WSO2 Identity Cloud provides single sign-on (SSO) capabilities for the applications in an organization so that the users of the organization can use all the applications seamlessly without having to sign in to each and every application separately. You can connect the on-premise user store of the organization directly to WSO2 Identity Cloud to enable this.
An outbound agent is used to connect the organization's local LDAP to WSO2 Identity Cloud. This allows the organization to give application access (with SSO) for users in the LDAP, without sharing the credentials of the LDAP with WSO2 Identity Cloud.
Important! Java 1.8 or a later version is required to run the agent. Ensure that the correct Java version is installed in your server.
- Sign up and log into WSO2 Identity Cloud.
Click on the menu bar on the top left corner.
Click Directories from the left menu.
The following screen is displayed. Click the Connect my LDAP to Cloud button.
This takes a few seconds to complete and it begins downloading the agent file. This performs some backend operations in Identity Cloud that is required to connect to the on-premise user store and you are redirected to the following screen.
Note: If you are unable to download the agent, click DOWNLOAD AGENT to explicitly download the agent.
Unzip the downloaded agent file. Open the
<AGENT_HOME>/conf/userstore-config.xmlfile and do the required changes to point to your LDAP (or any other LDAP you require access to).Click to view a sample userstore-config.xml fileClick to view descriptions of the key properties you use to configure the on-premise user stores
The following table provides descriptions of the key properties in the
userstore-config.xmlfile you use to configure on-premise user stores.
Connection URL to the user store server. In the case of default LDAP in Carbon, the port is specified in the
carbon.xmlfile, and a reference to that port is included in this configuration.
The username used to connect to the database and perform various operations. This user does not have to be an administrator in the user store or have an administrator role in the WSO2 product that you are using, but this user MUST have permissions to read the user list and users' attributes and to perform search operations on the user store. The value you specify is used as the DN (
Distinguish Name) attribute of the user. This property is mandatory.
Password for the
Filtering criteria for listing all the user entries in the user store. This query or filter is used when doing search operations on users. In this case, the search operation only provides the objects created from the specified class. This query is the same as listing out all the available users in the management console.
DN of the context or object under which the user entries are stored in the user store. In this case, it is the "users" container. When the user store searches for users, it will start from this location of the directory.
Different databases have different search bases.
Filtering criteria used to search for a particular user entry.
The attribute used for uniquely identifying a user entry. Users can be authenticated using their email address, UID, etc.
The name of the attribute is considered as the username.
Specifies whether the underlying user store allows empty groups to be created. In the case of LDAP in Carbon, the schema is modified such that empty groups are allowed to be created. Usually LDAP servers do not allow you to create empty groups.
DN of the context under which user entries are stored in the user store.
Filtering criteria for listing all the group entries in the user store. Groups are created in LDAP using the "
groupOfName" class. The group search operation only returns objects created from this class.
Filtering criteria used to search for a particular group entry.
Attribute used for uniquely identifying a user entry. This attribute is to be treated as the group name.
Attribute used to define members of groups.
To start the agent, you run the script wso2agent.sh (on Linux/Mac OS) or wso2agent.bat (on Windows) from the bin folder. The agent asks for an installation token while starting up. Provide the installation token you see in step 4 of this tutorial and press enter.
Once the agent successfully connected to Identity Cloud, a confirmation message is displayed on the command line.
You can further verify this by checking the Identity Cloud UI. It shows your agent is connected successfully to the Identity Cloud.
Your user-store is ready and now you can use the credentials of users in the connected LDAP to log in to the user portal and configure single sign-on for your configured application.You can connect multiple agents (only two at the moment) to cloud to achieve high availability for outbound agent.