Identity Sources

Identity sources allow the Liquit system to synchronize with different identity providers.


You'll see a list of all configured Identity sources. By default, the 'LOCAL' Identity source is configured and enabled. This is where the default admin account resides. From here you can do all tasks related to your Identity sources.

Add new Identity source


To add a new Identity source, click on 'Add' in the menu bar.

The initial pop-up window asks you to specify the type of Identity provider

Liquit currently supports Active Directory, Azure AD and eDirectory as Identity providers.

Active Directory


The Active Directory Identity source allows the Liquit system to synchronize user and group information from your corporate Active Directory.

To add an Active Directory as Identity provider, select 'Active Directory' in the 'Type' selection window and click 'Next'


The details pane has the following options:

  • Name
    The friendly name for this Identity source in the system.

  • Enabled
    Tick this box to enable the Identity provider.

  • Hidden
    If you tick this box, the Identity provider will be hidden from selection on the logon screen. You can still use it to log in, but you'll have to enter your account in the form <Name of provider>\<account name>.

Next up are the Settings for the Active Directory connection.


There are a number of options here:

  • Username
    The account name used to connect to Active Directory. This can be specified in the following formats:
    • UPN
      User Principal Name - john.doe@acme.corp
    • Windows Authentication
      Domain\account (down-level logon name) - ACME\John
    • SAM
      SAM Account Name - John
  • Password
    The password for the specified account.
  • Secure
    Tick this box to use SSL (LDAPS). When it is unticked, the bind and all directory data cross the network unencrypted, so enable it wherever the domain controllers offer LDAPS.
  • Photos
    What to do with photos:
    • None
      Don't use photos at all.
    • Query
      When photos need to be displayed, Liquit will query AD for the data.
    • Cache
      Liquit will cache the AD photo data on the Liquit server.
  • Modifications
    Should we allow modifications:

    • None
      Don't allow any modifications.
    • Password
      Allow users to change their AD password from within Liquit.
    • Enabled
      Allow all modifications, e.g. group memberships and passwords.

    The account used for the connection must hold the corresponding rights in the directory. With 'None' a read-only account suffices; grant no more than the selected option requires.
  • ID Attribute
    The attribute that package assignments are bound to. You can choose between:
    • sAMAccountName
      The account logon name. It can be changed, and after an account is deleted the same name can be given to a new account, so assignments bound to it follow the name rather than the original object.
    • objectGUID
      The unique identifier of an AD object. The objectGUID never changes, even if the object is renamed or moved, which makes it the more robust choice.

Note

Once you create the new identity source you will not be able to change the ID Attribute value.

Clicking 'Next' will present you with the summary screen.

Ticking the box will take you directly to your newly created Active Directory Identity source

Edit Active Directory Identity Source


The details of your newly created Active Directory Identity source

On the 'Settings' tab you'll see the settings we specified during creation

The 'Servers' tab is still empty

AD Servers - Identity Source


To make this Identity source functional, we'll need to add at least one server. Click on 'Add Server' to do this.

The initial server add pop-up window

The settings are:

  • Name
    Friendly name to identify this server.
  • Address
    Hostname or IP address on which to connect.
  • Port
    Port to connect to. Defaults to 389 (plain LDAP). Use 636 (LDAPS) when the 'Secure' option is ticked.

Click on 'Confirm' to add the server to the list.

Note

Servers are tried in the order listed. If the server at the top of the list is unreachable, the next one is tried.

Note

If you specify the DNS name of the domain as the server address, DNS is used to locate a domain controller to authenticate against, just as a domain-joined workstation would.

AD Single Sign On (SSO)


Next is the SSO (Single Sign On) option.


For SSO you can select one of the following options:

  • None
    Disable SSO.
  • NTLM
    Use NTLM for SSO. This requires the Liquit Workspace server to be joined to the AD domain, or to a domain trusted by it. Also, the name of the Identity source needs to match the NetBIOS name of the AD domain.
  • oAuth 2.0
    Use OAuth 2.0 (Open Authorization).

For more information about configuring SSO please see the corresponding page.

AD Contexts


Next we can specify the context under the 'Contexts' tab. By default, this will be empty. We click on 'Add Context' to add our context.

The initial 'Context Add' pop-up window

The options to add a context are the following:

  • Context
    Enter a context (in LDAP notation) or use the browse button to select it.
  • Scope
    The scope option has two settings:
    • Base
      Selecting this option will only search the context at that level (Not recursive).
    • Subtree
      This will recursively search this context and anything below it.
  • Users
    Tick this box to enable searching for Users within this context.
  • Groups
    Tick this box to enable searching for Groups within this context.

After specifying your settings, click 'Confirm' to add this context with its settings to the list.

AD Filters


You can specify filters to determine what will be synchronized from the AD backend.


  • Require E-mail
    Ticking this box will require the users to have a non-empty e-mail attribute for them to be synchronized.
  • Group
    Select a group here. Only users who are members of that group are synchronized to the Liquit system.
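As an added example (not part of the Liquit documentation or the product), the following Windows PowerShell function reproduces the connection and query this Identity source will perform, so the Servers, Settings, Contexts and Filters values can be verified before they are saved. It binds with the service account over LDAP or LDAPS, then searches the context with the chosen scope and the 'Require E-mail' and 'Group' filters. Server names, DNs and account names are placeholders. Two assumptions are made: the page describes 'Base' as searching that level only, which the function maps to the LDAP OneLevel scope, and the nested-group matching rule is an Active Directory feature, not something the page says Liquit uses.

```powershell
# Added example: a pre-flight check for an Active Directory Identity source.
# It is not part of Liquit; it only reproduces the LDAP connection and query
# the Servers, Settings, Contexts and Filters tabs describe, so mistakes show
# up here instead of in a silent, empty synchronization. Windows PowerShell 5.1.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LiquitAdSource {
    param(
        [Parameter(Mandatory)][string]$Server,            # 'Address': hostname, IP or the domain's DNS name
        [int]$Port = 389,                                 # 'Port': 389, or 636 together with -Secure
        [switch]$Secure,                                  # the 'Secure' tick box (LDAPS)
        [Parameter(Mandatory)][pscredential]$Credential,  # 'Username'/'Password': UPN or DOMAIN\account
        [Parameter(Mandatory)][string]$Context,           # 'Context' in LDAP notation
        [ValidateSet('Base', 'Subtree')][string]$Scope = 'Subtree',
        [switch]$RequireEmail,                            # the 'Require E-mail' filter
        [string]$GroupDn                                  # the 'Group' filter, as a DN
    )

    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.SessionOptions.SecureSocketLayer = [bool]$Secure
        if (-not $Secure) {
            Write-Warning "Plain LDAP on port ${Port}: the simple bind sends the password in the clear and results are unencrypted."
        }
        # Simple bind with the same account and name format Liquit will use (UPN and DOMAIN\account both work).
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
        $conn.Bind()   # throws LdapException for an unreachable server, bad certificate or wrong password

        # Filter: user objects only (objectCategory=person excludes computer accounts), plus the two tab filters.
        $parts = @('(objectCategory=person)', '(objectClass=user)')
        if ($RequireEmail) { $parts += '(mail=*)' }
        if ($GroupDn) {
            # AD's LDAP_MATCHING_RULE_IN_CHAIN also matches members of nested groups;
            # a plain (memberOf=...) would only match direct members.
            $parts += "(memberOf:1.2.840.113556.1.4.1941:=$GroupDn)"
        }
        $filter = '(&' + ($parts -join '') + ')'

        # The page's 'Base' means "this level only, not recursive", i.e. the direct children of the
        # context: LDAP scope OneLevel. (LDAP's own Base scope would return just the context object.)
        $ldapScope = if ($Scope -eq 'Subtree') {
            [System.DirectoryServices.Protocols.SearchScope]::Subtree
        } else {
            [System.DirectoryServices.Protocols.SearchScope]::OneLevel
        }

        $attrs = [string[]]@('sAMAccountName', 'mail', 'objectGUID')
        $req   = New-Object System.DirectoryServices.Protocols.SearchRequest($Context, $filter, $ldapScope, $attrs)
        $resp  = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

        foreach ($e in $resp.Entries) {
            [pscustomobject]@{
                sAMAccountName = [string]$e.Attributes['sAMAccountName'][0]
                mail           = if ($e.Attributes['mail']) { [string]$e.Attributes['mail'][0] } else { $null }
                # objectGUID is binary; decode it to show the stable value the 'ID Attribute' option can bind to.
                objectGUID     = [guid]::new([byte[]]$e.Attributes['objectGUID'].GetValues([byte[]])[0])
            }
        }
    }
    finally {
        $conn.Dispose()
    }
}

# Usage with placeholder values:
# Test-LiquitAdSource -Server dc01.acme.corp -Port 636 -Secure `
#     -Credential (Get-Credential 'svc-liquit@acme.corp') `
#     -Context 'OU=Users,DC=acme,DC=corp' -Scope Subtree -RequireEmail `
#     -GroupDn 'CN=Liquit Users,OU=Groups,DC=acme,DC=corp'
```

If the bind succeeds but the list comes back empty, the context, scope or filters are the problem rather than the server or account; the users that do appear are the ones an Active Directory Identity source with the same values should synchronize.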

AD Authenticator



The 'Authenticator' tab allows you to specify an Authenticator which will always be used by this backend.

  • Enable authenticator
    Tick the box to enable an authenticator for this backend.
  • Authenticator
    Select an already created authenticator from the list.
  • Prefix
    A prefix to be used by the authenticator.
  • Suffix
    A suffix to be used by the authenticator.

eDirectory


The eDirectory Identity source allows the Liquit system to synchronize user and group information from your eDirectory tree.

To add an eDirectory tree as Identity provider, select 'eDirectory' in the 'Type' selection window and click 'Next'


The details pane is identical to an Active Directory connection and has the following options:

  • Name
    The friendly name for this Identity source in the system.

  • Enabled
    Tick this box to enable the Identity provider.

  • Hidden
    If you tick this box, the Identity provider will be hidden from selection on the logon screen. You can still use it to log in, but you'll have to enter your account in the form <Name of provider>\<account name>.


The options are similar to the AD options:

  • Username
    The account name used to connect to eDirectory. This can be specified in the following formats:
    • LDAP
      LDAP notation (distinguished name) - CN=John,OU=Users,O=ACME
    • CN
      Common Name - John
  • Password
    The password for the specified account.
  • Secure
    Tick this box to use SSL (LDAPS). When it is unticked, the bind and all directory data cross the network unencrypted.
  • Photos
    What to do with photos:
    • None
      Don't use photos at all.
    • Query
      When photos need to be displayed, Liquit will query eDirectory for the data.
    • Cache
      Liquit will cache the eDirectory photo data on the Liquit server.
  • Modifications
    Should we allow modifications:
    • None
      Don't allow any modifications.
    • Password
      Allow users to change their eDirectory password from within Liquit.
    • Enabled
      Allow all modifications, e.g. group memberships and passwords.

Clicking 'Next' will present you with the summary screen

Ticking the box will take you directly to your newly created eDirectory Identity source

Edit eDirectory Identity Source


The details of your newly created eDirectory Identity source

On the 'Settings' tab you'll see the settings we specified during creation

The 'Servers' tab is still empty

eDirectory Servers - Identity Source


To make this Identity source functional, we'll need to add at least one server. Click on 'Add Server' to do this.

The initial server add pop-up window

The settings are:

  • Name
    Friendly name to identify this server.
  • Address
    Hostname or IP address on which to connect.
  • Port
    Port to connect to. Defaults to 389 (plain LDAP). Use 636 (LDAPS) when the 'Secure' option is ticked.

Note

The connection is LDAP based, so don't enter the NCP port number (524).

Click on 'Confirm' to add the server to the list.

Note

Servers are tried in the order listed. If the server at the top of the list is unreachable, the next one is tried.

eDirectory Single Sign On (SSO)


Next is the SSO (Single Sign On) option.


For SSO to eDirectory you can select one of the following options:

  • None
    Disable SSO.
  • oAuth 2.0
    Use OAuth 2.0 (Open Authorization).

Note

The steps for configuring eDirectory for OAuth 2.0 are outside the scope of this document. Please refer to the Novell documentation for this.

eDirectory Contexts


Next we can specify the context under the 'Contexts' tab. By default, this will be empty. We click on 'Add Context' to add our context.

The initial 'Context Add' pop-up window

The options to add a context are the following:

  • Context
    Enter a context (in LDAP notation) or use the browse button to select it.
  • Scope
    The scope option has two settings:
    • Base
      Selecting this option will only search the context at that level (Not recursive).
    • Subtree
      This will recursively search this context and anything below it.
  • Users
    Tick this box to enable searching for Users within this context.
  • Groups
    Tick this box to enable searching for Groups within this context.

After specifying your settings, click 'Confirm' to add this context with its settings to the list.

eDirectory Filters


You can specify filters to determine what will be synchronized from the eDirectory backend.


  • Require E-mail
    Ticking this box will require the users to have a non-empty e-mail attribute for them to be synchronized.
  • Group
    Select a group here. Only users who are members of that group are synchronized to the Liquit system.

eDirectory Authenticator



The 'Authenticator' tab allows you to specify an Authenticator which will always be used by this backend.

  • Enable authenticator
    Tick the box to enable an authenticator for this backend.
  • Authenticator
    Select an already created authenticator from the list.
  • Prefix
    A prefix to be used by the authenticator.
  • Suffix
    A suffix to be used by the authenticator.

Azure AD


The Azure AD Identity source allows the Liquit system to synchronize user and group information from Azure AD.

Manage - Identity sources - Add - Type - Azure AD
To add an Azure AD tenant as Identity provider, select 'Azure AD' in the 'Type' selection window and click 'Next'.

Manage - Identity sources - Add - Details - Azure AD

The details pane is identical to an Active Directory connection and has the following options:

  • Name
    The friendly name for this Identity source in the system.

  • Enabled
    Tick this box to enable the Identity provider.

  • Hidden
    If you tick this box, the Identity provider will be hidden from selection on the logon screen. You can still use it to log in, but you'll have to enter your account in the form <Name of provider>\<account name>.

Manage - Identity sources - Add - Settings - Azure AD

There are a number of options here:

  • Client ID
    Your Client ID is generated when you create (register) the application in Azure AD.

    Note

    In the Azure Portal at https://portal.azure.com the Client ID is referred to as the Application (client) ID.

  • Key
    Provide the key you created for the application in Azure AD. The key is the application's client secret: it is shown only once, when it is created, and must be treated like a password.

  • Token URI
    The URL of the token endpoint, which is constructed as follows:

    https://login.microsoftonline.com/<Tenant ID>/oauth2/token

    You can use the GUID of your tenant or its onmicrosoft.com name as the Tenant ID, as in the example below:

    https://login.microsoftonline.com/liquit.onmicrosoft.com/oauth2/token

  • Authorization URI
    The URL of the authorization endpoint, which is constructed as follows:

    https://login.microsoftonline.com/<Tenant ID>/oauth2/authorize

    You can use the GUID of your tenant or its onmicrosoft.com name as the Tenant ID, as in the example below:

    https://login.microsoftonline.com/liquit.onmicrosoft.com/oauth2/authorize

  • Logout URI
    The URL of the logout endpoint, which is constructed as follows:

    https://login.microsoftonline.com/<Tenant ID>/oauth2/logout?post_logout_redirect_uri=<redirection URL>

    You can use the GUID of your tenant or its onmicrosoft.com name as the Tenant ID, as in the example below:

    https://login.microsoftonline.com/liquit.onmicrosoft.com/oauth2/logout?post_logout_redirect_uri=https%3A%2F%2Fliquit.com%2F

Note

The redirection URL is a parameter inside another URL and must be URL-encoded (percent-encoded) to work properly, as in the example above.

  • Photos
    What to do with photos:
    • None
      Don't use photos at all.
    • Query
      When photos need to be displayed, Liquit will query Azure AD for the data.

  • Reply URL in Azure Active Directory
    For Azure AD to redirect users back to Liquit after sign-in, the application registration needs a reply URL. Azure AD only redirects to URLs that are registered on the application, so enter it as follows:

    https://<Liquit FQDN>/api/auth/token/end

Manage - Identity sources - Add - Reply URL
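As an added example (not part of the Liquit documentation or the product), the Windows PowerShell functions below derive the four URLs described in this section from a tenant and the Liquit FQDN, encoding the post_logout_redirect_uri the way the note requires, and check the Client ID and Key against the Token URI with an OAuth 2.0 client_credentials request before they are entered into the Identity source. The tenant, client ID, key and FQDN are placeholders; the `resource` value and the claim names come from the Azure AD v1 endpoint, not from anything Liquit documents.

```powershell
# Added example, not part of Liquit: derive the Azure AD settings from a tenant
# and the Liquit FQDN, and check the Client ID / Key pair against the Token URI
# before typing them into the Identity source. Tenant, client ID, key and FQDN
# are placeholders. Windows PowerShell 5.1.
function New-LiquitAzureAdSettings {
    param(
        [Parameter(Mandatory)][string]$Tenant,     # tenant GUID or <name>.onmicrosoft.com
        [Parameter(Mandatory)][string]$LiquitFqdn  # the FQDN users reach Liquit on
    )
    $base = "https://login.microsoftonline.com/$Tenant/oauth2"
    # The redirection URL is a parameter inside another URL, so it must be percent-encoded:
    # 'https://workspace.acme.corp/' becomes 'https%3A%2F%2Fworkspace.acme.corp%2F'.
    $redirect = [uri]::EscapeDataString("https://$LiquitFqdn/")
    [pscustomobject]@{
        TokenUri         = "$base/token"
        AuthorizationUri = "$base/authorize"
        LogoutUri        = "$base/logout?post_logout_redirect_uri=$redirect"
        ReplyUrl         = "https://$LiquitFqdn/api/auth/token/end"  # register this on the Azure AD application
    }
}

function Test-LiquitAzureAdKey {
    param(
        [Parameter(Mandatory)][string]$TokenUri,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$Key   # the application key (client secret); never hard-code it
    )
    $plainKey = (New-Object System.Management.Automation.PSCredential('unused', $Key)).GetNetworkCredential().Password
    # client_credentials against the v1 token endpoint: a wrong tenant, Client ID or Key makes the
    # request fail with an AADSTS error, which is exactly what this check is for. 'resource' is
    # required by the v1 endpoint; Microsoft Graph normally works even before the app has permissions.
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $plainKey
        resource      = 'https://graph.microsoft.com'
    }
    $tok = Invoke-RestMethod -Method Post -Uri $TokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'

    # Decode the JWT payload (base64url, unpadded) to confirm which tenant and app the token was issued for.
    $payload = $tok.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    $payload += '=' * ((4 - $payload.Length % 4) % 4)
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    [pscustomobject]@{ Tenant = $claims.tid; AppId = $claims.appid; ExpiresInSeconds = $tok.expires_in }
}

# Usage with placeholder values:
# $s = New-LiquitAzureAdSettings -Tenant 'liquit.onmicrosoft.com' -LiquitFqdn 'workspace.acme.corp'
# $s | Format-List
# Test-LiquitAzureAdKey -TokenUri $s.TokenUri -ClientId '00000000-0000-0000-0000-000000000000' `
#     -Key (Read-Host -AsSecureString 'Application key')
```

The token request only proves that the Token URI, Client ID and Key belong together; the user sign-in that Liquit performs through the Authorization URI and the reply URL needs a browser and is verified by logging on to Liquit with the Identity source enabled.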