LDAP Configuration
The following steps are required only for new installations of Insights.
For upgraded customers, the Insights team handles this as part of the upgrade procedure.
Introduction
Through its support for the Lightweight Directory Access Protocol (LDAP), Resolve Insights gives the option of integrating with Microsoft Active Directory, which can serve as the master repository for storing information about Resolve Insights users.
To enable Insights login with your company LDAP/AD accounts, you need to configure Keycloak user federation with LDAP in several steps:
- Create an access group in your AD for the users who need access to Insights and assign that group to those users. Create an account that Keycloak uses to sync users and groups from your LDAP.
- Create an access group in Insights with the appropriate access roles.
- Configure LDAP user federation in Keycloak and sync the users and the groups. Map the synced groups to realm roles.
- Validate login and access.
 
Step 1 - Create access groups and a user for Insights in your AD
These steps describe the general actions that are needed to allow users from your AD to access Insights.
- Create a new user group for the users who will have access to Insights.
  For example: If you want to give your users admin access to Insights, you can name the group "Insights_admins".
- Create a new read-only user that Keycloak will use to sync data from your AD.
  For example: Name the user "insights sync". The user is assigned by default to the Users group. The domain name is AD.
- Assign the group to the users with access to Insights, including the user created in step 2.
 
Step 2 - Create an access group in Insights
To allow AD users to access Insights, you need to create an access management group and assign the appropriate roles to it. The group's name must match the name of the AD group created in "Step 1 > 1", so that the users and roles can be synced properly.
You can create multiple groups for multiple access roles in the application.
Step 3 - Configure LDAP user federation in Keycloak
To configure LDAP user federation, you must have a Keycloak master account. Please contact our support for assistance.
- Log in to https://<NCE_MASTER_IP>/auth with the master account credentials.
- Select insights-realm from the realm context drop-down.
- Navigate to the User federation menu.
- Select Add Ldap providers.
 
Configure the AD connection and user sync options. Most of the parameters in these sections are set by default; only the following settings need to be changed, and all other settings keep their default values.
- Enter the UI display name of the connection, which is how it will be displayed in Keycloak.
- Select Active Directory as Vendor.
- Enter the Connection URL of your AD host. Configure the LDAP URL by following the Keycloak Server Administration Guide. For example: ldap://12.12.12.12
- Click Test connection to ensure the URL settings are correct.
- Select simple as Bind type.
- Enter the Bind DN and Bind credentials of the user created in "Step 1 > 2", which Keycloak uses to sync users and access groups from your AD.
  For example: Bind DN=CN=insights user,CN=Users,DC=ad,DC=com
- Click Test authentication to ensure the bind user authentication is correct.
- Select READ_ONLY as Edit mode.
- Enter the Users DN.
  For example: CN=Users,DC=ad,DC=com
- Enter the User LDAP filter to sync only those users from your AD that should have access to Insights; there is no need to sync all AD users.
  For example: Set the following value to get only the users assigned to the group created in "Step 1 > 1": (&(objectClass=user)(memberOf=CN=Insights_admins,CN=Users,DC=ad,DC=com))
- Set the Import users toggle to ON.
- Set the Periodic changed users sync toggle to ON.
- Set the Trust Email toggle to ON.
- Click Save to save the configuration.
- From the top-right corner, select Sync all users from the Actions drop-down list to sync the users from your AD to Keycloak. Compare the number of users in the confirmation message with the number of members of the Insights group (created in "Step 1 > 1 and 3") in your AD.
 
Continue by syncing the user groups and mapping them to insights-realm roles in Keycloak. Most of the parameters in these sections are set by default; only the following settings need to be changed, and all other settings keep their default values.
- Navigate to the Mappers tab.
- Click Add mapper.
- Enter a mapper Name that will help you identify it. For example: Name the mapper ldap_roles_insights
- Select role-ldap-mapper from the Mapper type drop-down list.
- Enter the LDAP Roles DN.
  For example: CN=Users,DC=ad,DC=com
- Enter the LDAP filter to sync only those access groups from your AD that should have access to Insights; there is no need to sync all AD groups.
  For example: (&(objectClass=group)(memberOf=CN=Insights_admins,CN=Users,DC=ad,DC=com))
- Select LDAP_ONLY as Mode.
- Click Save.
- From the top-right corner, select Sync LDAP roles to Keycloak from the Actions drop-down list to sync the access groups from your AD to Keycloak as realm roles. Compare the number of roles in the confirmation message with the number of Insights access groups in your AD.
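The User LDAP filter in the federation settings and the LDAP filter in the role mapper above are both plain RFC 4515 filter strings, and a doubled or missing parenthesis, or a group name containing ( ) * or \, silently breaks the sync. The following Python is an added example, not part of the Resolve Insights or Keycloak product: it builds both filters from a group DN with RFC 4515 value escaping and checks a filter for balanced parentheses before you paste it into Keycloak. The DNs are the page's sample values under DC=ad,DC=com and are constructed, not real.

```python
"""Build and sanity-check the LDAP filters used for the Keycloak user
federation and role mapper settings (added example; DNs are constructed)."""

# RFC 4515 section 3: characters that must be hex-escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value placed inside an LDAP filter. str.translate makes a
    single pass, so the backslash produced for '(' is not escaped again."""
    return value.translate({ord(c): r for c, r in _ESCAPES.items()})


def user_filter(group_dn: str) -> str:
    """User LDAP filter: only AD users that are members of the access group."""
    return f"(&(objectClass=user)(memberOf={escape_filter_value(group_dn)}))"


def group_filter(group_dn: str) -> str:
    """Role mapper LDAP filter, in the same shape the page uses for groups."""
    return f"(&(objectClass=group)(memberOf={escape_filter_value(group_dn)}))"


def check_filter(ldap_filter: str) -> list[str]:
    """Return the problems found in a filter string; an empty list means it
    is one balanced, parenthesized expression with at least one assertion."""
    problems = []
    if not ldap_filter.startswith("("):
        problems.append("filter must start with '('")
    depth = 0
    for pos, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append(f"unexpected ')' at offset {pos}")
                break
            if depth == 0 and pos != len(ldap_filter) - 1:
                problems.append(f"filter closes at offset {pos} but text continues")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed '(': filter is unbalanced")
    if "=" not in ldap_filter:
        problems.append("no attribute=value assertion found")
    return problems


if __name__ == "__main__":
    group = "CN=Insights_admins,CN=Users,DC=ad,DC=com"  # constructed sample DN
    for f in (user_filter(group), group_filter(group)):
        print(f, "->", check_filter(f) or "OK")
```

Run check_filter on the exact string you intend to paste into Keycloak; it flags an extra leading parenthesis, but a raw parenthesis inside a group name can still balance out, which is why the builders escape the DN first.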
 
Allow users to log in to Insights with their AD emails.
- Navigate back to the Mappers tab.
- Select the email mapper and open it.
- Change the LDAP Attribute to userPrincipalName.
- Click Save.
- From the top-right corner, select Sync all users from the Actions drop-down list to sync the users from AD to Keycloak again.
 
Step 4 - Log in to Insights
The last step is to validate that your AD is properly synced with Insights and the users can log in with their company emails.
Navigate to the Insights UI at https://<NCE_MASTER_IP> and log in with your AD account.