Integrating User Directories
============================

You can configure the Policy Server to authenticate against external authentication systems using LDAP, RADIUS, IMAP, POP3, SMTP, or other third-party systems.

RADIUS
------

Remote Authentication Dial-In User Service (RADIUS) is a broadly supported client-server protocol that provides centralized authentication, authorization, and accounting functions. You can configure the Policy Server to integrate with an existing external RADIUS server for user authentication. When a user is authenticated through a captive web portal or an agent, the user's password is verified against the RADIUS server.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **RADIUS Server** section in the main window
#. For **Server Address**, enter the RADIUS server's IP address or FQDN
#. For **Server Port**, enter the RADIUS server's port (default is 1812)
#. For **Shared Secret Key**, enter the pre-shared secret key for RADIUS authentication
#. Click **Update**

.. _intergrate-external-ldap:

LDAP (Active Directory)
-----------------------

Lightweight Directory Access Protocol (LDAP) is an Internet protocol used to maintain directory data that may include departments, people, groups of people, passwords, email addresses, and much more. Genian |product_name| can be integrated with LDAP to collect user information and validate user credentials.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **LDAP Server** section in the main window
#. Enter the following:

   - **Server Address**:
   - **Server Port**: (*LDAP=389, LDAPS=636*)
   - **Base DN**: (*e.g. CN=Users,DC=company,DC=com*)
   - **Bind DN**: (*Should be in FQDN form, e.g. Administrator@company.com*) (*The bind account should have Administrator privileges*)
   - **Bind Password**:
   - **User Naming Attribute**: (*e.g. sAMAccountName*)
   - **SSL Connection**: (*Turn on if using LDAPS*)

#. Click **Update**
#. Click **Test** to test configuration settings (*The test account can be any user account found within the Base DN*)

.. note:: Known Issues

   LDAP Server connection failed: ``URI=ldaps://[IP]:[PORT]/, ERRMSG='-1:Can't contact LDAP server, TLSv1.0=-1:Can't contact LDAP server'``

   Possible fix: update the AD (LDAP) server operating system with the latest patches. There are known issues authenticating against Active Directory over Secure LDAP on unpatched servers due to an encryption incompatibility.

Email is a service provided by most organizations, which makes it an easy choice to use as the user directory. You can check the user's username and password using **SMTP**, **POP3**, and **IMAP**.

IMAP
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **IMAP Server** section in the main window
#. Enter the **Server Address**, **Server Port**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test configuration settings

**Examples**

============================ ===================== ======== ==============
Service Name                 Server Name           Port     Domain
============================ ===================== ======== ==============
Google G Suites              imap.gmail.com        993      Your Domain
Exchange Online (Office 365) outlook.office365.com 993      Your Domain
============================ ===================== ======== ==============

POP3
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **POP3 Server** section in the main window
#. Enter the **Server Address**, **Server Port**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test configuration settings

**Examples**

============================ ===================== ======== ==============
Service Name                 Server Name           Port     Domain
============================ ===================== ======== ==============
Google G Suites              pop.gmail.com         995      Your Domain
Exchange Online (Office 365) outlook.office365.com 995      Your Domain
============================ ===================== ======== ==============

SMTP
----

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **SMTP Server** section in the main window
#. Enter the **Server Address**, **Server Port**, **Connection Security**, and **Domain Name**
#. Click **Update**
#. Click **Test** to test configuration settings

**Examples**

============================ ===================== ======== ====================== ==============
Service Name                 Server Name           Port     Connection Security    Domain
============================ ===================== ======== ====================== ==============
Google G Suites              smtp.gmail.com        465      SMTPS                  Your Domain
Office 365                   smtp.office365.com    587      MSA/STARTTLS           Your Domain
============================ ===================== ======== ====================== ==============

.. note:: Known Issues

   Gmail error: ``Authentication failed.Authentication failed.SMTP(535-5.7.8:Username and Password not accepted. Learn more at https://support.google.com/mail/?p=BadCredentialsy32sm41405227qt)``

   Fix: turn on "Less secure app access" under the Google account's security settings, or use SAML integration.

SAML 2.0
--------

Security Assertion Markup Language (`SAML`_) is an open standard that allows exchanging authentication and authorization data between parties. SAML involves an End User, a Service Provider (SP) that requires authentication, and an Identity Provider (IdP) that provides authentication services.
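The IdP Entity ID, IdP SSO URL and x509 certificate that the SP side of the configuration asks for are normally published by the IdP in a SAML metadata document. The following Python script is an added example and is not part of the Genian documentation or product: it parses a constructed metadata document (the ``idp.example.com`` hostnames and the certificate bytes are placeholders), extracts those three values, rejects SSO endpoints that are not HTTPS, and prints the certificate's SHA-256 fingerprint so it can be compared with what the IdP admin console shows before the certificate is pasted in.

```python
"""Pull the IdP Entity ID, SSO URL and signing certificate from SAML IdP metadata.

Added example for illustration; not code from the Genian documentation or product.
"""
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed placeholder standing in for DER certificate bytes; a real IdP
# publishes a real X.509 certificate here.
PLACEHOLDER_DER = b"constructed placeholder, not a real X.509 certificate"

# Constructed metadata document with the elements an IdP publishes for an SP.
# The idp.example.com hostname is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
                     entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {base64.b64encode(PLACEHOLDER_DER).decode()}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Return the values a Service Provider needs from an IdP EntityDescriptor.

    Metadata fetched from a URL you do not control is untrusted XML; parse it
    with defusedxml rather than xml.etree in that case."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP role")
    sso = {svc.get("Binding"): svc.get("Location")
           for svc in idp.findall("md:SingleSignOnService", NS)}
    for binding, url in sso.items():
        # Credentials and assertions travel through this endpoint: refuse plain HTTP.
        if not url.startswith("https://"):
            raise ValueError(f"SSO URL for {binding} is not HTTPS: {url}")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop pretty-printing whitespace
    if not certs:
        raise ValueError("no signing certificate: the SP could not verify assertions")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def to_pem(cert_b64: str) -> str:
    """PEM form of the certificate, which is what a paste box usually expects."""
    body = "\n".join(textwrap.wrap(cert_b64, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha256_fingerprint(cert_b64: str) -> str:
    """Colon-separated SHA-256 of the DER bytes, to compare with the IdP admin console."""
    der = base64.b64decode(cert_b64, validate=True)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("IdP Entity ID :", info["entity_id"])
    print("IdP SSO URL   :", info["sso"].get(HTTP_POST) or info["sso"].get(HTTP_REDIRECT))
    print("Cert SHA-256  :", sha256_fingerprint(info["signing_certs"][0]))
    print(to_pem(info["signing_certs"][0]))
```

Which SSO binding the SP uses is a property of the SP, so the script reports both the HTTP-POST and the HTTP-Redirect endpoint; the fingerprint check matters because a pasted certificate is the only thing that lets the SP tell a genuine IdP assertion from a forged one.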
If Genian |product_name| is integrated with Google through SAML, Genian |product_name| becomes the SP and Google becomes the IdP. The following are the basic configuration steps for SAML integration.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **SAML2** section in the main window
#. Copy the **SP Entity ID** and **SP ACS URL** values
#. Enter these values on the *IdP server* when configuring it for Genian |product_name| SAML
#. For **IdP Entity ID** and **IdP SSO URL**, enter the values obtained from the IdP server
#. For **x509 Certificate**, paste the certificate issued by the IdP server
#. Click **Update**
#. Click **Test** to test configuration settings

.. toctree::
   :maxdepth: 1

   integrate-external/saml-okta
   integrate-external/saml-okta-adminconsole
   integrate-external/saml-msentraid
   integrate-external/saml-msentraid-adminconsole

.. _intergrate-external-oidc:

OIDC (OpenID Connect)
---------------------

`OIDC`_ (OpenID Connect) is an open standard authentication layer built on top of OAuth 2.0. Through OIDC, clients can verify the identity of end users based on the authentication performed by an Authorization Server and obtain basic profile information. When Genian |product_name| is integrated with an external Identity Provider through OIDC, Genian |product_name| becomes the Relying Party (RP) and the external system becomes the OpenID Provider (OP).

The following OIDC providers are supported:

.. toctree::
   :maxdepth: 1

   integrate-external/oidc-google
   integrate-external/oidc-google-adminconsole
   integrate-external/oidc-keycloak
   integrate-external/oidc-keycloak-adminconsole
   integrate-external/oidc-msentraid
   integrate-external/oidc-msentraid-adminconsole
   integrate-external/oidc-okta
   integrate-external/oidc-okta-adminconsole

SAML ZTNA Client Authentication
-------------------------------

SAML authentication can be used for ZTNA Client VPN authentication when establishing the VPN connection.

.. toctree::
   :maxdepth: 1

   integrate-external/saml-ztna-client

Testing Integration
-------------------

You can test the integration configurations of **RADIUS**, **LDAP**, **IMAP**, **POP3**, **SMTP**, or **SAML** to verify successful connections.

#. Go to **Preferences** in the top panel
#. Go to **User Authentication > Authentication Integration** in the left Preferences panel
#. Find the **Authentication Test** section at the bottom of the main window
#. Click **Update** if you made any configuration changes
#. Click **Test** to test configuration settings

.. _SAML: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
.. _OIDC: https://openid.net/connect/

Troubleshooting
---------------

- :doc:`/troubleshoot/ldap-search-failed-1`
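The RADIUS section asks for a **Shared Secret Key**, and the Testing Integration section is where a mismatched secret surfaces. The Python script below is an added example, not code from the Genian documentation or product; using only the standard library it shows how that secret is used on the wire according to RFC 2865: the User-Password attribute of an Access-Request is hidden with MD5 keyed by the secret and the 16-byte Request Authenticator, and the Response Authenticator on the server's reply is an MD5 over the reply plus the secret, which the client must verify before acting on an Access-Accept. The usernames, passwords and secrets in it are constructed sample values.

```python
"""RADIUS Access-Request with a PAP password (RFC 2865), standard library only.

Added example for illustration; not code from the Genian documentation or product.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_pap_password(password: str, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 bytes, then XOR
    each block with MD5(secret + previous ciphertext block); the first block uses
    the Request Authenticator. Without the same secret the server cannot recover it."""
    raw = password.encode()
    if not 1 <= len(raw) <= 128:
        raise ValueError("PAP User-Password must be 1..128 bytes")
    raw += b"\x00" * (-len(raw) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(raw), 16):
        block = _xor(raw[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> str:
    """Inverse of encode_pap_password: what the RADIUS server does before checking
    the password against its user store. A wrong secret yields garbage, not an error."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00").decode(errors="replace")


def _attribute(attr_type: int, value: bytes) -> bytes:
    # Type (1 byte), Length including this header (1 byte), Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str,
                         secret: bytes, request_auth: bytes) -> bytes:
    """Code, Identifier, Length, 16-byte Request Authenticator, then the attributes."""
    attrs = (_attribute(ATTR_USER_NAME, username.encode())
             + _attribute(ATTR_USER_PASSWORD, encode_pap_password(password, secret, request_auth)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def _response_authenticator(code: int, identifier: int, attrs: bytes,
                            request_auth: bytes, secret: bytes) -> bytes:
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, identifier: int, attrs: bytes,
                   request_auth: bytes, secret: bytes) -> bytes:
    """What a RADIUS server sends back; used here to produce a sample reply offline."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return header + _response_authenticator(code, identifier, attrs, request_auth, secret) + attrs


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """A client must check this before acting on an Access-Accept: a reply whose
    Response Authenticator does not match was not built with the configured secret,
    or was altered in transit."""
    if len(response) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False
    expected = _response_authenticator(code, identifier, response[20:], request_auth, secret)
    return hmac.compare_digest(expected, response[4:20])


if __name__ == "__main__":
    # Constructed sample values; a deployment uses the Shared Secret Key set on both sides.
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)
    request = build_access_request(1, "alice", "correct horse battery", secret, request_auth)
    print("Access-Request bytes:", len(request))
    reply = build_response(ACCESS_ACCEPT, 1, b"", request_auth, secret)
    print("reply verifies with the right secret:", verify_response(reply, request_auth, secret))
    print("reply verifies with a wrong secret:  ", verify_response(reply, request_auth, b"other"))
```

Two practical consequences follow from the code. First, when the secret on the Policy Server and on the RADIUS server differ, the server decodes an unusable password and rejects a user whose credentials are correct, so the **Test** button is the quickest way to confirm a newly entered secret. Second, the password hiding and the reply check are MD5 constructions rather than modern authenticated encryption, which is why RADIUS traffic between the two servers belongs on a protected management network or inside a tunnel.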