When creating Identity Panel security roles, you must associate them to underlying security groups in your Active Directory.
- If you are using Active Directory Directory Services (AD DS) for authentication to Identity Panel, then you associate each role in Identity Panel to an existing AD DS security group.
- If you are using Identity Panel Azure Marketplace Edition or choose to secure your on-premise or OneDesign installation with Azure Active Directory (Azure AD) or Office 365 credentials, then you associate your Identity Panel security roles to an Azure AD security group.
- You choose the security group from the list dynamically generated within Identity Panel, making setup simpler (see Querying Groups below).
Because group names can change, Identity Panel associates each Identity Panel you role you create to the static objectSid in AD DS or the GUID in Azure AD, respectively. This prevents group renames from negatively affecting the security role function.
However, for convenience Identity Panel does copy the name of the group to the security role for display in the settings interface when you select it from the drop-down list.
Note: This means that if you rename a selected group in AD or Azure AD it will not have the name updated in the Identity Panel web console unless you specifically re-select it from the drop-down list. This will not affect the functionality as the Sid or GUID of the group will be the same even if the group has been renamed. Deleting a group from AD or Azure AD and creating a new one with the same name will however require it to be re-selected in the Identity Panel web interface (as the new group will have a different Sid or GUID).
Querying Groups
For the SaaS version of Identity Panel group names are queried from the AzureAD Graph API. To initiate a query you must type at least three letters. This will find groups with a name that starts with the typed value.
On-premise Identity Panel uses an LDAP query to find group names within AD DS. By default the LDAP string is constructed by the installer based on the domain the Identity Panel server is joined to.
In the unlikely case that you need to modify the LDAP string after installation, the LDAP string may be modified in C:\Program Files\SoftwareIDM\IdentityPanelWeb\Web\config.json. Only a single value may be entered, but it may point to any domain that allows integrated authentication from the IIS ApplicationPool account. To refresh and load changes made to config.json you must either do an IIS Reset or use Task Manager to end the IdentityPanel.exe process.
Changing the LDAP connection string will not affect any security roles that are already associated. It will only modify the search scope for the security roles dropdown list for future changes.
Local Groups
If you are using a non-domain joined server, or want to use local groups for authorization you may change the LDAP query string to: "WinNT://"
Article Tweeted @IdentityPanelKB on June 12, 2017
Comments
0 comments
Please sign in to leave a comment.