sosix Trusted Contributor.

SSO in IG with LDAP-AD

Hi,

I am trying to create SSO with IG 3.5 using LDAP. Is the only way to create an identity for all users or for a specific OU in AD?

I believed that with only the OSP it was not necessary to create identities and that all AD users could do SSO in IG.

My design was:

IDENTITY: Human Resources Software
ACCOUNTS: AD, SAP, CRM, etc.
PERMISSION: AD groups, SAP tx, CRM permissions, etc.

But I need to log in with LDAP SSO in IG.... 😞
Micro Focus Expert

Re: SSO in IG with LDAP-AD

On 1/17/19 9:26 AM, sosix wrote:
>
> Hi,
>
> I am trying to create SSO with IG 3.5 using LDAP. Is the only way to
> create an identity for all users or for a specific OU in AD?
>
> I believed that with only the OSP it was not necessary to create
> identities and that all AD users could do SSO in IG.
>
> My design was:
>
> IDENTITY: Human Resources Software
> ACCOUNTS: AD, SAP, CRM, etc.
> PERMISSION: AD groups, SAP tx, CRM permissions, etc.
>
> But I need to log in with LDAP SSO in IG.... 😞
>
>

Greetings,
For a user to be able to access ID Gov,

1) The User must be collected and published into the catalog of ID Gov.

2) They must exist in the Authorization Source (AD or eDirectory/IDM)
that OSP is pointing to.

3) The published data about the users in the ID Gov catalog must contain
enough to match the information that OSP is going to return as part of
the matching process.

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
sosix Trusted Contributor.

Re: SSO in IG with LDAP-AD

Thanks Steven,

Can you give me more detail on how to fulfill 2)?
Micro Focus Expert

Re: SSO in IG with LDAP-AD

On 1/17/19 10:54 AM, sosix wrote:
>
> Thanks Steven,
>
> Can you give me more detail on how to fulfill 2)?
>
>

Greetings,
I am not sure what you mean. For item #2, the LDAP authorization
source that OSP is pointing to must have the users that you are going to
have in the Catalog of ID Gov that you want to be able to interact with
the product in the different aspects that are possible.

Are you saying that your ldap source does not contain the same users
that you are collecting Identities from the "Human Resources Software"
source?



--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
sosix Trusted Contributor.

Re: SSO in IG with LDAP-AD

Thanks Steven,

My config in IG is:


Users in HR > Identity Catalog
Users in AD > Account Catalog


But for LDAP SSO in IG it is necessary to set up users in AD as IDENTITY, and that will generate duplicate identities!


Otherwise, I match the HR identity with the AD account using an attribute, and then try to log in with AD credentials, but without success 😞
Micro Focus Expert

Re: SSO in IG with LDAP-AD

On 1/18/19 8:44 AM, sosix wrote:
>
> Thanks Steven,
>
> My config in IG is:
>
> Users in HR > Identity Catalog
> Users in AD > Account Catalog
>
> But for LDAP SSO in IG it is necessary to set up users in AD as IDENTITY,
> and that will generate duplicate identities!
>
>
> Otherwise, I match the HR identity with the AD account using an attribute,
> and then try to log in with AD credentials, but without success 😞
>
>

Greetings,

When you have 2 (or more) Identity collectors you generally want to
utilize "Publish with Merge". In this case, there are a couple of
factors that come into play:
a) Which collector is marked as #1
b) What rules you have set in the "set merging rules" area

We outline this in the docs. If you accept the defaults and your HR
system is listed as #1 then it would be that system's information that
will take precedence.

By default the matching attribute is dn, unless you changed the setting
in configutil. Depending upon what value from your HR Identity Collector
you map into the necessary fields, this could then cause a problem:
-If the attribute is not the actual dn value that OSP is getting from
the LDAP source
-If the attribute does not match the case.


Questions:
a) What do you have mapped into the ID Gov attribute "User ID from
Source" in both collectors?

b) What do you have mapped into the ID Gov attribute "LDAP Distinguished
Name" in both collectors?

c) Which collector is listed as #1?

d) What merging rules did you set?




--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
sosix Trusted Contributor.

Re: SSO in IG with LDAP-AD

I don't create two collectors for Identity, Steven...

Collector for Identity > HR Software
Collector for Account > Active Directory
Micro Focus Expert

Re: SSO in IG with LDAP-AD

On 1/18/19 2:54 PM, sosix wrote:
>
> I don't create two collectors for Identity, Steven...
>
> Collector for Identity > HR Software
> Collector for Account > Active Directory
>
>

Greetings,
Okay. What I outlined and the questions I asked still hold true in
that case as well.

"
By default the matching attribute is dn, unless you changed the setting
in configutil. Depending upon what value from your HR Identity Collector
you map into the necessary fields, this could then cause a problem:
-If the attribute is not the actual dn value that OSP is getting from
the LDAP source
-If the attribute does not match the case.
"

Revised Questions:
a) What is the actual Identity Collector you are using (CSV, Azure,
JDBC, RACF, SalesForce, SAP HR, SAP User, ServiceNow, SharePoint)? If it
is JDBC, which one?

b) What do you have mapped into the ID Gov attribute "User ID from
Source" in the collector?

b) What do you have mapped into the ID Gov attribute "LDAP Distinguished
Name" in the collector?

--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
sosix Trusted Contributor.

Re: SSO in IG with LDAP-AD

My config in IG:

Collector for Identity > HR Software // Using JDBC PostgreSQL // my key is the record field "rut_empleado", which stores the employee ID
Collector for Account > Active Directory // AD Windows Server // my key is the attribute "EmployeedID", which stores the employee ID


And when I publish my identity and account, I see the identity with the AD account associated, because I mapped "rut_empleado" to "employeedID" in the matching process.


Where can I find the b) and b) questions?

Thanks Steven!!!
Micro Focus Expert

Re: SSO in IG with LDAP-AD

On 1/18/19 3:54 PM, sosix wrote:
>
> My config in IG:
>
> Collector for Identity > HR Software // Using JDBC PostgreSQL // my key
> is the record field "rut_empleado", which stores the employee ID
> Collector for Account > Active Directory // AD Windows Server // my key
> is the attribute "EmployeedID", which stores the employee ID
>
>
> And when I publish my identity and account, I see the identity with the AD
> account associated, because I mapped "rut_empleado" to "employeedID" in
> the matching process.
>
>
> Where can I find the b) and b) questions?
>
> Thanks Steven!!!
>
>

Greetings,
Being able to login has nothing to do with the ID and Account
matching. It has everything to do with Identity (in the Catalog)
matching to the Auth Source information that OSP is providing.

I believe it would be best for you to open a Service Request so that
Backline Support can have a call with you and me so that I can explain
this more.


--
Sincerely,
Steven Williams
Principal Enterprise Architect
Micro Focus
Knowledge Partner

Re: SSO in IG with LDAP-AD

On 1/18/2019 4:44 PM, Steven Williams wrote:
> Greetings,
>    Being able to login has nothing to do with the ID and Account
> matching.  It has everything to do with Identity (in the Catalog)
> matching to the Auth Source information that OSP is providing.
>
> I believe it would be best for you to open a Service Request so that
> Backline Support can have a call with you and I so that I can explain
> this more.


I think another way of looking at what Steve is saying is:

Identity - some ID Value.
Authentication source - needs to have the same value (so you can
actually login and map the logged in user to the Identity in IG).
Accounts - how do you link the Account collected (from AD in your case)
to the Identity (from HR SQL)?



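The two separate matches Steven and Geoff describe above (linking an AD account to an HR identity on a business key, versus OSP login matching the catalog identity on its LDAP Distinguished Name, where case matters) can be modelled in a few lines. This is an added illustrative example, not Identity Governance code or its real matching algorithm; the catalog attribute names, the AD attribute employeeID and the sample DN are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    """Catalog identity as published from the HR collector (constructed model)."""
    user_id_from_source: str            # "User ID from Source", here rut_empleado
    ldap_dn: str = ""                   # "LDAP Distinguished Name", empty if never mapped
    accounts: list = field(default_factory=list)

def normalize_dn(dn: str) -> str:
    """AD DNs compare case-insensitively; strip spaces around RDN separators too."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def link_accounts(identities, accounts, key="employeeID"):
    """Identity/account matching on HR rut_empleado vs AD employeeID; says nothing about login."""
    by_key = {i.user_id_from_source: i for i in identities}
    for acct in accounts:
        ident = by_key.get(acct.get(key, ""))
        if ident is not None:
            ident.accounts.append(acct["sAMAccountName"])

def login_match(identities, osp_dn):
    """Login matching as modelled here: the DN OSP returns from the LDAP auth
    source must equal the catalog identity's DN exactly. Returns (identity, why)."""
    for ident in identities:
        if ident.ldap_dn == osp_dn:
            return ident, "exact match"
    for ident in identities:
        if ident.ldap_dn and normalize_dn(ident.ldap_dn) == normalize_dn(osp_dn):
            return None, f"case/whitespace mismatch: catalog has {ident.ldap_dn!r}"
    if not any(i.ldap_dn for i in identities):
        return None, "no identity has an LDAP Distinguished Name published"
    return None, "no identity matches the DN OSP returned"

def demo():
    """Constructed sample: one HR identity, one AD account, three catalog states."""
    hr = [Identity(user_id_from_source="12345678-9")]
    ad = [{"sAMAccountName": "jperez", "employeeID": "12345678-9",
           "dn": "CN=Juan Perez,OU=Users,DC=example,DC=com"}]
    link_accounts(hr, ad)                      # account links fine...
    r1 = login_match(hr, ad[0]["dn"])          # ...but no DN was ever published
    hr[0].ldap_dn = ad[0]["dn"].upper()        # DN published with the wrong case
    r2 = login_match(hr, ad[0]["dn"])
    hr[0].ldap_dn = ad[0]["dn"]                # DN published exactly as OSP sees it
    r3 = login_match(hr, ad[0]["dn"])
    return hr[0].accounts, r1[1], r2[1], r3[1]

if __name__ == "__main__":
    print(demo())
```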
sosix Trusted Contributor.

Re: SSO in IG with LDAP-AD

Hi,

I link the Account with the Identity using the attribute "EmployeedID", which is the same as the "rut_empleado" field in the HR software table (PostgreSQL DB).

I verified the association with an example identity, and the account collects correctly! But when I log in with sAMAccountName, IG says "not mapped permission" (beforehand, I assigned permissions to the identity).

Sorry for my english 🙂