How to enable ADS authentication in the Identity Governance


Article ID: 195772


Products

CA Identity Governance, CA Identity Suite

Issue/Introduction

This document describes how to set up AD (Active Directory) authentication in Identity Governance.

Environment

Identity Governance 14.x

Resolution

These steps use the Identity Governance Client Tool and the Identity Governance Portal.

 

1) The Active Directory accounts must first be imported into the Eurekify.cfg file.

Before the import, the configuration contains only the Default users.

 

2) Connect to Active Directory and import its users

From Identity Governance Client Tool, menu > Import > Import from Active Directory

1 – Type the Active Directory IP or hostname

2 – Type the DOMAIN\Account used to connect to Active Directory

3 – Type the account’s password

4 – Click Set button

5 – Click Browse button and type the Configuration file name

6 – Click Browse button and type Users DB file name

7 – Click Browse button and type Resources DB file name

Click Next button

 

3) In the next window, select the OUs where the accounts are located, or the root to search all containers

Click Next

 

4) In this window we create a new Field that will hold the DOMAIN\Account value used by your Universe

1 – Click + button to add a new field

2 – Select the new field

3 – Type LoginID in “Configuration’s Entity Field Name” field and click Set Field button

Click Next button

 

5) In the next window, you can set up the Roles

Click Next

 

6) In the next window set up the Resources

Click Next button

 

7) In the new window, type the name of the XML file that will hold the configuration you just entered, then click the Finish button.
 
8) The next window will display the number of Users, Roles, and Resources imported

 

9) In the Identity Governance Client Tool, open the CFG file you saved at step #2

Check if all accounts were imported and make sure the column LoginID was created

 

10) Let’s save the Master and Model to the Database for this configuration

1 – Menu > File > Save to Database

2 – Select New Configuration and type the Master name, click Next

3 – Repeat steps #1 and #2, but this time type your configuration name followed by _Model

 

11) Now let’s create a new Universe using the Master / Model created above.

Home > Administration > Universes > Add New button

At this point make sure the Users Login Field was set to LoginID, the attribute created in step #4

Click Save button

In the next window, click the Yes button

 

12) Let’s run the Permissions and RACI

Home > Administration > Permissions and RACI

Select Update Permissions Configuration with Universe Users

In the list box, select your Universe, created in step #11 and click Select button

 

13) Now let's configure your Domain, which will be added in front of all users as a prefix

In the Users To Fix section, select PersonId and type your Domain followed by \ (example: domain\)

DO NOT FORGET to add the backslash

If you want, you can view all users that will be fixed by clicking the View button.

After reviewing, click "Fix Selected Users" or "Fix All Users"

In the "New users" section, click the View button and check that every user in the Person ID column has the form Domain\UserName; after that, click the "Add All Users" button

 

Run Create RACI for your Universe

 

Run Synchronize RACI

 

14) Open the Identity Governance Client Tool and open the Eurekify.cfg file: all users are now imported and each PersonID has been updated with the Domain prefix

 

15) With this configuration done we can enable AD Authentication. Below are the properties you need to change.

Set the following properties through the Identity Governance Portal under Administration => Settings => Properties Settings:

  • security.disable = false
  • security.disable.ADAuthentication = false
  • ldap.server = <domain name> (example: your_domain)
  • manager.dn = <AD bind account> (example: Administrator). A full DN is only needed if you have SSL enabled
  • manager.password = <AD bind account's password>

You MUST have a Login ID field in the UDB with the domain name (example: domain\chrislee)

When logging in, the user MUST provide the Login ID (example: domain\chrislee)

The remaining security properties should be set as follows:

  • security.siteminder.domain.attribute = rcm_domain
  • security.credentials.expiration.seconds = 60
  • security.eurekify.keystore.password = (leave empty)
  • security.GUID.expiration.minutes = 360
  • security.disable.webpage.authorization = false
  • security.siteminder.username.attribute = sm_user
  • security.eurekify.keyStore.file = (leave blank)
  • security.GUID.expiration.delta.seconds = 60
  • security.siteminder.enabled = false
  • sage.security.disable.ssl.ADAuthentication = true

Two points to keep in mind. sage.security.disable.ssl.ADAuthentication = true turns SSL off for the connection to Active Directory, so the bind account's password and every user's login password are sent to the domain controller in cleartext; this is acceptable for a lab, but for production enable LDAPS on the domain controller, set the property to false and give manager.dn the full DN of the bind account. Also, manager.password is stored as a property in the Identity Governance database, so use a dedicated, low-privilege bind account rather than Administrator.

Note: For all properties above, change the Property Value, then change the Type to Database Property, and click the Save button.
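The two things that most often go wrong after this switch are a PersonID that never received the Domain\ prefix (step 13) and a property left at its default (step 15); either one locks the affected users out once AD authentication is on. The script below is an added example, not part of this article or of the product: it applies the step 13 prefix idempotently and runs a pre-flight check over a constructed user export and a constructed property dump before the properties are saved. The field and property names are the ones this article uses; the export format, the domain name CORP and the sample users are assumptions made for the example.

```python
"""Pre-flight check before switching Identity Governance to AD authentication.

Added example; it is not part of the KB article or of the product. It takes
two constructed inputs: (PersonID, LoginID) pairs as they would appear in the
Client Tool after step 13, and the portal's Properties Settings as a dict.
The field and property names are the article's; the export format, the
domain name CORP and the sample users are assumptions for this example.
"""
import re

# Values the article's property list sets before an AD user can log in.
REQUIRED_PROPERTIES = {
    "security.disable": "false",
    "security.disable.ADAuthentication": "false",
    "security.siteminder.enabled": "false",
}

# DOMAIN\user: exactly one backslash, no whitespace or slashes on either side.
_LOGIN_ID = re.compile(r"^(?P<domain>[^\\/\s]+)\\(?P<user>[^\\/\s]+)$")


def add_domain_prefix(person_id, domain):
    """Step 13 of the article: put DOMAIN\\ in front of a PersonID.

    Idempotent: an ID that already has a DOMAIN\\ prefix is returned
    unchanged, so running the fix twice cannot produce CORP\\CORP\\user.
    An ID carrying a different domain is also left alone for review.
    """
    if _LOGIN_ID.match(person_id):
        return person_id
    return f"{domain}\\{person_id}"


def check_login_ids(users, domain):
    """Return (PersonID, reason) for every user who could not log in.

    A user is flagged when the LoginID is empty, lacks the DOMAIN\\ prefix,
    or names a domain other than the one ldap.server points at.
    """
    problems = []
    for person_id, login_id in users:
        if not login_id:
            problems.append((person_id, "LoginID is empty"))
            continue
        m = _LOGIN_ID.match(login_id)
        if m is None:
            problems.append((person_id, "LoginID lacks the DOMAIN\\ prefix"))
        elif m.group("domain").lower() != domain.lower():
            problems.append((person_id, f"LoginID domain is {m.group('domain')}"))
    return problems


def _bind_account_name(manager_dn):
    """Account name from either DOMAIN\\name or a full DN (CN=name,...)."""
    if "=" in manager_dn:
        return manager_dn.split(",", 1)[0].split("=", 1)[1].strip()
    return manager_dn.split("\\")[-1].strip()


def check_properties(props):
    """Return (blocking, warnings) for the portal's Properties Settings.

    blocking: values that must change before AD authentication can work.
    warnings: settings that work but should not reach production as-is.
    """
    blocking, warnings = [], []
    for name, wanted in REQUIRED_PROPERTIES.items():
        actual = props.get(name)
        if actual is None or actual.strip().lower() != wanted:
            blocking.append(f"{name} is {actual!r}, must be {wanted}")
    for name in ("ldap.server", "manager.dn", "manager.password"):
        if not props.get(name):
            blocking.append(f"{name} is not set")
    if props.get("sage.security.disable.ssl.ADAuthentication", "").lower() == "true":
        # LDAP simple bind without TLS: bind and user passwords cross the
        # network in cleartext between the portal and the domain controller.
        warnings.append("SSL is disabled for the AD bind; passwords travel in cleartext")
    if _bind_account_name(props.get("manager.dn", "")).lower() == "administrator":
        warnings.append("manager.dn is Administrator; use a dedicated low-privilege bind account")
    return blocking, warnings


def preflight(users, props, domain):
    """Everything that would lock users out once AD authentication is on."""
    blocking, warnings = check_properties(props)
    blocking += [f"{pid}: {why}" for pid, why in check_login_ids(users, domain)]
    return {"ready": not blocking, "blocking": blocking, "warnings": warnings}


# Constructed sample data: one user fixed by step 13, three that were not.
SAMPLE_USERS = [
    ("chrislee", "CORP\\chrislee"),
    ("jdoe", "jdoe"),              # prefix never applied
    ("msmith", ""),                # LoginID column empty after import
    ("rwong", "OTHER\\rwong"),     # account from another domain
]

# Constructed property dump, as read from Administration => Settings.
SAMPLE_PROPERTIES = {
    "security.disable": "true",    # still the default: AD logins would fail
    "security.disable.ADAuthentication": "false",
    "security.siteminder.enabled": "false",
    "ldap.server": "corp",
    "manager.dn": "CORP\\Administrator",
    "manager.password": "********",
    "sage.security.disable.ssl.ADAuthentication": "true",
}

if __name__ == "__main__":
    result = preflight(SAMPLE_USERS, SAMPLE_PROPERTIES, "CORP")
    print("ready:", result["ready"])
    for line in result["blocking"]:
        print("BLOCKING:", line)
    for line in result["warnings"]:
        print("WARNING: ", line)
    # What step 13 would write for the users that were not fixed yet:
    for person_id, login_id in SAMPLE_USERS:
        print(person_id, "->", add_domain_prefix(login_id or person_id, "CORP"))
```

Run it against a real export before saving the properties: anything listed as BLOCKING means users would be locked out after the switch, while the WARNING lines are the lab-only settings (no SSL, Administrator as the bind account) that should be changed before the setup reaches production.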

 

Now, Log out and Log in with your Active Directory user using Domain\User
