Configuring identity federation

You can use identity federation to import admin groups and users. Using identity federation makes setting up groups and users faster, and it allows users to sign in to their accounts using familiar credentials.

Before you begin

About this task

The identity source you configure for the Grid Management Interface allows you to import the following types of federated groups:
  • Administration (or "admin") groups. The users in these groups can sign in to the Grid Management Interface and perform tasks, based on the management permissions assigned to the group. See "About administration user groups."
  • Tenant account groups, assuming that the tenant is not using its own identity source (that is, assuming the Uses Own Identity Source checkbox is unchecked for the tenant account). Users in tenant account groups can sign in to the Tenant Management Interface and perform tasks, based on the permissions assigned to the group. See information about creating tenant accounts and the StorageGRID Webscale Tenant Administrator Guide.
Note: When using identity federation, be aware that users who only belong to a primary group on Active Directory are not allowed to sign in to the Grid Management Interface or the Tenant Management Interface. To allow these users to sign in, grant them membership in a user-created group.

Steps

  1. Select Configuration > Identity Federation.
  2. Select Enable Identity Federation.
    LDAP service configuration information appears.
  3. Select the type of LDAP service you want to configure from the LDAP Service Type drop-down list.
    You can select Active Directory, OpenLDAP, or Other.
    Note: If you select OpenLDAP, you must configure the OpenLDAP server. See "Guidelines for configuring an OpenLDAP server" in this guide.
  4. If you selected Other, complete the fields in the LDAP Attributes section.
    • Unique User Name: The name of the attribute that contains the unique identifier of an LDAP user. This attribute is equivalent to sAMAccountName for Active Directory and uid for OpenLDAP.
    • User UUID: The name of the attribute that contains the permanent unique identifier of an LDAP user. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP.
    • Group Unique Name: The name of the attribute that contains the unique identifier of an LDAP group. This attribute is equivalent to sAMAccountName for Active Directory and cn for OpenLDAP.
    • Group UUID: The name of the attribute that contains the permanent unique identifier of an LDAP group. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP.
  5. Enter the required LDAP server and network connection information:
    • Hostname: The host name or IP address of the LDAP server.
    • Port: The port used to connect to the LDAP server. This is typically 389.
    • Username: The username used to access the LDAP server, including the domain.
      The specified user must have permission to list groups and users and to access the following attributes:
      • cn
      • sAMAccountName or uid
      • objectGUID or entryUUID
      • memberOf
    • Password: The password associated with the username.
    • Group Base DN: The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for groups. In the example at the end of this procedure, all groups whose Distinguished Name is relative to the base DN (DC=storagegrid,DC=example,DC=com) can be used as federated groups.
      Note: The Unique Group Name values must be unique within the Group Base DN they belong to.
    • User Base DN: The fully qualified Distinguished Name (DN) of an LDAP subtree you want to search for users.
      Note: The Unique User Name values must be unique within the User Base DN they belong to.
  6. Select a security setting from the Transport Layer Security (TLS) drop-down list to specify if TLS is used to secure communications with the LDAP server.
    • Use operating system CA certificate: Use the default CA certificate installed on the operating system to secure connections.
    • Use custom CA certificate: Use a custom security certificate.
      If you select this setting, copy and paste the custom security certificate in the CA Certificate text box.
    • Do not use TLS: The network traffic between the StorageGRID Webscale system and the LDAP server will not be secured.
    Example
    The following screen shot shows example configuration values for an LDAP server that uses Active Directory.
    [Screen shot: Identity Federation page showing an LDAP server that uses Active Directory]
  7. Optionally, click Test Connection to validate your connection settings for the LDAP server.
  8. Click Save.
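Steps 4 to 6 state several constraints that Test Connection does not fully exercise: the attribute names implied by each LDAP Service Type, that group and user entries must lie under the Group Base DN and User Base DN, that Unique Group Name and Unique User Name values must be unique within their base DN, that users need visible group membership (the primary-group-only case from the note above), and the consequence of choosing Do not use TLS. The following Python script is an added example, not StorageGRID code or part of this guide; it runs these checks offline against a constructed directory snapshot (the dictionaries below stand in for entries returned by an LDAP search, and the hostname, GUID values and entry names are invented). The case-insensitive comparison of names is an assumption made here, chosen as the conservative reading for Active Directory.

```python
"""Pre-flight checks for a StorageGRID identity-federation configuration (added example)."""
from collections import defaultdict

# Attribute names implied by each LDAP Service Type (step 4); "Other" needs all four supplied.
SERVICE_TYPE_ATTRIBUTES = {
    "Active Directory": {"user_name": "sAMAccountName", "user_uuid": "objectGUID",
                         "group_name": "sAMAccountName", "group_uuid": "objectGUID"},
    "OpenLDAP": {"user_name": "uid", "user_uuid": "entryUUID",
                 "group_name": "cn", "group_uuid": "entryUUID"},
}
REQUIRED_KEYS = ("user_name", "user_uuid", "group_name", "group_uuid")


def resolve_attributes(service_type, custom=None):
    """Return the four attribute names to use for the selected LDAP Service Type."""
    if service_type == "Other":
        missing = [k for k in REQUIRED_KEYS if not (custom or {}).get(k)]
        if missing:
            raise ValueError(f"LDAP Attributes section incomplete: {missing}")
        return {k: custom[k] for k in REQUIRED_KEYS}
    return dict(SERVICE_TYPE_ATTRIBUTES[service_type])


def split_dn(dn):
    """Split a DN into normalised RDN strings, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip().lower())
    return parts


def dn_is_under(dn, base_dn):
    """True when dn lies in the subtree rooted at base_dn (case-insensitive suffix match)."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def check_scope_and_uniqueness(entries, base_dn, name_attr, uuid_attr):
    """Flag entries outside base_dn, unreadable attributes, and duplicate names inside the base DN."""
    problems, seen = [], defaultdict(list)
    for e in entries:
        if not dn_is_under(e["dn"], base_dn):
            problems.append(f"{e['dn']}: outside base DN {base_dn}, so it cannot be imported")
            continue
        for attr in ("cn", name_attr, uuid_attr):  # attributes the bind account must read (step 5)
            if attr not in e:
                problems.append(f"{e['dn']}: attribute {attr} not readable by the bind account")
        if name_attr in e:
            seen[e[name_attr].lower()].append(e["dn"])  # assumption: names compared case-insensitively
    for name, dns in seen.items():
        if len(dns) > 1:
            problems.append(f"{name_attr}={name} is not unique within {base_dn}: {dns}")
    return problems


def check_tls(tls_mode, port, ca_certificate=""):
    """Flag the unencrypted choice, and a custom-CA choice with nothing pasted into the text box."""
    if tls_mode == "Do not use TLS":
        return [f"LDAP traffic to port {port} is not secured; the bind password travels in clear text"]
    if tls_mode == "Use custom CA certificate" and "BEGIN CERTIFICATE" not in ca_certificate:
        return ["Custom CA certificate selected but the CA Certificate box holds no PEM certificate"]
    return []


def preflight(config, groups, users):
    """Run every check; an empty list means the configuration satisfies the procedure's constraints."""
    attrs = resolve_attributes(config["service_type"], config.get("ldap_attributes"))
    problems = check_scope_and_uniqueness(groups, config["group_base_dn"],
                                          attrs["group_name"], attrs["group_uuid"])
    problems += check_scope_and_uniqueness(users, config["user_base_dn"],
                                           attrs["user_name"], attrs["user_uuid"])
    for u in users:  # a user with no memberOf values (primary group only on AD) cannot sign in
        if dn_is_under(u["dn"], config["user_base_dn"]) and not u.get("memberOf"):
            problems.append(f"{u['dn']}: no memberOf values visible; a primary-group-only user cannot sign in")
    problems += check_tls(config["tls"], config["port"], config.get("ca_certificate", ""))
    return problems


# Constructed sample: an Active Directory configuration and a small directory snapshot (all values invented).
SAMPLE_CONFIG = {
    "service_type": "Active Directory", "hostname": "ad.storagegrid.example.com", "port": 389,
    "group_base_dn": "DC=storagegrid,DC=example,DC=com",
    "user_base_dn": "OU=Users,DC=storagegrid,DC=example,DC=com", "tls": "Do not use TLS",
}
SAMPLE_GROUPS = [
    {"dn": "CN=grid-admins,OU=Groups,DC=storagegrid,DC=example,DC=com", "cn": "grid-admins",
     "sAMAccountName": "grid-admins", "objectGUID": "guid-0001"},
    {"dn": "CN=grid-admins,OU=Legacy,DC=storagegrid,DC=example,DC=com", "cn": "grid-admins",
     "sAMAccountName": "Grid-Admins", "objectGUID": "guid-0002"},  # duplicate name within the base DN
    {"dn": "CN=ops,DC=other,DC=example,DC=com", "cn": "ops",
     "sAMAccountName": "ops", "objectGUID": "guid-0003"},  # outside the Group Base DN
]
SAMPLE_USERS = [
    {"dn": "CN=alice,OU=Users,DC=storagegrid,DC=example,DC=com", "cn": "alice", "sAMAccountName": "alice",
     "objectGUID": "guid-1001", "memberOf": ["CN=grid-admins,OU=Groups,DC=storagegrid,DC=example,DC=com"]},
    {"dn": "CN=bob,OU=Users,DC=storagegrid,DC=example,DC=com", "cn": "bob", "sAMAccountName": "bob",
     "objectGUID": "guid-1002", "memberOf": []},  # primary group only
]

if __name__ == "__main__":
    for problem in preflight(SAMPLE_CONFIG, SAMPLE_GROUPS, SAMPLE_USERS):
        print("-", problem)
```

Run as-is, the script reports four findings for the sample: the group outside the Group Base DN, the duplicate sAMAccountName within it, the user with no visible memberOf values, and the unsecured transport on port 389. In a real deployment the entry dictionaries would be replaced by the results of an LDAP search made with the same bind account and base DNs entered in step 5, so that what the bind account can actually read is what gets checked.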