Configure & Manage Active Directory Connectors
Article: KB0010518 Published: 12/09/2021 Last modified: 12/09/2021

Once the Active Directory Connectors are successfully installed, configure the integration between your Active Directory instance and OneLogin.

To complete this configuration, do the following:

Prerequisites

Before you complete the configuration steps described in this article, install at least one Active Directory Connector.

See Install Active Directory Connector 5 for more information.

Verify Active Directory connection

  1. Go to Users > Directories, and select the directory.

  2. On the Connector Instances tab, verify that the Active Directory Connector instance is successfully connected.


    If successfully connected, Status is Connected. If you installed a single Active Directory Connector instance for this Active Directory domain, both User Sync and Auth are checked. For additional Active Directory Connector instances on the same Active Directory domain, only Auth is checked.

    The Sync Status column provides additional telemetry information for each configured Active Directory Connector. The column updates the status of user syncs every 15 minutes. It provides telemetry for the following:


    • Reachable domains
    • Users in backlog
    • When health check was last updated

    You may see a message under the ADC Connector Instance table that provides helpful tips about Auto User Sync and load balancing auth requests.

    Each column has a tooltip to clarify the information provided under the header. Hover over the column name to discover more.

Map and sync Active Directory attributes with OneLogin

By default, OneLogin imports key directory attributes from Active Directory during sync. The default mappings pair these Active Directory fields with the OneLogin fields that hold the synchronized values. To synchronize in the opposite direction, from OneLogin to Active Directory, add and set additional mappings.

To review and update directory attribute mappings, go to the Directory Attributes tab.


In addition to the default mappings listed on this tab, OneLogin also syncs the following fields from Active Directory to OneLogin:

Active Directory Field    OneLogin Field
company                   Company
department                Department
manager                   Manager
Manager's objectGUID      manager_guid
objectGUID                Object GUID
title                     Title

The attributes in the default mappings are hardcoded, but you can map other Active Directory attributes to custom OneLogin fields:

  1. Create a Custom User field.

    See Custom User Fields.

  2. On the Directory Attributes tab, click the + (plus) button above the information panel.

    A new attribute row is added to the bottom of the list.


  3. Select the AD Directory Field from the left dropdown, and select the custom field from the OneLogin Field dropdown.

Remove Manager from ADC sync

Follow the steps below to remove the Manager from ADC sync to OneLogin.

  1. Navigate to C:\Program Files (x86)\OneLogin Inc\OneLogin Active Directory Connector\connectorService.exe.config


  2. Open the file in Notepad running as administrator and add the following lines to the config.

    <setting name="DisablePopulateManagers" serializeAs="String">
      <value>True</value>
    </setting>
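
A check to run after the edit, as an added example that is not OneLogin's own tooling: it confirms the file is still well-formed XML and that DisablePopulateManagers appears exactly once with the value True. The function name is hypothetical, and the sample config with its Placeholder.Settings section name is constructed for illustration.

```powershell
# Added example, not OneLogin code. Checks a connectorService.exe.config
# after a manual edit: well-formed XML, one DisablePopulateManagers, value True.
function Test-DisablePopulateManagers {
    param([Parameter(Mandatory)][string]$ConfigText)

    $doc = New-Object System.Xml.XmlDocument
    try {
        $doc.LoadXml($ConfigText)
    } catch {
        # An unclosed or misplaced tag makes the whole file unreadable.
        return [pscustomobject]@{ Ok = $false; Reason = 'not well-formed XML' }
    }

    $nodes = @($doc.SelectNodes("//setting[@name='DisablePopulateManagers']"))
    if ($nodes.Count -ne 1) {
        return [pscustomobject]@{ Ok = $false; Reason = "setting found $($nodes.Count) times, expected 1" }
    }

    # String comparisons with -ne ignore case, so "true" is accepted as well.
    $value = $nodes[0].SelectSingleNode('value')
    if ($null -eq $value -or $value.InnerText.Trim() -ne 'True') {
        return [pscustomobject]@{ Ok = $false; Reason = 'value is not True' }
    }
    if ($nodes[0].GetAttribute('serializeAs') -ne 'String') {
        return [pscustomobject]@{ Ok = $false; Reason = 'serializeAs is not String' }
    }
    return [pscustomobject]@{ Ok = $true; Reason = 'setting present and enabled' }
}

# Constructed sample: the section name is a placeholder, not the real one.
$good = @'
<configuration>
  <applicationSettings>
    <Placeholder.Settings>
      <setting name="DisablePopulateManagers" serializeAs="String">
        <value>True</value>
      </setting>
    </Placeholder.Settings>
  </applicationSettings>
</configuration>
'@
# Same file with the closing </setting> tag left off during editing.
$broken = $good -replace '</setting>', ''

Test-DisablePopulateManagers -ConfigText $good
Test-DisablePopulateManagers -ConfigText $broken
```

To check the real file, pass the output of `Get-Content -Raw -LiteralPath` with the path from step 1 as `-ConfigText`.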
    

Real-time Sync

OneLogin Active Directory Connector (ADC) synchronizes the majority of the users in real time. It does this either by subscribing to Active Directory Change Notifications or by subscribing to the Directory Synchronizing cookie. The default setting in ADC is Active Directory Change Notification.

To learn more, see User Sync for Active Directory Connector.

Synchronize and export from OneLogin to Active Directory

By default, attributes are imported from Active Directory to OneLogin during sync. You can export attributes from OneLogin to Active Directory. Below are two typical use cases where synchronizing from OneLogin to AD is beneficial.

  • User records are managed in an HR system, like Workday or UltiPro, but Active Directory is used to manage access to network resources.

    Configure a Workday or UltiPro directory connector to import user attributes to OneLogin, and then configure an Active Directory Connector to export user attributes from OneLogin to Active Directory. OneLogin functions as an intermediary during synchronization between the HR system and AD. For more information, see Provisioning from Workday to Active Directory using Custom Reports.

  • User records are maintained in an HR system and Active Directory, and you want to sync them.

    For example, you can use Active Directory to manage the attributes included in the default mappings (first name, last name, email, distinguishedName, memberOf, and so forth), and use Workday to manage attributes updated by your HR system, like title, manager name, employee ID, and location, as in the example depicted below.

    Note: The arrows indicate the sync direction. The default mappings point from the Active Directory field to the OneLogin field, and the remaining mappings point from the OneLogin custom fields (which hold values imported from Workday) to Active Directory fields.


To change the sync direction:

  1. Go to the Advanced tab and select Exporting Users.

  2. Return to this tab and click the arrow on an attribute row to change sync direction.


    You must change one attribute row at a time.

Select Organizational Units to sync from AD to OneLogin

Go to the OU Selection tab to select the AD organizational units to import into OneLogin.

The tab displays your domain's Base DN in the format DC=yourcompany, DC=com.

Select the plus button to expand the tree and show selected nodes. The top-level node is displayed when you first open the tree. After you select OUs and save, the tree expands to display the branches and nodes that include selected OUs. To view child nodes, click the plus button to expand the node. To view sibling nodes, click the ellipsis button.

The following screenshot displays the default tree view.

The screenshot below shows the same tree, expanded after clicking the bottom ellipsis button (in line with the Stor node). Note that all of the siblings of the Stor node are now displayed.

Set advanced Active Directory Connector settings

Go to the Advanced tab to set granular Active Directory Connector settings.

Base DN: If your OneLogin-synced Organizational Units are on one domain controller, enter the domain controller info (DC=yourcompany, DC=com) in the Base DN field to improve Active Directory Connector performance.

Mappings: Toggle on to enable OneLogin to assign OneLogin role and group membership, among other user attributes, based on user membership in AD security groups. For more information, see Mappings.

Stage users: Turn the toggle on to move Active Directory users to OneLogin's staging environment (requiring manual approval of users) during sync. Turn it off to convert synced AD users automatically to active OneLogin users, without approval steps. If this option is on, imported users are listed as Unapproved in Users > All Users. You can activate them one by one from their user details page, or approve all unapproved users by clicking More Actions and selecting Approve all users from the drop-down menu.

Sync User Status from Active Directory: Select to ensure users disabled in AD are disabled in OneLogin, and deprovisioned from their apps.

Ignore computed user access control: Select to inform OneLogin not to use the Computed User Access Control attribute (msDS-User-Account-Control-Computed) in Active Directory to determine if a user should be locked out, based on Group Policy.

Enable Smart Password: Select for LDAP directory migrations to this Active Directory instance, to capture your users' LDAP passwords in Active Directory without requiring a user password reset.

This option works for any user with an Active Directory record. When a user authenticates to OneLogin with their LDAP credentials, OneLogin executes a password reset in the background and provisions the user password to Active Directory. The password is never stored in OneLogin.

OneLogin extracts the user's AD domain from the Base DN value entered on this tab.

If that value is empty, OneLogin uses the domain from the Distinguished Name (DN) synced from the LDAP directory and stored in the OneLogin user record. In a multi-domain environment, the dc= value in the DN must match the user's Active Directory domain for password provisioning to work.
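
The domain-matching rule above as a pre-flight check over exported user records, written as an added example rather than OneLogin's own logic: it derives the domain from the Base DN, or from the user's DN when the Base DN is empty, and flags users whose derived domain differs from their Active Directory domain. The function names, the record properties (Username, DistinguishedName, AdDomain) and the sample users are assumptions constructed for illustration.

```powershell
# Added example, not OneLogin code. Mirrors the lookup order described above:
# Base DN first, otherwise the DN stored on the user record.
function Get-DomainFromDn {
    param([string]$Dn)
    # Split on commas that are not backslash-escaped, so "CN=Doe\, Jane" stays whole.
    $labels = @(foreach ($rdn in ($Dn -split '(?<!\\),')) {
        # -match ignores case; spaces as in "DC=yourcompany, DC=com" are tolerated.
        if ($rdn.Trim() -match '^dc\s*=\s*(.+)$') { $Matches[1].Trim().ToLowerInvariant() }
    })
    if ($labels.Count -eq 0) { return $null }
    return ($labels -join '.')
}

function Test-SmartPasswordDomain {
    param([string]$BaseDn, [Parameter(Mandatory)][object[]]$Users)
    $fromBase = Get-DomainFromDn $BaseDn
    foreach ($u in $Users) {
        $derived = if ($fromBase) { $fromBase } else { Get-DomainFromDn $u.DistinguishedName }
        $source  = if ($fromBase) { 'Base DN' } else { 'user DN' }
        [pscustomobject]@{
            User     = $u.Username
            Source   = $source
            Derived  = $derived
            AdDomain = $u.AdDomain
            Match    = ($derived -eq $u.AdDomain)   # -eq ignores case for strings
        }
    }
}

# Constructed sample records for a two-domain forest; property names are hypothetical.
$users = @(
    [pscustomobject]@{
        Username          = 'jdoe'
        DistinguishedName = 'CN=Doe\, Jane,OU=Staff,DC=emea,DC=example,DC=com'
        AdDomain          = 'emea.example.com'
    }
    [pscustomobject]@{
        Username          = 'bsmith'
        DistinguishedName = 'uid=bsmith,ou=people,dc=example,dc=com'
        AdDomain          = 'emea.example.com'
    }
)

# Base DN left empty, so each user's own DN decides the domain.
Test-SmartPasswordDomain -BaseDn '' -Users $users | Where-Object { -not $_.Match }
```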

Enable auto-switch sync failover: Select if multiple Active Directory Connectors are configured for this Active Directory instance and you want to fail over automatically to another Active Directory Connector if the Active Directory Connector responsible for synchronization fails. For more information, see Installing Additional Active Directory Connectors for High Availability.

Login username attribute: Select the attribute users should use as their user name on your company's branded OneLogin login page. The default is email address. 

Exporting users: Select to export user attributes from OneLogin to Active Directory. To configure user attribute export to AD, switch the sync direction for each attribute on the Directory Attributes tab.

Delete users in AD...: Choose OneLogin actions when users are deleted in Active Directory:

  • unaffected in OneLogin
  • suspended in OneLogin (users are set to Inactive but their user record remains)
  • deleted in OneLogin (user record is completely deleted from OneLogin directory)

Account owners are never suspended or deleted, regardless of your selection here.

Enforce OneLogin password expiration policies: Enable Active Directory to maintain OneLogin's policy-based password expiration settings, if the OneLogin policy is more restrictive. When you enable this setting, the most restrictive password policy always wins: if OneLogin's password expiration interval is shorter than your Active Directory's, OneLogin's is applied. If your Active Directory password expiration interval is shorter, its policy is applied.

Do not write user status back to Active Directory: If checked, OneLogin does not write users' status back to Active Directory. With this option checked, the admin can unlock the user in OneLogin regardless of the user's status in Active Directory and regardless of whether OneLogin can change the user status in Active Directory.

