Active Directory with LDAP
Learn how to configure Active Directory with LDAP as an identity provider for Prophecy.
Here are the basics steps to follow connect Prophecy with your LDAP:
- Log in to Prophecy as an admin user.
- Navigate to the SSO tab of the Prophecy Settings page.
- Under Authentication Provider, select LDAP.
- Fill out the rest of the information and click Save. More information about the available fields can be found below.
Host and Certs
Parameter | Description |
Host | Host and optional port of the LDAP server in the form host:port . If the port is not supplied, it will be guessed based on "Disable SSL" and "Start TLS" flags. |
Disable SSL | Required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network. |
Skip Certificate Verification | If a custom certificate isn't provided, this option can be used to turn on TLS certificate checks. |
Certificates | Upload trusted Root certs, client certs, and client keys. |
Parameter | Description |
Bind Distinguished Name | The distinguished name for an application service account. The connector uses these credentials to search for users and groups. |
Bind Password | The distinguished password for an application service account. The connector uses these credentials to search for users and groups. |
Username Prompt | The attribute to display in the provided password prompt. |
User Search
Parameter | Description |
Base Distinguished Name | BaseDN to start the search from. |
Filter | Optional filter to apply when searching the directory. |
User Name | Username attribute used for comparing user entries. |
ID Attribute | String representation of the user. |
Email Attribute | Attribute to map to Email. |
Name Attribute | Maps to display name of users. |
Group Search
Parameter | Description |
Base Distinguished Name | BaseDN to start the search from. |
Filter | Optional filter to apply when searching the directory. |
Name Attribute | Maps to display name of users. |
Configured LDAP Groups API
You can use the Configured LDAP Groups API to retrieve all config data for your LDAP groups.
curl 'https://<prophecy-env-url>/api/idp/getAllIDPsConfig' \
-H 'Content-Type: application/json;charset=utf-8' \
-H 'cookie: prophecy-token=<prophecy-access-token>'
"data": {
"config": [
"id": "cp_ldap",
"type": "ldap",
"name": "",
"idp": "others",
"resourceVersion": "",
"idpConfig": {
"host": "host-name-here:host-port",
"insecureNoSSL": true,
"insecureSkipVerify": true,
"startTLS": false,
"rootCA": "",
"clientCert": "",
"clientKey": "",
"rootCAData": "",
"clientCertData": "",
"clientKeyData": "",
"bindDN": "*****",
"bindPW": "*****",
"usernamePrompt": "cn",
"userSearch": {
"baseDN": "dc=example,dc=org",
"filter": "(objectClass=person)",
"username": "cn",
"scope": "",
"idAttr": "DN",
"emailAttr": "mail",
"nameAttr": "cn",
"preferredUsernameAttr": "",
"emailSuffix": ""
"groupSearch": {
"baseDN": "ou=users,dc=example,dc=org|ou=newusers,dc=example,dc=org",
"filter": "(objectClass=groupOfNames)",
"scope": "",
"userAttr": "",
"groupAttr": "",
"userMatchers": null,
"nameAttr": "cn"
"id": "cp_saml",
"type": "saml",
"name": "",
"idp": "okta",
"resourceVersion": "",
"idpConfig": {
"caData": "-----BEGIN CERTIFICATE-----\nCERT-HERE\r\n-----END CERTIFICATE-----\n",
"emailAttr": "email",
"entityIssuer": "issuer",
"groupsDelim": ", ",
"nameIDPolicyFormat": "persistent",
"redirectURI": "https://env-domain/api/oauth/samlCallback",
"ssoIssuer": "",
"ssoURL": "https://SSO-URL",
"usernameAttr": "name"
"success": true
User Matchers
This list contains field pairs that are used to match a user to a group. It adds a requirement to the filter that an attribute in the group must match the user's attribute value.