Administration Guide

Enabling LDAP Authentication

A common use of LDAP (Lightweight Directory Access Protocol) is to provide a central place to store usernames and passwords. Using LDAP authentication in Alloy Navigator Express lets you keep the credentials of all your users in a single identity store: users do not have to remember an additional set of credentials, and administrators have less work creating and maintaining Alloy Navigator Express accounts.

In Alloy Navigator Express, LDAP authentication works as follows:

  1. On the sign-in page of a web application (the Web App, Mobile App, or the Self Service Portal), users enter their credentials: a login name and a password.

    IMPORTANT: Users must specify their login name in this format: DOMAIN\username.

  2. The web application searches the Domain Credentials records set up in Alloy Navigator Express for a record whose Domain matches the DOMAIN part of the login name. If such a record exists, the application uses the connection information stored there to look up the user account in the specified directory service container.

  3. If that is successful, i.e. the corresponding user account exists and is active:

    • The Web App or Mobile App queries the Alloy Navigator Express database to see whether that user has a Technician account. If a matching Technician account exists and is active, the web application lets the technician in.

    • The Self Service Portal decides based on the user's domain (container). If the container is in the list of "trusted" containers, the user signs in to the Self Service Portal without an Alloy Navigator Express account. For other containers, the Self Service Portal lets the user in only if a matching SSP Customer account exists in the Alloy Navigator Express database.
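The decision sequence above, as an added example that is not part of this guide or of Alloy Navigator Express: a small Python reference model of steps 1 to 3. The record layout, the in-memory "directory" and all sample accounts (the CORP and JumpCloud domains, the users alice, bob, carol and dave) are constructed for illustration, and the password check is an assumption (the product presumably binds to the directory as the user; here it is a plain comparison).

```python
"""Reference model of the LDAP sign-in decision (steps 1 to 3).

Added example, not Alloy Navigator Express code. Records, directory
contents and accounts are constructed; the real product reads Domain
Credentials records from its database and queries the directory over LDAP.
Assumption: the password is verified by an LDAP bind as the user, which is
modelled here as a plain string comparison.
"""
from dataclasses import dataclass, field


@dataclass
class DirectoryUser:
    password: str                      # constructed stand-in for the bind check
    active: bool


@dataclass
class DomainCredentials:
    domain: str                        # must equal the DOMAIN part of DOMAIN\username
    server_name: str
    users_dn: str
    users: dict = field(default_factory=dict)   # username -> DirectoryUser


@dataclass
class Database:
    domain_credentials: list           # Domain Credentials records
    technicians: set                   # active "domain\\username" Technician accounts
    ssp_customers: set                 # active "domain\\username" SSP Customer accounts
    trusted_containers: set            # DOMAIN names the Self Service Portal trusts


def split_login(login: str):
    """Step 1: accept only DOMAIN\\username with both parts non-empty."""
    parts = login.split("\\")
    if len(parts) != 2 or not all(parts):
        return None
    return parts[0], parts[1]


def find_domain_credentials(db: Database, domain: str):
    """Step 2: match the typed DOMAIN against the Domain field, case-insensitively."""
    for record in db.domain_credentials:
        if record.domain.lower() == domain.lower():
            return record
    return None


def directory_accepts(record: DomainCredentials, username: str, password: str) -> bool:
    """Step 3: the account must exist in the Users DN, be active, and the password must verify."""
    user = record.users.get(username.lower())
    return user is not None and user.active and user.password == password


def sign_in(db: Database, app: str, login: str, password: str) -> str:
    """Return "allowed" or "denied: <reason>" for app in {"web", "mobile", "ssp"}."""
    parsed = split_login(login)
    if parsed is None:
        return "denied: login must be in DOMAIN\\username format"
    domain, username = parsed
    record = find_domain_credentials(db, domain)
    if record is None:
        return f"denied: no Domain Credentials record named {domain}"
    if not directory_accepts(record, username, password):
        return "denied: directory lookup or password check failed"
    account = f"{record.domain}\\{username}".lower()   # canonical DOMAIN\username key
    if app in ("web", "mobile"):
        return "allowed" if account in db.technicians else "denied: no active Technician account"
    if app == "ssp":
        if record.domain in db.trusted_containers:
            return "allowed"                           # trusted container: no account needed
        return "allowed" if account in db.ssp_customers else "denied: no active SSP Customer account"
    return f"denied: unknown application {app}"


def sample_database() -> Database:
    """Constructed sample data: an AD domain CORP and a JumpCloud directory."""
    corp = DomainCredentials("CORP", "dc1.corp.example", "OU=Users,DC=corp,DC=example",
                             {"alice": DirectoryUser("Alice#1", True),
                              "bob": DirectoryUser("Bob#2", False),
                              "dave": DirectoryUser("Dave#4", True)})
    jumpcloud = DomainCredentials("JumpCloud", "ldap.jumpcloud.com",
                                  "ou=Users,o=<organizationId>,dc=jumpcloud,dc=com",
                                  {"carol": DirectoryUser("Carol#3", True)})
    return Database(domain_credentials=[corp, jumpcloud],
                    technicians={"corp\\alice"},
                    ssp_customers={"corp\\alice"},
                    trusted_containers={"JumpCloud"})


if __name__ == "__main__":
    db = sample_database()
    for app, login, pw in [("web", "CORP\\alice", "Alice#1"), ("web", "alice", "Alice#1"),
                           ("web", "CORP\\bob", "Bob#2"), ("web", "JumpCloud\\carol", "Carol#3"),
                           ("ssp", "JumpCloud\\carol", "Carol#3"), ("ssp", "CORP\\dave", "Dave#4")]:
        print(f"{app:6} {login:18} -> {sign_in(db, app, login, pw)}")
```

The useful part is the order of the checks: the format check and the Domain Credentials lookup happen before anything reaches the directory, and a valid, active directory account is still refused by the Web App and Mobile App unless an active Technician account matches DOMAIN\username, while the Self Service Portal waives the account requirement only for trusted containers.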

To enable LDAP authentication, you must set up Domain Credentials records in the Services > Active Directory Integration > Domain Credentials section of the Settings App. The Alloy Navigator Express web applications use the information from those records to connect to the specified directory services and authenticate users.

FOR ALLOY NAVIGATOR EXPRESS CLOUD (SAAS) HOSTED SOLUTION: For a secure LDAP connection over SSL/TLS (LDAPS), use a certificate signed by a public Certificate Authority (CA). The Alloy hosted solution does not support LDAPS connections secured with self-signed certificates.

FOR ALLOY NAVIGATOR EXPRESS ON-PREM SOLUTION: For a secure LDAP connection over SSL/TLS (LDAPS), use a certificate signed by a public Certificate Authority (CA). You can also use a certificate signed by a private CA or a self-signed certificate; however, you then have to configure the servers hosting the Automation Server and the Alloy web applications to trust that certificate (or, for a private CA, its issuing CA certificate).

To add a Domain Credentials record:

  1. Click New to reveal the Domain Credentials window.

  2. In the Domain field, enter the name of your directory service (for example, JumpCloud). If you are connecting to a remote Active Directory domain, enter the domain name.

    Alloy Navigator Express will use that name to match user credentials against it, so make sure that you provide the exact name used in your network.

  3. IMPORTANT: To sign in to the Web App, Mobile App, or Self Service Portal, users must provide their usernames in this format: DOMAIN\UserName, where DOMAIN is the name that you specify in the Domain field here. Technicians must have Technician accounts in Alloy Navigator Express that match their DOMAIN\UserName usernames. Self Service Portal users need a matching SSP Customer account only if their container is not in the portal's list of trusted containers.

  4. In the Server Name field, enter the name or IP address of your LDAP server (for example, ldap.jumpcloud.com). For an Active Directory domain, enter the name or IP address of a domain controller.

  5. Under Directory Service, choose what you want to connect:

    • Active Directory - for connection to an Active Directory domain.

    • LDAP Server - for connection to an LDAP server using simple bind authentication. In the Users DN field below, enter the distinguished name (DN) of your Users container, i.e. the organizational unit where the directory service stores user information. Simple bind transmits the bind DN and password in cleartext, so use it only together with the Secure Connection option (step 7).

      For example, integration with JumpCloud requires a string in the following format:
      ou=Users,o=<organizationId>,dc=jumpcloud,dc=com
      where o=<organizationId> is the ID that uniquely identifies your organization in the JumpCloud directory. For example:
      ou=Users,o=5f6cf0506fb08c77c1ee69fa,dc=jumpcloud,dc=com

  6. In the User Name field, enter the username or user ID (depending on how your directory service identifies users) of an account with permissions to read user information, and enter its password in the Password field. A dedicated service account with read-only access to the Users container is sufficient; do not use an administrative account here, because these credentials are stored in the Domain Credentials record.

  7. If you want to enable a secure TLS-encrypted connection, select the Secure Connection check box. Note that the Port value then changes to 636, the default LDAPS port.

  8. In the Port field next to the Server Name field, change the default port number, if needed.

  9. Click Test Connection to test the specified connection information.

    FOR SECURE CONNECTION TO LDAP SERVER: If the TLS connection request fails, consider applying the steps from Microsoft Knowledge Base article 2275950. The article suggests creating a registry value on each computer that establishes the TLS-encrypted connection (i.e. the Automation Server computer and the IIS server hosting the web applications):

    1. Start Registry Editor.
    2. Locate the following subkey in the registry:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
    3. Create a new REG_DWORD value named UseHostnameAsAlias and set it to any non-zero value, for example 1.
    4. Exit Registry Editor, and then restart the computer.

  10. Click OK to save your changes.
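What the Test Connection step exchanges with the server when Directory Service is LDAP Server and Secure Connection is on, as an added example that is not part of this guide or of Alloy Navigator Express: an LDAPv3 simple bind over LDAPS written with the Python standard library only. The host, bind DN and password in the usage section are placeholders, and the BindResponse bytes checked offline are constructed with encode_bind_response. It also shows why simple bind needs the Secure Connection setting: the password appears verbatim in the request.

```python
"""LDAPv3 simple bind over LDAPS, hand-encoded in BER (standard library only).

Added example for this guide, not Alloy Navigator Express code. The host,
bind DN and password under __main__ are placeholders; encode_bind_response
exists so the response parser can be exercised offline with constructed bytes.
"""
import socket
import ssl

SUCCESS, INVALID_CREDENTIALS = 0, 49       # LDAP resultCode values (RFC 4511)

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, else 0x80|N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at pos; return (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def encode_simple_bind(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    The password goes on the wire verbatim: without TLS anyone on the path can read it."""
    bind_request = _tlv(0x60, _tlv(0x02, b"\x03")             # version INTEGER 3
                        + _tlv(0x04, bind_dn.encode())           # name: the bind DN
                        + _tlv(0x80, password.encode()))         # authentication [0] simple
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + bind_request)   # message_id < 128

def encode_bind_response(message_id: int, result_code: int, diagnostic: str = "") -> bytes:
    """Server side: BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage }."""
    response = _tlv(0x61, _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"")
                    + _tlv(0x04, diagnostic.encode()))
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + response)

def parse_bind_response(msg: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from an encoded BindResponse."""
    tag, body, _ = _read_tlv(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body)
    tag, resp, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(resp)               # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(resp, pos)   # matchedDN (ignored here)
    _, diag, _ = _read_tlv(resp, pos)            # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")

def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("server closed the connection")
        data += chunk
    return data

def _recv_message(sock) -> bytes:
    """Read one complete BER-framed LDAPMessage (tag, length, value) from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)

def ldaps_simple_bind(host: str, bind_dn: str, password: str, port: int = 636, cafile: str = None):
    """Bind over LDAPS with certificate verification, as Secure Connection + Test Connection do.
    cafile=None verifies against the system trust store (public CA); pass the PEM file of a
    private CA for the on-prem case. An untrusted or self-signed server certificate raises
    ssl.SSLCertVerificationError during the handshake, before any credential is sent."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(encode_simple_bind(1, bind_dn, password))
        return parse_bind_response(_recv_message(tls))

if __name__ == "__main__":
    # Placeholders: replace with your server, the service account DN and its password.
    print(ldaps_simple_bind("ldap.example.com", "cn=svc-alloy,ou=Users,dc=example,dc=com", "change-me"))
```

A resultCode of 0 is what a successful Test Connection corresponds to; 49 (invalidCredentials) means the server was reached over a trusted TLS channel but rejected the User Name or Password from step 6. A certificate error from the handshake points at the CA notes above (public CA for the hosted solution, trusted private CA or self-signed certificate on-prem) rather than at the credentials.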

What do you want to do?

After you have integrated your directory service with Alloy Navigator Express and tested the connection, set up LDAP authentication for your users. Use the table below as a reference for the actions involved and the instructions for each.

Action: Allow technicians to sign in to the Web App and Mobile App using their current credentials

Instructions: Create a matching Technician account for every technician who needs access. Each account must use Windows authentication, its login name must be in the DOMAIN\UserName format, and the DOMAIN part must match the name specified in the Domain Credentials record. For details, see Creating and Maintaining Technician Accounts.

Then configure the Web App for Standard authentication and instruct technicians to sign in to the Web App and Mobile App using their accounts, in this format: DOMAIN\UserName.

Action: Allow customers and internal users to sign in to the Self Service Portal using their current credentials

Instructions: Set up continual user synchronization by creating a synchronization job under Services > Active Directory Integration > Synchronization. The job will sync user data from the directory service and create matching SSP Customer accounts for all users automatically. For details, see Configuring Active Directory Synchronization Jobs.

IMPORTANT: The default mapping for synchronization jobs uses user attributes from Microsoft Active Directory. Directory services other than Microsoft Active Directory may use different attributes. For example, see user attributes available in JumpCloud. We recommend that you copy the default mappings, and then manually modify the service attributes. For details, see Configuring Active Directory Data Mapping.

NOTE: When you need to modify a Domain Credentials record (for example, enable secure connection), remember to also modify the corresponding Active Directory Synchronization job. Otherwise, it may fail to run. To modify the job, either choose the updated Domain Credentials record again, or edit the LDAP path to its container.

Action: Allow customers and internal users to sign in to the Self Service Portal using their current credentials, without Alloy Navigator Express accounts

Instructions: Navigate to Customization > Self Service Portal > LDAP Authentication and enable LDAP authentication for the containers that the Self Service Portal can trust.

For details, see Setting up LDAP Authentication for SSP.