Using Integrated Windows Authentication
This section gives a sample configuration for using Integrated Windows Authentication with Active Directory (AD).
To use Integrated Windows Authentication, configure the user's externalUserName: assign it an AD attribute whose value has the form "(sAMAccountName) + '@' + (AD domain)".
In this sample, the AD userPrincipalName is mapped to externalUserName when synchronizing with the IIJ ID Service. A userPrincipalName has that form only when the account uses the domain's own UPN suffix and its prefix equals the sAMAccountName; accounts with an alternate UPN suffix, or whose UPN prefix differs from the sAMAccountName, do not satisfy the requirement and should be checked before synchronizing.
[ Reference ]
- The following configuration files are provided as reference examples. Adjust the settings to your environment.
- The "Issuer identifier of the upstream ID provider" in the sample config.yml is shown under "System" > "Upstream ID Provider Management" on the IIJ ID Console.
- The domain part (the string after "@") of an IIJ ID user's externalUserName must be lowercase. If the domain part of the AD attribute value to be assigned contains uppercase characters, see also "How to handle the case where the user attribute value in the AD server specified for externalUserName is uppercase (Integrated Windows Authentication)" (externalUserNameに指定するADサーバ内でのユーザ属性値が大文字の場合の対処方法を知りたい(統合Windows認証), Japanese only).
- The sample binds to the AD server at 127.0.0.1 with "encryption: none". A bind with a DN and password over unencrypted LDAP sends the password in cleartext, so keep this setting only when the tool runs on the domain controller itself and the connection never leaves the host; for a remote AD server, use an encrypted connection. The sample also binds as the built-in administrator; a dedicated account with read-only access to the synchronized users and groups is sufficient and is the least-privilege choice.
- The bind password, SCIM token and proxy password are kept in secret.yml rather than config.yml; restrict read access to that file to the account that runs the sync tool.
config.yml sample (nesting is shown by indentation; confirm it against the config.yml template shipped with the tool)

```yaml
log:
  loglevel: info
ad:
  ldap:
    server:
      addresses:
        - 127.0.0.1
      user: 'CN=administrator,CN=Users,DC=example,DC=jp'
      encryption: none
    base_dn: 'DC=example,DC=jp'
    filter:
      user: 'memberOf:1.2.840.113556.1.4.1941:=CN=IIJ ID Service User Group,OU=OU1,DC=example,DC=jp'
      group: 'memberOf:1.2.840.113556.1.4.1941:=CN=IIJ ID Service User Group,OU=OU1,DC=example,DC=jp'
  cache_disabled: true
iid:
  scim:
    http:
      proxy:
        use: true
        address: proxy.example.jp
        port: 8080
        user: iij-taro
attribute:
  user:
    default:
      emails:
        - primary: true
      idTokenClaims:
        issuer: (Issuer identifier of the upstream ID provider [example: https://asiif-000000000000a.iif.auth.iij.jp/op])
    ad_bind:
      externalId: objectGUID
      userName: userPrincipalName
      name:
        familyName: sn
        givenName: givenName
      localNames:
        familyName: msDS-PhoneticLastName
        givenName: msDS-PhoneticFirstName
      active:
        - userAccountControl
        - accountExpires
      externalUserName: userPrincipalName
      emails:
        - value: mail
  group:
    ad_bind:
      externalId: objectGUID
      displayName: name
      email: mail
```
secret.yml sample (the keys mirror the corresponding entries in config.yml)

```yaml
ad:
  ldap:
    server:
      password: ldap_password
iid:
  scim:
    token: scim_token
    http:
      proxy:
        password: proxy_password
```
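Before running the synchronization, it is worth checking that every account the tool will pick up actually meets the externalUserName requirement (userPrincipalName equal to sAMAccountName@domain, lowercase domain part). The following PowerShell script is an added example, not part of the IIJ ID Service documentation or tooling; it assumes the ActiveDirectory module is installed, uses the same nested-group LDAP filter as the sample config.yml, and the group DN and domain name are placeholders from the sample that you must replace.

```powershell
# Added example (not from the IIJ ID Service documentation or tooling).
# Lists every AD user matched by the sample's nested-group filter and flags
# accounts whose userPrincipalName cannot be used as externalUserName:
#   - UPN must equal sAMAccountName@<AD domain> (case-insensitive compare)
#   - the part after '@' must be lowercase (IIJ ID requirement)
#   - mail must be set, because the sample maps it to emails.value
# Assumptions: ActiveDirectory module available; group DN matches the sample.
Import-Module ActiveDirectory

$groupDn    = 'CN=IIJ ID Service User Group,OU=OU1,DC=example,DC=jp'   # assumed, as in config.yml
$domain     = (Get-ADDomain).DNSRoot                                     # e.g. example.jp
$ldapFilter = "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)"             # LDAP_MATCHING_RULE_IN_CHAIN

$report = Get-ADUser -LDAPFilter $ldapFilter -Properties sAMAccountName, userPrincipalName, mail |
    ForEach-Object {
        $upn      = [string]$_.userPrincipalName
        $expected = "$($_.sAMAccountName)@$domain"
        $suffix   = if ($upn.Contains('@')) { $upn.Split('@')[-1] } else { '' }

        $problems = @()
        if (-not $upn) {
            $problems += 'userPrincipalName is empty'
        } elseif ($upn -ne $expected) {            # -ne is case-insensitive in PowerShell
            $problems += "UPN '$upn' is not sAMAccountName@domain ('$expected')"
        }
        if ($suffix -and ($suffix -cne $suffix.ToLowerInvariant())) {   # -cne: case-sensitive
            $problems += "domain part '$suffix' contains uppercase characters"
        }
        if (-not $_.mail) {
            $problems += 'mail is empty (mapped to emails.value in config.yml)'
        }

        [pscustomobject]@{
            sAMAccountName    = $_.sAMAccountName
            userPrincipalName = $upn
            Status            = if ($problems) { 'FIX' } else { 'OK' }
            Problems          = ($problems -join '; ')
        }
    }

# Accounts needing attention sort first ('FIX' before 'OK').
$report | Sort-Object Status | Format-Table -AutoSize
```

Run the script as an account with read access to the group members; it only reads attributes and changes nothing. Accounts reported as FIX because of an uppercase domain part are the case covered by the Japanese-only article referenced above; accounts reported because the UPN does not match sAMAccountName@domain need their userPrincipalName corrected or a different attribute mapped to externalUserName.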