« Previous 1 2 3
Quick and easy SaaS provisioning for OpenLDAP
To Each His Own
Assigning Application Groups
To check whether you can see your OpenLDAP application groups, go to Directory | Groups and edit the entry that corresponds to your application by clicking on its name (Figure 10). Click the Manage apps button, and then use the Assign Applications to DropBoxBusinessUsers dialog (in this case) to select the application that is being assigned to this group.
Assigning an app to a group of confirmed Okta users is the final step in making this integration achieve a useful result. It should immediately provision those users in the app, and, depending on the app configuration, the users will receive activation email from the app itself and be able to start using it, with their sign-in method determined by the SWA/SSO choice made at the Okta application configuration stage. To revoke a user's access to the app, remove them from the LDAP group; to restore it, just re-add them. (You'll need to wait for the next scheduled Okta import in both cases, and you should receive email after every import that results in changes.)
Testing Your Integration
This integration has quite a number of moving parts and scope for unexpected outcomes. Given what's at stake – access to critical data and applications by people whose jobs will either depend on the access or, conversely, who should absolutely not have access at all – Table 1 runs through a comprehensive set of tests.
Table 1
Testing the Integration
Add a new user to your LDAP directory and assign them to application groups |
---|
Can they sign in to Okta with their LDAP password? |
Do they have access to the applications in their assigned groups (SWA or SSO as applicable)? |
Are they unable to sign in to applications in other groups? |
Reset a user's password. |
Does this immediately take effect on their Okta account and on their assigned apps? |
Remove a user from an application group |
Does this keep them from accessing only that application without affecting their access to other applications? |
Disable a user's app access flag |
Does this remove their access to all apps? (It should take effect on the next scheduled import.) |
Re-enable the app access flag |
Is the user's account restored along with access to their original data? (This behavior depends on the app itself.) |
Restart the server that runs the agent |
Do you receive notification email? |
Does integration continue working after a restart? |
Conclusion
Don't let your users suffer in a SaaS desert on account of directory management worries. By integrating your LDAP directory with cloud-based SaaS providers, you can achieve the dual aims of retaining control over your users' data and access to applications, while giving them the tools they want.
Infos
- phpLDAPadmin on SourceForge: https://sourceforge.net/projects/phpldapadmin/
- Architecture of Okta directory integration: https://www.okta.com/resources/whitepaper/ad-architecture/
- Okta Cloud Connect: https://okta.com/occ/
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.