General settings for an LDAP identity provider

Access Management uses the following settings to define identity providers that use the LDAP authentication protocol:

Key

A unique identifier for the IdP. The key is case sensitive and not editable once you save the new identity provider.

Optionally, you can include the key together with the user name from the identity provider to form a name that is specific to this provider. This may be useful when supporting multiple providers where user names could be duplicated. For more information, refer to the description of Separator.

Name

A name for the IdP. This name appears on the user sign-in screen to represent the IdP as an authentication option. The name must be unique within Access Management.

Description

Text that describes the IdP and its use. This description is visible only in Access Management.

Icon URL

The URL of an icon that represents the IdP.

This icon will appear along with the IdP's name on the user sign-in screen as well as in the Access Management user interface. If you do not provide an icon, Access Management will use a generic IdP icon.

Provider type

The type of IdP, which in this case must be LDAP.

Server address

The DNS (host) name or IP address of the LDAP server.

If you are enabling SSL, the address must be a fully qualified name.

Port

The port number of the LDAP server (typically, 389 for LDAP and 636 for LDAPS).

Use SSL

Indicates whether SSL should be used for a secure connection to LDAP. Select Yes to make the connection secure.

When enabling SSL, you must also set the Server address to a fully qualified name of the LDAP server.

Search account

The DN (distinguished name) for the LDAP administration user (the account with permissions to read the specified User and Group subtrees).

Search account password

The password for the LDAP administration user.

User base DN

The DN of the LDAP directory object where a search for users should start.

For users to be found in a search, they must be located in the subtree of this DN.

Group base DN

The DN of the LDAP directory object where a search for user groups should start.

For groups to be found in a search, they must be located in the subtree of this DN.

Group member attribute

The attribute that LDAP uses to identify members of a group. For example, member.

Within LDAP, the attribute can include multiple distinguished names (DNs) to identify the users who are members of the group.

Additional attributes

Other attributes to be used as claims.

Separator

A character that Access Management includes as part of the user name.

User names in Access Management have the following format: KEY<SEPARATOR>USERNAME

Where:

  • KEY is the unique identifier assigned to the external IdP (when it is created).
  • <SEPARATOR> is the character defined in this property, typically a colon (:) or another special character.
  • USERNAME is the name of the user as it comes directly from the external IdP.

Example: azure:testuser
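The following is an added example, not part of this documentation or the product's code: a small in-memory model of how the User base DN, Group base DN, Group member attribute and Separator settings above shape a lookup. The directory entries and the IdP keys "corp" and "azure" are constructed sample data, and DN comparison is simplified to lower-cased string matching.

```python
# Added example (constructed data, not Access Management's own code).
# Models subtree-scoped user/group searches and the KEY<SEPARATOR>USERNAME rule.

def in_subtree(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn itself or lies beneath it (LDAP subtree scope).
    Simplified: lower-cased string comparison instead of full DN normalization."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

# Constructed directory: DN -> attributes. Groups list member DNs in "member".
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "cn": "Alice Adams"},
    "uid=bob,ou=contractors,dc=example,dc=com": {"uid": "bob", "cn": "Bob Brown"},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "uid=bob,ou=contractors,dc=example,dc=com"]},
    "cn=legacy,ou=old-groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
}

def find_user(uid: str, user_base_dn: str):
    """DN of the user with this uid, searching only the User base DN subtree."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("uid") == uid and in_subtree(dn, user_base_dn):
            return dn
    return None  # exists in the directory but outside the subtree -> not found

def groups_of(user_dn: str, group_base_dn: str, member_attr: str = "member"):
    """Groups under Group base DN whose member attribute (multi-valued DNs)
    lists this user's DN. Groups outside the subtree are never returned."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if in_subtree(dn, group_base_dn)
                  and user_dn in attrs.get(member_attr, []))

def am_user_name(key: str, separator: str, username: str) -> str:
    """Compose the Access Management user name KEY<SEPARATOR>USERNAME, so the
    same external user name from two providers yields two distinct names."""
    return f"{key}{separator}{username}"

if __name__ == "__main__":
    alice = find_user("alice", "ou=people,dc=example,dc=com")
    print(alice, groups_of(alice, "ou=groups,dc=example,dc=com"))
    print(find_user("bob", "ou=people,dc=example,dc=com"))  # None: wrong subtree
    print(am_user_name("corp", ":", "alice"), am_user_name("azure", ":", "alice"))
```

Narrowing the Group base DN to ou=groups drops the stale cn=legacy group even though it still lists the user, which is the effect to check when a user appears to have lost entitlements after a base-DN change.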

Username Claim

The claim in the external IdP that Access Management uses as the User Subject when creating a user, in place of the user name.

Full name claim

The claim in the external IdP that Access Management uses as the Name when creating a user.