IDManager Feature Request - AD Groups

  • Idea
  • Updated 3 years ago
  • Implemented
I would like to formally request that the AD integration tie-in portion of ID Manager also provide a provision to authenticate a specific group in the directory, i.e. if I enable the directory integration currently, anyone with a domain account will be allowed to create a guest (in our environment 4500+ users). We would like to limit this to a group that includes, for example, front desk personnel, remote site admins, etc. I'm in the hopes that I'm not the only one that has asked for this.

Cheers,

Matt
Matthew Rudkowski

Posted 4 years ago
Matthew Rudkowski
Anybody else see any request/demand for this?
Mike Kouri, Official Rep
Matthew,
This is a good idea that we want to implement.

I almost marked this as PLANNED instead of Under Consideration, but I wasn't able to get a target timeframe from that team yet.
Matthew Rudkowski
Ok, please keep us posted!
Roberto Casula, Champ
I already submitted this as a feature request (on behalf of a number of my customers) the day I was shown an early beta of the first release of IDM along with about a dozen other requests, including for a web services API which would allow such automation and more.
Matthew Rudkowski
This is actually getting fierce push-back from our upper management and stalling the guest portion of our deployment. They're concerned any random employee will be able to create a guest of various security parameters/schedules (i.e. if they realize the different settings for different user types: contractor, vendor, etc.) or supplement their personal data plans, etc. In our HQ this may not be a huge factor as guest traffic is routed out a separate internet pipe; however, this comes into play largely in the WAN and remote sites. Segmentation to AD groups could allow, for example, any employee to create a simple guest restricted to a short period of time with internet-only access, while a lobby attendant or manager can have access to the various user types who may have a different security policy, schedule, etc., to at least somewhat cut back on illegitimate use.
Smitty
I also like this idea. For my test I am leaving it open so anybody with a domain account can create a guest...but restricting that by AD group would be great. I thought about creating separate users for each receptionist or manager...but I don't want to have to manage that many more accounts and passwords inside ID Manager if I don't have to. The other issue with that is I am creating a bunch of Guest Types with different expiration options. I would like to restrict those...but once I create them...anybody can create a guest with a long expiration. I don't want some of those people to be able to create all of those guest types. Of course...I also can't manually extend an account, which would also help with this issue.
Matthew Rudkowski
Any updates in this regard?
John Hanay
Thank you for your perseverance and patience. This has been entered as a feature in our development system and we are tracking this for a future release.
Matthew Rudkowski
Thank you, John Hanay. This is still holding us back from going global @ ~500 sites with Aerohive for guest; please keep us posted.
John Hanay
We recently added SAML/SSO support using ADFS for ID Manager. This basically allows you to create a policy in the claims to restrict guest account creation to a subset of the employees. The capability should allow you to achieve your desired result.
Matthew Rudkowski
@John Hanay - Is there documentation anywhere for this? I've tried the usual places: techdocs, support portal, etc. Or, if you could tell me whom I should get in touch with to get this implemented.

Thank you in advance.
John Hanay
ADFS Setup for IDM:

Get the configuration file:
· Log into ID Manager.
· Go to: Configuration.
· Select: ID Manager Settings->Employee Sponsorship.
· Select: SAML.
· Click: IDM SP Metadata->"Click here to download".
· Save the XML file to the ADFS server.

Create a new trust on the ADFS server:
· Open ADFS 2.0 Management.
· Select Trust Relationships->Relying Party Trusts.
· Select Add Relying Party Trust from the Actions panel and start the wizard.
· Click Next.
· Select "Import data about the relying party from a file" and select the downloaded XML file.
· Name the new trust and accept all default settings to finish the wizard.
· This will permit all AD users to use ADFS to authenticate to IDM.
· Open the following page on the ADFS server: https://serverhostname/FederationMetadata/2007-06/FederationMetadata.xml
· Save it as an XML file.

Complete the SAML setting:
· Go back to ID Manager, to the same page: Configuration: ID Manager Settings->Employee Sponsorship->SAML.
· Copy and paste all content of the XML file from the ADFS server.
  (Note: make sure the XML data does not contain extraneous characters, e.g. quotes, since some browsers will add these.)
· Copy the link at the beginning of the XML file, after "entityID=", and paste it into the "Idp Entity ID*" box.
· Click Save.

Test SSO:
· Copy the Single Sign-on Entry from the same page.
· Open a new browser and paste the link.
· It should automatically redirect to your SSO page and ask for a user name and password.
· Type an AD user name and password to log in.
· If the login is successful, it should redirect back to the ID Manager Welcome page.
· If not, the error message will be something like "blank SAML".

Limit authentication to IDM to users in a specific group:
· Create a User Group in AD and put in it all users who should be able to use the IDM ADFS functions.
· On the ADFS server, open ADFS Management and select Relying Party Trusts.
· Right-click the IDM trust and select Edit Claim Rules...
· Select Issuance Authorization Rules. Add Rule.
· Name the new rule, select the incoming claim type "Group SID", browse to the group created for the test, and select "Permit access to users with this incoming claim". Click OK to finish the rule setting.
· Remove the default Allow All Users rule.
· Test again.

Matthew Rudkowski
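The last section of the setup above (Group SID issuance authorization rule, default Allow All Users rule removed) done from PowerShell instead of the claim-rule wizard, as an added example that is not part of John's post or of Aerohive's documentation. The trust name "IDM" and the group name "IDM-Sponsors" are placeholders; it assumes the ADFS and ActiveDirectory PowerShell modules are available on the ADFS server.

```powershell
# Added example (not from the thread): replace the wizard's default
# "Permit Access to All Users" issuance authorization rule on the IDM
# relying party trust with one that permits only members of one AD group,
# matched by Group SID. Run as an ADFS administrator on the ADFS server.
Import-Module ActiveDirectory
Import-Module ADFS   # on ADFS 2.0 use: Add-PSSnapin Microsoft.Adfs.PowerShell

$trustName = 'IDM'            # placeholder: display name given to the relying party trust
$groupName = 'IDM-Sponsors'   # placeholder: AD group whose members may sponsor guests

# Resolve the group's SID. The rule matches on SID rather than on the name,
# so renaming the group later does not silently break the rule.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value

# Same rule the "Permit access to users with this incoming claim" template
# produces for incoming claim type Group SID. The value match is a regex,
# hence the anchors: an unanchored pattern would also match longer SIDs that
# merely start with this one.
$permitRule = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit IDM sponsors by Group SID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$($groupSid)$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Setting the rule set replaces whatever was there, so the default
# "Permit Access to All Users" rule is removed in the same step.
Set-AdfsRelyingPartyTrust -TargetName $trustName -IssuanceAuthorizationRules $permitRule

# Check: the trust should now carry only the Group SID rule. A user outside
# the group gets an ADFS access-denied page; a member is redirected to IDM.
(Get-AdfsRelyingPartyTrust -Name $trustName).IssuanceAuthorizationRules
```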
Question in regards to this: can we have multiple claim rules in order to map two different IDM groups? I see the "EMPLOYEE GROUPS" in IDM and tried to create a new one and match on AD group, but SSO keeps dropping back to the "Default group".
Matthew Rudkowski
Just thought I would respond. Finally got around to implementing this and it is working well thus far. After some further testing we will be rolling out globally and report back.