The following provides documentation on how to implement LDAP Authentication (only available on Enterprise plans). For directions on how to turn on Single Sign On Authentication, start here.
In order to access the Formstack account owner's LDAP server, Formstack's servers need to reach the LDAP hostname and port. If your firewall requires a specific source IP address to allow this connection, you can use 220.127.116.11.
LDAP (Password Authentication Provider)
LDAP stands for Lightweight Directory Access Protocol and is a fairly standard protocol. To authenticate a user against LDAP, we simply use the username and password provided by the user to attempt to "bind" (connect) to the LDAP server as that user. If the bind succeeds, the user is authenticated. LDAP also allows searching for user information once the user has been authenticated, which is how we pull the user's email address and additional user information. Once Formstack has an email address, we search for the matching Formstack user and authenticate as that user. If no user is found, the user information is used to create a new user under that account. Users created this way have no account permissions and will need to be granted permission to Formstack resources.
LDAP requires the account owner to provide five different configuration options:
LDAP Hostname
This setting is the hostname or IP address of the LDAP server.
LDAP Port
This setting is the port on the provided LDAP Hostname that we should use to connect with. For a secure LDAP connection, this is typically port 636.
LDAP Base DN
This setting is used to target a specific "directory tree" on the LDAP server. DN here stands for Distinguished Name and is a unique identifier for the LDAP directory to use. Some LDAP configurations can have multiple directories on the same server and this allows us to select the correct one.
Below is an example of the format this setting follows. There is no default for this setting and it will need to be set by the account owner.
LDAP User DN
This setting is used to format the username provided by the authenticating user. DN here stands for Distinguished Name and the format will vary depending on the LDAP configuration.
Below is an example of the format this setting follows. There is no default for this setting, and its format could differ greatly between LDAP implementations. Some LDAP implementations will require the LDAP Base DN to be appended to this value to make the User DN an absolute DN as opposed to a relative DN. The :username value here will be replaced with the username of the authenticating user.
LDAP User Filter
This setting is used to search the LDAP server for user information once the user has authenticated. This is required because we need to find the user's email address to search for their Formstack user. LDAP filtering can be very powerful and this setting can be used to not only find the authenticated user, but also to narrow down the set of users who can authenticate through the authentication provider.
Below is an example of the format this setting follows. There is no default for this setting. The format should be fairly standard, but the username attribute that is filtered upon could differ greatly for different LDAP implementations. The :username value here will be replaced with the username of the authenticating user.
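The bind-then-search flow above substitutes the user-supplied username into both the LDAP User DN and the LDAP User Filter. The following is an added example (not Formstack's own code) showing how an implementer should perform that substitution with RFC 4514 DN escaping and RFC 4515 filter escaping, append the Base DN to a relative User DN, and reject empty passwords before binding. The settings, directory contents and the fake_bind/fake_search stand-ins are constructed placeholders; a real deployment would wrap an LDAP client library instead.

```python
import re

# Constructed sample settings and directory (placeholders, not a real deployment).
SETTINGS = {
    "base_dn": "dc=example,dc=com",
    "user_dn": "uid=:username,ou=people",  # relative; Base DN gets appended
    "user_filter": "(&(uid=:username)(memberOf=cn=formstack,ou=groups,dc=example,dc=com))",
}
DIRECTORY = {  # bind DN -> (password, attributes) for the offline stand-in
    "uid=jdoe,ou=people,dc=example,dc=com": ("s3cret", {"uid": "jdoe", "mail": "jdoe@example.com"}),
}

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = re.sub(r'([,+"\\<>;=])', r'\\\1', value)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

def bind_dn(settings, username):
    dn = settings["user_dn"].replace(":username", escape_dn_value(username))
    if not dn.lower().endswith(settings["base_dn"].lower()):
        dn = f"{dn},{settings['base_dn']}"  # make a relative User DN absolute
    return dn

def search_filter(settings, username):
    return settings["user_filter"].replace(":username", escape_filter_value(username))

def fake_bind(dn, password):  # stand-in for a real simple bind
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[0] == password

def fake_search(base_dn, ldap_filter):  # stand-in for a real search; matches on uid only
    wanted = ldap_filter.split("(uid=", 1)[1].split(")", 1)[0]
    return [attrs for _, (_, attrs) in DIRECTORY.items() if attrs["uid"] == wanted]

def authenticate(settings, username, password, bind=fake_bind, search=fake_search):
    """Bind as the user, then look up the entry with the filter; return the mail."""
    if not password:  # empty password = unauthenticated bind (RFC 4513 5.1.2), which
        return None   # many servers report as success, so refuse it up front
    if not bind(bind_dn(settings, username), password):
        return None
    entries = search(settings["base_dn"], search_filter(settings, username))
    return entries[0]["mail"] if len(entries) == 1 else None
```

The filter must identify exactly one entry; zero or several matches are treated as a failed login rather than picking the first result.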