How to set up Active Directory as a security provider

Audience: System administrators installing and configuring Sapho Server

Sapho uses AD Groups to secure access to micro apps. To configure AD Security, you need the LDAP URL of the primary AD server. You also have the option to add the LDAP URL of a secondary (backup) AD server. You will also need a username and password of a user account with browse privileges to your Active Directory hierarchy.

Active Directory configuration options in Sapho

  • Security Provider Name: Enter the name that will show up in your list of configured Security Providers (e.g. your company’s Active Directory).
  • Access Tool: Select Yes if you want to configure an AD Group to manage access to Sapho Builder.
  • Access Apps: Select Yes if you want to configure AD Groups with access to the micro apps created in Sapho Builder. For example, you could set up groups for "Employees" and "Managers" that allow both groups to view your Home app, while only the managers can access a micro app that lets them release purchase orders.
  • URL: The LDAP URL pointing to your primary Active Directory server. It includes the base (parent) DN, e.g. ldap://ad.arrakis.sapho.com/DC=arrakis,DC=sapho,DC=com
    • You can also limit the results to a specific Organizational Unit within AD, e.g. ldap://ad.arrakis.sapho.com/OU=SF%20Users,OU=Demo%20Groups,DC=arrakis,DC=sapho,DC=com
      Please note that any spaces (" ") in OU or group names within the URL must be replaced with "%20".
  • Failover URL: A backup Active Directory server can be entered if you have one available in your network.
  • Username: The username of a user account in your Active Directory server with browse (read) privileges on users and groups. The username may need to be prefixed with the domain name (e.g. ARRAKIS\sapho).
  • Password (and Retype Password): The password of the user account used to connect to Active Directory.
    • Username and Password values are encrypted before we store them in the Sapho Metadata database.
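As an added example (not Sapho's own code), the following Python builds and parses LDAP URLs in the form shown above, percent-encoding spaces as %20, and checks whether a given group or user DN falls under the URL's base DN, which is what determines which groups the provider can see. The host name and DNs are the page's sample values; the DN parser assumes no escaped commas inside values.

```python
from urllib.parse import quote, unquote, urlsplit

def build_ldap_url(host, dn_components, scheme="ldap"):
    """Join (attr, value) pairs into a base DN and percent-encode it for the URL path,
    so spaces in OU or group names become %20 as the page requires."""
    base_dn = ",".join(f"{attr}={value}" for attr, value in dn_components)
    return f"{scheme}://{host}/{quote(base_dn, safe='=,')}"

def parse_dn(dn):
    """Split a DN into (attr, value) pairs, lower-cased for comparison.
    Assumption: values contain no RFC 4514 escaped commas."""
    pairs = []
    for rdn in dn.split(","):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def parse_ldap_url(url):
    """Check scheme and host, then return (scheme, host, base DN pairs)."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    dn = unquote(parts.path.lstrip("/"))
    if not dn:
        raise ValueError("missing base DN")
    return parts.scheme, parts.hostname, parse_dn(dn)

def is_under_base(dn, ldap_url):
    """True if `dn` is at or below the base DN of `ldap_url`, i.e. a provider
    configured with that URL can see this group or user."""
    base = parse_ldap_url(ldap_url)[2]
    pairs = parse_dn(dn)
    return len(pairs) >= len(base) and pairs[len(pairs) - len(base):] == base
```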

Provisioning apps with access

Once your Active Directory server is connected, you can grant security groups access to your micro apps in Micro Apps with Access.

The security groups that are available will depend on the depth of the BaseDN entered in the LDAP URL.

Set advanced configuration settings for different LDAP implementations

If you’re running a different LDAP implementation than the standard out-of-the-box Microsoft Active Directory setup, your implementation might use different object attribute names and structure. To make it compatible with a Sapho security provider, fill in the fields under Advanced Configuration on the security provider detail page.

Here are the fields you will need to fill in:

Authenticate User & Get User Details

  • User Search: An LDAP search query to fetch a user by login name, used when a user logs into Sapho. The {usernameAttribute} parameter is automatically pulled based on the User Name Attribute field (see below). The {username} parameter is automatically pulled based on the Username input field in Sapho’s login form.
  • User ID Attribute: The name used in your Active Directory instance for the unique user ID attribute.
  • Firstname Attribute: The name used in your Active Directory instance for a user’s first name attribute.
  • User Name Attribute: The name used in your Active Directory instance for a user’s login name attribute.
  • Email Attribute: The name used in your Active Directory instance for a user’s email address attribute.
  • Lastname Attribute: The name used in your Active Directory instance for a user’s last name attribute.
  • User Group Name Attribute: The name used in your Active Directory instance for a user’s attribute that stores the list of groups the user belongs to.
  • Group User Name Attribute: The name in your Active Directory instance for a group’s attribute that stores the list of users belonging to a group.
  • User Primary Group Id Attribute: The name used in your Active Directory instance for a user’s default (primary) group attribute. (This group is not listed by the User Group Name Attribute.)
  • Group Name Search: An LDAP search query to fetch a group by name. The {groupName} parameter is automatically pulled based on the Group Name Attribute field (see below).

List User Groups (fallback Get User Details)

Some LDAP implementations do not support the User Group Name Attribute (see above), so the following fields provide a fallback:

  • User Groups Search: An LDAP search query used to find whether a user attempting to log in belongs to any defined groups. The {userAuthAttribute} parameter is automatically pulled based on the User Auth Attribute field (see below).
  • User Auth Attribute: The name used in your Active Directory instance for a user’s unique ID attribute that will be used as a parameter in User Groups Search (see above).
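Added example, not code from Sapho, covering the placeholders in User Search above and User Groups Search in this fallback section. The two templates, the attribute names and the user values are assumptions in the shape the page describes; the point is that placeholders naming attributes are validated as attribute names, while values that originate from the login form are escaped per RFC 4515 so they cannot change the filter's structure.

```python
import re

# Attribute descriptions per RFC 4512 (letters, digits, hyphen; no options).
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def render_filter(template, attributes, values):
    """Fill {placeholders} in a search template. `attributes` maps placeholders to
    LDAP attribute names (validated, not escaped); `values` maps placeholders to
    data such as the login-form username (escaped). Unknown placeholders fail."""
    def substitute(match):
        key = match.group(1)
        if key in attributes:
            name = attributes[key]
            if not ATTR_NAME.match(name):
                raise ValueError(f"invalid attribute name for {{{key}}}: {name!r}")
            return name
        if key in values:
            return escape_filter_value(values[key])
        raise KeyError(f"unknown placeholder {{{key}}}")
    return re.sub(r"\{(\w+)\}", substitute, template)

# Assumed templates in the shape of the page's User Search and User Groups Search.
USER_SEARCH = "(&(objectClass=user)({usernameAttribute}={username}))"
USER_GROUPS_SEARCH = "(&(objectClass=group)(member={userAuthAttribute}))"

def user_search_filter(username_attribute, login_name):
    """{usernameAttribute} comes from configuration, {username} from the login form."""
    return render_filter(USER_SEARCH, {"usernameAttribute": username_attribute},
                         {"username": login_name})

def user_groups_filter(user_auth_value):
    """{userAuthAttribute} is assumed to receive the logged-in user's value of the
    User Auth Attribute (here a DN); it is data read from the directory, so escaped."""
    return render_filter(USER_GROUPS_SEARCH, {}, {"userAuthAttribute": user_auth_value})
```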

List Provider Groups

  • Group Search: An LDAP search query used to list all groups.
  • Group Security Id Attribute: The name used in your Active Directory instance for a group’s primary ID attribute.
  • Group Unique Id Attribute: The name used in your Active Directory instance for a group’s unique ID attribute.
  • Group Name Attribute: The name used in your Active Directory instance for a group’s name attribute.