Active Directory Guide
This guide describes how to connect an AD (Active Directory) server. The goal is to use this server as an Identity Provider instead of the Oplon server. To do this, the SOC (Super Oplon Cloud) needs to synchronize its users with those of the AD.
Setup
To set up access in Active Directory one must:
- Create a connection to the AD in the RAG module;
- Add a rewrite rule and token in the ADC;
- Add a URL and token in SOC (Super Oplon Cloud);
- Synchronize users.
Users in the AD server whose email field is empty are not considered by the synchronization procedure. If a user is already registered as an MFA user, it is converted to an AD user, which means it must log in with AD credentials and no longer with MFA credentials. If a user is not already registered as an MFA user, a new user is created with the email present in ADUC (Active Directory Users and Computers) and set as an AD user in SOC.
Connection with AD
The module that allows connection with the AD is RAG (Remote Access Gateway). Go to Modules -> RAG services and click on the edit button of the RAG you want to connect to the AD.
In the Active Directory servers panel, enter the IP address and port of the AD. In the Active Directory setup panel, enter the credentials of an AD user with administrator permissions (the username is the userPrincipalName attribute of the AD user). These credentials are used for synchronization with SOC (Super Oplon Cloud) and for self-service password reset.
To notify the user when the password expires, there are two attributes:
- notifyPwdExpiration: after logging in, the user will be redirected to their SOC account and notified of the expiration, but will still be able to access the resource they requested by clicking the SKIP button;
- mandatoryPwdChange: after logging in, the user will be redirected to their SOC account and forced to change their password.
Self-service password change is only possible over SSL.
The Active Directory queries panel contains the queries used to log AD users in and to synchronize them with the SOC.
Tip: Do not change the default queries
Rewrite header
To accept only calls coming from SOC, the rewrite header rule will check if a token exists in the request (login or sync).
If that token matches the token present in the rewrite, then the request passes, otherwise it is blocked.
There is a template called LBLHTTPHeaderTokenAuth that you need to apply only to the endpoint pointing to /ad on port 2222 of the virtualDomain that handles OSA.
Change the TOKEN_AUTH variable of the rewrite to any value you like (as complicated as it needs to be), which must then also be entered in the OSA interface as described in the Active Directory URL section.
Make sure that no WAF is checking header length or special characters, otherwise synchronization will fail.
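As an added illustration of the rule just described (this is not the LBLHTTPHeaderTokenAuth template nor any Oplon code), the following Python function makes the same decision: a request passes only if the token header is present and equals the configured TOKEN_AUTH value. The header name X-Token-Auth and the sample token and requests are assumptions constructed for the example; the page does not state which header the template inspects.

```python
import hmac

# Assumed header name: the guide does not say which header carries the token,
# so this example uses a hypothetical X-Token-Auth.
TOKEN_HEADER = "X-Token-Auth"


def check_token(headers: dict, expected_token: str) -> tuple:
    """Mirror of the rewrite-header rule: allow the request (login or sync)
    only if the token header exists and equals the configured TOKEN_AUTH."""
    # HTTP header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    presented = lowered.get(TOKEN_HEADER.lower())
    if presented is None:
        return False, "missing token header"
    # Constant-time comparison: the time taken does not depend on how many
    # leading characters of a wrong token happened to match.
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample configuration and requests (not taken from the page).
TOKEN_AUTH = "example-token-value-9f2a7c"
SAMPLE_REQUESTS = {
    "sync_ok":   {"Host": "mydomain", "X-Token-Auth": TOKEN_AUTH},
    "login_ok":  {"host": "mydomain", "x-token-auth": TOKEN_AUTH},  # lower-case header
    "no_token":  {"Host": "mydomain"},
    "bad_token": {"Host": "mydomain", "X-Token-Auth": "wrong-value"},
}


def evaluate_all() -> dict:
    """Run every sample request through the check; True means it passes."""
    return {name: check_token(hdrs, TOKEN_AUTH)[0]
            for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_all().items():
        print(f"{name}: {'pass' if allowed else 'blocked'}")
```

The caveat above still applies: a long random token only works if no WAF in front of the ADC rejects long header values or the characters the token contains.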
Active Directory URL
In the OSA interface, go to Tenant -> Active Directory.
Click on the + button in the Manage Active Directory table and set the two attributes:
- Url: the https URL of the ADC on which the rewrite header rule is applied; its path must end in /ad. Example: https://mydomain/ad;
- Token: must be equal to the value of the TOKEN_AUTH variable of the rewrite header.
Save by clicking Save.
These two values are used by Super Oplon Cloud in the call to the ADC.
User synchronization
To synchronize users—that is, to update the AD user information in SOC—simply click the Sync users from AD button in the row of the Manage Active Directory table, then enter the Active Directory username and password configured in the RAG module (as described in the Connection with AD section). If everything has been set up correctly and there is no firewall blocking the request, all AD users with a populated email field will appear in the Manage Active Directory Users table. At this point, only the users listed in this table will be able to log in using their Active Directory email and password. All others will log in using MFA credentials.
The topic of user synchronization is covered in more detail in the dedicated tenant’s MFA section here.
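The following Python snippet is an added example, not Oplon's synchronization code. It applies the rules stated in the Setup section and in the synchronization paragraph above (entries with an empty email are skipped, an email already registered as an MFA user is converted to an AD user, any other email becomes a new AD user) to a constructed list of AD entries. The attribute names userPrincipalName and mail are the standard AD LDAP attributes; the SocUser structure, the sample entries and the sample SOC users are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SocUser:
    """Minimal stand-in for a SOC user record (assumed structure)."""
    email: str
    auth_type: str            # "MFA" or "AD"
    upn: Optional[str] = None  # userPrincipalName, set for AD users


def sync_users(ad_entries: list, soc_users: dict) -> dict:
    """Apply the guide's synchronization rules to AD entries and return a report."""
    report = {"created": [], "converted": [], "skipped": [], "unchanged": []}
    for entry in ad_entries:
        # Rule 1: an empty or missing mail attribute means the entry is ignored.
        mail = (entry.get("mail") or "").strip().lower()
        upn = entry.get("userPrincipalName", "<no UPN>")
        if not mail:
            report["skipped"].append(upn)
            continue
        existing = soc_users.get(mail)
        if existing is None:
            # Rule 3: unknown email -> new user created as an AD user.
            soc_users[mail] = SocUser(email=mail, auth_type="AD", upn=upn)
            report["created"].append(mail)
        elif existing.auth_type == "MFA":
            # Rule 2: an existing MFA user becomes an AD user and must now
            # log in with AD credentials.
            existing.auth_type = "AD"
            existing.upn = upn
            report["converted"].append(mail)
        else:
            existing.upn = upn
            report["unchanged"].append(mail)
    return report


def can_login_with_ad(soc_users: dict, email: str) -> bool:
    """Only users present after the sync as AD users log in with AD credentials;
    everybody else keeps using MFA credentials."""
    user = soc_users.get(email.strip().lower())
    return user is not None and user.auth_type == "AD"


# Constructed sample data (not from the page).
AD_ENTRIES = [
    {"userPrincipalName": "alice@example.local", "mail": "alice@example.com"},
    {"userPrincipalName": "bob@example.local", "mail": "Bob@Example.com"},
    {"userPrincipalName": "svc-backup@example.local", "mail": ""},   # empty mail
    {"userPrincipalName": "carol@example.local"},                    # no mail attribute
]
SOC_USERS = {
    "alice@example.com": SocUser("alice@example.com", "MFA"),  # will be converted
    "dave@example.com": SocUser("dave@example.com", "MFA"),    # not in AD, stays MFA
}


def run_demo():
    """Run the sync on a copy of the sample SOC users; returns (report, users)."""
    users = {k: SocUser(v.email, v.auth_type, v.upn) for k, v in SOC_USERS.items()}
    return sync_users(AD_ENTRIES, users), users


if __name__ == "__main__":
    report, users = run_demo()
    for key, value in report.items():
        print(f"{key}: {value}")
```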
Login
An AD user who needs to log in must enter their email (not the username) and the AD password. All users who are not present in the Manage Active Directory Users table are MFA users and therefore log in with MFA credentials.
Self Service
To enable self-service password reset for users, a delegated user must be set up. If PSOs (Password Settings Objects) are configured, read access to some PSO information must also be granted.
Password reset
To enable this function, you must delegate permission for password reset in the ADUC (Active Directory Users and Computers) console:
- Right click the OU or domain in ADUC and select Delegate Control;
- Click on Next;
- Click on Add to select users and groups, select the users or groups to delegate and click OK. Click Next;
Figure 3: Select delegated users/groups
- Select Create a custom task to delegate and click on Next;
Figure 4: Task to delegate
- Select Only the following objects in the folder. In this list, select User objects and click on Next;
Figure 5: Task scope
- Check General and Property-specific. In this list, select Reset password, Read pwdLastSet and Write pwdLastSet. Click on Next and Finish;
Figure 6: Permission to reset
Figure 7: Read and write permissions
Enabling password policy (PSO)
To enable this function, you must enable the PSO reading permission in the ADUC (Active Directory Users and Computers) console:
- Right click the OU or domain in ADUC and select Delegate Control;
- Click on Next;
- Click on Add, select the users or groups to delegate and click OK. Click on Next;
Figure 8: Select delegated users/groups
- Select Create a custom task to delegate and click on Next;
Figure 9: Task to delegate
- Select Only the following objects in the folder. In this list, select msDS-PasswordSettings objects and msDS-PasswordSettingsContainer objects. Click on Next;
Figure 10: Select permissions
- Make sure General is checked and select the Read permission. Click on Next and Finish.
Figure 11: Read permissions
Note
- For password change, the user must have the password change permission;
- If a user whose password is about to expire does not see the number of days left before the password expires in their private area under Change Password, the Password never expires option must be disabled in the user's account properties in Active Directory.
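As an added example (not Oplon code), the Python below computes what the expiry notification attributes (notifyPwdExpiration, mandatoryPwdChange) and the note above rely on: the remaining password lifetime derived from the user's pwdLastSet, the effective maximum age (a PSO's msDS-MaximumPasswordAge overrides the domain's maxPwdAge, which is why the guide grants read access to PSOs), and the "Password never expires" flag, which is bit 0x10000 (DONT_EXPIRE_PASSWORD) of userAccountControl. The sample timestamps and ages are constructed; the code assumes the caller has already read these attributes and resolved which PSO, if any, applies to the user.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# AD stores timestamps as FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWORD = 0x10000        # userAccountControl flag "Password never expires"
NEVER_EXPIRES_SENTINEL = -(1 << 63)   # maxPwdAge value AD uses for "never"


def datetime_to_filetime(dt: datetime) -> int:
    """UTC datetime -> FILETIME integer (used here to build sample pwdLastSet values)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return int(delta.total_seconds()) * 10_000_000


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME integer (e.g. pwdLastSet) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def effective_max_age(domain_max_pwd_age: int, pso_max_pwd_age: Optional[int]) -> int:
    """A PSO that applies to the user takes precedence over the domain maxPwdAge.
    Assumes the applicable PSO (if any) has already been resolved by the caller."""
    return pso_max_pwd_age if pso_max_pwd_age is not None else domain_max_pwd_age


def password_expiry(pwd_last_set: int, max_pwd_age: int, user_account_control: int,
                    now: Optional[datetime] = None) -> Tuple[str, Optional[int]]:
    """Return (state, days_remaining); state is 'never', 'must_change', 'expired' or 'ok'.
    max_pwd_age is an AD duration: a negative count of 100-ns intervals."""
    now = now or datetime.now(timezone.utc)
    if user_account_control & DONT_EXPIRE_PASSWORD:
        return "never", None           # the case the note above tells you to fix
    if max_pwd_age >= 0 or max_pwd_age == NEVER_EXPIRES_SENTINEL:
        return "never", None           # policy itself says passwords do not expire
    if pwd_last_set == 0:
        return "must_change", 0        # "User must change password at next logon"
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)
    remaining = expires_at - now
    days = int(remaining.total_seconds() // 86400)
    if remaining <= timedelta(0):
        return "expired", days
    return "ok", days


# Constructed sample values (not from the page).
DOMAIN_MAX_PWD_AGE = -42 * 86400 * 10_000_000   # domain policy: 42 days
PSO_MAX_PWD_AGE = -30 * 86400 * 10_000_000      # stricter PSO applied to some users: 30 days
LAST_SET = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
NOW = datetime(2024, 2, 1, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x200                          # userAccountControl without the flag


if __name__ == "__main__":
    print(password_expiry(LAST_SET, effective_max_age(DOMAIN_MAX_PWD_AGE, None), NORMAL_ACCOUNT, NOW))
    print(password_expiry(LAST_SET, effective_max_age(DOMAIN_MAX_PWD_AGE, PSO_MAX_PWD_AGE), NORMAL_ACCOUNT, NOW))
    print(password_expiry(LAST_SET, DOMAIN_MAX_PWD_AGE, NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, NOW))
```

With the sample data the domain policy still leaves 11 days, while the stricter PSO has already expired the same password, which is exactly the difference that cannot be reported without read access to the PSO objects.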