Before connecting EmpowerID to an external directory, please review the Getting Started with Directory Systems topic. The topic walks you through the prerequisites you need to complete before connecting to an external directory for the first time. These prerequisites include:
EmpowerID provides connectors for a wide range of user directories and resource systems. As an administrator, you can use these connectors to quickly connect EmpowerID to your organization's identity-aware systems and applications. When you do so, you create an account store for that application in the EmpowerID Identity Warehouse and use that account store to configure how you want EmpowerID to manage the identity information in that system. In this article, we demonstrate how to use the EmpowerID Active Directory connector to connect to Active Directory. After ensuring you have met the prerequisites specified in the Getting Started with Directory Systems topic, you connect EmpowerID to Active Directory by doing the following:
If you are connecting to an Active Directory forest with multiple domains, you must create an account store for the forest root domain before creating account stores for the other domains in the forest. The proxy account used when adding the AD account store must have read access to the AD Configuration partition for topology discovery to succeed. If the forest root is not added first, or the proxy account lacks this access, discovery fails with errors.
In the FQDN field, enter the fully qualified domain name of the AD forest.
If you are using LDAPS, enter the Subject name of the certificate for the domain controller to which you are connecting, followed by port 636, in the FQDN of Forest field. Thus, if the Subject name is "dc01.eiddoc.com," you enter dc01.eiddoc.com:636. The name you enter is what the TLS handshake validates against the certificate, so it must match the certificate's Subject or a Subject Alternative Name exactly, and the EmpowerID servers must trust the CA that issued the certificate.
In the Proxy Account Username field, enter a user account that has read access to the Active Directory configuration partition that holds the list of all of the domains in the forest (and to the Exchange Organization, if present).
In the Account Domain field, enter the NetBIOS name of the domain or child domain that hosts Active Directory.
Click Submit.
On the Choose Servers page that appears, select the appropriate EmpowerID server and click Submit.
The Choose Servers page displays only those servers where the EmpowerID Web Role service is running. If you do not see your server on the page, check that the EmpowerID Web Role service is started on that server and that the LDAP Management Host WCF Service is enabled there. (The LDAP Management Host WCF Service is responsible for LDAP communications and is enabled by default on each server running the EmpowerID Web Role service.)
Select the server or servers to register and click Submit.
All selected servers must be in the same forest and able to communicate with Active Directory over LDAP port TCP 389 (or TCP 636 if you entered an LDAPS address in the FQDN of Forest field).
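As an added pre-flight check (example code, not EmpowerID's own), the following PowerShell script binds as the proxy account and verifies the three things the steps above depend on: that the name you entered is the forest root, that the account can read the Configuration partition and enumerate every domain in the forest, and whether an Exchange organization is readable. The forest name eiddoc.com and the account EIDDOC\svc-empowerid are placeholders; run it on the EmpowerID server you selected on the Choose Servers page, with -UseLdaps and the domain controller's certificate Subject name if you connect on port 636.

```powershell
<#
  Added example, not EmpowerID's own code: pre-flight check for the Discover AD
  Forest step. Binds as the proxy account, confirms the entered name is the forest
  root, and reads the Configuration partition the way topology discovery must.
  Placeholders: eiddoc.com (forest root) and EIDDOC\svc-empowerid (proxy account).
#>
param(
    [string]$ForestFqdn = 'eiddoc.com',            # placeholder; for LDAPS use the DC cert Subject name, e.g. dc01.eiddoc.com
    [string]$ProxyUser  = 'EIDDOC\svc-empowerid',  # placeholder: the proxy account you will enter
    [switch]$UseLdaps                               # connect on 636 with TLS instead of 389
)

Add-Type -AssemblyName System.DirectoryServices
$cred = Get-Credential -UserName $ProxyUser -Message 'Proxy account password'
$pass = $cred.GetNetworkCredential().Password
$port = if ($UseLdaps) { 636 } else { 389 }
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure
if ($UseLdaps) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }

function New-Entry([string]$Path) {
    # Every bind uses the proxy account, so failures reflect *its* access, not yours.
    New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://${ForestFqdn}:${port}/$Path", $cred.UserName, $pass, $auth)
}

try {
    # 1. RootDSE: is this the forest root, and where is the Configuration partition?
    $rootDse  = New-Entry 'RootDSE'
    $configNc = [string]$rootDse.Properties['configurationNamingContext'].Value
    $rootNc   = [string]$rootDse.Properties['rootDomainNamingContext'].Value
    $thisNc   = [string]$rootDse.Properties['defaultNamingContext'].Value
    if ($rootNc -ne $thisNc) {
        Write-Warning "$ForestFqdn is not the forest root ($rootNc); create the forest root account store first."
    }

    # 2. Configuration partition: list the domain crossRefs under CN=Partitions.
    #    systemFlags bit 0x2 (FLAG_CR_NTDS_DOMAIN) marks crossRefs that are domains.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher((New-Entry "CN=Partitions,$configNc"))
    $searcher.Filter      = '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=2))'
    $searcher.SearchScope = 'OneLevel'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('nETBIOSName', 'dnsRoot', 'nCName'))
    $domains = $searcher.FindAll()
    if ($domains.Count -eq 0) {
        throw "RootDSE was readable but no domain crossRefs were returned; check the proxy account's read access to $configNc."
    }
    Write-Host "Domains visible to $($cred.UserName):"
    foreach ($d in $domains) {
        [pscustomobject]@{
            NetBIOS = [string]$d.Properties['netbiosname'][0]   # what goes in the Account Domain field
            DnsRoot = [string]$d.Properties['dnsroot'][0]
            NC      = [string]$d.Properties['ncname'][0]
        }
    }

    # 3. Exchange organization, if one exists (the proxy needs read access there too).
    $exch = New-Object System.DirectoryServices.DirectorySearcher((New-Entry "CN=Services,$configNc"))
    $exch.Filter      = '(objectClass=msExchOrganizationContainer)'
    $exch.SearchScope = 'Subtree'
    $org = $exch.FindOne()
    if ($org) { Write-Host "Exchange organization readable: $($org.Properties['name'][0])" }
    else      { Write-Host 'No Exchange organization found (or none readable by the proxy account).' }
}
catch {
    Write-Error "Pre-flight failed as $($cred.UserName): $($_.Exception.Message)"
}
```

If step 1 succeeds but step 2 returns nothing, the account can authenticate but has been denied read on the Configuration partition, which is precisely the condition that makes topology discovery fail; fix the ACL (or use a different proxy account) before clicking Submit.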
The Account Store is created and appears in the list of Account Stores in both the web application and the Management Console and a corresponding Resource System is created.
The Discover AD Forest window opens. This is where you enter the identifying information about your Active Directory so that EmpowerID can discover and connect to it.
Enter the fully qualified domain name of the AD forest in the FQDN of Forest field.
If you are using LDAPS, enter the Subject name of the certificate for the domain controller to which you are connecting, followed by port 636, in the FQDN of Forest field. Thus, if the Subject name is "dc01.eiddoc.com," you enter dc01.eiddoc.com:636.
Enter the proxy information into the fields of the Proxy Information panel.
The user account entered here is saved as the default proxy account (connection credential) used when managing the selected domains; therefore this account must have read access to the Active Directory configuration partition that holds the list of all of the domains in the forest (and to the Exchange Organization, if present). You can change this at any time.
In the Choose Servers window, toggle the Server button from a red sphere to a green checkbox for one or more servers running the EmpowerID Web Role service, where the LDAP Management Host WCF Service is enabled. (The LDAP Management Host WCF Service is responsible for LDAP communications and is enabled by default on each server running the EmpowerID Web Role service.)
Each selected server must be in the same forest and able to communicate with Active Directory over LDAP port TCP 389 (or TCP 636 if you entered an LDAPS address). Note that the EmpowerID Web Role service must be started on a server before that server appears in the Choose Servers window.
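As an added example (not EmpowerID's code) for the LDAPS case described above, this PowerShell function connects to the domain controller on port 636, retrieves the certificate it presents, and reports whether the name you intend to enter as the FQDN of Forest matches the certificate's Subject CN or a Subject Alternative Name, whether the local machine trusts the issuing chain, and whether the certificate carries the Server Authentication EKU that an LDAPS listener needs. dc01.eiddoc.com is a placeholder; run it on each server you selected in the Choose Servers window, since trust is evaluated per machine.

```powershell
<#
  Added example, not EmpowerID's own code: checks the name you will type as
  "FQDN of Forest" for LDAPS (e.g. dc01.eiddoc.com:636) against the certificate
  the domain controller really presents. dc01.eiddoc.com is a placeholder.
#>
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DcName,   # the Subject/SAN name you intend to enter
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($DcName, $Port)               # throws if 636 is closed or filtered

    # Accept any certificate in the callback so the handshake completes and we can
    # *report* the validation result instead of failing with an opaque exception.
    $script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:sslErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($DcName)         # .NET validates chain and host name here
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    }
    finally { $ssl.Dispose(); $client.Dispose() }

    # DnsNameList / EnhancedKeyUsageList are PowerShell type extensions on X509Certificate2.
    $sanNames  = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $subjectCn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $chainErr  = [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors

    [pscustomobject]@{
        EnteredName   = "${DcName}:${Port}"
        SubjectCN     = $subjectCn
        SanDnsNames   = $sanNames -join ', '
        NameMatches   = ($sanNames -contains $DcName) -or ($subjectCn -ieq $DcName)
        ChainTrusted  = -not ($script:sslErrors -band $chainErr)
        ServerAuthEku = [bool]($cert.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.1')
        NotAfter      = $cert.NotAfter
        Issuer        = $cert.Issuer
    }
}

# Usage: pass exactly the name you will enter (without the :636 suffix).
Test-LdapsCertificate -DcName 'dc01.eiddoc.com' | Format-List
```

If NameMatches is false, enter one of the listed SAN names rather than the forest FQDN; if ChainTrusted is false, import the issuing CA into the server's Trusted Root Certification Authorities store before registering that server.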
After a few moments, EmpowerID opens the Account Store Details screen for the new account store. This screen provides access to the configuration options for the various jobs that EmpowerID performs against managed domains and is divided into three tabs: Details, Directory Servers, and UPN Suffixes. Of these, the Details tab is where most of the configuration occurs. A general overview of these settings is provided in the drop-downs below. Step-by-step guidance for configuring this screen during your initial configuration follows in the next section.
The Account Store Details screen is divided into three tabs, the Details tab, the Directory Servers tab, and the UPN Suffixes tab. Of these three tabs, the Details tab provides the functionality for configuring how you want EmpowerID to manage the account store and the user accounts it finds therein.
EmpowerID recommends using the Account Inbox to provision Person objects from user accounts. The information below is included to make you aware of the option to provision during inventory.
Toggle Allow Automatic Person Provision On Inventory to reflect your policy for the account store (red sphere for disabled, green checkbox for enabled). When enabled (and Allow Person Provisioning is enabled for the account store), EmpowerID provisions Person objects in real time for all new accounts discovered during inventory, provided they meet the conditions of your Provision rules.
When provisioning people during inventory, the following options can be set:
EmpowerID includes the Standard Employee and Temporary Role Business Roles out of the box; however, if you wish to assign new Persons to another Business Role before inventory occurs, you can easily do so. You simply need to create the roles first. Once created, those additional Business Roles appear in the Business Role Selector. For information on creating Business Roles, see Creating Business Roles.
The last action to perform on this screen is to enable inventory. However, before doing so, it is important to review the attribute flow rules for the account store and to map your directory locations to corresponding EmpowerID locations as these will be used for initial Business Role and Location placement of all provisioned Person objects. We discuss these in the next two sections.
Open a browser and log in to the EmpowerID Web application.
From the Attribute Flow Rules page, click the Advanced Search drop-down button, enter the name of the account store for which you want to configure the flow rules and then click Search to filter the rules shown in the grid.
The attributes from the EmpowerID Person object are displayed in the left column, with the corresponding attributes from the account store displayed in the right column.
To change the flow for an attribute, click the Attribute Flow drop-down located between the Person Attribute column and the External Directory Attribute column, and select the desired flow direction from the context menu.
To change the score for any of the available CRUD operations (Create, Update and Delete), enter the new score in the appropriate field. By default, scores are weighted evenly, which means that a change to an attribute originating in one connected external directory has the same authority as a change to the same attribute occurring in another connected external directory.
EmpowerID only considers scores for attribute CRUD operations when multiple account stores containing the same user records are connected to EmpowerID, as would be the case if both an HR system and Active Directory were being inventoried.
Next, map the OUs containing user accounts and other managed objects in your account store to corresponding EmpowerID locations as described in the next section. This ensures that the location of an object in EmpowerID reflects the location of the object in Active Directory. In environments with multiple directories or domains, location mapping allows administrators and business users to see one condensed view of the organizations and have policies applied in one spot.
EmpowerID Role and Location mappings allow multiple AD, LDAP or other external directory containers to be visually mapped to one or more logical locations in EmpowerID for unified and easy management. When a mapping occurs, all the resources or objects located in the directory container are assigned to a corresponding EmpowerID location, allowing you to use those locations for delegating user access and setting default policy settings. If you create these mappings before your first inventory, all new people discovered by EmpowerID during the inventory process will be provisioned in EmpowerID locations (instead of directory locations), and those EmpowerID locations will be assigned to them as the "Location" portion of their Business Role and Location (BRL). For example, if you have a user named "Barney Smythe" in a London > Contractors OU and a user named "Chris Emerick" in a London > Employees OU and you map both of those London OUs to a single London location in EmpowerID, when you turn on your inventory the Location portion of the BRL for both Barney Smythe and Chris Emerick would be the EmpowerID location and not the external OUs.
To map external locations to EmpowerID locations in the Web interface, you first need an EmpowerID location for each external location you want to map. For directions on creating EmpowerID locations, expand the drop-down below.
From the Navigation Sidebar, expand Admin > Applications and Directories and click Role and Location Mapper.
From the Location pane of the Location Mapper tab, enter the name of the EmpowerID location you want to map and press ENTER to load the location.
From the External Location pane, enter the name of the external directory location to which you want to map the EmpowerID location.
If you select an external location that is a parent location, the children of that location are also mapped to the selected EmpowerID location.
Click Save to save the mapping.
You can view the mapped external locations for any EmpowerID location by expanding Mapped External Location on the View or View One pages for that location.
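Because mappings created before the first inventory decide the Location portion of every provisioned Person's BRL, it is worth previewing where accounts will land. The PowerShell below is an added example, not EmpowerID's code: it applies the rule stated above that mapping a parent container also covers its children, and resolves each account's distinguished name to the EmpowerID location it would receive. The further assumption that the nearest mapped ancestor wins when both a parent and a child container are mapped is mine, not something this article states. The OUs, accounts and mappings are constructed sample data built on the London example above.

```powershell
<#
  Added example, not EmpowerID's own code: preview of Role and Location Mapper
  placement. Assumptions (mine, not the article's): the nearest mapped ancestor
  container wins; an account with no mapped ancestor keeps its directory location.
  All DNs and mappings below are constructed sample data.
#>

# External container DN -> EmpowerID location, as you would configure it in the mapper.
$locationMappings = @{
    'OU=London,DC=eiddoc,DC=com'          = 'London'        # parent mapping covers Contractors and Employees
    'OU=Sales,OU=Madrid,DC=eiddoc,DC=com' = 'Madrid Sales'
}

function Split-DistinguishedName([string]$Dn) {
    # Split on commas that are not escaped with a backslash; OU names may contain "\,".
    [regex]::Split($Dn, '(?<!\\),')
}

function Resolve-EmpowerIDLocation {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][hashtable]$Mappings
    )
    $rdns = Split-DistinguishedName $DistinguishedName
    # Walk outward from the object's immediate container; the first mapped ancestor wins.
    # Hashtable key lookup is case-insensitive in PowerShell, matching LDAP DN comparison.
    for ($i = 1; $i -lt $rdns.Count; $i++) {
        $ancestor = ($rdns[$i..($rdns.Count - 1)]) -join ','
        if ($Mappings.ContainsKey($ancestor)) { return $Mappings[$ancestor] }
    }
    return $null   # unmapped: the account would keep its external directory location
}

# Constructed sample accounts (the first two are the article's own example users).
$sampleUsers = @(
    'CN=Barney Smythe,OU=Contractors,OU=London,DC=eiddoc,DC=com',
    'CN=Chris Emerick,OU=Employees,OU=London,DC=eiddoc,DC=com',
    'CN=Ana Ruiz,OU=Sales,OU=Madrid,DC=eiddoc,DC=com',
    'CN=Tomasz Nowak,OU=Warsaw,DC=eiddoc,DC=com'
)
foreach ($dn in $sampleUsers) {
    [pscustomobject]@{
        Account  = ((Split-DistinguishedName $dn)[0]) -replace '^CN=', ''
        Location = Resolve-EmpowerIDLocation -DistinguishedName $dn -Mappings $locationMappings
    }
}
```

To preview real accounts, replace $sampleUsers with distinguished names pulled from the directory (for example the DistinguishedName property of Get-ADUser results) and fill $locationMappings with the container-to-location pairs you have saved in the mapper; any account that resolves to an empty Location will not be placed in an EmpowerID location by the mappings you have so far.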
Now that the mappings and attribute flow have been configured, you can enable inventory for the account store as demonstrated below.
Return to the Account Store Details screen in Configuration Manager.
Look over your settings one last time and when satisfied, turn on inventory by toggling the Enable Inventory button from a red sphere to a green check box.
If you want EmpowerID to provision Persons from the user accounts in your Active Directory, you need to enable the Account Inbox permanent workflow. This is demonstrated below.