
Authentication Providers

Authentication providers are the directory and identity services the CyberEdge queries for user and group information. The following provider services are supported:

  • Microsoft Active Directory
  • Microsoft Azure SSO
  • OpenLDAP
  • Local Directory
  • Google Cloud Identity
  • Google SSO

Microsoft Active Directory

Microsoft Active Directory is the most common directory service. The process and the available options for configuring a Microsoft Active Directory provider are outlined below:

  1. Go to Authentication > Providers > Add
  2. Add an Active Directory Provider:

    • Name: Provide a name for your Authentication Provider. This object will be available throughout the user interface when configuring authentication.
    • Domain Name: The domain name for your Active Directory server
    • Controller: The host name or IP address of your Active Directory server
    • Port: The port to be used for LDAP queries. Default: 389 (plain LDAP). LDAPS conventionally listens on 636; check which port your Use TLS setting expects before saving
    • Communication Timeout: The period of time, in seconds, before giving up on the LDAP query. Default: 10 Seconds
    • Bind User: The username of the bind user account
    • Bind Password: The password of the bind user account
    • Use TLS: Encrypt communication with the Active Directory server using TLS
    • Validate TLS: Validate the server certificate when a connection is made to the Active Directory service. Leave this enabled: with TLS on but validation off the traffic is encrypted, yet anyone positioned between the CyberEdge and the controller can present their own certificate and capture the bind credentials
    • Retrieve Nested Groups: Add recursive lookups to return nested groups from Active Directory. Note: recursive lookups on large Active Directories can create performance impacts
    • User Authentication Attributes: Authenticate the user by SAM (the sAMAccountName, i.e. the short logon name) or UPN (the userPrincipalName, in user@domain form)
  3. Click "Save"

  4. Click "Save and Apply Changes"

Warning

  • Without TLS enabled, LDAP traffic between the CyberEdge and the Active Directory server is sent in plaintext, including the bind credentials and the usernames and passwords of authenticating users. Always use LDAPS so that this data cannot be read off the wire
  • Recursive lookups for supporting nested groups in large Microsoft Active Directories can cause performance issues. It is recommended to avoid using nested groups whenever possible
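The two User Authentication Attribute modes and the nested-group lookup are easiest to understand as the LDAP search filters they turn into. The following Python is an added example, not CyberEdge code: it builds those filters with RFC 4515 escaping (so a crafted login cannot change the query), and produces an ldapsearch command you can run against the controller to confirm the bind user, the LDAPS port and the filter before saving the provider. The domain, DNs and usernames are constructed placeholders; the ldapsearch flags are OpenLDAP's. The nested form shown uses Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule, which is one common way to implement "Retrieve Nested Groups"; the page does not say whether the CyberEdge uses that rule or walks memberOf itself, but either way the cost grows with the size of the membership graph.

```python
from __future__ import annotations

# Constructed values for this example (not from the page): substitute your own domain.
DOMAIN = "corp.example"
# Active Directory's LDAP_MATCHING_RULE_IN_CHAIN OID: memberOf:<oid>:= matches group
# membership transitively, which is what a nested-group lookup needs.
IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escapes for the ASCII characters that change a filter's meaning.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter(value: str) -> str:
    """Escape a value before interpolating it into an LDAP search filter.

    Without this, a login such as '*)(objectClass=*' rewrites the query instead of
    being matched as a literal username (LDAP filter injection).
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def user_filter(login: str, attribute: str) -> str:
    """Filter that locates the account for the two User Authentication Attribute modes."""
    if attribute == "SAM":
        # sAMAccountName is the short logon name; drop a DOMAIN\ prefix if the user typed one.
        sam = login.split("\\", 1)[-1]
        return f"(&(objectClass=user)(sAMAccountName={escape_filter(sam)}))"
    if attribute == "UPN":
        # userPrincipalName is the user@domain form. Entra ID presents users by UPN,
        # which is why an AD provider used behind Azure SSO has to be in this mode.
        upn = login if "@" in login else f"{login}@{DOMAIN}"
        return f"(&(objectClass=user)(userPrincipalName={escape_filter(upn)}))"
    raise ValueError(f"unknown User Authentication Attribute: {attribute!r}")


def member_filter(group_dn: str, nested: bool) -> str:
    """Filter for the members of a group: direct only, or transitive ("nested").

    The transitive form is the expensive one on large directories: the server walks
    the whole membership graph for every query.
    """
    rule = f":{IN_CHAIN}:" if nested else ""
    return f"(memberOf{rule}={escape_filter(group_dn)})"


def ldapsearch_command(host: str, bind_dn: str, base_dn: str, filt: str,
                       ldaps: bool = True) -> list[str]:
    """argv for an OpenLDAP ldapsearch probe that runs the same query the provider will.

    Use it to verify the bind user, the TLS setup and the filter before saving the
    provider. -W prompts for the bind password so it never lands in shell history.
    """
    scheme, port = ("ldaps", 636) if ldaps else ("ldap", 389)
    return ["ldapsearch", "-H", f"{scheme}://{host}:{port}", "-D", bind_dn, "-W",
            "-b", base_dn, "-LLL", filt, "dn", "sAMAccountName", "userPrincipalName"]


if __name__ == "__main__":
    import shlex

    print(user_filter("jdoe", "SAM"))
    print(user_filter("jdoe", "UPN"))
    print(user_filter("*)(objectClass=*", "SAM"))  # injection attempt, neutralised
    print(member_filter("CN=Staff,OU=Groups,DC=corp,DC=example", nested=True))
    print(shlex.join(ldapsearch_command(
        "dc01.corp.example",
        "CN=svc-cyberedge,OU=Service Accounts,DC=corp,DC=example",
        "DC=corp,DC=example",
        user_filter("jdoe", "UPN"))))
```

If the ldapsearch probe succeeds over ldaps:// but the provider test fails with TLS enabled, the difference is almost always certificate validation: the CA that issued the controller's certificate has to be trusted by the CyberEdge, and the host name you enter must match a name in that certificate.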

Microsoft Azure SSO

The following configuration guide outlines the setup requirements to support Microsoft Azure/Entra SSO. SSO can be used on the CyberEdge web applications including Reporting, LiveZone, Classroom Control and the Captive Portal.

In your Microsoft Azure tenancy:

  1. Log in to the Azure portal https://portal.azure.com
  2. From the navigation bar go to Microsoft Entra ID
  3. In the sub menu go to Enterprise Applications. Within Enterprise Applications:
    • Click New Application > Create your own application
    • Select Option 3, Integrate any other application you don't find in the gallery (Non-gallery)
    • Click Create
  4. In the sub menu go to Security > Permissions
  5. The application must also be registered: click the app registration link
  6. In the sub menu go to Token Configuration > Add optional claim
    • Select ID as the token type
    • Select the claim you want included in the ID token and click Add
  7. In the sub menu go to Authentication > Platform Configuration > Add a platform
  8. Select Single-page application
  9. Within the redirect URIs field, add the CyberEdge URIs as listed below
  10. Click Configure
  11. In the sub menu go to API permissions > Microsoft Graph > Delegated permissions. Within the OpenId permissions section, select openid and click Add permissions
  12. Once added, click Grant admin consent and confirm. The permissions should now show as granted
  13. In the sub menu go to Overview to obtain the client (application) ID and tenant (directory) ID

In the CyberEdge management UI:

  1. Browse to Authentication > Providers. If necessary, change your existing AD provider’s “User Authentication Attribute” setting from SAM to UPN
  2. In the list of SSO providers, click the Add button and add an Azure SSO provider
  3. Provide the tenant and client IDs listed on the Azure portal
  4. For “Authentication Provider”, choose your existing AD provider
  5. Browse to Authentication > Zone Access. Under “Captive Portal SSO Provider”, choose your new SSO provider
  6. Sign in with Microsoft should now be available via the Captive Portal
  7. Alternatively, browse to System > General. Under Reporting > SSO Provider, choose your new SSO provider
  8. Sign in with Microsoft should now be available on the Reporting login page
  9. Alternatively, browse to LiveZone > General. Under SSO Provider, choose your new SSO provider
  10. Sign in with Microsoft should now be available on the LiveZone login page

Note

Azure SSO identifies the signed-in user by User Principal Name, so the Microsoft AD authentication provider it is paired with must have its User Authentication Attribute set to UPN (step 1 above), not SAM

Local Directory

The local directory is used in smaller networks where no external directory provider exists. For networks of more than 100 users, it is strongly recommended to use an external authentication provider. The local directory service supports:

  • Users and Groups
  • Support for up to 100 users
  • Secure passwords
  • Supports HA configuration with users and groups replicated between nodes
  • Bulk import of users

Google Cloud Identity

Cloud Identity is an Identity as a Service (IDaaS) solution that centrally manages users and groups. You should reference Google documentation for the configuration and setup of Cloud Identity.

To integrate your CyberEdge with Google Cloud Identity, set your Google configuration first:

  1. In admin.google.com go to Apps > LDAP
  2. Click Add client
  3. Set Verify user credentials and Read user information to Entire domain (or restrict them by OU if required) and enable Read group information
  4. On the next page, download the certificate.
  5. On the final page, make sure to turn the service ON.

Note

You will need to combine the .crt and .key files Google provides into a single PEM file to upload to the CyberEdge. Simply using a text editor to paste the contents of the two files into one file is enough. The combined file contains the private key for the LDAP client, so keep it out of shared locations and delete the local copy once it has been uploaded.
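As an added example (not CyberEdge or Google code), the following Python does that concatenation with a couple of checks a text editor will not do for you: it accepts exactly one CERTIFICATE block and one unencrypted private-key block, ignores any stray text around them, puts the certificate first (the conventional order for a combined PEM), and writes the result readable only by your user. The file names are placeholders; the PEM bodies in the self-test are constructed, not real keys.

```python
from __future__ import annotations

import os
import re
import sys

# Matches one PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
# The backreference makes a BEGIN/END mismatch fail rather than silently span two blocks.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text: str) -> list[tuple[str, str]]:
    """Return (label, block) for every PEM block in text, ignoring anything outside them."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def build_bundle(cert_pem: str, key_pem: str) -> str:
    """Combine the downloaded .crt and .key into one PEM: certificate first, then the key.

    Refusing anything but exactly one certificate and one unencrypted private key
    catches the usual mistakes: the two files swapped, a CSR pasted in place of the
    certificate, or a passphrase-protected key the appliance cannot open.
    """
    certs = [block for label, block in pem_blocks(cert_pem) if label == "CERTIFICATE"]
    key_parts = pem_blocks(key_pem)
    if any(label == "ENCRYPTED PRIVATE KEY" for label, _ in key_parts):
        raise ValueError("the private key is passphrase-protected; export it unencrypted")
    keys = [block for label, block in key_parts if label in KEY_LABELS]
    if len(certs) != 1:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {len(certs)}")
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    return certs[0] + "\n" + keys[0] + "\n"


def write_bundle(cert_path: str, key_path: str, out_path: str) -> str:
    """Write the bundle with mode 0600: it holds the private key, and anyone who
    obtains it can query the directory as this LDAP client. O_EXCL refuses to
    overwrite an existing file, so an old bundle is never clobbered by accident."""
    with open(cert_path, encoding="ascii") as f_cert, open(key_path, encoding="ascii") as f_key:
        bundle = build_bundle(f_cert.read(), f_key.read())
    fd = os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as out:
        out.write(bundle)
    return out_path


if __name__ == "__main__":
    # Placeholder file names; use the names of the files Google gave you.
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} client.crt client.key client.pem")
    print("wrote", write_bundle(*sys.argv[1:]))
```

Before uploading, confirm that the key actually belongs to the certificate: the output of `openssl x509 -noout -pubkey -in client.crt` must be identical to the output of `openssl pkey -pubout -in client.key`. A mismatch means you have the wrong file from a different LDAP client and the TLS handshake to Google will fail.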

On the CyberEdge:

  1. Go to Systems > Certificates and upload the certificate.
  2. Go to Authentication > Providers > Add Google Cloud Identity and enter the following information:
    • Name: Provide a name for your Authentication Provider. This object will be available throughout the user interface when configuring authentication.
    • Domain Name: The domain name for your Google Identity Provider
    • Communication Timeout: The period of time, in seconds, before giving up on the query. Default: 10 Seconds
    • Client Certificate: Choose the certificate provided from Google, uploaded in the previous step.
    • Retrieve Nested Groups: Add recursive lookups to return nested groups from Google. Note: recursive lookups on large Google directories can create performance impacts

Google SSO

The following configuration guide outlines the setup requirements to support Google SSO:

  • Go to https://console.cloud.google.com/apis/credentials
  • Click Create credentials > OAuth client ID. Application type is Web application
  • The following configuration matrix should be followed to support Google SSO for the required CyberEdge web applications:

Javascript and redirect URIs

Application      Authorised JavaScript origin          Authorised redirect URI
Captive Portal   https://login.localnetwork.zone       https://login.localnetwork.zone
LiveZone         https://live.localnetwork.zone        https://live.localnetwork.zone/login
Reporting        https://reporting.localnetwork.zone   https://reporting.localnetwork.zone/login
Custom domain    https://custom.domain                 https://custom.domain/login

Google matches redirect URIs exactly, so enter the scheme, host and path (including /login where shown) as listed; a URI that differs by so much as a trailing slash is rejected at sign-in. custom.domain stands for whatever host name you have given the CyberEdge web application.