The Identity Provider specifies the pool of users that are allowed to send requests to the API. The default Identity Providers are used when creating the Authentication Policy.

It can be accessed and managed by roles with the "Manage Authentication Services" authority, such as "Project Owner".

The picture below shows the user authentication connection settings with LDAP:


The fields used for user authentication connection settings with LDAP are shown in the table below.

| Field | Description |
|---|---|
| Name | The name of the LDAP/Active Directory Identity Provider being created. |
| Description | A description can be written to facilitate the management of the created LDAP/Active Directory Identity Provider. |
| LDAP Connection Pool Definition | The pool from which the LDAP connection will be obtained is selected or created. |
| LDAP Authentication Type | When creating an Identity Provider with LDAP/Active Directory, one of two methods can be used. 1. Simple Authentication: the username/password pair is sent to the LDAP server, which checks whether such a user exists. 2. Advanced Authentication: the username/password pair is validated and, in addition, the user's group memberships and privileges are retrieved and used. |
| User Configuration Expression | Entered when Authentication Type is Simple Authentication. The username in the request message is substituted for {{username}} in this expression to build the LDAP search criterion, so the expression must be written according to the structure of the username that arrives in the request (see the examples below the table). |
| User Object Class Definition | User Class Definitions are created when Authentication Type is Advanced Authentication. |
| Group Object Class Definition | Group Class Definition(s) are created when Authentication Type is Advanced Authentication. |

Examples for the User Configuration Expression, assuming a user named user1 has a DN of the form oid={{username}},ou=People,dc=example,dc=com on the LDAP server:

Example-1: If the username in the request message is "user1", the expression should be written as: oid={{username}},ou=People,dc=example,dc=com.

Example-2: If the username in the request message is "oid=user1", the expression should be written as: {{username}},ou=People,dc=example,dc=com.

Example-3: If the request message carries the full value "oid=user1,ou=People,dc=example,dc=com", the expression should be written as: {{username}}.


The picture below shows the advanced user authentication connection settings with LDAP by defining User Class Definition:


The fields used for the User Class Definition in the advanced settings of the LDAP user authentication connection are shown in the table below.

| Field | Description |
|---|---|
| User Object Class Definition | The class name used to filter users is entered. Default value: inetOrgPerson. |
| Custom Filter Attribute | An additional filter applied, together with the filter in the connection, when fetching users. For example: (&(objectCategory=Person)(sAMAccountName=*)) |
| User Base DN Attribute | If a value is given, this Base DN is used instead of the connection's Base DN when searching and loading users; if no value is provided, the Base DN on the connection prevails. For example: cn=users,dc=ad,dc=example,dc=com |
| Search Scope | The level below the Base DN at which the search is performed. |
| Full Name Attribute | The name of the attribute used to find the user's full name is entered. Default value: cn. |
| Login Name Attribute | The name of the attribute holding the user's login name is entered. Default value: uid. |
| First Name Attribute | The name of the attribute holding the user's first name is entered. Default value: givenName. |
| Last Name Attribute | The name of the attribute holding the user's surname is entered. Default value: sn. |
| E-mail Attribute | The name of the attribute holding the user's e-mail address is entered. Default value: mail. |
| Membership Attribute | The name of the attribute holding the user's group memberships is entered. Default value: isMemberOf. |
| Attributes To Fetch | Which user attributes are retrieved from LDAP in addition to performing the authentication (see the note below the table). |

When the Advanced Settings option is enabled on the LDAP Authentication Provider page, the "Attributes to Fetch" field appears. If the attributes entered in this field are present on the LDAP user, they are retrieved along with their values, and:

  • If the LDAP provider is used for JWT generation, these attributes and their values (excluding null values) are added as claims in the JWT.
  • If the LDAP provider is used with the plaintext, basic, or digest authentication methods, these attributes and their values are added to the message context as custom variables. In this case, the key is prefixed with #clientLDAPAttribute#. For example, if the mail attribute is retrieved from LDAP, the key is #clientLDAPAttribute#mail and the value is "dummy@dummy.com".
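As an added example that is not the product's own code, the following Python models the three substitutions this page describes: the {{username}} expression of Simple Authentication, the user lookup of Advanced Authentication, and the #clientLDAPAttribute# context variables built from Attributes To Fetch. It assumes the lookup filter ANDs the User Object Class Definition, the Login Name Attribute and the optional Custom Filter Attribute, and that null-valued attributes are dropped from context variables as they are from JWT claims.

```python
from typing import Dict, Optional


def resolve_user_dn(expression: str, username: str) -> str:
    """Simple Authentication: substitute the request username for {{username}}.

    The value is inserted verbatim, because the three documented forms
    (user1 / oid=user1 / full DN) each expect a different part of the DN
    to arrive in the request; validate the username's shape before binding.
    """
    return expression.replace("{{username}}", username)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    out = value.replace("\\", "\\5c")
    for ch, esc in (("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\x00", "\\00")):
        out = out.replace(ch, esc)
    return out


def build_user_search_filter(object_class: str, login_attr: str, login_name: str,
                             custom_filter: Optional[str] = None) -> str:
    """Advanced Authentication user lookup (assumed composition): AND of the
    User Object Class Definition, the Login Name Attribute and, when set,
    the Custom Filter Attribute taken as an already well-formed filter."""
    clauses = [f"(objectClass={object_class})",
               f"({login_attr}={escape_filter_value(login_name)})"]
    if custom_filter:
        clauses.append(custom_filter)
    return "(&" + "".join(clauses) + ")"


def context_variables(fetched: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Attributes To Fetch: prefix each key with #clientLDAPAttribute# and
    drop null-valued attributes (assumed, mirroring the JWT claim rule)."""
    return {f"#clientLDAPAttribute#{k}": v for k, v in fetched.items() if v is not None}


if __name__ == "__main__":
    # Constructed sample inputs matching the page's examples.
    print(resolve_user_dn("oid={{username}},ou=People,dc=example,dc=com", "user1"))
    print(build_user_search_filter("inetOrgPerson", "uid", "user1",
                                   "(&(objectCategory=Person)(sAMAccountName=*))"))
    print(context_variables({"mail": "dummy@dummy.com", "sn": None}))
```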

The picture below shows the Group Class Definition settings:

The fields used for the Group Class Definition in the advanced settings of the LDAP user authentication connection are shown in the table below.

| Field | Description |
|---|---|
| Group Object Class Name | The class name used to filter the groups is entered. Default value: groupOfUniqueNames. |
| Group Name Attribute | The name of the attribute holding the group name is entered. Default value: cn. |
| Member Attribute | The name of the attribute holding the group members is entered. Default value: uniqueMember. |
| Member Strategy | The method used to determine the group members is selected. Default value: USER DN. Possible values: USER DN, USER LOGIN, NV PAIR, OU GROUP. |