Changes Coming Soon
We will be retiring support for Active Directory in June of 2021. To use SSO to log in to the Formstack platform after this date, please configure your identity provider for SAML 2.0. This does not apply to External Form Authentication, where CAS, LDAP, and Active Directory will remain active.
To prepare for a successful Active Directory (AD) configuration on your Formstack Account, we have prepared a brief introduction and overview of our Active Directory configuration including basic terminology and uses.
Once you have gathered these details, you may proceed with Active Directory setup in your Formstack account following this guide. Before enabling Active Directory (AD) on your Formstack Account, please familiarize yourself with and prepare the following authentication assets from your Active Directory Service Provider.
Be sure to thoroughly test your settings before confirming them. It's also a good idea to provide an alternative login option, either until you have confirmed that these settings work as intended or as a backup method.
Active Directory (Password Authentication Provider)
Active Directory is an enterprise-level directory service offered by Microsoft. At this point, it's pretty much the standard user management system on Windows servers. Active Directory exposes many different interfaces to the user directory, but for now, we're using the LDAP interface it provides. This authentication provider is built on our LDAP authentication provider and provides convenient defaults when configuring it. Just like with LDAP, to authenticate a user against Active Directory, we simply use the username and password provided by the user to attempt to "bind" or connect to the Active Directory server as that user. If we succeed, then the user is authenticated.
Active Directory also allows searching for user information once the user has been authenticated, which is how we pull the user's email address and additional user information. Once Formstack has an email address, we search for the Formstack user and authenticate as that user. If a user is not found, the user information is used to create a new user under that account. When users are created this way, they have no account permissions and will need to be granted permission to Formstack resources.
Just like our LDAP authentication provider, Active Directory requires the account owner to provide five different configuration options:
1. Active Directory Hostname
This setting is the hostname or IP address of the Active Directory server. Hostnames will generally contain only alphabetical characters (A-Z), numeric characters (0-9), the minus sign (-), and the period (.). Period characters are allowed only when they are used to delimit the components of domain style names.
2. Active Directory Port
Active Directory communications involve a number of ports, some of which are more familiar to network and security administrators than others. This setting is the port on the provided Active Directory Hostname that we should use to connect.
For a secure Active Directory connection, this is typically port 636.
3. Active Directory Base DN
The Base DN setting specifies the root for searches in the Active Directory. This setting is used to target a specific "directory tree" on the Active Directory server. DN here stands for Distinguished Name and is a unique identifier for the Active Directory directory to use. Some Active Directory configurations can have multiple directories on the same server and this allows us to select the correct one.
Below is an example of the format this setting follows. There is no default for this setting and it will need to be set by the account owner.
4. Active Directory User DN
This setting is used to format the username provided by the authenticating user. DN here stands for Distinguished Name. The format is fairly standard for Active Directory unless it's somehow been changed by the Active Directory administrators.
Below is an example of the format this setting follows. There is no default for this setting. The :username value here will be replaced with the username of the authenticating user. The DOMAIN value should be replaced by the appropriate Active Directory DOMAIN value.
5. Active Directory User Filter
This setting is used to search the Active Directory server for user information once the user has authenticated. This is required because we need to find the user's email address to search for their Formstack user. Active Directory filtering can be very powerful and this setting can be used to not only find the authenticated user but also to narrow down the set of users who can authenticate through the authentication provider.
Below is an example of the format this setting follows. There is no default for this setting. Its format should be fairly standard, and the username attribute that is filtered upon is a standard username attribute for Active Directory. The :username value here will be replaced with the username of the authenticating user.
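How the five settings combine for one login attempt, as an added example that is not Formstack's code. The settings values, the DOMAIN\:username and sAMAccountName formats, and the function names are assumptions for illustration; the sketch also escapes the typed username before it enters the User Filter and refuses an empty password.

```python
import re

# Constructed settings in the shape of the five options above. Every value is an
# assumption for illustration, including the User DN and User Filter formats.
SETTINGS = {
    "hostname": "ad.example.test",
    "port": 636,
    "base_dn": "DC=example,DC=test",
    "user_dn": "EXAMPLE\\:username",
    "user_filter": "(sAMAccountName=:username)",
}

_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")
# RFC 4515 escapes for characters that have meaning inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def valid_hostname(host):
    """Letters, digits and '-', with '.' only as a separator between labels."""
    return len(host) <= 253 and _HOSTNAME.fullmatch(host) is not None


def escape_filter_value(value):
    """Escape a user-typed value so it can only match literally in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_plan(settings, username, password):
    """Return what to bind as and what to search for, or raise ValueError."""
    if not valid_hostname(settings["hostname"]):
        raise ValueError("invalid hostname")
    # A simple bind with an empty password is an unauthenticated bind
    # (RFC 4513, section 5.1.2) and can succeed, so it must not count as a login.
    if not username or not password:
        raise ValueError("username and password are required")
    return {
        "server": (settings["hostname"], settings["port"]),
        # The bind identity is not a filter, so it is substituted as typed;
        # the directory server decides whether it names an account.
        "bind_as": settings["user_dn"].replace(":username", username),
        "search_base": settings["base_dn"],
        # Escaped, so a typed '*' or '(' cannot widen or restructure the filter.
        "search_filter": settings["user_filter"].replace(
            ":username", escape_filter_value(username)),
    }
```
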
Custom SSO User Fields
Within your Active Directory configuration, you will also be presented with a Single Sign-On (SSO) Autofill plugin that allows your users to populate fields on your forms with information from a selected SSO Provider. The following settings appear on your Active Directory Authentication settings page in Formstack:
Custom Field Key: Locate the custom field in your Active Directory account and retrieve the field's unique identifier or field key ID. Copy this from Active Directory and paste it into your Formstack account.
Custom Field Label: Copy the field label from the Active Directory account and paste it into your Formstack account.
To complete the SSO Auto-fill mappings, please follow the setup steps outlined here.