Active Directory synchronization

The goal is to use Active Directory as an identity provider for Trustelem.

To do so, a connector, ADConnect, is installed on an Active Directory domain controller.

Using this connector, Trustelem synchronizes the users defined by Trustelem administrators.

[Figure: flow-ad.png, the synchronization flow between Trustelem, ADConnect and Active Directory]

1/ During setup, ADConnect opens a websocket to the Trustelem services on port 443.
Note: traffic over the websocket is encrypted by TLS and, in addition, by a symmetric encryption layer.

2/ Trustelem sends the request for Active Directory users to ADConnect over the websocket.

3/ ADConnect queries Active Directory for the users over LDAPS.

4/ Active Directory returns the users to ADConnect over LDAPS.

5/ ADConnect sends the users to the Trustelem services over the websocket.

Note: the connector also handles the authentication of Active Directory users: Trustelem does not store any Active Directory password.

On your Windows Server, in « Active Directory Users and Groups »
  • Create a technical user (e.g. connecteur@mycompany.com) with default privileges (read only) and a strong password, with no password change required at next logon and a password that never expires. [Figure: setupad7.png]
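The following PowerShell script is an added example, not part of Trustelem's documentation or of the ADConnect code. It creates the technical user with the properties the step above requires, checks that the account kept only default (read-only) privileges, and then binds over LDAPS on TCP 636 as that user to read a few user objects, which is the kind of query ADConnect issues in steps 3 and 4 of the flow. It assumes the RSAT ActiveDirectory module is available on the domain controller; the domain name, account name and domain controller hostname are placeholders to replace with your own values.

```powershell
# Added example, not ADConnect code. Placeholders: $Domain, $SamAccount, $DcFqdn.
Import-Module ActiveDirectory

$Domain     = 'mycompany.com'        # placeholder: your AD domain
$SamAccount = 'connecteur'           # technical user name used in the text
$Upn        = "$SamAccount@$Domain"
$DcFqdn     = 'dc01.mycompany.com'   # placeholder: a domain controller serving LDAPS

# 1. Create the technical user: ordinary (read-only) privileges, strong password,
#    no password change at next logon, password never expires.
$Password = Read-Host -Prompt "Password for $Upn" -AsSecureString
New-ADUser -Name 'Trustelem ADConnect' -SamAccountName $SamAccount -UserPrincipalName $Upn `
    -AccountPassword $Password -Enabled $true `
    -ChangePasswordAtLogon $false -PasswordNeverExpires $true

# 2. Verify the account stayed at default privileges (only 'Domain Users')
#    and that the password flags match the requirement.
$Groups = (Get-ADPrincipalGroupMembership -Identity $SamAccount).Name
$Extra  = $Groups | Where-Object { $_ -ne 'Domain Users' }
if ($Extra) { Write-Warning "Unexpected group membership: $($Extra -join ', ')" }

$u = Get-ADUser -Identity $SamAccount -Properties PasswordNeverExpires, PasswordExpired
if (-not $u.PasswordNeverExpires -or $u.PasswordExpired) {
    Write-Warning 'Password flags are not as required (never expires / no change at logon)'
}

# 3. Bind over LDAPS (TCP 636) as the technical user and read a few user objects.
#    SecureSocketLayer = $true makes .NET validate the DC certificate against the
#    machine trust store, so a self-signed or mismatched certificate fails here.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($DcFqdn, 636)
$cred = [System.Net.NetworkCredential]::new($Upn, $Password)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred, 'Negotiate')
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.Bind()

$baseDn = (Get-ADDomain -Identity $Domain).DistinguishedName
$req = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $baseDn, '(&(objectClass=user)(objectCategory=person))', 'Subtree', @('sAMAccountName'))
$req.SizeLimit = 5   # only a sample; ADConnect reads the users selected by Trustelem admins
$resp = $conn.SendRequest($req)
$resp.Entries | ForEach-Object { $_.Attributes['sAMAccountName'][0] }
$conn.Dispose()
```

Run it once per domain controller that will host ADConnect: a failed Bind() pinpoints a certificate or firewall problem on port 636 before the connector is installed, and the group-membership warning catches a technical user that was accidentally given more than read-only rights.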
On Trustelem admin dashboard, « Directory » tab
  • Click on « Create » and select « Active Directory ». [Figure: setupad1.png]

  • Give a name to the new directory, and optionally a description.

  • Ensure « Use a connector » is checked.

  • Write down the synchronization ID, then click on « Save ». [Figure: setup1_ad.png]

On each AD domain controller (typically 2 or 3)