
Configuring Active Directory/LDAP as an external identity provider

Symantec App Center supports using Active Directory as an external identity provider (IDP). It also supports using Active Directory through LDAP as an external IDP. In fact, App Center supports any other type of IDP that exposes an LDAP interface. You can integrate App Center with Active Directory/LDAP and use it as the source to authenticate users to access the Admin Console, the End-User Portal, the App Center App, and any wrapped apps that require authentication.

Active Directory/LDAP also supports single sign-on for wrapped apps.

See “Creating app policies that allow for single sign-on” on page 80.

This workflow assumes you have met the following prerequisites:

Roles and groups are set up.

You should set up your roles and groups in App Center before you configure your identity provider (IDP) so that when you configure the IDP, you can map users to the App Center groups that you created. Thereafter, you can create, delete, or modify roles and groups as needed.

See “Creating roles and groups” on page 27.

Active Directory or LDAP (whichever you intend to use for your IDP) already exists within your organization.

This workflow assumes that you already have AD domain controllers (DCs) (or other IDP) with LDAP enabled.

To complete this workflow, you need the server URI (URL) and the Bind User name and password. Symantec recommends that you create an external IDP account with only enough privilege to perform the needed LDAP queries. You don't need an administrator user, but you do need a Bind User that is able to execute queries against users and groups. Then use the user name and password from that external IDP account in this configuration.

If you intend to use Active Directory/LDAP groups within App Center, the best practice is to create the needed groups within Active Directory/LDAP before you configure Active Directory/LDAP as the IDP.

Create corresponding Active Directory/LDAP security groups specifically for App Center that you can map to App Center groups. You can always add more group mappings later, but having the initial set of groups already created in App Center makes configuration more straightforward. Often the corporate IDP has many more groups (hundreds or thousands) than are needed to implement app or device policy. To make group management less cumbersome, App Center imports Active Directory/LDAP groups and lets you map these Active Directory/LDAP groups to App Center groups. In the end, Active Directory/LDAP groups can be used to drive policy, which can be much easier to manage through App Center.

The workflow to configure Active Directory/LDAP as an external IDP is as follows:

Set up the server configuration.

See “To set up the server configuration for Active Directory/LDAP” on page 55.

Configure the authentication options.

Active Directory/LDAP and App Center have slightly different naming conventions to identify the same attributes. For example, App Center has an attribute EMailAddress, which contains the user's full email address. In Active Directory, the same value uses the attribute mail. Your Active Directory/LDAP implementation may vary slightly. However, these are the same attributes — they just use a different moniker. App Center requires four attributes:

Username, FirstName, LastName, and EMailAddress.

You can map any attribute from Active Directory/LDAP to the App Center's Username attribute, but the data for that attribute must be unique. For example, you would not want to map the sn attribute in Active Directory to the App Center Username attribute, because you are likely to have more than one person with the same last name.

Depending on your corporate policy, your employees may be assigned user names that they use to log on to your corporate network, so your Active Directory/LDAP configuration already has a user name attribute (in more recent versions of Active Directory, this attribute is sAMAccountName). You can map this attribute to the App Center's Username attribute.

Otherwise, you might want to use the email address attribute (in Active Directory, this attribute is: mail) since this attribute typically contains unique values.
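The uniqueness requirement on the Username attribute can be checked before you save the mapping. The following is an added Python example, not Symantec's code and not part of this manual: it takes a proposed mapping of the four App Center attributes onto directory attribute names and a constructed sample of directory entries (standing in for what a search over the Search Base DN would return), then reports fields with no mapping, entries that lack a value for a mapped attribute, and Username values shared by more than one entry. The account names, personal names and addresses in the sample are constructed.

```python
"""Check a proposed App Center attribute mapping against directory entries."""
from collections import Counter

# The four attributes App Center requires, mapped to the Active Directory
# defaults named in the configuration procedure.
REQUIRED_FIELDS = ("Username", "FirstName", "LastName", "EMailAddress")
DEFAULT_MAPPING = {
    "Username": "sAMAccountName",
    "FirstName": "givenName",
    "LastName": "sn",
    "EMailAddress": "mail",
}

# Constructed sample entries standing in for the result of a search over the
# Search Base DN. Names, logon names and addresses are made up for this example.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "jsmith", "givenName": "Jane", "sn": "Smith",
     "mail": "jane.smith@example.com"},
    {"sAMAccountName": "rsmith", "givenName": "Rob", "sn": "Smith",
     "mail": "rob.smith@example.com"},
    {"sAMAccountName": "alee", "givenName": "Ann", "sn": "Lee",
     "mail": "ann.lee@example.com"},
    # A service account with no mail attribute set at all.
    {"sAMAccountName": "svc-backup", "givenName": "Backup", "sn": "Service"},
]


def get_attr(entry, name):
    """Look up an attribute by name; LDAP attribute names are case-insensitive."""
    folded = name.lower()
    for key, value in entry.items():
        if key.lower() == folded:
            return value
    return None


def check_mapping(mapping, entries):
    """Report problems with a mapping of App Center fields to directory attributes.

    Returns a dict with:
      unmapped_fields - required App Center fields the mapping does not cover
      missing         - {field: number of entries with no value for its attribute}
      duplicates      - {username value (case-folded): count} for values shared
                        by more than one entry, which disqualifies the attribute
                        as the Username source
    """
    report = {"unmapped_fields": [], "missing": {}, "duplicates": {}}
    for field in REQUIRED_FIELDS:
        attr = mapping.get(field)
        if not attr:
            report["unmapped_fields"].append(field)
            continue
        lacking = sum(1 for e in entries if get_attr(e, attr) in (None, ""))
        if lacking:
            report["missing"][field] = lacking

    username_attr = mapping.get("Username")
    if username_attr:
        # Logon names are matched case-insensitively, so fold case before counting.
        counts = Counter(
            str(v).lower() for v in (get_attr(e, username_attr) for e in entries) if v
        )
        report["duplicates"] = {v: n for v, n in counts.items() if n > 1}
    return report


def mapping_is_usable(mapping, entries):
    """True when every field is mapped and the Username attribute is unique.

    Entries lacking a value (e.g. no mail attribute) are reported but do not
    fail the check on their own; review them before enrolling those users.
    """
    report = check_mapping(mapping, entries)
    return not report["unmapped_fields"] and not report["duplicates"]


if __name__ == "__main__":
    candidates = (("default", DEFAULT_MAPPING),
                  ("surname as username", dict(DEFAULT_MAPPING, Username="sn")))
    for name, mapping in candidates:
        print(name, check_mapping(mapping, SAMPLE_ENTRIES),
              "usable" if mapping_is_usable(mapping, SAMPLE_ENTRIES) else "NOT usable")
```

Run against the sample, the default mapping passes (sAMAccountName is unique) but flags one entry without a mail value, while mapping sn to Username fails because two entries share the surname Smith, which is exactly the case the text warns about.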

See “To configure the authentication options for Active Directory/LDAP” on page 55.

Specify group options.

If you want Active Directory/LDAP groups to drive policy within App Center, then you need to import LDAP groups and then map some of the LDAP groups to App Center groups.

See “Specify group options for Active Directory/LDAP” on page 56.

Enable the external IDP.

See “Enable the external IDP” on page 57.

To set up the server configuration for Active Directory/LDAP

1 In the Admin Console, click Settings > Server Configuration.

2 Click the Type drop-down menu and select Active Directory or LDAP.

3 In the Server URI field, type the server URI address.

Note that SSL is enabled by default. Symantec recommends that you use the default setting.

4 In the Username field, type a valid Bind User name that has access to the Server URI that you specified.

5 In the Password field, type the password.

6 Click Save.

To configure the authentication options for Active Directory/LDAP

1 On the center pane, click Authentication Options.

2 In the Search Base DN field, type the search base distinguished name for the active directory that you are using.

For example: OU=employees, OU=Domain Controllers, DC=acme, DC=co

3 In the Username Attribute field, type the Active Directory/LDAP attribute that corresponds with the App Center's Username attribute.

The default value is sAMAccountName.

4 In the First Name Attribute field, type the Active Directory/LDAP attribute that corresponds with the App Center's FirstName attribute.

The default value is givenName.

5 In the Last Name Attribute field, type the Active Directory/LDAP attribute that corresponds with the App Center's LastName attribute.

The default value is sn.

6 In the Email Attribute field, type the Active Directory/LDAP attribute that corresponds with the App Center's EMailAddress attribute.

7 Click Test to test that your integration with Active Directory/LDAP works.

8 Type an end user's name and password and click Test again.

If the test was successful, a green light and the words “authentication verified” appear at the bottom of the page.

9 If the test is successful, click Save.

Specify group options for Active Directory/LDAP

1 On the center pane, click Group Options.

2 To enable user groups, check Enable User Groups.

3 To allow only those users who are a part of a mapped group to access App Center, click Allow only mapped group members to authenticate to App Center.

4 In the Search Base DN field, type the search base distinguished name that you want to use.

For example: OU=employees, OU=Domain Controllers, DC=acme, DC=co

5 In the Group Type Attribute field, type the group type attribute.

6 In the Group Type field, specify the group type.

7 To map groups, under Group Mappings in the Group Search Criteria field, type the group search criteria.

Note the syntax, as follows: (CN=group_name). You must include the parentheses.

8 Check all of the boxes to the right of the Group Search Criteria to select the App Center groups to which the members of the Active Directory/LDAP group belong.

9 To test that your group mapping works, click Test.

If the test is successful, the message "Found groups within search base" appears.

10 (Optional) To add new Group Search Criteria, click Add New Mapping and repeat steps 7 through 9.

11 (Optional) To delete a Group Search Criteria, click Delete.

12 To create subgroups for your organization units, under Subgroups by OU, do the following:

In the OU column, type the name of the organizational unit.

In the Subgroup Name column, type the name for the subgroup.

13 (Optional) To delete a subgroup, click Delete.

14 (Optional) To add a new subgroup, click Add New Subgroup OU and repeat step 12.

15 Click Save.

You are automatically returned to the External Identity Provider page.
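Group search criteria in the procedure above take the form (CN=group_name), parentheses included, and the search is scoped to the Search Base DN. The following added Python example (not Symantec's code and not part of this manual) shows the check an administrator might run before entering Group Mappings rows: it builds a criterion from a group name with RFC 4515 escaping for names that contain parentheses or other filter metacharacters, rejects criteria that do not have the required form, and evaluates each criterion against a constructed set of group entries, returning only groups whose DN lies under the configured search base. The search base DN, group names and DNs are constructed sample values; the DN normalisation is deliberately simplified and does not handle RFC 4514 escaping inside RDN values.

```python
"""Validate App Center group search criteria and try them against sample LDAP groups."""
import re

# Constructed sample values; substitute your own Search Base DN and directory data.
SEARCH_BASE_DN = "OU=employees, OU=Domain Controllers, DC=acme, DC=co"

SAMPLE_GROUPS = [
    {"dn": "CN=AppCenter-Admins,OU=employees,OU=Domain Controllers,DC=acme,DC=co",
     "cn": "AppCenter-Admins"},
    # A group whose name contains filter metacharacters and therefore needs escaping.
    {"dn": "CN=Sales (EMEA),OU=employees,OU=Domain Controllers,DC=acme,DC=co",
     "cn": "Sales (EMEA)"},
    # A group outside the search base: a correct search must not return it.
    {"dn": "CN=Contractors,OU=external,DC=acme,DC=co", "cn": "Contractors"},
]

# Characters RFC 4515 requires to be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a group name for use as an exact-match filter value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse escape_filter_value: turn \\XX hex escapes back into characters."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def group_search_criteria(group_name):
    """Build the (CN=group_name) criterion the Group Search Criteria field expects."""
    return "(CN=%s)" % escape_filter_value(group_name)


# Exact-name form only: one attribute, one value, enclosing parentheses required,
# and no unescaped filter metacharacters inside the value.
_CRITERIA_RE = re.compile(
    r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>(?:[^()*\\]|\\[0-9A-Fa-f]{2})*)\)$"
)


def parse_criteria(criteria):
    """Return (attribute, unescaped value) or raise ValueError for malformed input."""
    m = _CRITERIA_RE.match(criteria)
    if not m:
        raise ValueError(
            "criteria must have the form (CN=group_name), parentheses included: %r" % criteria
        )
    return m.group("attr"), unescape_filter_value(m.group("value"))


def normalize_dn(dn):
    """Simplified DN normalisation: drop whitespace after RDN separators, fold case.

    Sufficient for the DNs in this example; it does not handle escaped commas
    or other RFC 4514 quoting inside RDN values.
    """
    return re.sub(r",\s*", ",", dn.strip()).lower()


def dn_within_base(dn, base_dn):
    """True when dn equals base_dn or sits below it in the tree."""
    dn_n, base_n = normalize_dn(dn), normalize_dn(base_dn)
    return dn_n == base_n or dn_n.endswith("," + base_n)


def find_groups(criteria, base_dn, groups):
    """DNs of groups under base_dn whose attribute equals the criteria value.

    Comparison is case-insensitive, as LDAP's cn equality matching rule is.
    The sample entries store attribute names in lower case.
    """
    attr, wanted = parse_criteria(criteria)
    return [
        g["dn"] for g in groups
        if dn_within_base(g["dn"], base_dn)
        and str(g.get(attr.lower(), "")).lower() == wanted.lower()
    ]


def map_groups(mappings, base_dn, groups):
    """Apply Group Mappings rows: [(criteria, [App Center group, ...]), ...].

    Returns ({ldap group DN: sorted App Center groups}, [criteria with no hits]).
    """
    mapped, unmatched = {}, []
    for criteria, app_center_groups in mappings:
        hits = find_groups(criteria, base_dn, groups)
        if not hits:
            unmatched.append(criteria)
        for dn in hits:
            mapped.setdefault(dn, set()).update(app_center_groups)
    return {dn: sorted(names) for dn, names in mapped.items()}, unmatched


if __name__ == "__main__":
    rows = [
        (group_search_criteria("AppCenter-Admins"), ["Administrators"]),
        (group_search_criteria("Sales (EMEA)"), ["Sales", "All Employees"]),
        (group_search_criteria("Contractors"), ["Contractors"]),
    ]
    print(map_groups(rows, SEARCH_BASE_DN, SAMPLE_GROUPS))
```

A criterion that matches no group under the search base (here the Contractors group, which lives under a different OU) is reported separately, mirroring the case in which the Test button does not report "Found groups within search base"; the fix is to widen the Search Base DN or correct the criterion rather than to loosen the filter.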

Enable the external IDP

On the Settings > External Identity Provider page, click Enable IDP.

Now you are ready to enroll your users in App Center.

See “Enrolling users using your external identity provider” on page 69.