What is an Identity Provider/User Directory?
An identity provider is a system entity that creates, maintains and manages identity information for users while providing authentication services to relying applications. In simple terms, QTS uses identity providers for two purposes:
To identify a user of the system in order to associate the roles and license pools that control product functionality and access.
To authenticate users, verifying that they are valid within the system before granting access to functionality.
The origin of a user only matters for fulfilling these two purposes; beyond that, QTS treats all users in the system equally.
Currently, two types of Identity Provider are supported:
Internal QTS User Directory: installed by default and requires no configuration.
Active Directory: added by a QTS Admin through the wizard described below.
Adding an Active Directory Identity Provider
Start by clicking the “Add Identity Provider” button.
A simple 4-step wizard guides you through adding an Active Directory. On completing the 4 steps, a QTS Admin will have configured a connection to a particular AD and saved a valid configuration in the QTS system.
Steps to setting up Active Directory:
The wizard asks for the following values.
User DN: The distinguished name of the account that the application will use when connecting to the directory server.
The privileges this account needs to connect to LDAP are ‘Bind’ and ‘Read’ (user info, group info, group membership, update sequence number, deleted objects). Membership in the Active Directory built-in Administrators group satisfies this, but grants far more than QTS needs, and anyone who can read the QTS database can recover this account’s password (see the note below). Prefer a dedicated read-only service account: by default any authenticated user can already read user, group and membership information and the RootDSE highestCommittedUSN, so the only permission that must be delegated explicitly is read access (List Contents and Read Property) on the domain’s Deleted Objects container, which only Administrators hold by default.
Password: The password of the account specified above.
Note: Connecting to an LDAP server requires that this application log in to the server with the username and password configured here. As a result, this password cannot be one-way hashed; it must be recoverable in the context of this application. The password is currently stored in the database with obfuscation, which hides it from casual inspection but does not protect it from anyone who can read the file. To further guarantee its security, ensure that other processes and accounts do not have OS-level read permission on this application’s database or configuration files.
Host and port: The host name of your directory server and the port on which it is listening (389 for plain LDAP, 636 for LDAPS).
Base DN: The root distinguished name (DN) to use when running queries against the directory server.
For Microsoft Active Directory, specify the base DN in the following format: dc=domain1,dc=local, replacing domain1 and local with the components of your own domain. Microsoft Server provides a tool called ldp.exe which is useful for finding out and exploring the LDAP structure; the defaultNamingContext attribute of the RootDSE entry gives the base DN directly.
SSL: Check this if the connection to the directory server is an SSL/TLS (LDAPS) connection. Note that the directory server needs a certificate that the QTS host trusts in order to use this setting. Without it, the simple bind sends the account’s password to the directory server in cleartext.
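The following PowerShell script is an added example for this page; it is not QTS code or part of the QTS product. It shows the least-privilege alternative to the Administrators-group shortcut above: it reads the base DN from RootDSE, creates a dedicated bind account, delegates only the Deleted Objects read permission, and then performs the same simple bind over LDAPS and the same reads (user, group membership, update sequence number, deleted objects) that the wizard configures. The domain name domain1.local, domain controller dc01.domain1.local, account name svc-qts and the OU=Service Accounts container are assumptions to replace for your environment; it must be run as a Domain Admin on a host with the RSAT Active Directory module.

```powershell
# Added example, not QTS code. Assumed names: domain1.local, dc01.domain1.local,
# service account svc-qts in OU=Service Accounts. Run as a Domain Admin with RSAT installed.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$DcHost  = 'dc01.domain1.local'
$SvcName = 'svc-qts'

# Base DN for the wizard, read from RootDSE instead of guessed (an alternative to ldp.exe).
$BaseDN  = (Get-ADRootDSE -Server $DcHost).defaultNamingContext
$NetBios = (Get-ADDomain -Server $DcHost).NetBIOSName
$SvcPath = "OU=Service Accounts,$BaseDN"   # assumed OU; adjust to your layout

# Dedicated read-only bind account instead of a member of Administrators.
$Password = Read-Host -AsSecureString -Prompt "Password for $SvcName"
New-ADUser -Server $DcHost -Name $SvcName -SamAccountName $SvcName -Path $SvcPath `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true `
    -Description 'QTS LDAP bind account (read-only)'
# This DN is the value for the wizard's user DN field.
$SvcDN = (Get-ADUser -Server $DcHost -Identity $SvcName).DistinguishedName

# Authenticated users can already read users, groups, membership and highestCommittedUSN.
# Reading deleted objects needs List Contents + Read Property on the Deleted Objects
# container, held only by Administrators by default (Microsoft KB 892806 procedure).
$DeletedDN = "CN=Deleted Objects,$BaseDN"
dsacls $DeletedDN /takeownership
dsacls $DeletedDN /G "${NetBios}\${SvcName}:LCRP"

# Verify the account the way QTS will use it: simple bind with the DN over LDAPS (636),
# then the reads listed on the page. Returns an object summarising what the account can see.
function Test-QtsBindAccount {
    param([string]$Server, [string]$BindDN, [securestring]$BindPassword, [string]$BaseDN)
    $cred = [System.Net.NetworkCredential]::new($BindDN, $BindPassword)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
    $auth = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred, $auth)
    $conn.SessionOptions.SecureSocketLayer = $true   # set before Bind; cleartext simple bind exposes the password
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.Bind()                                     # throws LdapException on bad credentials or an untrusted DC certificate

    # Update sequence number: highestCommittedUSN on the RootDSE entry.
    $usnReq = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)', 'Base', 'highestCommittedUSN')
    $usn    = $conn.SendRequest($usnReq).Entries[0].Attributes['highestCommittedUSN'][0]

    # User info and group membership: read the bind account's own entry.
    $meReq  = [System.DirectoryServices.Protocols.SearchRequest]::new($BindDN, '(objectClass=*)', 'Base', 'memberOf')
    $me     = $conn.SendRequest($meReq).Entries[0]
    $groups = if ($me.Attributes.Contains('memberOf')) { $me.Attributes['memberOf'].Count } else { 0 }

    # Deleted objects: the container is only returned with the show-deleted control and the delegated right.
    $delReq = [System.DirectoryServices.Protocols.SearchRequest]::new("CN=Deleted Objects,$BaseDN", '(objectClass=*)', 'Base', 'isDeleted')
    $delReq.Controls.Add([System.DirectoryServices.Protocols.ShowDeletedControl]::new()) | Out-Null
    try   { $canReadDeleted = ($conn.SendRequest($delReq).Entries.Count -eq 1) }
    catch [System.DirectoryServices.Protocols.DirectoryOperationException] { $canReadDeleted = $false }
    $conn.Dispose()

    [pscustomobject]@{
        BindDN                = $BindDN
        HighestCommittedUSN   = $usn
        MemberOfCount         = $groups
        CanReadDeletedObjects = $canReadDeleted
    }
}

Test-QtsBindAccount -Server $DcHost -BindDN $SvcDN -BindPassword $Password -BaseDN $BaseDN
```

If CanReadDeletedObjects comes back false after the dsacls grant, wait for replication to the domain controller you are testing against, or point the test at the DC where the grant was made. A Bind() failure mentioning the server certificate means the QTS host does not trust the issuer of the domain controller's LDAPS certificate, which is the same trust the wizard's SSL option depends on.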
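The note on password storage asks you to keep OS-level read access to the QTS database and configuration files away from other processes. The PowerShell below is an added example, not QTS code, of how to audit and tighten that: it lists every principal with an Allow entry on the data directory other than the ones that need it, then breaks inheritance and sets an explicit ACL. The directory C:\ProgramData\QRA\QTS and the service identity NT SERVICE\QTS are assumptions; substitute the real location of the QTS database and the account the QTS service runs as.

```powershell
# Added example, not QTS code. The directory and service identity below are assumptions:
# replace them with the directory holding the QTS database/config files and the QTS service account.
$QtsDataDir = 'C:\ProgramData\QRA\QTS'
$Allowed    = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\QTS')

function Get-UnexpectedAccess {
    param([string]$Path, [string[]]$AllowedIdentities)
    # Any Allow ACE for another principal is reported, whatever the rights: a principal that can
    # read the database can recover the obfuscated bind password, so the check is deliberately strict.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $AllowedIdentities -notcontains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, IsInherited
}

$extra = Get-UnexpectedAccess -Path $QtsDataDir -AllowedIdentities $Allowed
if ($extra) {
    Write-Host "Principals with unexpected access to ${QtsDataDir}:"
    $extra | Format-Table -AutoSize
    # Typical finding is BUILTIN\Users with Read inherited from ProgramData. Remove inherited ACEs and
    # grant explicit rights only: full control for SYSTEM and Administrators, modify for the service.
    icacls $QtsDataDir /inheritance:r /grant:r 'NT AUTHORITY\SYSTEM:(OI)(CI)F' 'BUILTIN\Administrators:(OI)(CI)F' "$($Allowed[2]):(OI)(CI)M"
    # Files already in the directory inherit the new ACL; confirm nothing unexpected remains.
    $remaining = Get-UnexpectedAccess -Path $QtsDataDir -AllowedIdentities $Allowed
    if (-not $remaining) { Write-Host 'ACL now restricted to the expected principals.' }
}
```

Run the audit again after product upgrades, since an installer may re-enable inheritance on the directory. If QTS runs under a different identity than assumed, put that identity in $Allowed and in the icacls grant; a service that cannot read its own database will fail to start.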
Editing an Active Directory Identity Provider
For Active Directory Identity Providers you will see a gear icon on the bottom right of their card. Click on that and edit the details via the wizard dialog provided.
Removing an Active Directory Identity Provider
Click the garbage-can icon on the card of the provider you wish to remove. After you confirm the prompt, the provider and all of its associated groups and users are removed from the system.
Internal QTS User Directory Setup
Since the QTS User Directory is baked into the product there is no configuration required prior to adding users.
Using QTS Identity Providers with the Client
Users can obtain a license from QTS once they have been given the appropriate privileges. Users from an Active Directory and users from the Internal QTS Directory connect to the server at the same location. From a QVscribe client standpoint, the main difference between the two is that internal QTS users are prompted with a dialog to enter their credentials, whereas Active Directory users have their credentials determined automatically. In both cases, the license request is tied to the particular machine by a unique system identifier.