
External Identity Provider

Symantec App Center provides a simple local Identity Provider (IDP) as a standard part of App Center and Content Center. It is easy to use and requires no integration, so it is ideal for small user environments such as trials. For production environments, however, almost all implementations will require integration with an external IDP.

When using an external IDP, you get the advantage of centralized user management, as well as easily tying into an established corporate identity framework. When enabled, this allows regular users as well as administrators to authenticate to App Center using the external identity provider.

Basic AD/LDAP configuration follows a step-by-step flow, which this section walks through. It assumes that you already have AD Domain Controllers (DCs), or another IDP, with LDAP enabled.

If you plan on using AD/LDAP groups within App Center, the best practice is to create the needed groups within App Center before starting the AD/LDAP configuration process. You can always add more group mappings later, but having the initial set of groups already created in App Center makes configuration more straightforward.

Often the corporate IDP has many more groups (hundreds or thousands) than are required for implementing app or device policy. To make group management less cumbersome, App Center imports AD/LDAP groups and allows you to map these AD/LDAP groups to App Center groups. In the end, AD/LDAP groups can be used to drive policy, and App Center is much easier to manage.

To add groups to App Center, use the “Add New Group” button on the “Users” tab.

Server Configuration

To start the configuration process, use the “Server Configuration” sub-panel.

You will need to enter the server URI (URL), and also the administrator user name/password. Symantec recommends that you create an external-IDP account with only enough privilege to perform the needed LDAP queries, and then use that account's user name/password in this form. Symantec also recommends that you always use SSL.

App Center will attempt to automatically verify the connection whenever this form is changed. After the green light indicates that the connection is verified, press the “Save” button.

Authentication Options

After the server connection has been configured, the next step is to configure authentication options. To do this, use the “Authentication Options” sub-panel.

Enter the search base DN. For our test DC, the correct string is:

OU=employees, OU=Domain Controllers, DC=nukona, DC=com

The value of the search base DN is driven by the setup of your IDP and will differ from this one.

Enter the attribute names for user name, first name, last name and email. The defaults presented are typical for AD. After everything is entered, perform a test authentication before moving forward. Unlike the test performed during server configuration, this is a simulation of an actual end-user authentication. Click the “Test” button, enter an end-user user name and password, then click the “Test” button on the dialog box.

If all has been configured correctly, you will see a green light and “authentication verified” displayed at the bottom of the panel.

Click “Save” and move to the “Group Options” sub-panel.

Group Options

If you want AD/LDAP groups to drive policy within App Center, then you need to import LDAP groups and then map some of the LDAP groups to App Center groups. On the “Group Options” sub-panel, specify the search base DN, group attribute type and group type. For our test DC, the correct search base DN is:

OU=employees, OU=Domain Controllers, DC=symantec, DC=com

This value will be different for your DC. After the form is completed, App Center will perform a query and load the list of attributes.

You will see the LDAP groups on the left-hand side. If you want to map groups, select the corresponding App Center groups on the right-hand side, and click “Save.”

Subgroups by OU

If you are using Active Directory as your external IDP, you can create subgroups.

You can add one level of subgroups to any mapped OU from AD to organize your users. Though the subgroup functionality is limited, it creates a way to mimic the AD tree locally.

Note that you cannot create subgroups in subgroups. Only one level of subgroups is allowed.

In the screenshot to the right, you can see how you can select groups and/or subgroups throughout the console once subgroups are created.

Enable IDP

You are almost done! After configuring group options and clicking “Save”, you are brought back to the “External Identity Provider” panel. Click “Enable IDP”.

The App Center internal IDP still plays a role, even when an external IDP is enabled. All authentications are processed against the external IDP first, and then against the internal IDP in the case of failure.

It is critical to have administrative accounts configured within the App Center IDP, even when relying on an external IDP for authentications. In the event that the external IDP is malfunctioning or otherwise unavailable, the administrative accounts in the local IDP will allow you administrative access to App Center.
