LDAP authentication
Express and EnterpriseAvailable for Express and Enterprise Editions only.
Prophecy can connect to your organization’s LDAP directory for authentication.
- You can integrate Microsoft Entra ID over LDAP by using the same configuration fields.
- Group mapping can be enabled using group-to-team mapping. To automatically create new teams in Prophecy via group mappings, set the
ENABLE_AUTO_TEAM_CREATIONflag totruein your Prophecy deployment.
Configuration
Here are the basics steps to connect Prophecy with your LDAP directory:
- Log in to Prophecy as an admin user.
- Navigate to the SSO tab of the Prophecy Settings page.
- Under Authentication Provider, select LDAP.
- Fill out the rest of the information and click Save. More information about the available fields can be found below.
Host and Certs
| Parameter | Description |
|---|---|
| Host | Host and optional port of the LDAP server in the form host:port. If the port is not supplied, it will be guessed based on "Disable SSL" and "Start TLS" flags. |
| Disable SSL | Required if the LDAP host is not using TLS (port 389). This option inherently leaks passwords to anyone on the same network. |
| Skip Certificate Verification | If a custom certificate isn't provided, this option can be used to turn on TLS certificate checks. |
| Certificates | Upload trusted Root certs, client certs, and client keys. |
Binds
| Parameter | Description |
|---|---|
| Bind Distinguished Name | The distinguished name for an application service account. The connector uses these credentials to search for users and groups. |
| Bind Password | The distinguished password for an application service account. The connector uses these credentials to search for users and groups. |
| Username Prompt | The attribute to display in the provided password prompt. |
User Search
| Parameter | Description |
|---|---|
| Base Distinguished Name | BaseDN to start the search from. |
| Filter | Optional filter to apply when searching the directory. |
| User Name | Username attribute used for comparing user entries. |
| ID Attribute | String representation of the user. |
| Email Attribute | Attribute to map to Email. |
| Name Attribute | Maps to display name of users. |
Group Search
| Parameter | Description |
|---|---|
| Base Distinguished Name | BaseDN to start the search from. |
| Filter | Optional filter to apply when searching the directory. |
| Name Attribute | Maps to display name of users. |
Configured LDAP Groups API
You can use the Configured LDAP Groups API to retrieve all config data for your LDAP groups.
Example:
curl 'https://<prophecy-env-url>/api/idp/getAllIDPsConfig' \
-H 'Content-Type: application/json;charset=utf-8' \
-H 'cookie: prophecy-token=<prophecy-access-token>'
Response:
{
"data": {
"config": [
{
"id": "cp_ldap",
"type": "ldap",
"name": "",
"idp": "others",
"resourceVersion": "",
"idpConfig": {
"host": "host-name-here:host-port",
"insecureNoSSL": true,
"insecureSkipVerify": true,
"startTLS": false,
"rootCA": "",
"clientCert": "",
"clientKey": "",
"rootCAData": "",
"clientCertData": "",
"clientKeyData": "",
"bindDN": "*****",
"bindPW": "*****",
"usernamePrompt": "cn",
"userSearch": {
"baseDN": "dc=example,dc=org",
"filter": "(objectClass=person)",
"username": "cn",
"scope": "",
"idAttr": "DN",
"emailAttr": "mail",
"nameAttr": "cn",
"preferredUsernameAttr": "",
"emailSuffix": ""
},
"groupSearch": {
"baseDN": "ou=users,dc=example,dc=org|ou=newusers,dc=example,dc=org",
"filter": "(objectClass=groupOfNames)",
"scope": "",
"userAttr": "",
"groupAttr": "",
"userMatchers": null,
"nameAttr": "cn"
}
}
},
{
"id": "cp_saml",
"type": "saml",
"name": "",
"idp": "okta",
"resourceVersion": "",
"idpConfig": {
"caData": "-----BEGIN CERTIFICATE-----\nCERT-HERE\r\n-----END CERTIFICATE-----\n",
"emailAttr": "email",
"entityIssuer": "issuer",
"groupsDelim": ", ",
"nameIDPolicyFormat": "persistent",
"redirectURI": "https://env-domain/api/oauth/samlCallback",
"ssoIssuer": "http://www.okta.com/TOKEN",
"ssoURL": "https://SSO-URL",
"usernameAttr": "name"
}
}
]
},
"success": true
}
User Matchers
This list contains field pairs that are used to match a user to a group. It adds a requirement to the filter that an attribute in the group must match the user's attribute value.