract both basic LDAP attributes (cn, givenName, etc.) and custom attributes (such as ImmutableID for Office 365). The configuration of LDAP attribute extraction is done as follows:

  1. The attributes to be extracted are set in the attribute subsection of the profile section, e.g.:

    "profile": {
      "attribute": {
        "exampleco": "<AttributeStatement><Attribute Name=\"givenName\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\">{{ range (AttrVals \"givenName\") }}<AttributeValue>{{.}}</AttributeValue>{{ end }}</Attribute><Attribute Name=\"cn\" NameFormat=\"urn:oasis:names:tc:SAML:2.0:attrname-format:basic\"><AttributeValue>{{AttrVal \"cn\" 0 \"unknown\"}}</AttributeValue></Attribute></AttributeStatement>"
      }
    }
  2. The attributes to be used are made available in an ldap query by listing them in its "attributes" field:

    "ldap": {
      "server": {
        "global": {
          "method": "plain",
          "address": "52.xx.xx.xxx:389",
          "user": "cn=admin,dc=ldap,dc=example,dc=com",
          "password": "strong_password"
        }
      },
      "query": {
        "global": {
          "server": "global",
          "search": [
            {
              "dn": "ou=dept1,dc=ldap,dc=example,dc=com",
              "filter": "(mail={{.Email}})",
              "attributes": ["cn", "givenName"]
            }
          ]
        }
      }
    }
  3. The attribute profile and ldap query are then invoked in the Service Provider's entry in the SP subsection:

    "sp": {
      "exampleco": {
        "description": "",
        "issuer": "",
        "relay_state": "/",
        "login_url": "",
        "logout_url": "",
        "slo_url": "",
        "metadata": "",
        "sign_response": true,
        "sign_assertion": true,
        "encrypt_assertion": false,
        "user_id_transform": [
          {}
        ],
        "authorize": [
          [
            {
              "ldap": "query1"
            }
          ]
        ],
        "profile": {
          "assertion": "global",
          "nameid": "global",
          "attribute": "exampleco",
          "response": "global",
          "signature": "global"
        }
      }
    }
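To show what the three steps above produce together, here is an added Python example (not the product's own code) that resolves the 'exampleco' template's AttrVals and AttrVal calls against a constructed LDAP search result and renders the same AttributeStatement. The stand-in attr_vals/attr_val helpers and the XML escaping of values are assumptions made here; the page does not state whether the product's template functions escape output.

```python
from xml.sax.saxutils import escape

NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed search result for one user, as the step 2 query with
# "attributes": ["cn", "givenName"] would return it (attribute -> values).
ENTRY = {"cn": ["John Smith"], "givenName": ["John", "Johnny"]}


def attr_vals(entry, name):
    """Stand-in for the template's AttrVals: every value of the attribute, or []."""
    return entry.get(name, [])


def attr_val(entry, name, index, default):
    """Stand-in for the template's AttrVal: the value at index, or default if absent."""
    vals = attr_vals(entry, name)
    return vals[index] if index < len(vals) else default


def attribute_statement(entry):
    """Render the 'exampleco' AttributeStatement for one LDAP entry.

    givenName: one <AttributeValue> per value (the {{ range }} loop).
    cn: the first value, or "unknown" when the entry has no cn.
    Values are XML-escaped here (assumption) so directory data cannot
    break the assertion markup.
    """
    given = "".join(
        f"<AttributeValue>{escape(v)}</AttributeValue>"
        for v in attr_vals(entry, "givenName")
    )
    cn = escape(attr_val(entry, "cn", 0, "unknown"))
    return (
        "<AttributeStatement>"
        f'<Attribute Name="givenName" NameFormat="{NAME_FORMAT}">{given}</Attribute>'
        f'<Attribute Name="cn" NameFormat="{NAME_FORMAT}">'
        f"<AttributeValue>{cn}</AttributeValue></Attribute>"
        "</AttributeStatement>"
    )
```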
