Configuring IIQ AD Pass Thru Authentication with Global Catalog using SSL

Today we’re going to walk through a how-to guide to help you configure IIQ Active Directory Pass Thru authentication using SSL.

There are some specific settings that are required for successful integration which are scattered across multiple documents. We’ve taken the time to compile and organize all the details in one place with required settings and their implications to make the process a little simpler for you.

  • Part 1: Intro to AD IIQ PassThru Authentication (feel free to jump ahead if you’re already familiar)
  • Part 2: Quick reference for configuration requirements for the successful pass thru setup
  • Part 3: Configuration/setting details and implications

Part 1:  Intro to AD IIQ PassThru Authentication

What is the AD IIQ PassThru Authentication?

This lets an organization's end users log in to SailPoint IIQ with their desktop / Active Directory credentials instead of using and managing a separate local login and password within SailPoint.

Why use Global Catalog Server?

In a multi-domain environment, using the global catalog is more efficient because IIQ does not need to chase the LDAP referrals returned for the different domains during login authentication.

It is also an option when you have a specific AD environment in which setting up AD PassThru without the global catalog is proving difficult.

Part 2: Quick reference for configuration requirements for the successful pass thru setup

Configuration and Settings

Precondition:

  • Configured active directory application in IIQ
  • Basic connectivity between IIQ and the AD environment for that application has been verified.

Very Important

– The attribute used for correlation between IIQ and AD must be present in the Global Catalog. Keep in mind that the global catalog stores only a subset of attributes. For example, if you are using employeeNumber, it is not available in the Global Catalog by default (for help adding an attribute to the global catalog, read on).
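As an added example (not part of the guide and not SailPoint or Microsoft code), the following Python script reports whether candidate correlation attributes are replicated to the Global Catalog, so the point above can be checked before pass-through is enabled. It reads an LDIF export of the schema's attributeSchema objects; the LDIF below is constructed to match the shape of such an export (the assumed source is ldifde on a domain controller, exporting lDAPDisplayName and isMemberOfPartialAttributeSet). The domain name, file names and helper names are ours.

```python
"""Report whether candidate correlation attributes are replicated to the Global Catalog.

Added example, not from the guide. It reads an LDIF export of attributeSchema
objects; SAMPLE_LDIF is constructed to match the shape of such an export
(assumed source: ldifde on a domain controller, exporting lDAPDisplayName and
isMemberOfPartialAttributeSet). Domain and file names are placeholders."""
import base64

# Constructed LDIF. In a real export, an attribute that is not in the GC simply
# has no isMemberOfPartialAttributeSet line (employeeNumber below); the third
# record's dn is folded onto two lines to exercise LDIF continuation handling.
SAMPLE_LDIF = """dn: CN=Employee-Number,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: add
lDAPDisplayName: employeeNumber

dn: CN=E-mail-Addresses,CN=Schema,CN=Configuration,DC=example,DC=test
changetype: add
lDAPDisplayName: mail
isMemberOfPartialAttributeSet: TRUE

dn: CN=SAM-Account-Name,CN=Schema,CN=Configuration,
 DC=example,DC=test
changetype: add
lDAPDisplayName: sAMAccountName
isMemberOfPartialAttributeSet: TRUE
"""


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return one {attribute: [values]} dict per blank-line-separated LDIF record."""
    records, current = [], {}
    for line in unfold(text) + [""]:
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(key.strip(), []).append(value)
    return records


def gc_attribute_report(ldif_text, wanted):
    """Map each wanted attribute to True (in the GC), False (not in the GC) or None (absent from the export)."""
    in_gc = {}
    for rec in parse_ldif(ldif_text):
        names = rec.get("lDAPDisplayName")
        if names:
            flag = rec.get("isMemberOfPartialAttributeSet", ["FALSE"])[0].upper() == "TRUE"
            in_gc[names[0].lower()] = flag
    return {attr: in_gc.get(attr.lower()) for attr in wanted}


def unsafe_for_gc_correlation(report):
    """Attributes that cannot be used for correlation through the GC as things stand."""
    return [attr for attr, ok in report.items() if ok is not True]


if __name__ == "__main__":
    report = gc_attribute_report(SAMPLE_LDIF, ["employeeNumber", "mail", "sAMAccountName"])
    for attr, ok in report.items():
        print(f"{attr}: {'in GC' if ok else 'NOT in GC' if ok is False else 'not in export'}")
    print("unsafe for GC correlation:", unsafe_for_gc_correlation(report))
```

Run it against your own schema export by replacing SAMPLE_LDIF with the file contents; any attribute reported as "NOT in GC" must be added to the partial attribute set before IIQ can correlate on it through the Global Catalog.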

All Configuration Details

SSL Certificate Import: You must import the global catalog server's root certificate into the keystore of the JDK that runs your application server. For Tomcat with the Sun JDK, this is typically $JAVA_HOME/jre/lib/security/cacerts.

Additional Settings for PassThru using Debug Console:

Add the following entry to the AD application definition, anywhere under <Map>:

<entry key="useSSLForGC" value="true"/>

Add the following entries to the System Configuration, anywhere:

<entry key="buildPartialROOnAuthentication" value="true"/>

<entry key="disablePassthroughAutoCreate" value="true"/>
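As an added example (not SailPoint code and not from the original post), here is a Python script that checks XML objects exported from the IIQ debug console for the entries above, so the settings can be verified before pass-through is enabled. The two XML samples are constructed, trimmed stand-ins for the Application and SystemConfiguration objects; the helper names are ours, and the only IIQ keys it relies on are the three listed in this guide.

```python
"""Verify the pass-through-over-GC entries in IIQ XML exported from the debug console.

Added example, not SailPoint code. The XML samples are constructed; only the
three entry keys named in this guide are assumed to be real IIQ settings."""
import xml.etree.ElementTree as ET

# Required entries per object, with the value the guide calls for.
REQUIRED_APP_ENTRIES = {"useSSLForGC": "true"}
REQUIRED_SYSCONF_ENTRIES = {
    "buildPartialROOnAuthentication": "true",
    "disablePassthroughAutoCreate": "true",
}

# Constructed, trimmed stand-in for an Application export (real exports carry many more entries).
APP_XML = """<Application name="Active Directory">
  <Attributes>
    <Map>
      <entry key="useSSLForGC" value="true"/>
    </Map>
  </Attributes>
</Application>"""

# Constructed stand-in for the SystemConfiguration export. One required key is
# deliberately absent, and one uses a nested <value> element instead of a value attribute.
SYSCONF_XML = """<Configuration name="SystemConfiguration">
  <Attributes>
    <Map>
      <entry key="buildPartialROOnAuthentication">
        <value>
          <Boolean>true</Boolean>
        </value>
      </entry>
    </Map>
  </Attributes>
</Configuration>"""


def _entry_value(entry):
    """Value of an <entry>: the value attribute, or the first non-empty text of a nested element."""
    if entry.get("value") is not None:
        return entry.get("value")
    for node in entry.iter():
        if node is not entry and node.text and node.text.strip():
            return node.text.strip()
    return None


def map_entries(xml_text):
    """Return {key: value} for every <entry> directly under the first <Map> in the document."""
    root = ET.fromstring(xml_text)
    map_el = root if root.tag == "Map" else root.find(".//Map")
    if map_el is None:
        return {}
    return {e.get("key"): _entry_value(e) for e in map_el.findall("entry") if e.get("key")}


def check_entries(xml_text, required):
    """Return a list of problems (an empty list means every required entry is present and correct)."""
    found = map_entries(xml_text)
    problems = []
    for key, wanted in required.items():
        if key not in found:
            problems.append(f'missing <entry key="{key}" value="{wanted}"/>')
        elif (found[key] or "").strip().lower() != wanted:
            problems.append(f"{key} is {found[key]!r}, expected {wanted!r}")
    return problems


if __name__ == "__main__":
    for label, xml_text, required in (
        ("application", APP_XML, REQUIRED_APP_ENTRIES),
        ("system configuration", SYSCONF_XML, REQUIRED_SYSCONF_ENTRIES),
    ):
        problems = check_entries(xml_text, required)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

Paste the XML of your own Application and SystemConfiguration objects in place of the two samples; the script reports each missing or mis-set entry rather than stopping at the first one, which is handy when several people have been editing the objects.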

Configure Global Catalog in IIQ AD application:

Log in as Admin > open your Active Directory application > Settings tab > under the Global Catalog section, configure the Global Catalog host name, port, user name and password. If you have more than one domain, click "Manage All Domains".

If you need help finding your Active Directory forest name and global catalog, see later in this blog.

Enable PassThru: Log in as Admin and go to Global Settings > Login Configuration > Login Settings > Pass Thru Application > select your Active Directory application.


Part 3: Configuration/setting details and implications

The Settings and Their Implications

<entry key="useSSLForGC" value="true"/>

This setting is required when the GC is accessed over SSL. Checking the "SSL" box for the global catalog in the UI is not sufficient; the entry above is still mandatory.

<entry key="disablePassthroughAutoCreate" value="true"/>

This setting is required; otherwise IIQ will automatically create an identity on pass-through login when it does not find a correlated identity. In some cases that may be wanted, but generally it is not.

<entry key="buildPartialROOnAuthentication" value="true"/>

This setting makes IIQ build only a partial Resource Object during authentication, which improves performance.

How to find global catalog server in Active Directory Environment:

You can run the following PowerShell commands in the domain whose global catalogs you want to find:

Get-ADForest wintrust.wtfc | FL GlobalCatalogs

Get-ADDomainController | ft Name,IsGlobalCatalog

Hopefully this guide provides useful information to help you configure IIQ Active Directory Pass Thru authentication using SSL.

Bonus Information: A Wildcard SSL Certificate secures a domain name as well as an unlimited number of its subdomains using a single certificate. Wildcard SSL certificates work like regular SSL certificates, keeping the connection between your website and your customer's browser secure.