1. Overview of the Active Directory Integration Function
With the user data already in your Active Directory (hereinafter “AD”), you can manage your SKUID users with little effort: create, update, and disable accounts, and restrict who can join particular SKUID groups.
SKUID also lets users log in to SKUID with their AD email address and AD password.
User information is synchronized automatically whenever a user is registered or disabled in AD, which simplifies both day-to-day SKUID operation and ID management.
2. Main Functions of AD Integration
2-1) User Management for SKUID
Automatic Registration/Disablement (Temporary Deletion)
SKUID automatically registers an AD user in SKUID when that user matches SKUID’s sync requirements. The user can start using SKUID as soon as they have confirmed their email address.
The sync requirements can be changed flexibly, so you can register all users at once or roll them out incrementally by security group. See User Sync Requirements for details.
- When an AD user no longer matches the requirements, or is disabled in AD, the user’s status on SKUID automatically becomes “Suspended”, which immediately blocks the user from using SKUID.
- If you delete a user object in AD instead of disabling it, the integration function cannot detect the change and the user’s SKUID status is not set to “Suspended”: the user keeps their previous status on SKUID (and, if they were given a SKUID password, can still log in with it). Always disable the user in AD first so that the user is suspended on SKUID, and only then delete the object if you need to. (A function to delete users with “Suspended” status is scheduled for release.)
Linking the Existing SKUID Users to AD Users
Users that were already registered, whether manually or by uploading a CSV file, can be linked to AD users. An existing SKUID user and an AD user in the sync scope are linked automatically when their email addresses match. Existing users whose email address does not appear among the AD users targeted for synchronization are left unlinked, so you can keep managing them exactly as before.
- Even with the AD integration function installed, you can still create users that are not linked to AD, manually or by uploading a CSV file.
- If, at the time of the first synchronization, a SKUID user shares an email address with an AD user, that user can log in with either their AD password or their existing SKUID password. The SKUID password is a second credential that your AD password policy and lockout rules do not cover, so if you want such users to authenticate through AD only, remove them from the list on the “Password Authentication” settings page.
Confirming Registered Users’ Email Addresses and Managing Invitations
Users registered through the AD integration function must be sent an invitation email, which both confirms their email address and invites them to SKUID. You can choose to either:
- Send invitations automatically as part of synchronization, or;
- Leave invitations out of synchronization and send them whenever you like by selecting the not-yet-invited users on the Administrator Panel.
How to Send Invitations When You Have Chosen the “Do not send invitations” Option
On the Administrator Panel, go to Members, select the user you want to invite, and click “Re-invite member”.
To invite several members at once, click the “Status” button on the Administrator Panel and list users with the “Created” status; these are the users who have not been invited yet. Tick the boxes next to the users you want to invite and click “Send Invitation”.
Limiting SKUID Groups
By linking AD security groups to SKUID groups in the sync requirements, you control which SKUID groups users can join. When a user is added to a linked security group in AD, the user is automatically added to the corresponding SKUID group; when the user leaves the security group in AD, they are automatically removed from the SKUID group.
- Note that a user removed from a SKUID group can no longer use the apps allocated to that group, and the user’s stored credentials for those apps are deleted.
Updating User Attributes
When user object attributes change in AD, the corresponding attributes in SKUID will also be updated. The targeted attributes are as follows:
Family name, first name, email address, department, phone number, postal code, prefecture/state, city, block number
Timing of Synchronization
Automatic registration, automatic disablement (temporary deletion), SKUID group membership changes, and user attribute updates are not processed in real time. Depending on your settings, processing takes from about ten minutes to a few hours. Plan offboarding accordingly: a user disabled in AD may keep access to SKUID until the next synchronization has run.
Source of User Information
For users registered through the AD integration function, or linked to AD, AD is the master source of user information, and the following actions can no longer be performed directly on the SKUID users:
- Changing user attributes
- Disabling and deleting
- Changing SKUID group membership
To change any of these, update the information in AD. If you need to control group membership yourself, adjust your sync settings instead.
2-2) Logging in to SKUID
Users on AD integration log in to SKUID with their AD email address and AD password.
AD passwords are never stored on SKUID. Users are asked for their AD password on every login and it is checked against AD each time, so the current AD password is always required.
Setting up SKUID Passwords
In addition to logging in with an AD password, a user can be given a SKUID password, which allows them to log in to SKUID even when AD is unreachable. As a rule, we recommend allowing only administrators to use both a SKUID password and their AD password, and having general users log in with their AD password only. You can still allow all users to set up SKUID passwords when needed, for example while authentication against AD is temporarily not working; revoke that permission again afterwards, since a SKUID password is a separate credential that AD does not control and it stays valid until it is removed.
When you grant a user permission to use a SKUID password, an email with instructions on how to set the password is sent to the user’s email address.
In your settings you can choose either to:
- Automatically send a password-setup email to each user who is given an initial SKUID password, whether the user was registered manually, by uploading a CSV file, or through the AD integration function, or;
- Not assign SKUID passwords to users at all.
2-3) Ideal Environment for AD Integration Function Performance
The AD integration function depends on your AD environment. Setup and operation go most smoothly when the following holds:
- A first name, a last name, and an email address are set on every user to be synced.
- No two users share the same email address.
- The users to be synced are organized in AD security groups whose membership matches the SKUID groups you want.
Currently, sync requirements can be defined only by security group. A feature that lets you select users by OU (Organizational Unit) is planned; contact our Sales team if you wish to use it.
3. System Structure
SKUID is designed to be simple to install and operate. Its AD integration function has the following characteristics:
- SKUID never connects into your environment from the outside; the connector you install initiates all connections outbound.
- SKUID only reads data from AD and never writes to it. The account the connector uses needs read permission only, not administrative privileges.
- Installation requires no special knowledge or software. (An AD administrator should be able to install the connector within a few hours.)
3-1) Software to Be Installed
To enable the AD integration function, install our connector in your environment and allow it to reach SKUID’s environment.
Notes on the environment:
- Supported OS: Windows Server 2008 R2 / 2012 R2 / 2016 (English and Japanese editions)
- Allow the following two outbound connections from the connector host:
  TCP to a-mq-ad.services.sku.id, port 5671
  TCP to b-mq-ad.services.sku.id, port 5671
- Access through a proxy server is not currently supported; the connector needs direct outbound access.
- The connector must be installed on a Windows machine that is joined to the domain and runs continuously. It is commonly installed on a domain controller. (Memory consumption is under 256 MB.)
- Use Google Chrome for the Administrator Panel.
3-2) How-to-Install
Preparation before Installation
Security Group Affiliation
Which users are synced is determined by security group membership. Make sure every user to be synced belongs to one of the target security groups. The sync scope consists of all users in the security groups named in the sync requirements, plus all users in groups nested under those security groups.
No Duplicate Email Addresses
Make sure that no two user objects in the sync scope share the same email address. Two or more user objects with the same email address cause an error during synchronization.
Required Fields
The following fields are required by SKUID and must be present on every user object to be synced:
Family name, first name, email address
Creating the AD User That Runs LDAP Queries
The connector runs its LDAP queries in your environment as an AD user. Create a dedicated user for this purpose with read permission only: an ordinary domain user with no membership in Domain Admins or any other privileged group is sufficient, since the connector never writes to AD.
Note:
- Make sure the account is not required to change its password at first logon.
- If you enforce periodic password changes on the account, you must update the sync settings on SKUID every time the password changes, or the connector can no longer bind and synchronization stops.
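A pre-flight check for the three requirements above (group membership including nested groups, duplicate email addresses, required fields), as an added example script that is not part of SKUID or its connector. It assumes the ActiveDirectory PowerShell module (RSAT) is available and that the group names in $targetGroups are replaced with the security groups from your sync requirements; everything else runs with default domain-user read rights.

```powershell
# Added pre-flight check (example, not part of SKUID or its connector).
# Requires the ActiveDirectory module (RSAT); runs with default domain-user read rights.
Import-Module ActiveDirectory

# Placeholders: the AD security groups named in your sync requirements.
$targetGroups = @('SKUID-Sales', 'SKUID-Engineering')
# Fields SKUID requires on every synced user object.
$required = 'givenName', 'sn', 'mail'

# Expand each group recursively, because SKUID also syncs members of nested groups,
# keep user objects only, then de-duplicate users that sit in more than one group.
$members = foreach ($g in $targetGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { Get-ADUser -Identity $_.distinguishedName -Properties givenName, sn, mail }
}
$members = @($members | Sort-Object DistinguishedName -Unique)

$findings = @()

# 1) Required fields present (empty or whitespace-only values count as missing)?
foreach ($u in $members) {
    foreach ($attr in $required) {
        if (-not ("$($u.$attr)").Trim()) {
            $findings += New-Object PSObject -Property @{ User = $u.SamAccountName; Issue = "missing $attr" }
        }
    }
}

# 2) Duplicate e-mail addresses? Compared case-insensitively, since mail is not case-sensitive.
$dupes = $members | Where-Object { $_.mail } |
    Group-Object { $_.mail.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }
foreach ($d in $dupes) {
    $findings += New-Object PSObject -Property @{
        User  = ($d.Group | ForEach-Object { $_.SamAccountName }) -join ', '
        Issue = "duplicate mail $($d.Name)"
    }
}

# 3) Disabled accounts in scope are not an error, but a disabled AD user is suspended on
#    SKUID; list them so you can decide whether they belong in the sync scope at all.
foreach ($u in ($members | Where-Object { -not $_.Enabled })) {
    $findings += New-Object PSObject -Property @{ User = $u.SamAccountName; Issue = 'disabled in AD' }
}

'{0} user(s) in scope, {1} finding(s)' -f $members.Count, $findings.Count
$findings | Sort-Object Issue, User | Format-Table User, Issue -AutoSize
```

Run it as any domain user on a machine with RSAT before saving the sync settings; an empty findings list means the scope is clean. Fix the duplicates and missing attributes in AD rather than in SKUID, since AD is the master source once synchronization starts.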
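Creating the read-only account with both notes above applied, as an added example (not SKUID’s own procedure). The account name, OU, domain, and description are placeholders; it assumes the ActiveDirectory module and a default AD, in which any authenticated user can already read the user attributes SKUID syncs, so no additional rights are granted.

```powershell
# Added example (not SKUID's own procedure): create the read-only AD user the connector binds with.
# Requires the ActiveDirectory module. Name, OU, domain and description are placeholders.
Import-Module ActiveDirectory

$name = 'svc-skuid-ldap'
$ou   = 'OU=Service Accounts,DC=example,DC=com'
$pw   = Read-Host -AsSecureString -Prompt "Password for $name (keep it in your password vault; SKUID needs it too)"

$params = @{
    Name                  = $name
    SamAccountName        = $name
    UserPrincipalName     = "$name@example.com"   # the form to enter in userDn if the DN form fails
    Path                  = $ou
    AccountPassword       = $pw
    Enabled               = $true
    ChangePasswordAtLogon = $false   # a forced reset at first logon would make every bind fail
    PasswordNeverExpires  = $true    # every rotation must also be entered in SKUID's sync settings
    CannotChangePassword  = $true
    Description           = 'SKUID AD connector: LDAP read-only bind account'
}
New-ADUser @params

# Verify least privilege: no group membership beyond the primary group (Domain Users), which in a
# default AD already allows reading the user attributes SKUID syncs, and no protected-group flag.
$acct = Get-ADUser -Identity $name -Properties memberOf, adminCount, PasswordNeverExpires
if ($acct.memberOf)         { Write-Warning "$name is a member of: $($acct.memberOf -join '; ')" }
if ($acct.adminCount -eq 1) { Write-Warning "$name is in a protected (admin) group; remove it" }
if (-not $acct.PasswordNeverExpires) { Write-Warning "$name's password will expire; sync will break on rotation" }
"$name created; use '$($acct.DistinguishedName)' or '$($acct.UserPrincipalName)' as userDn in SKUID"
```

The account never needs to log on interactively, so consider also denying it local and Remote Desktop logon through Group Policy; the connector only uses it for LDAP binds.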
Installation Procedure
- The AD settings become available once you have applied for the AD integration function. On the Administrator Panel, go to Settings > Optional functionality > Settings for “Active Directory” and download the following:
1) Connector setting file
2) AD Connector
- The AD connector is distributed as a zip file. On the machine you want to install the connector on, unzip it into a path that contains no spaces or Japanese characters. The directory after unzipping is shown below:
- Copy the connector setting file into the directory you unzipped in the previous step.
Note: The connector setting file contains the credentials the SKUID connector uses to authenticate to SKUID. Handle it with the utmost care: do not place it anywhere other users can read it, and restrict the NTFS permissions on the connector directory to administrators and the identity the service runs as.
- Double-click “install.bat” to install the connector.
Note: If a .bat file does not start on double-click, open the folder in cmd and run the .bat file from there.
- The connector is installed as a Windows service. Open Windows Services Manager and start “SKUID AD Connector”.
- On the Administrator Panel, confirm that the connector is connected properly.
Note: If no connector history appears under the connector list after several minutes, check that the computer you installed the connector on can reach [a-mq-ad.services.sku.id] and [b-mq-ad.services.sku.id] on [TCP port 5671] without going through a proxy server. If the connector history still does not appear, zip the “logs” directory inside the installation directory and contact our Support.
Note: The connector sends a heartbeat message every 10 minutes. If more than 10 minutes pass without a heartbeat, the connector is in an abnormal state.
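The reachability check described in the note above and in the environment requirements of 3-1), as an added example script (not SKUID’s tooling). It uses .NET classes directly so it also runs on the older Windows Server releases listed in 3-1), and it goes one step beyond a plain port test: it completes a TLS handshake on port 5671 and validates the certificate, which fails if a TLS-inspecting proxy or captive portal sits in the path. It assumes the two broker endpoints present a certificate that chains to a root in the machine’s trust store.

```powershell
# Added connectivity check (example, not SKUID's tooling) for the two broker endpoints the
# connector must reach directly on TCP 5671. Assumption: the brokers present a certificate
# that chains to a trusted root on this machine; a TLS-intercepting proxy makes the
# handshake fail, which is exactly the condition this is meant to surface.
$endpoints = 'a-mq-ad.services.sku.id', 'b-mq-ad.services.sku.id'
$port = 5671

foreach ($h in $endpoints) {
    $tcp = $null; $ssl = $null
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($h) | ForEach-Object { $_.IPAddressToString }
        $tcp = New-Object System.Net.Sockets.TcpClient
        $tcp.Connect($h, $port)                                    # raw TCP reachability (firewall rules)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($h)                              # throws on chain error or hostname mismatch
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        '{0} ({1}): OK  subject={2}  issuer={3}  expires={4:u}' -f $h, ($ips -join ','), $cert.Subject, $cert.Issuer, $cert.NotAfter
    } catch {
        '{0}: FAILED  {1}' -f $h, $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
}

# The connector does not support proxies: confirm none is configured in the machine-wide WinHTTP context.
netsh winhttp show proxy
```

Run it on the connector host itself, as an administrator, before starting the service. A failure at the TCP step points at the firewall; a failure at the TLS step with both hosts resolving correctly points at interception or a missing root certificate on the host.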
About Redundancy of Connector
You can install one connector per machine. In order to have a redundant configuration, please install connectors on multiple machines with the same procedure.
Uninstallation Procedure
- Open Windows Services Manager and stop the “SKUID AD Connector”.
-
When you run “uninstall.bat” in the directory, the Windows service will be uninstalled. Then, you can delete the directory remained in the file.
3-3) User Synchronization Settings
After installing the connector and confirming the connection, configure the User Synchronization Settings. Here you set the AD security groups to be synced, your domain, the LDAP connection information, and the links between security groups and SKUID groups.
Note: Change these settings in Chrome or Firefox. Internet Explorer is not supported.
- Click “Settings” for “Active Directory”.
- Click “User Synchronization Settings”.
- The default setting is as shown below:
- Click “Add Domain” to set up the synchronization settings.
Item | Required or not | Description
---|---|---
Diff sync period | Required | Interval between differential synchronizations. The default is 30 minutes.

Domain (basic information about your domain)

Item | Required or not | Description
---|---|---
Domain | Required | The DNS name of your domain. E.g.) globalsign.com
Domain controller | Not required | By default the connector locates a domain controller through DNS. To pin a specific domain controller, enter its name here. E.g.) dc1.example.com
Protocol | Required | LDAP or LDAPS, whichever your environment supports. LDAPS with a self-signed certificate cannot be used: the connector validates the domain controller’s certificate, so it must be issued by a CA the connector host trusts.
Port | Required | The port for the chosen protocol: 389 for LDAP (the default, which is usually fine) or 636 for LDAPS. With plain LDAP the connector’s traffic to the domain controller is not protected by TLS, so prefer LDAPS where a trusted certificate is available, or install the connector on the domain controller itself.

AD user with read permission

Item | Required or not | Description
---|---|---
userBase | Required | Base DN for the LDAP queries run by the read-only account. E.g.) DC=globalsign,DC=com
userDn | Required | DN or userPrincipalName of the AD user that runs the LDAP queries. Specifying the DN is usually enough, but some environments require the userPrincipalName instead; see 3-4) Confirmation for Connector Logs. Example DN: CN=SKUID User,DC=globalsign,DC=com. Example userPrincipalName: skuid.user@globalsign.com
userPassword | Required | AD password of the AD user that runs the LDAP queries.

Synchronization requirements (links AD security groups to SKUID groups)

Item | Required or not | Description
---|---|---
Label | Required | A label of your choice that makes the requirement easy to recognize.
Use Domain Users Group | Not required | When turned on, every user in the domain is synced.
AD Security Groups | Required | The AD security groups to be synced. All users in these groups, and all users in groups nested inside them, are in scope. You can assign multiple security groups.
SKUID Groups | Required | The SKUID groups the synced users are assigned to. You can choose multiple SKUID groups. Create the SKUID groups in advance, since only existing groups can be selected.

AD attributes for synchronization (maps AD user object attributes to SKUID user fields. Several attributes can be listed for one field; the first one that has a value is used.)

Item | Required or not | Description
---|---|---
First Name | Required | User object attribute holding the user’s first name. E.g.) givenName
Last Name | Required | User object attribute holding the user’s last name. E.g.) sn
Email | Required | User object attribute holding the user’s email address. E.g.) mail
Department | Not required | User object attribute holding the user’s department.
Phone | Not required | User object attribute holding the user’s phone number.
Zipcode | Not required | User object attribute holding the user’s postal code.
Prefecture | Not required | User object attribute holding the user’s prefecture or state.
Municipality | Not required | User object attribute holding the user’s municipality.
Address | Not required | User object attribute holding the user’s street address.
After filling in all required fields, click “Save”; this starts user synchronization. The time it takes depends on the number of users to be synced, but expect it to take a while (about an hour for 500 users).
Note: Clicking “Save” repeatedly while synchronization is running can cause it to fail.
3-4) Confirmation for Connector Logs
If user synchronization is not working properly, check the connector logs first. They are stored in the “logs” directory inside the connector’s installation directory. These are program logs; if you cannot analyze them on your end, contact us and we will ask you to provide them.
Known Error and Solutions
Error:
User synchronization settings have been saved, but synchronization does not start even after a while, and the log contains “AcceptSecurityContext error, data 52e”.
Solution:
Specify the userPrincipalName instead of the DN in the “userDn” field of the user section (“AD user with read permission”) of “User Synchronization Settings”. The sub-code 52e (0x52E = 1326, ERROR_LOGON_FAILURE) is how a domain controller reports a failed bind: either the password is wrong, or the identity string is in a form that the bind type in use does not accept. Confirm the password first, then switch to the userPrincipalName form.
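A way to reproduce the bind outside the connector and see which identity form your domain controller accepts, as an added troubleshooting script that is not part of SKUID. It tries the DN and the userPrincipalName with both an LDAP simple bind and a Negotiate (Kerberos/NTLM) bind; the connector’s own bind type is not documented here, so the matrix tells you which combinations work rather than which one the connector uses. The host name, DN, and UPN are placeholders.

```powershell
# Added troubleshooting script (example, not part of SKUID). Binds to the domain controller
# with each identity form and both common bind types so you can see which combination the
# DC accepts before changing the userDn field. $dc, the DN and the UPN are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc   = 'dc1.example.com'
$port = 389            # 636 for LDAPS (the certificate must chain to a CA this host trusts)
$pw   = Read-Host -Prompt 'Password for the read-only account'

$identities = @(
    'CN=SKUID User,DC=example,DC=com',   # DN form
    'skuid.user@example.com'             # userPrincipalName form
)
$authTypes = 'Basic', 'Negotiate'        # Basic = LDAP simple bind (password in clear on 389); Negotiate = Kerberos/NTLM

foreach ($auth in $authTypes) {
    foreach ($id in $identities) {
        $server = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dc, $port)
        $conn   = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = ($port -eq 636)
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]$auth
        $conn.Credential = New-Object System.Net.NetworkCredential($id, $pw)
        try {
            $conn.Bind()
            '{0,-10} {1,-40} OK' -f $auth, $id
        } catch {
            # PowerShell wraps .NET method exceptions; unwrap to reach LdapException.ServerErrorMessage,
            # which is where AD puts "AcceptSecurityContext error, data 52e" (wrong password, or an
            # identity form this bind type does not understand, e.g. a DN with Negotiate).
            $e = $_.Exception
            if ($e.InnerException) { $e = $e.InnerException }
            $msg = $e.Message
            if ($e.ServerErrorMessage) { $msg = $e.ServerErrorMessage }
            '{0,-10} {1,-40} FAILED: {2}' -f $auth, $id, $msg
        } finally {
            $conn.Dispose()
        }
    }
}
```

Run it on the connector host so it sees the same domain controller and network path the connector does. If every row fails, the password or the account itself is the problem; if only the DN rows fail, enter the userPrincipalName in userDn as the solution above says.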
4. Lastly
Please contact our Support Center if you have any questions regarding setting up AD integration function. If you are using the free trial, please call us at 03-6370-6601.