Using Integrated Windows Authentication

This section shows a sample configuration for using Integrated Windows Authentication with users synchronized from Active Directory (AD).


To use Integrated Windows Authentication, set each user's externalUserName to the value "(sAMAccountName) + '@' + (AD domain)", built from the user's AD attributes.


In this sample configuration, the AD attribute userPrincipalName is mapped to externalUserName so that it is synchronized to the IIJ ID Service. This mapping is correct only when every synchronized user's userPrincipalName is sAMAccountName@(AD domain); accounts that use an alternate UPN suffix, or that have no userPrincipalName set, will not match and must be handled separately.
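The following PowerShell check is an added example, not part of the IIJ ID Service documentation or tooling. It uses the RSAT ActiveDirectory module to enumerate the same users the sample config.yml below selects (its memberOf filter, whose matching rule 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN and therefore includes nested group members) and reports every account whose userPrincipalName is not sAMAccountName@(domain), since such an account would be synchronized with an externalUserName that does not match its Windows logon identity. The group DN is taken from the sample; the domain name is derived with Get-ADDomain, which assumes the users live in the domain the machine running the script is joined to.

```powershell
# Added example (not part of the IIJ ID Service documentation or tooling).
# Finds members of the sync group whose userPrincipalName is not sAMAccountName@<domain>,
# i.e. accounts for which the sample externalUserName mapping would be wrong.
# Assumptions: RSAT ActiveDirectory module installed; group DN as in the sample config.yml;
# all users belong to the domain returned by Get-ADDomain.
Import-Module ActiveDirectory

$GroupDn = 'CN=IIJ ID Service User Group,OU=OU1,DC=example,DC=jp'
# Same filter as the sample config: 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN)
# matches direct and nested members of the group.
$Filter  = "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn)"
$Domain  = (Get-ADDomain).DNSRoot   # e.g. example.jp

$users = Get-ADUser -LDAPFilter $Filter -Properties sAMAccountName, userPrincipalName

$problems = foreach ($u in $users) {
    $expected = "$($u.SamAccountName)@$Domain"
    if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
        [pscustomobject]@{
            Account  = $u.SamAccountName
            Issue    = 'no userPrincipalName set'
            UPN      = ''
            Expected = $expected
        }
    } elseif ($u.UserPrincipalName -ine $expected) {
        # -ine is a case-insensitive comparison; UPNs are case-insensitive in AD as well.
        [pscustomobject]@{
            Account  = $u.SamAccountName
            Issue    = 'UPN differs from sAMAccountName@domain (alternate UPN suffix?)'
            UPN      = $u.UserPrincipalName
            Expected = $expected
        }
    }
}

if ($problems) {
    $problems | Format-Table -AutoSize
    Write-Warning ("{0} of {1} users in the sync group would not match their Windows logon identity" -f $problems.Count, $users.Count)
} else {
    Write-Output ("All {0} users in the sync group have userPrincipalName = sAMAccountName@{1}" -f $users.Count, $Domain)
}
```

Run it on a domain-joined machine with the same group DN you configure in `ad.ldap.filter.user`; any account it lists needs its userPrincipalName corrected or a different externalUserName mapping before enabling Integrated Windows Authentication.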

[ Reference ]

The following configuration files are provided as reference examples; adapt the actual settings to your environment. Note that the sample binds to the directory as the built-in administrator account with encryption set to none, which is tolerable only against a loopback address as shown here; for a domain controller reached over the network, bind with a dedicated read-only service account and use an encrypted LDAP connection instead.
The "Issuer identifier of the upstream ID provider" in the sample config.yml file appears in "System" > "Upstream ID Provider Management" on IIJ ID Console.

config.yml sample
log:
  loglevel:                      info

ad:
  ldap:
    server:
      addresses:
                                 - 127.0.0.1
      user:                      'CN=administrator,CN=Users,DC=example,DC=jp'
      encryption:                none
    base_dn:                     'DC=example,DC=jp'
    filter:
      user:                      'memberOf:1.2.840.113556.1.4.1941:=CN=IIJ ID Service User Group,OU=OU1,DC=example,DC=jp'
      group:                     'memberOf:1.2.840.113556.1.4.1941:=CN=IIJ ID Service User Group,OU=OU1,DC=example,DC=jp'
    cache_disabled:              true

iid:
  scim:
    http:
      proxy:
        use:                     true
        address:                 proxy.example.jp
        port:                    8080
        user:                    iij-taro
    attribute:
      user:
        default:
          emails:
            - primary:           true
          idTokenClaims:
            issuer:              (Issuer identifier of the upstream ID provider [example: https://asiif-000000000000a.iif.auth.iij.jp/op])
        ad_bind:
          externalId:            objectGUID
          userName:              userPrincipalName
          name:
            familyName:          sn
            givenName:           givenName
          localNames:
            familyName:          msDS-PhoneticLastName
            givenName:           msDS-PhoneticFirstName
          active:
                                 - userAccountControl
                                 - accountExpires
          externalUserName:      userPrincipalName
          emails:
            - value:             mail
      group:
        ad_bind:
          externalId:            objectGUID
          displayName:           name
          email:                 mail

secret.yml sample
ad:
  ldap:
    server:
      password:   ldap_password

iid:
  scim:
    token:        scim_token
    http:
      proxy:
        password: proxy_password