Managing Domain Credentials
Introduced in 2022.1
Alloy Navigator Express helps you leverage LDAP authentication and continual user synchronization for remote Active Directory domains and directory services other than Microsoft Active Directory, such as JumpCloud, Okta, OneLogin, AWS Directory Service, and others.
A common use of LDAP (Lightweight Directory Access Protocol) is to provide a central place to store usernames and passwords. Using LDAP authentication in Alloy Navigator Express enables you to consolidate the credentials for all of your users in a single identity store, eliminating the need to remember additional sets of credentials for users and simplifying the task of creating and maintaining Alloy Navigator Express accounts for administrators.
In Alloy Navigator Express, LDAP authentication works as follows:

1. On the sign-in page of a web application (the Web App, Mobile App, or the Self Service Portal), users are required to type in their credentials, which consist of a login name and password.

   IMPORTANT: Users must specify their login name in this format: DOMAIN\username

2. The web application searches the Domain Credentials records set up in Alloy Navigator Express by the entered DOMAIN name. If the corresponding Domain Credentials record exists, the application uses the connection information stored there to look up the user account in the specified directory service container.

3. If that is successful, i.e. the corresponding user account exists and is active:

   - The Web App or Mobile App queries the Alloy Navigator Express database to see whether that user has a Technician account. If a matching Technician account exists and is active, the web application lets the technician in.

   - The Self Service Portal simply lets the user in. If the user's domain (container) is in the list of "trusted" containers, the user can sign in to the Self Service Portal without an Alloy Navigator Express account. For other containers, the Self Service Portal first checks whether the user has a matching SSP Customer account in the Alloy Navigator Express database.
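As an added illustration (not the product's own code), the following Python models the sign-in decision described in the steps above. The Domain Credentials records, the directory accounts and the Alloy Navigator Express accounts are constructed in-memory stand-ins; the real product performs an LDAP lookup against the server named in the record. Note that the model gives the same result for an unknown user and a wrong password, so a caller cannot enumerate directory accounts through the sign-in page.

```python
from dataclasses import dataclass


@dataclass
class DomainCredentials:
    """One Domain Credentials record: the fields the form collects (constructed)."""
    domain: str            # Domain field; matched exactly against DOMAIN in DOMAIN\username
    server_name: str
    port: int
    users_dn: str          # container in which the user account is looked up
    trusted: bool = False  # "trusted" container: SSP admits users without an SSP Customer account


# Constructed Domain Credentials records, keyed by the Domain field
DOMAIN_RECORDS = {
    "JUMPCLOUD": DomainCredentials("JUMPCLOUD", "ldap.jumpcloud.com", 636,
                                   "ou=Users,o=<organizationId>,dc=jumpcloud,dc=com", trusted=True),
    "CORP": DomainCredentials("CORP", "dc01.corp.example", 636, "CN=Users,DC=corp,DC=example"),
}

# Constructed stand-in for the directory service: (domain, username) -> (password, enabled)
DIRECTORY = {
    ("JUMPCLOUD", "alice"): ("alice-pw", True),
    ("CORP", "bob"): ("bob-pw", True),
    ("CORP", "carol"): ("carol-pw", False),   # disabled directory account
    ("CORP", "dave"): ("dave-pw", True),
}

# Constructed Alloy Navigator Express accounts, keyed by DOMAIN\UserName (login -> active)
TECHNICIANS = {"CORP\\bob": True}
SSP_CUSTOMERS = {"CORP\\dave": True}


def parse_login(login):
    """Return (domain, user) for a DOMAIN\\username login, or None if the format is wrong."""
    domain, sep, user = login.partition("\\")
    if not sep or not domain or not user:
        return None
    return domain, user


def lookup_directory_user(record, user, password):
    """Stand-in for the lookup in record.users_dn; returns the account's enabled flag or None.

    An unknown user and a wrong password give the same None result on purpose.
    """
    entry = DIRECTORY.get((record.domain, user))
    if entry is None or entry[0] != password:
        return None
    return entry[1]


def sign_in(login, password, app):
    """Decide a sign-in for app in {'web', 'mobile', 'ssp'}; returns (allowed, reason)."""
    parsed = parse_login(login)
    if parsed is None:
        return False, "login must be in DOMAIN\\username format"
    domain, user = parsed
    record = DOMAIN_RECORDS.get(domain)            # step 2: find the Domain Credentials record
    if record is None:
        return False, f"no Domain Credentials record for {domain}"
    enabled = lookup_directory_user(record, user, password)
    if enabled is None:
        return False, "directory lookup failed"
    if not enabled:
        return False, "directory account is disabled"
    key = f"{domain}\\{user}"                       # step 3: check the product's own accounts
    if app in ("web", "mobile"):
        if TECHNICIANS.get(key):
            return True, "active Technician account"
        return False, "no active Technician account"
    if app == "ssp":
        if record.trusted:
            return True, "trusted container"
        if SSP_CUSTOMERS.get(key):
            return True, "SSP Customer account"
        return False, "no SSP Customer account"
    return False, f"unknown application {app!r}"


if __name__ == "__main__":
    for args in (("CORP\\bob", "bob-pw", "web"), ("JUMPCLOUD\\alice", "alice-pw", "ssp"),
                 ("CORP\\carol", "carol-pw", "web"), ("bob", "bob-pw", "web")):
        print(args, "->", sign_in(*args))
```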
To enable LDAP authentication, you must set up Domain Credentials records in the Services > Active Directory Integration > Domain Credentials section of the
To add a Domain Credentials record:

1. In Admin Center, go to Users & Security > SSO Providers and click New > Domain to open the Domain Credentials form.

2. In the Domain field, enter the name of your directory service (for example, JumpCloud). If you are connecting to a non-trusted Active Directory domain, enter the domain name. Alloy Navigator Express will use that name to match user credentials against it, so make sure that you provide the exact name used in your network.

3. In the Server Name field, enter the name or IP address of your LDAP server (for example, ldap.jumpcloud.com). For an Active Directory domain, enter the name or IP address of a domain controller.

4. Under Directory Service, choose what you want to connect:

   - Active Directory - for connection to an Active Directory domain.

   - LDAP Server - for connection to the LDAP server using simple bind authentication. In the Users DN field below, enter a distinguished name (DN) for your Users container. This is the organizational unit where the directory service stores user information.

     For example, integration with JumpCloud requires a string in the following format: ou=Users,o=<organizationId>,dc=jumpcloud,dc=com, where o=<organizationId> is the ID that uniquely identifies your organization in the JumpCloud directory. For example: ou=Users,o=5f6cf0506fb08c77c1ee69fa,dc=jumpcloud,dc=com

5. In the User Name field, enter a username or user ID, depending on how your directory service identifies users, for an account with enough permissions to read user information. In the Password field, enter the password.

6. If you want to enable a secure TLS-encrypted connection, select the Secure Connection check box. Note that the default Port value is then changed to 636.

7. In the Port field next to the Server Name field, change the default port number, if needed.

8. Click Test Connection to test the specified connection information.

   FOR SECURE CONNECTION TO LDAP SERVER: If the TLS connection request fails, consider applying the steps from Microsoft Knowledge Base Article 2275950. The article suggests creating a registry subkey on the computer that establishes the TLS-encrypted connection (i.e. on the Automation Server computer and the IIS server computer):

   - Start Registry Editor.
   - Locate the following subkey in the registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LDAP
   - Create a new REG_DWORD value named UseHostnameAsAlias, and set the value to anything other than zero. For example, 1.
   - Exit Registry Editor, and then restart the computer.

9. Click OK to save your changes.
IMPORTANT: To sign in to the Web App, Mobile App, or Self Service Portal, users are required to provide their usernames in this format: DOMAIN\UserName, where DOMAIN is the name that you specify in the Domain field here. Technicians must have Technician accounts in Alloy Navigator Express that match their DOMAIN\UserName usernames. For Self Service Portal users, SSP customer accounts in Alloy Navigator Express are not required.
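The following added Python (constructed for this page, not part of the product) checks a Domain Credentials record before it is saved: it parses the Users DN, verifies that a JumpCloud DN has the layout given in the steps above, and flags an LDAP Server connection whose simple bind is not protected by Secure Connection, or whose Secure Connection setting and Port disagree. The record is a plain dict keyed by the form's field names, and the organization ID check assumes the ID has the shape of the page's example (24 lowercase hex characters).

```python
import re

# Shape of the organization ID in the page's example DN (assumption based on that example)
JUMPCLOUD_ORG_ID = re.compile(r"^[0-9a-f]{24}$")


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs; a backslash-escaped comma stays in the value."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):     # keep the escape sequence intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def jumpcloud_users_dn(org_id):
    """Build the Users DN the page shows for JumpCloud, rejecting IDs of the wrong shape."""
    if not JUMPCLOUD_ORG_ID.match(org_id):
        raise ValueError("organization ID must be 24 lowercase hex characters")
    return f"ou=Users,o={org_id},dc=jumpcloud,dc=com"


def check_record(rec):
    """Lint a Domain Credentials record (dict keyed by the form's fields); return findings."""
    findings = []
    secure, port = rec["secure_connection"], rec["port"]
    if rec["directory_service"] == "LDAP Server":
        if not secure:
            findings.append("simple bind without Secure Connection sends the service account "
                            "password in cleartext; enable TLS (port 636)")
        try:
            pairs = parse_dn(rec["users_dn"])
        except ValueError as exc:
            findings.append(f"Users DN: {exc}")
            pairs = []
        if pairs and rec["server_name"].lower().endswith("jumpcloud.com"):
            layout_ok = (len(pairs) == 4 and pairs[0] == ("ou", "Users")
                         and pairs[1][0] == "o"
                         and JUMPCLOUD_ORG_ID.match(pairs[1][1]) is not None
                         and pairs[2:] == [("dc", "jumpcloud"), ("dc", "com")])
            if not layout_ok:
                findings.append("Users DN does not match "
                                "ou=Users,o=<organizationId>,dc=jumpcloud,dc=com")
    if secure and port != 636:
        findings.append(f"Secure Connection is on but port is {port}; LDAPS default is 636")
    if not secure and port == 636:
        findings.append("port 636 is the LDAPS port but Secure Connection is off")
    return findings


# Constructed records: a correct JumpCloud record and one with the placeholder left in the DN
GOOD_RECORD = {"domain": "JUMPCLOUD", "server_name": "ldap.jumpcloud.com", "port": 636,
               "directory_service": "LDAP Server", "secure_connection": True,
               "users_dn": jumpcloud_users_dn("5f6cf0506fb08c77c1ee69fa")}
BAD_RECORD = {"domain": "JUMPCLOUD", "server_name": "ldap.jumpcloud.com", "port": 389,
              "directory_service": "LDAP Server", "secure_connection": False,
              "users_dn": "ou=Users,o=<organizationId>,dc=jumpcloud,dc=com"}

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        print(name, check_record(rec))
```

Run the block as a script to see the findings for both constructed records; an empty list means the record passed every check.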
What do you want to do?

After you have integrated your directory service with Alloy Navigator Express and tested your connection, you will need to set up LDAP authentication for users. Use the table below as a reference for the information required to perform different actions related to this task.

| Action | Instructions |
|---|---|
| Allow technicians to sign in to the Web App and Mobile App using their current credentials | Create a matching Technician account for every technician who needs access. Accounts must use Windows authentication, their login names must be in the Configure the Web App for Standard authentication and instruct technicians to sign in to the Web App and Mobile App using their accounts, in this format: |
| Allow customers and internal users to sign in to the Self Service Portal using their current credentials | Set up continual user synchronization by creating a synchronization job under Services > Active Directory Integration > Synchronization. The job will sync user data from the directory service and create matching SSP Customer accounts for all users automatically. For details, see Creating or modifying Active Directory Synchronization jobs. |

IMPORTANT: The default mapping for synchronization jobs uses user attributes from Microsoft Active Directory. Directory services other than Microsoft Active Directory may use different attributes. For example, see user attributes available in JumpCloud. We recommend that you copy the default

NOTE: When you need to modify a Domain Credentials record (for example, to enable secure connection), remember to also modify the corresponding Active Directory Synchronization job. Otherwise, it may fail to run. To modify the job, either choose the updated Domain Credentials record again, or edit the LDAP path to its container. For details, see To create or modify an Active Directory Synchronization job.