Google LDAP (or any Cloud Directory) for Identity source

Hi,

The current available options for Safeguard identity and authentication providers are:

-Active Directory
-LDAP (this supports OpenLDAP 2.4 only)
-External Federation
-Radius (use as a secondary authentication provider)
-Radius as Primary (use as a primary authentication provider)
-FIDO2
-OneLogin MFA

Reference:
https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/7.1/administration-guide/45#TOPIC-1918157

Thanks!

Hi,

Thanks for the response. I just want to clarify this. Are you saying that for the LDAP option, the only cloud directory it can work with is OpenLDAP 2.4? It wont work for Google LDAP?

Hi, 

What I found is that SPP supports OpenLDAP 2.4 only when using the LDAP option correct.

I am not sure how Google LDAP is implemented but if it does not support OpenLDAP 2.4 then it will likely not work.

SPP also supports External Federation which is how we currently integrate with for example Azure AD.

Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account. When an end user logs in, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in.

So this could be another way to configure authentication via external federation rather than LDAP.

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/7.1/administration-guide/137#TOPIC-1918525

Thanks!

Hi, 

What I found is that SPP supports OpenLDAP 2.4 only when using the LDAP option correct.

I am not sure how Google LDAP is implemented but if it does not support OpenLDAP 2.4 then it will likely not work.

SPP also supports External Federation which is how we currently integrate with for example Azure AD.

Safeguard for Privileged Passwords supports the SAML 2.0 Web Browser SSO Profile, allowing you to configure federated authentication with many different STS servers and services, such as Microsoft's AD FS. Through the exchange of the federation metadata, you can create a trust relationship between the two systems. Then, you will create a Safeguard for Privileged Passwords user account to be associated with the federated account. When an end user logs in, they will be redirected to the external STS to enter their credentials and perform any two-factor authentication that may be required by that STS. After successful authentication, they will be redirected back to Safeguard for Privileged Passwords and logged in.

So this could be another way to configure authentication via external federation rather than LDAP.

https://support.oneidentity.com/technical-documents/one-identity-safeguard-for-privileged-passwords/7.1/administration-guide/137#TOPIC-1918525

Thanks!

Hi,

Yup, I already configured the external federation. But I was thinking of setting up LDAP so that it can be an IdP for SPP, and we can pick up the users from Google LDAP. 

Ah ok, that makes sense. The way this use case currently works for Azure AD is via our Starling Cloud service where you can integrate Azure AD in Starling and then use Starling as the Identity provider which can pull the users from Azure AD that way but that is also limited to Azure AD at the moment.

So I am testing this out currently. Google LDAP requires that the base dn is sent out to it. The Base DN field is not showing in the LDAP configuration page. Is there a way to send out the Base DN in the configuration page? The LDAP Config page only has Network address, Service Account DN, and Service Account password.

There is no option to specify the Base DN when adding the LDAP provider. 

You can raise a support request for an enhancement to add support for Google LDAP as an Identity provider for consideration in a future release of SPP.

Thanks!