Configuring identity federation

You can configure identity federation if you want admin groups and users to be managed in another system such as Active Directory, OpenLDAP, or Oracle Directory Server.

Before you begin

About this task

You must configure an identity source for the Grid Manager if you want to import the following types of federated groups:
  • Administration groups. The users in admin groups can sign in to the Grid Manager and perform tasks, based on the management permissions assigned to the group.
  • Tenant user groups for tenants that do not use their own identity source. Users in tenant groups can sign in to the Tenant Manager and perform tasks, based on the permissions assigned to the group in the Tenant Manager.
Note: Configuration of identity federation has been verified with Active Directory, OpenLDAP, and Oracle Directory Server. If you want to use another LDAP service, contact support.
Note: StorageGRID uses STARTTLS for securing LDAP communications. It does not support the LDAP over SSL (LDAPS) protocol. The default port used for communications with the LDAP server is 389, but you can use any port as long as your firewall is configured correctly.
Note: If you plan to enable single sign-on (SSO), you must use Active Directory as the federated identity source and AD FS as the identity provider. See "Requirements for using single sign-on."

Steps

  1. Select Configuration > Identity Federation.
  2. Select Enable Identity Federation.
    The fields for configuring the LDAP server appear.
  3. Select the type of LDAP service you want to configure from the LDAP Service Type drop-down list.
    You can select Active Directory, OpenLDAP, or Other.
    Note: If you select OpenLDAP, you must configure the OpenLDAP server. See "Guidelines for configuring an OpenLDAP server."
  4. If you selected Other, complete the fields in the LDAP Attributes section.
    • Unique User Name: The name of the attribute that contains the unique identifier of an LDAP user. This attribute is equivalent to sAMAccountName for Active Directory and uid for OpenLDAP. If you are configuring Oracle Directory Server, enter uid.
    • User UUID: The name of the attribute that contains the permanent unique identifier of an LDAP user. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP. If you are configuring Oracle Directory Server, enter nsuniqueid. Each user’s value for the specified attribute must be a 32-digit hexadecimal number in either 16-byte or string format, where hyphens are ignored.
    • Group Unique Name: The name of the attribute that contains the unique identifier of an LDAP group. This attribute is equivalent to sAMAccountName for Active Directory and cn for OpenLDAP. If you are configuring Oracle Directory Server, enter cn.
    • Group UUID: The name of the attribute that contains the permanent unique identifier of an LDAP group. This attribute is equivalent to objectGUID for Active Directory and entryUUID for OpenLDAP. If you are configuring Oracle Directory Server, enter nsuniqueid. Each group’s value for the specified attribute must be a 32-digit hexadecimal number in either 16-byte or string format, where hyphens are ignored.
  5. Enter the required LDAP server and network connection information in the LDAP Server section:
    • Hostname: The server host name or IP address of the LDAP server.
    • Port: The port used to connect to the LDAP server. Enter 389.
    • Username: The full path of the distinguished name (DN) for the user that will connect to the LDAP server.
      Note: For Active Directory, you can also specify the Down-Level Logon Name or the User Principal Name.
      The specified user must have permission to list groups and users and to access the following attributes:
      • sAMAccountName or uid
      • objectGUID, entryUUID, or nsuniqueid
      • cn
      • memberOf or isMemberOf
    • Password: The password associated with the username.
    • Group Base DN: The full path of the distinguished name (DN) for an LDAP subtree you want to search for groups. In the Active Directory example (below), all groups whose Distinguished Name is relative to the base DN (DC=storagegrid,DC=example,DC=com) can be used as federated groups.
      Note: The Unique Group Name values must be unique within the Group Base DN they belong to.
    • User Base DN: The full path of the distinguished name (DN) of an LDAP subtree you want to search for users.
      Note: The Unique User Name values must be unique within the User Base DN they belong to.
  6. Select a security setting from the Transport Layer Security (TLS) drop-down list to specify whether TLS is used to secure communications with the LDAP server:
    • Use operating system CA certificate: Use the default CA certificate installed on the operating system to secure connections.
    • Use custom CA certificate: Use a custom security certificate.

      If you select this setting, copy and paste the custom security certificate in the CA Certificate text box.

    • Do not use TLS: The network traffic between the StorageGRID system and the LDAP server will not be secured.
  7. Optionally, click Test Connection to validate your connection settings for the LDAP server.
    A green checkmark appears on the button if the connection is valid.
    (Screenshot: Test Connection button showing a green checkmark for a valid connection)

  8. If the connection is valid, click Save.
    Example
    The following screenshot shows example configuration values for an LDAP server that uses Active Directory.
    (Screenshot: Identity Federation page showing an LDAP server that uses Active Directory)
    Example
    The following screenshot shows example configuration values for an LDAP server that uses Oracle Directory Server.
    (Screenshot: Configuration > Identity Federation with LDAP Service Type set to Other)
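The procedure above states three constraints that are easy to get wrong before you click Save: the connection must be plain LDAP on the configured port upgraded with STARTTLS (LDAPS is not supported), the Unique User Name and Group Unique Name values must be unique within their Base DN, and every UUID attribute value must be a 32-digit hexadecimal number in either 16-byte or string form with hyphens ignored. The following Python script is an added example, not StorageGRID or NetApp code: it builds the `ldapsearch` command that mirrors the Test Connection check (the `-ZZ` flag makes OpenLDAP's `ldapsearch` abort unless STARTTLS succeeds), and it checks a set of already-fetched entries against the uniqueness and UUID rules. The host `ldap.example.com`, the bind DN `CN=svc-storagegrid,...`, and the `SAMPLE_GROUPS` entries are constructed for the example; the attribute names come from step 4 of the page. The script does not reorder objectGUID bytes, because the page does not say whether a byte-order conversion is applied.

```python
"""Pre-flight checks for StorageGRID identity federation settings.

Added example, not StorageGRID code.  Works on LDAP entries you have already
fetched (for instance with ldapsearch) and reports what would break an import.
"""
import re
from collections import Counter

# Attribute names per LDAP Service Type, as listed in step 4 of the procedure.
# For "Other" the names are whatever you enter in the LDAP Attributes section;
# the Oracle Directory Server row uses the values the page gives for it.
LDAP_ATTRIBUTES = {
    "Active Directory": {"user_name": "sAMAccountName", "user_uuid": "objectGUID",
                         "group_name": "sAMAccountName", "group_uuid": "objectGUID"},
    "OpenLDAP": {"user_name": "uid", "user_uuid": "entryUUID",
                 "group_name": "cn", "group_uuid": "entryUUID"},
    "Oracle Directory Server": {"user_name": "uid", "user_uuid": "nsuniqueid",
                                "group_name": "cn", "group_uuid": "nsuniqueid"},
}


def ldapsearch_argv(hostname, port, bind_dn, base_dn, ldap_filter, attrs, use_tls=True):
    """Build an OpenLDAP ldapsearch command matching the Test Connection check:
    simple bind over ldap:// on the configured port (389 by default), upgraded
    with STARTTLS via -ZZ (which fails the run if STARTTLS does not succeed).
    No ldaps:// URL is ever produced, because StorageGRID does not use LDAPS."""
    argv = ["ldapsearch", "-x", "-LLL", "-H", f"ldap://{hostname}:{port}",
            "-D", bind_dn, "-W", "-b", base_dn]
    if use_tls:
        argv.insert(1, "-ZZ")  # "Do not use TLS" maps to omitting this flag
    return argv + [ldap_filter] + list(attrs)


def normalize_uuid(value):
    """Return the 32-digit lowercase hex form of a UUID attribute value, or None
    if it is not in one of the two accepted formats: 16 raw bytes (how AD
    returns objectGUID) or a hex string in which hyphens are ignored (entryUUID,
    nsuniqueid).  Raw bytes are not reordered (assumption: no byte-order fix)."""
    if isinstance(value, (bytes, bytearray)):
        return bytes(value).hex() if len(value) == 16 else None
    if isinstance(value, str):
        hexdigits = value.replace("-", "")
        if re.fullmatch(r"[0-9a-fA-F]{32}", hexdigits):
            return hexdigits.lower()
    return None


def check_entries(entries, base_dn, name_attr, uuid_attr):
    """Return a list of problem strings for user or group entries.

    An empty list means every entry sits under base_dn, carries a non-empty
    unique-name attribute that no other entry shares, and carries a UUID
    attribute in an accepted format that no other entry shares."""
    problems, names, uuids = [], Counter(), Counter()
    base_l = base_dn.lower()
    for entry in entries:
        dn = entry.get("dn", "")
        dn_l = dn.lower()
        if dn_l != base_l and not dn_l.endswith("," + base_l):
            problems.append(f"{dn}: outside base DN {base_dn}")
            continue  # uniqueness only has to hold within the base DN
        name = entry.get(name_attr)
        if not name:
            problems.append(f"{dn}: missing {name_attr}")
        else:
            names[name] += 1
        norm = normalize_uuid(entry.get(uuid_attr))
        if norm is None:
            problems.append(f"{dn}: {uuid_attr} is not a 32-digit hex UUID")
        else:
            uuids[norm] += 1
    for name, n in names.items():
        if n > 1:
            problems.append(f"{name_attr}={name!r} appears {n} times within {base_dn}")
    for u, n in uuids.items():
        if n > 1:
            problems.append(f"{uuid_attr}={u} appears {n} times")
    return problems


# Constructed sample entries (not from a real directory).
SAMPLE_GROUPS = [
    {"dn": "CN=Grid Admins,OU=Groups,DC=storagegrid,DC=example,DC=com",
     "sAMAccountName": "GridAdmins",
     "objectGUID": bytes.fromhex("3f2504e04f8911d39a0c0305e82c3301")},  # 16-byte form
    {"dn": "CN=Tenant Users,OU=Groups,DC=storagegrid,DC=example,DC=com",
     "sAMAccountName": "TenantUsers",
     "objectGUID": "3f2504e0-4f89-11d3-9a0c-0305e82c3302"},  # string form, hyphens ignored
    {"dn": "CN=Dup,OU=Other,DC=storagegrid,DC=example,DC=com",
     "sAMAccountName": "GridAdmins",  # duplicate Group Unique Name within the base DN
     "objectGUID": b"\x01\x02"},      # neither 16 bytes nor 32 hex digits
    {"dn": "CN=Outside,DC=other,DC=example,DC=com",  # not under the Group Base DN
     "sAMAccountName": "Outside",
     "objectGUID": "3f2504e04f8911d39a0c0305e82c3303"},
]


if __name__ == "__main__":
    attrs = LDAP_ATTRIBUTES["Active Directory"]
    base = "DC=storagegrid,DC=example,DC=com"
    cmd = ldapsearch_argv("ldap.example.com", 389, "CN=svc-storagegrid,OU=Service Accounts," + base,
                          base, "(objectClass=group)", [attrs["group_name"], attrs["group_uuid"]])
    print("Connection check:", " ".join(cmd))
    for problem in check_entries(SAMPLE_GROUPS, base, attrs["group_name"], attrs["group_uuid"]):
        print("PROBLEM:", problem)
```

Run the printed `ldapsearch` command from a host that can reach the LDAP server; if it fails at the STARTTLS step, the CA certificate choice in step 6 is the first thing to revisit. Feed the returned entries to `check_entries` with the User Base DN and Group Base DN you intend to enter, and fix any duplicate or malformed value in the directory before enabling the federation.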