Getting Ready to Install the ADC


The ADC reads some of its configuration details from the Active Directory configuration settings on your My1Login web account. This configuration needs to be set up before installing the ADC.

The ADC may be configured to monitor one or more trees of AD containers, synchronising the OUs, security groups and users within these trees. Only enabled users who are members of OUs or groups within the monitored trees may access the My1Login system.

These trees are specified in the Domain Query Roots attribute on the Web App, using the DN(s) of the root(s) of the tree(s) you wish to monitor.

You can change what is synchronised at any time. When initially rolling out My1Login it is recommended to monitor a small OU to get familiar with how the system works before doing a full roll-out.

The following example domain structure is used to illustrate how this works.


Example 1

The ADC could be configured to sync the root Glasgow OU and it would then synchronise all OUs and groups under that OU (Accounts, AWS, Glasgow and Research and Development).

The Domain Query Roots value for this is:

OU=Glasgow,DC=dev,DC=my1login

Example 2

Alternatively, you may just wish to monitor the AWS and Accounts OUs and the OUs and groups under them.

To specify multiple DNs in the Domain Query Roots field, put brackets around each DN:

(OU=AWS,OU=Glasgow,DC=dev,DC=my1login)(OU=Accounts,OU=Glasgow,DC=dev,DC=my1login)

Example 3

Or you may simply want to monitor the AWS Administrators group (under the AWS OU):

CN=AWS Administrators,OU=AWS,OU=Glasgow,DC=dev,DC=my1login

1.2 Web App Configuration

To configure your My1Login account:

  1. Log into My1Login using the Owner’s account (the one used when signing up for the service).
  2. Click on the Administration link at the top right of the vault screen.
  3. Click on the Users option in the left-hand menu.
  4. Give AD Configure permissions to your user:
     1. Click on the Edit link to the right of your user.
     2. Click on the Account Roles tab.
        1. Click the Add Role button.
        2. Select Active Directory Sync.
        3. Click Save Changes.

     You will now need to log out and back in again to pick up this new permission.
  5. Select the Active Directory option under Users.
  6. Select the Create Account Directory button on the right-hand panel.

1.2.1 Complete the fields, using your own data, as follows:

  1. Directory Sync Type
     1. Select “Agent Push V2”.
  2. Active Directory Connector URL
     1. Enter the scheme (https), fully qualified hostname and port of the ADC server.
     2. E.g. https://myserver.domain.local:47810
  3. Domain Query Roots
     1. Enter the DN(s) of the trees you wish to synchronise.
  4. Domain Controller Hostname/IP
     1. The hostname or IP address of your domain controller.
  5. Domain to Monitor
     1. The DNS name of your domain.
     2. E.g. domain.local
  6. BaseDN
     1. Normally the same as the domain root.
     2. This defines the scope for the real-time monitoring of user changes. Limiting it to a specific OU reduces the work done by the ADC but risks missing changes to users that are owned by other OUs.
     3. E.g. DC=domain,DC=local
  7. Active
     1. Tick this box to enable the ADC.
  8. Upload User Attribute Changes
     1. Tick this box.
     2. Clear this box once users are allowed to update their attributes on their My1Login account; otherwise the users’ changes would be overwritten by the domain values.
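As an added illustration (not part of the original article and not My1Login's own code), the Python script below shows how the Domain Query Roots syntax from Examples 1 to 3 can be split into individual DNs and validated, and applies two pre-flight checks on the other fields: that every query root sits inside the BaseDN (so the real-time change monitoring described under BaseDN actually covers the users being synchronised) and that the Active Directory Connector URL uses https with an explicit port. The sample values are the article's own example DNs; the check functions, and the assumption that a query root outside the BaseDN should be flagged, are mine rather than documented product rules.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Sample values constructed from the article's examples (dev.my1login domain).
SINGLE_ROOT = "OU=Glasgow,DC=dev,DC=my1login"
MULTI_ROOTS = ("(OU=AWS,OU=Glasgow,DC=dev,DC=my1login)"
               "(OU=Accounts,OU=Glasgow,DC=dev,DC=my1login)")
GROUP_ROOT = "CN=AWS Administrators,OU=AWS,OU=Glasgow,DC=dev,DC=my1login"
BASE_DN = "DC=dev,DC=my1login"
ADC_URL = "https://myserver.domain.local:47810"

# Only the RDN types used by the article (CN, OU, DC) are accepted here.
RDN_RE = re.compile(r"^(CN|OU|DC)=[^,=]+$", re.IGNORECASE)


def split_query_roots(value: str) -> list[str]:
    """Split a Domain Query Roots value into DNs.

    A single root may be written bare; multiple roots are written as
    (DN1)(DN2)... with brackets around each DN, as in Example 2.
    """
    value = value.strip()
    if not value.startswith("("):
        return [value]
    roots = re.findall(r"\(([^()]+)\)", value)
    # Every character must belong to a bracketed DN; reject "(DN)junk".
    if "".join(f"({r})" for r in roots) != value:
        raise ValueError("Domain Query Roots must be a sequence of bracketed DNs")
    return [r.strip() for r in roots]


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Parse 'CN=x,OU=y,DC=z' into [(type, value), ...], validating each RDN."""
    parts: list[tuple[str, str]] = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not RDN_RE.match(rdn):
            raise ValueError(f"Invalid RDN {rdn!r} in {dn!r}")
        rdn_type, rdn_value = rdn.split("=", 1)
        parts.append((rdn_type.upper(), rdn_value.strip()))
    return parts


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn equals base_dn or lies beneath it in the directory tree.

    AD compares DN components case-insensitively, so values are lower-cased.
    """
    child = [(t, v.lower()) for t, v in parse_dn(dn)]
    base = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    if len(base) > len(child):
        return False
    return child[len(child) - len(base):] == base


def adc_url_is_valid(url: str) -> bool:
    """Check the Active Directory Connector URL: https, a hostname, a port, no path."""
    u = urlsplit(url)
    return (u.scheme == "https" and bool(u.hostname)
            and u.port is not None and u.path in ("", "/"))


def check_config(query_roots: str, base_dn: str, adc_url: str) -> dict:
    """Pre-flight check of the three fields; raises ValueError on malformed DNs.

    Flagging roots outside the BaseDN is an assumption of this example: the
    article warns that a narrow BaseDN can miss user changes, so a root that
    the BaseDN does not cover is worth a second look before enabling the ADC.
    """
    roots = split_query_roots(query_roots)
    for root in roots:
        parse_dn(root)
    outside = [r for r in roots if not is_under(r, base_dn)]
    return {
        "roots": roots,
        "roots_outside_base_dn": outside,
        "adc_url_ok": adc_url_is_valid(adc_url),
    }


if __name__ == "__main__":
    for roots_value in (SINGLE_ROOT, MULTI_ROOTS, GROUP_ROOT):
        print(check_config(roots_value, BASE_DN, ADC_URL))
    # A BaseDN narrower than one of the roots is reported, not silently accepted.
    print(check_config(MULTI_ROOTS, "OU=Accounts,OU=Glasgow,DC=dev,DC=my1login", ADC_URL))
```

Running the script prints the parsed roots for each of the three examples with an empty `roots_outside_base_dn` list, and then shows the AWS root being flagged when the BaseDN is narrowed to the Accounts OU.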


Example 1 (where the ADC server is also the domain controller).