How to configure Active Directory (AD) as an external identity provider (IDP) for Symantec Mobility: Suite

Article ID: 178587

Products

Mobility Suite

Issue/Introduction

 

Resolution

 

1. To log into the console, go to the tenant admin URL. For example:
https://mobile.mydomain.com/admin/login

Note: If a temporary internal or self-signed certificate was used, there may be an SSL error when accessing the console. To change the SSL certificate(s) used by Mobility, see HOWTO94512.

2. This first page is the administrative dashboard. It provides a heads-up view of the tenant's health and usage.

3. Before setting up an external IDP, first create a backup local administrative account that does not share a corporate email address. To do this, go to Users > Add New User, enter the new administrative account's vital information, check Administrators under groups and click Save:

4. Now that a backup administrative account has been created, go to Settings > External IDP > Configure IDP, review the message and click Start to begin.

Note: In this example an Active Directory (AD) server will be used. For SAML via ADFS, see HOWTO84940.

5. To use Active Directory or LDAP, there must be network communication between the Mobility FE and the LDAP/AD server. Enter the required server information; once a successful connection is made, click Save to continue.

Tip: The connection will auto-test whenever the form changes. To see the exact reason for a connection failure, review the /var/log/nukona/appstore.log entries. Use a command such as:
tail -f /var/log/nukona/appstore.log
to view a live feed of this log while testing the connection:

Note: A user with sufficient rights to query the AD/LDAP schema must be used. The Distinguished Name (DN) of the user may be required; in the above example the sAMAccountName@<domain> form is shown. If the LDAP server requires SSL, try the combinations of ldaps://<serverURL> or ldap://<serverURL> with the use SSL box checked and unchecked. Also, for LDAPS the issuing CA certificate of the LDAP server must be uploaded under Settings > Certificates > LDAP Certificates. Contact the AD/LDAP administrator for more details.

6. Enter the Search Base Distinguished Name (DN), leaving the rest of the AD attributes as they are. Click Test to confirm that Mobility is able to query the DN.
IMPORTANT: Test with a non-administrative account, as testing with the tenant administrator's account can overwrite that administrator's privileges.

Tip: If the organization's domain name is mydomain.com, then the base DN would be dc=mydomain,dc=com. The purpose of the base DN is to limit queries to a domain or an organizational unit (OU). When testing the connection, only use the defined User name attribute; for AD this is the user's sAMAccountName.

7. IDP setup cannot proceed until a successful AD/LDAP bind is completed. Once a successful authentication occurs, click Save to continue.

8. Group mapping allows Mobility: Suite to map AD groups to locally created groups. The search base DN may be left blank. The wildcard character * (asterisk) may be used:

Tip: Click Test next to each group search criterion; this queries the AD/LDAP server for that specific group.

9. In the above screen capture, the AD administrator has already created a group designated for Mobility: Suite administrators. Custom groups and roles may be created at a later time; see the Mobility: Suite Administration Guide for more details. It is highly recommended not to enable IDP until an administrative group is successfully mapped. Once this is completed, click Save and, on the next page, Enable IDP.

Tip: Re-visit this page to toggle the IDP settings on/off.
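As an added example (not from this article, and not part of the Mobility: Suite product), the following POSIX shell helpers let an administrator verify from the Mobility FE the same things that steps 5 through 8 test from the console: that the base DN is well formed, that the service account can bind, that the user and group filters return what is expected, and what appstore.log recorded when a test failed. It assumes the OpenLDAP client tools (ldapsearch) are installed on the FE; the hostnames, account names, the LDAP_CA_FILE variable and the sample log lines are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article or of the Mobility: Suite
# product. Helper functions run from the Mobility FE (which needs the OpenLDAP
# client tools for ldapsearch) to pre-check the values typed into
# Settings > External IDP before relying on the console's auto-test.
# Hostnames, accounts and log lines used below are constructed placeholders.

# Step 6 tip: derive the search base DN from the organization's DNS domain.
#   domain_to_base_dn mydomain.com  ->  dc=mydomain,dc=com
domain_to_base_dn() {
    printf 'dc=%s\n' "$(printf '%s' "$1" | sed 's/\./,dc=/g')"
}

# Step 6: filter that matches one user by the configured "User name attribute"
# (sAMAccountName for AD). RFC 4515 special characters in the value are escaped
# so a typed value such as "j*" matches literally instead of widening the search.
user_filter() {
    attr=$1
    escaped=$(printf '%s' "$2" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                                      -e 's/(/\\28/g' -e 's/)/\\29/g')
    printf '(&(objectClass=user)(%s=%s))\n' "$attr" "$escaped"
}

# Step 8: group-mapping filter. The article allows the * wildcard here, so the
# value is deliberately passed through unescaped.
group_filter() {
    printf '(&(objectClass=group)(cn=%s))\n' "$1"
}

# Steps 5-8: bind as the service account and run one search, which is what the
# console's Test button does. ldapsearch exits with the LDAP result code, so
# 0 means bind and search succeeded and 49 means invalid credentials. -W prompts
# for the bind password rather than taking it on the command line.
# For ldaps:// URLs, point LDAP_CA_FILE (assumed variable) at the issuing CA
# certificate, the same one uploaded under Settings > Certificates > LDAP
# Certificates.
ldap_probe() {
    url=$1; bind_dn=$2; base_dn=$3; filter=$4
    LDAPTLS_CACERT="${LDAP_CA_FILE:-/etc/pki/tls/certs/ca-bundle.crt}" \
        ldapsearch -x -o nettimeout=10 -H "$url" -D "$bind_dn" -W \
                   -b "$base_dn" -s sub "$filter" dn
}

# Step 5 tip: show only the LDAP-related failures from appstore.log instead of
# reading the whole live feed. Usage: ldap_log_errors [logfile]
ldap_log_errors() {
    grep -iE 'ldap|bind' "${1:-/var/log/nukona/appstore.log}" \
        | grep -iE 'error|fail|invalid|refused|timed out|unreachable'
}

# Example session with constructed placeholder values:
#   base=$(domain_to_base_dn mydomain.com)
#   ldap_probe ldaps://dc01.mydomain.com svc-mobility@mydomain.com "$base" \
#              "$(user_filter sAMAccountName jdoe)"
#   ldap_probe ldaps://dc01.mydomain.com svc-mobility@mydomain.com "$base" \
#              "$(group_filter 'Mobility*')"
#   ldap_log_errors
```

Run the user probe with the same non-administrative account the article says to use for the console test; a non-zero exit from ldap_probe (49 for a bad bind, a TLS error for a missing CA certificate) reproduces the console failure outside the web form, and ldap_log_errors narrows the appstore.log output to the lines that explain it.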
