The following provides documentation on how to implement Active Directory Authentication in conjunction with Single Sign On (SSO) Authentication (only available on Enterprise plans). For directions on how to turn on Single Sign On Authentication start here.
Active Directory (Password Authentication Provider)
Active Directory is an enterprise-level directory service offered by Microsoft and is, for practical purposes, the standard user management system on Windows servers. Active Directory exposes several interfaces to the user directory; this provider uses the LDAP interface. It is built on our LDAP authentication provider and supplies convenient defaults when configuring it. Just as with LDAP, to authenticate a user against Active Directory we take the username and password provided by the user and attempt to "bind" (connect) to the Active Directory server as that user. If the bind succeeds, the user is authenticated. Because the user's password is sent to the directory server in that bind, the connection to Active Directory should always be made over TLS (LDAPS).
Active Directory also allows searching for user information once the user has been authenticated, which is how we pull the user's email address and additional user information. The email address is the link between the directory account and Formstack: once Formstack has it, we look up the Formstack user with that email address and authenticate as that user. If no user is found, the directory information is used to create a new user under the Formstack account. Users created this way have no account permissions and will need to be granted permission to Formstack resources.
Just like our LDAP authentication provider, Active Directory requires the account owner to provide five different configuration options:
Active Directory Hostname
This setting is the hostname or IP address of the Active Directory server.
Active Directory Port
This setting is the port on the provided Active Directory Hostname that we should connect to. For a secure (LDAPS) Active Directory connection this is typically port 636. Port 389 is the unencrypted LDAP port; using it would send each user's password across the network in the clear, so it should not be used here.
Active Directory Base DN
This setting is used to target a specific "directory tree" on the Active Directory server. DN stands for Distinguished Name; the Base DN is the entry at which user searches start, and only entries below it can be found. Some Active Directory configurations host multiple directories (or several domains) on the same server, and this setting selects the correct one.
Below is an example of the format this setting follows. There is no default for this setting and it will need to be set by the account owner.
Active Directory User DN
This setting is used to format the username provided by the authenticating user. DN here stands for Distinguished Name. The format is fairly standard for Active Directory unless it's somehow been changed by the Active Directory administrator.
Below is an example of the format this setting follows. There is no default for this setting. The :username value here will be replaced with the username of the authenticating user. The DOMAIN value should be replaced by the appropriate Active Directory DOMAIN value.
Active Directory User Filter
This setting is used to search the Active Directory server for user information once the user has authenticated. This is required because we need the user's email address in order to find their Formstack user. Active Directory filtering can be very powerful, and this setting can be used not only to find the authenticated user but also to narrow down the set of users who can authenticate through this provider (for example, by requiring membership in a particular group). For any given username the filter should match exactly one entry; a filter that matches several entries, or an entry with no email address, cannot be mapped to a Formstack user.
Below is an example of the format this setting follows. There is no default for this setting. Its format should be fairly standard, and the username attribute that is filtered upon is a standard username attribute for Active Directory. The :username value here will be replaced with the username of the authenticating user.
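The five settings above drive a two-step flow: bind as the user with the User DN template, then search under the Base DN with the User Filter template to obtain the user's email address and map it to a Formstack user. The following Python is an added illustration of that flow; it is not Formstack's code. Everything in it is an assumption made for the example: the `:username` placeholder syntax, DN-style and filter templates, an ldap3-style `bind`/`search` interface, and the in-memory `FakeDirectory` standing in for a real server. Two details a practitioner would want, which the article does not spell out, are shown explicitly: the username is escaped before it is substituted into a DN (RFC 4514) or a filter (RFC 4515), so a crafted username cannot change the filter's structure, and an empty password is refused before binding, because an LDAP bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2) that many servers, Active Directory included by default, accept as anonymous.

```python
"""Added example of the bind-then-search login flow described above.
Not Formstack's implementation: the template syntax, the ldap3-style
connection interface and the sample directory are all assumptions."""
import re

# Characters that Active Directory does not allow in a sAMAccountName.
# Rejecting them up front keeps usernames out of the escaping edge cases
# (and is the right check if the User DN template is DOMAIN\:username
# rather than a true DN).
USERNAME_RE = re.compile(r'[^"/\\\[\]:;|=,+*?<>\s]{1,20}')

# RFC 4514: escape a value embedded in a DN attribute (CN=:username,...).
_DN_ESCAPES = {c: "\\" + c for c in ',+"\\<>;='}
_DN_ESCAPES["\0"] = "\\00"


def escape_dn_value(value: str) -> str:
    out = "".join(_DN_ESCAPES.get(c, c) for c in value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """RFC 4515: a username cannot open/close filter groups or add wildcards."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\0" else c for c in value)


def render(template: str, username: str, escape) -> str:
    return template.replace(":username", escape(username))


def authenticate(conn, settings, username, password, app_users):
    """Return the application user for (username, password) or None.
    app_users maps lower-cased e-mail -> user record; a new record with no
    permissions is added when the directory user has no app user yet."""
    if not password or not USERNAME_RE.fullmatch(username or ""):
        return None  # empty password would be an unauthenticated bind
    bind_dn = render(settings["user_dn"], username, escape_dn_value)
    if not conn.bind(bind_dn, password):
        return None
    flt = render(settings["user_filter"], username, escape_filter_value)
    entries = conn.search(settings["base_dn"], flt, ["mail"])
    if len(entries) != 1 or not entries[0].get("mail"):
        return None  # ambiguous match or no e-mail: fail closed
    email = entries[0]["mail"].lower()
    user = app_users.get(email)
    if user is None:
        user = {"email": email, "permissions": []}
        app_users[email] = user
    return user


class FakeDirectory:
    """Constructed in-memory stand-in for an AD server (bind + search only)."""
    BASE = "DC=corp,DC=example"

    def __init__(self, accounts):
        self.accounts = accounts  # sAMAccountName -> {"password", "mail"}

    def bind(self, dn, password):
        # Mimics the default server behaviour: DN plus empty password is an
        # unauthenticated bind and "succeeds" (as anonymous).
        if password == "":
            return True
        m = re.fullmatch(r"CN=(.+),CN=Users," + re.escape(self.BASE), dn)
        acct = self.accounts.get(m.group(1)) if m else None
        return bool(acct and acct["password"] == password)

    def search(self, base_dn, flt, attrs):
        # Understands only the exact filter shape used in SETTINGS below;
        # an escaped or malformed value simply matches nothing.
        m = re.fullmatch(r"\(&\(objectClass=user\)\(sAMAccountName=([^)]*)\)\)", flt)
        if base_dn != self.BASE or not m or m.group(1) not in self.accounts:
            return []
        return [{a: self.accounts[m.group(1)][a] for a in attrs}]


SETTINGS = {  # the five options from this article; values are assumptions
    "hostname": "ad.corp.example",
    "port": 636,
    "base_dn": "DC=corp,DC=example",
    "user_dn": "CN=:username,CN=Users,DC=corp,DC=example",
    "user_filter": "(&(objectClass=user)(sAMAccountName=:username))",
}

DIRECTORY = FakeDirectory({  # constructed sample accounts
    "alice": {"password": "correct horse", "mail": "Alice@corp.example"},
    "bob": {"password": "hunter2", "mail": "bob@corp.example"},
})

if __name__ == "__main__":
    users = {}
    print(authenticate(DIRECTORY, SETTINGS, "alice", "correct horse", users))
    print(authenticate(DIRECTORY, SETTINGS, "bob", "", users))  # None
```

The `FakeDirectory` deliberately accepts an empty password on `bind`, as a default-configured server would; the guard in `authenticate` is what keeps that from becoming a login bypass. Against a real server, `conn` would be an ldap3 `Connection` opened to `hostname:636` with `use_ssl=True`, and the provisioned user record would have whatever permissions the account owner later grants.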