Configuring IGI AD authentication


Author(s): Adam Bulla | Created: 05 June 2020 | Last modified: 25 June 2022
Tested on: -


In this guide I will configure AD authentication for IGI. It seems, and indeed is, a fairly easy task, but poor documentation and a few pitfalls can cause a lot of headache.

Assumptions

  • We will be using the built-in OpenID Connect provider
  • It will be set up with an external AD to authenticate against

Prerequisites

OpenID Connect provider works for internal user store

This seems like an obvious point, but it is easier to test and fix this before setting up AD authentication than after, if it turns out to be broken.

Potential solutions in case OpenID authentication does not work:

  • Firewall config:
    • Ports 9443, 10443 and 11443 enabled for the management interface
    • Ports 9343, 10443 and 11443 enabled for the management interface
  • Hostname unknown to IGI VA:
    • In case no DNS server is set up for the VA, or its hostname does not resolve correctly, OpenID authentication might fail even if the client has the correct DNS entry in its hosts file. This is because the internal OpenID Connect provider itself also connects, by hostname, to the respective interface.
    • Solution: edit the IGI hosts file through the VA console
  • Dates not matching:
    • Current date and time values that do not match (or are not close) between the VA, the DB and the client machine can also cause problems with OpenID authentication

Active Directory prerequisites

A user with the necessary privileges is needed for integrating with Active Directory.

The following information will be needed for Active Directory:

  • Hostname / IP address
  • Port
  • Principal DN & password
  • Base DN
    • The subtree where IGI will look for users and groups
  • User Filter & Group filter
    • IGI uses these filters to search for users and groups during authentication.
    • They must be parametrized with %v, which IGI replaces with the account name or group name.
  • Group ID
    • How to retrieve the group ID from a group entity
    • Should be *:cn
  • User ID map
    • How to retrieve the username from a user entity
    • Should be user:sAMAccountName
  • Group Member ID map
    • How to retrieve the group membership attribute
    • Should be memberOf:member
  • LMI Authorization group DN:
    • This should be the DN of a group that determines who can and who cannot log in to the LMI console.
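As an added example (not from this guide or from the IGI product), the following Python shows what a %v-parametrized user or group filter resolves to for a given account or group name, and checks a template for the mistakes that make it unusable before it is pasted into the registry form. The filter templates are constructed samples, and the RFC 4515 escaping of the substituted value is an assumption about what a safe substitution does; the page does not say how IGI itself substitutes %v.

```python
# Added example: check a %v-parametrized IGI user/group filter template and
# show what it resolves to for a given account or group name.
# The templates below are constructed samples; the attribute and object
# class names depend on your Active Directory.
USER_FILTER = "(&(sAMAccountName=%v)(objectClass=user))"
GROUP_FILTER = "(&(cn=%v)(objectClass=group))"

# RFC 4515 escaping for values placed inside a search filter. Assumption:
# this is what a safe substitution of %v does; the guide does not say how
# IGI itself substitutes the value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a name so it is matched literally, not parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_template(template: str) -> list[str]:
    """Return the problems that would make the template unusable (empty if OK)."""
    problems = []
    if template.count("%v") != 1:
        problems.append("template must contain exactly one %v placeholder")
    depth = 0
    for ch in template:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("parentheses are not balanced")
    if not template.startswith("("):
        problems.append("filter must be enclosed in parentheses")
    return problems


def render_filter(template: str, name: str) -> str:
    """Substitute %v with the escaped account or group name."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    return template.replace("%v", escape_filter_value(name))


if __name__ == "__main__":
    print(render_filter(USER_FILTER, "jdoe"))
    print(render_filter(GROUP_FILTER, "IGI Admins"))
    print(validate_template("(sAMAccountName=%v"))
```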

IGI prerequisites

IGI has to be prepared before AD authentication can be used: every account that is expected to authenticate through AD must have a counterpart in IGI, with the necessary permissions set up.

Sidetrack about IGI authentication

IGI authentication is somewhat unique, especially compared to ISIM. Two separate domains are kept: one for managing active applications, workflows, permissions and everything application- and user-related, and another working as an admin domain. This matters from the authentication point of view, since IGI accounts are not uniform across the whole environment: in practice, accounts in these two domains provide access to different parts of the system.

The Ideas domain (or application domain) is the part of IGI that manages onboarded applications, permissions, users, workflows, reports, etc. IGI accounts in this domain provide access to the Service Center; accounts that only exist in the Ideas domain cannot access the Administrative Console.

The Admin domain, on the other hand, provides access to configure and manage the permissions and accounts needed for the Administrative Console and the Local Management Interface.

Moreover, the two domains share the same UI look, except that in the Admin domain only the Access Governance Core functionality is available, so telling them apart is not especially easy. Which domain is currently active can be verified in the upper right part of the screen, where DOMAIN / USERNAME information is shown next to the HELP menu.

Configuring the AD authentication

To configure AD authentication, follow these steps:

  • Log in to the IGI VA web page
  • Configure -> Manage Server Settings -> OpenID Connect Provider Configuration
  • Manage -> Administrator / Service Center User Registry
    • Administrator User Registry handles authentication of users to the VA management console and the Administration Console
    • Service Center User Registry handles authentication to the Service Center
  • Select Registry -> External User Registry
  • Select LDAP Type: Microsoft Active Directory
  • Fill in the form with the information gathered as a prerequisite
  • Click Save Configuration
  • Click the Restart button on the OpenID Connect Provider Configuration screen
  • Navigate to the VA home page
  • Select the IBM Security Identity Governance and Intelligence server and click Restart
  • Log in to the IGI virtual machine console
  • Run lmi restart