Changes Coming Soon
We will be retiring support for LDAP in June of 2021. To use SSO to log in to the Formstack platform after this date, please configure your identity provider for SAML 2.0. This does not apply to External Form Authentication, where CAS, LDAP, and Active Directory will remain active.
To prepare for a successful LDAP (Lightweight Directory Access Protocol) configuration on your Formstack Account, we have prepared a brief introduction and overview of our LDAP configuration, including basic terminology and uses. LDAP may be used in conjunction with Single Sign-On (SSO) Authentication (only available on Enterprise plans).
Once you have gathered these details, you may proceed with your LDAP setup in your Formstack account following this guide. Before enabling LDAP on your Formstack Account, please familiarize yourself with and prepare the following authentication assets from your LDAP Service Provider. The integration configuration guide can be accessed here.
Be sure to thoroughly test your settings before confirming them. It’s also a good idea to provide an alternative login option, either until you have confirmed that these settings work as intended or as a back-up method.
In order to access the Formstack account owner's LDAP server, Formstack will need access to the LDAP hostname and port from our Formstack servers. If they require an IP address to open their firewall, you can use:
1. LDAP (Password Authentication Provider)
LDAP stands for Lightweight Directory Access Protocol and is a fairly standard protocol. To authenticate a user against LDAP, we simply use the username and password provided by the user to attempt to "bind" or connect to the LDAP server as that user. If we succeed, then the user is authenticated. LDAP also allows searching for user information once the user has been authenticated, which is how we pull the user's email address and additional user information. Once Formstack has an email address, we search for the Formstack user and authenticate as that user. If a user is not found, the user information is used to create a new user under that account. When users are created this way, they have no account permissions and will need to be granted permission to Formstack resources.
LDAP requires the account owner to provide five different configuration options:
2. LDAP Hostname
This setting is the hostname or IP address of the LDAP server.
3. LDAP Port
This setting is the port on the provided LDAP Hostname that we should use to connect with. For a secure LDAP connection, this is typically port 636.
4. LDAP Base DN
This setting is used to target a specific "directory tree" on the LDAP server. DN here stands for Distinguished Name and is a unique identifier for the LDAP directory to use. Some LDAP configurations can have multiple directories on the same server and this allows us to select the correct one.
Below is an example of the format this setting follows. There is no default for this setting and it will need to be set by the account owner.
5. LDAP User DN
This setting is used to format the username provided by the authenticating user. DN here stands for Distinguished Name and the format will vary depending on the LDAP configuration.
Below is an example of the format this setting follows. There is no default for this setting and its format could differ greatly for different LDAP implementations. Some LDAP implementations will require the LDAP Base DN be appended to this value to make the User DN an absolute DN as opposed to a relative DN. The :username value here will be replaced with the username of the authenticating user.
6. LDAP User Filter
This setting is used to search the LDAP server for user information once the user has authenticated. This is required because we need to find the user's email address to search for their Formstack user. LDAP filtering can be very powerful and this setting can be used to not only find the authenticated user, but also to narrow down the set of users who can authenticate through the authentication provider.
Below is an example of the format this setting follows. There is no default for this setting. The format should be fairly standard, but the username attribute that is filtered upon could differ greatly for different LDAP implementations. The :username value here will be replaced with the username of the authenticating user.
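The :username substitution described for the LDAP User DN and LDAP User Filter settings can be sketched as follows. This is an added example, not Formstack's code: the template values, the group name and the function names are assumptions. It escapes the username per RFC 4514 (DN) and RFC 4515 (filter) and rejects an empty password before any bind is attempted.

```python
# Added example: substituting ":username" into LDAP User DN / User Filter templates.
# Template values are constructed samples, not Formstack defaults.
BASE_DN = "dc=example,dc=com"
USER_DN_TPL = "uid=:username,ou=people,dc=example,dc=com"
USER_FILTER_TPL = ("(&(uid=:username)"
                   "(memberOf=cn=forms-users,ou=groups,dc=example,dc=com))")

DN_SPECIAL = set(',+"\\<>;=')
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIAL or (ch == "#" and i == 0):
            out.append("\\" + ch)
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_ldap_request(username, password):
    """Return (bind_dn, search_base, search_filter) for one login attempt."""
    if not username or not password:
        # A simple bind with an empty password is an "unauthenticated bind"
        # (RFC 4513 section 5.1.2); some servers report it as success.
        raise ValueError("username and password must both be non-empty")
    bind_dn = USER_DN_TPL.replace(":username", escape_dn_value(username))
    search_filter = USER_FILTER_TPL.replace(":username", escape_filter_value(username))
    return bind_dn, BASE_DN, search_filter

if __name__ == "__main__":
    for name in ("jdoe", "doe, jane (ops)*"):
        print(build_ldap_request(name, "constructed-password"))
```

The memberOf clause in the sample filter shows how the User Filter can restrict which directory users are able to authenticate, in addition to locating the user's record.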
Custom SSO User Fields
Within your CAS configuration, you will also be presented with a Single Sign-On (SSO) Autofill plugin that allows your users to populate fields on your forms with information from a selected SSO Provider. Populate the following on your CAS Authentication settings page in Formstack:
Custom Field Key: Locate the custom field in your CAS account and retrieve the field's unique identifier or field key ID. Copy this from CAS and paste it into your Formstack account.
Custom Field Label: Copy the field label from the CAS account and paste it into your Formstack account.
To complete the SSO Auto-fill mappings, please follow the setup steps outlined here.