Configure Active Directory / LDAP

By setting up Active Directory or LDAP as the primary authentication service for Bitium, you can extend your primary identity to all your cloud apps. You can also add a directory to sync users and groups with Bitium, or you can perform a Directory Sync and enable primary authentication at the same time. Employees will log into Bitium using their Active Directory or LDAP username and password.

Active Directory Integration is available to Business Plus and Unlimited plan users. To learn more, please visit our Plans page or contact support@bitium.com.

Setup Process:

Setting up an Active Directory connector with Bitium is simple. While logged into Bitium as an admin for your org:

  1. Open the “Manage [ORG]” menu and select Directories.
  2. On the Directory setup screen, select “Active Directory” or “LDAP”.

To Connect via the On-Premise Agent

To Connect over the Web

  1. Select “Get Started”

  2. On the Active Directory / LDAP “Step 1: Services” page select either “Authentication”, “Directory Sync” or both. Click “Next”.

    Select "Authentication", "Directory Sync" or both

  3. On the “Step 2: Connect” page supply the required information about your Active Directory / LDAP server and an AD / LDAP account that has permission to browse groups and accounts. Click “Continue”.

    Populate Required Information

    Important – The account used for setting up the Active Directory / LDAP connector must have permission to browse the list of users and groups.

    JumpCloud is a Bitium partner that provides Directory-as-a-Service solutions.

    By enabling JumpCloud as the primary identity authentication service for Bitium, you can extend your primary identity to all your cloud apps. Employees accessing their Bitium dashboard will be authenticated against their JumpCloud credentials.

    Note: On step 2 of “Setup process” for Connect over Web, your Base DN should be in the following format: “ou=Users,o=xxxxxxxxxxxxxxx,dc=jumpcloud,dc=com”.

  4. The next page will confirm that you are successfully connected to Active Directory / LDAP. Click “Next”. If you did not enable “Directory Sync” skip steps 5-7.

    Connected to Active Directory / LDAP

  5. On the “Step 4: Users” page, use the visual tree to select the Organizational Unit Users you want to sync with. Once selected, click “Preview” to view these users.

    Select Users and Groups

    To edit Attribute Settings, click the link in the right corner of the Visual Tree Preview. ‘Username’ is now an available mapping field in the LDAP flow.

  6. Click “Next”, and use the next visual tree to select the Organizational Unit Groups you want to sync with. Once selected, click “Preview” once again to verify these groups. Click “Next”.

  7. On the “Step 4: Settings” page configure your directory with the following options: Primary Directory, Remove Apps when User Leaves Group, and Reactivate Users. Click “Continue”. If in step 2 you selected only “Directory Sync”, you have now completed the AD / LDAP directory sync setup.

    Configure Authentication options

  8. On the “Step 5: Primary Auth” page enter your Active Directory / LDAP credentials to activate Primary authentication.

    Enter Active Directory / LDAP credentials

  9. Once you select “Sign in & Active”, Bitium will confirm the supplied information. Once confirmed, your users may log into Bitium using their AD / LDAP credentials.

    Shows successful integration

Recommendations:

Bitium accesses your AD / LDAP server directly in real time. All access is done over SSL and originates from a single IP address, allowing you to create very specific firewall rules. We also encourage you to set up a read-only replica (RODC) in a DMZ network.

The system can be set up using Bitium’s authentication initially, access permissions can be configured, and then primary authentication can be turned on afterwards. As long as the user email addresses match, the changeover is seamless. The advantage of this approach is that user onboarding and the technical configuration can be run in parallel.

Technical Information:

Originating IP Address: 107.21.50.229 (gw01.bitium.com)

Recommended port and protocol: LDAPS (port 636 - see http://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx)

Notes:

Bitium can support non-standard ports as well; use server.domain:port notation when supplying the Server information to specify a different port.
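The following pre-flight script is an added example, not Bitium's or JumpCloud's code. It checks the values you are about to type into the “Step 2: Connect” page: it parses the Server field using the server.domain:port notation above (defaulting to LDAPS on port 636), splits a Base DN such as the JumpCloud form “ou=Users,o=…,dc=jumpcloud,dc=com” into its RDNs so a typo is caught before the connector is saved, and optionally opens a verified TLS connection to confirm the directory is reachable on the LDAPS port with a certificate your trust store accepts. The hostname, org identifier and DN values in it are constructed placeholders.

```python
"""Pre-flight checks for an AD / LDAP connector (added example, not vendor code)."""
import socket
import ssl
from typing import List, Tuple

DEFAULT_LDAPS_PORT = 636  # recommended port and protocol from the page


def parse_server(server: str, default_port: int = DEFAULT_LDAPS_PORT) -> Tuple[str, int]:
    """Split the Server field; supports the page's server.domain:port notation.

    A bare hostname gets the default LDAPS port. Bracketed IPv6 literals
    ("[2001:db8::1]:636") are accepted so their colons are not mistaken for a port.
    """
    s = server.strip()
    if not s:
        raise ValueError("server must not be empty")
    if s.startswith("["):
        host, sep, rest = s[1:].partition("]")
        if not sep:
            raise ValueError("unterminated IPv6 literal")
        port_str = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port_str = s.partition(":")
    if not host:
        raise ValueError("missing host in %r" % server)
    if port_str == "":
        return host, default_port
    if not port_str.isdigit() or not 1 <= int(port_str) <= 65535:
        raise ValueError("invalid port: %r" % port_str)
    return host, int(port_str)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:
            buf, escaped = buf + ch, False
        elif ch == "\\":
            buf, escaped = buf + ch, True
        elif ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
    parts.append(buf)
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def looks_like_jumpcloud_base_dn(dn: str) -> bool:
    """True when the Base DN follows the ou=Users,o=<org>,dc=jumpcloud,dc=com shape."""
    try:
        rdns = parse_dn(dn)
    except ValueError:
        return False
    attrs = [a for a, _ in rdns]
    return (
        attrs == ["ou", "o", "dc", "dc"]
        and rdns[0][1].lower() == "users"
        and rdns[2][1].lower() == "jumpcloud"
        and rdns[3][1].lower() == "com"
    )


def probe_ldaps(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a certificate-verified TLS session to the LDAPS port (network access required).

    A verification failure here means the connector would be trusting an unverified
    endpoint; fix the server certificate or trust chain rather than disabling checks.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname by default
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(),
                    "subject": cert.get("subject"),
                    "not_after": cert.get("notAfter")}


if __name__ == "__main__":
    # Constructed sample values; replace with your own before running.
    host, port = parse_server("ldap.example.com:636")
    base_dn = "ou=Users,o=EXAMPLE_ORG_ID,dc=jumpcloud,dc=com"
    print(host, port, parse_dn(base_dn), looks_like_jumpcloud_base_dn(base_dn))
    print(probe_ldaps(host, port))
```

`parse_server` and `parse_dn` run offline; `probe_ldaps` is the only function that touches the network, and it deliberately uses the default verifying context so that a self-signed or mismatched certificate surfaces as an error rather than being silently accepted.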