End User Sync

Quickly add your Customer End Users via Active Directory or Okta with Startly’s End User Sync integration. Administrative access to network users and/or a Super User with LDAP (Lightweight Directory Access Protocol) access is required to properly configure a sync.

Add a New Sync Configuration

    • Click on the Settings menu from the left nav.
    • Select the Integrations category.
    • Select the End User Sync setting.
    • Click the + Icon to add a new sync configuration
      • Select a Customer
      • Enter a Sync Name (e.g. Customer Name AD Sync)
      • Select the Sync Type, either Active Directory or Okta
      • Enter your Domain Name/DNS in LDAP URL for (e.g. ladps://CustomerName.com:636)
      • Select Test Connection

Domain Name / DNS

URI (Uniform Resource Identifier) of the LDAP server. Server must have valid TLS certificate. URI must be specified in the following format:

• ldap://myldapserver.com:389
• ldaps://mysecureldapserver.com:636

If port is not specified explicitly, application will use default port

• LDAP – 389
• LDAPS – 636

If LDAPS is used, sever must be configured with a trusted TLS certificate which matches domain name and AD domain. Note: LDAP protocol without encryption and is not recommended to use outside of protected and trusted networks.


Test Authentication

    • Select a Bind Type to authenticate a client to a directory server
    • Enter your Service Account User ID. See below for formatting.
    • Enter your Service Account Password
    • Select Test Authentication button

Bind Type

Simple – the login/password authentication. When this bind type is selected. Login and password is required

Anonymous(Not Recommended) no authentication. Anonymous authentication is not supported by most providers and not secure.

Service Account User Id  / Bind DN

Distinguished Name of the user (LDAP Admin) that have access to the directory. This field should be specified in format according to RFC 2253 https://datatracker.ietf.org/doc/html/rfc2253.

For Azure Active Directory Domain Services (AAD DS) it should be a member of AAD DC Administrators group. Example: CN=AD Sync,OU=AADDC Users,DC=CustomerName,DC=com

  • CN – common name, the name of the user, usually looks like fname and lname combined but it might depend on specific AD configuration.
  • OU – Organizational Unit. For ADD DS it will be AADDC Users
  • DC – Domain Component – a sequence of domain name parts

Service Account Password / Bind Credential

Password string for the user


Finish Authentication Settings

    • Enter your Users DN to search for users and groups
    • By default the Username LDAP attribute, RDN LDAP attribute, UUID LDAP attribute, User object classes fields will be filled with default values
    • Select Next to move on to Data Mappings

Users DN

Distinguished name of the object which contains all users to be synchronized. For AAD DS it will be:

OU=AADDC Users,DC=CustomerName,DC=com

Note: Startly’s current implementation performs only one level search so nested objects won’t be synchronized. But it Is possible to change to tree search.

Username LDAP attribute

The name of the LDAP attribute to be used as username. Must be unique. For AAD DS it will be userPrincipalName – contains username in email format. For Okta it will be uid. Usually, this parameter is automatically selected and don’t need to be changed by administrator in case of typical setup.

RDN LDAP Attribute

Name of the LDAP attribute, which is used as RDN (top attribute) of typical user DN. Usually it’s the same as the Username LDAP attribute, however it is not required. For example for Active directory, it is common to use ‘cn’ as RDN attribute when username attribute might be ‘sAMAccountName’. Usually, this parameter is automatically selected and don’t need to be changed by administrator in case of typical setup.

UUID LDAP Attribute

Name of the LDAP attribute, which is used as a unique object identifier (UUID) for objects in LDAP. For many LDAP server vendors, it is ‘entryUUID’; however, some are different. For example, for Active directory it should be ‘objectGUID’. If your LDAP server does not support the notion of UUID, you can use any other attribute that is supposed to be unique among LDAP users in tree. For example, ‘uid’ or ‘entryDN’. Usually, this parameter is automatically selected and don’t need to be changed by administrator in case of typical setup.

User object classes

All values of LDAP objectClass attribute for users in LDAP, divided by commas. For example: ‘inetOrgPerson, organizationalPerson’. Existing LDAP user records are found just if they contain all those object classes. It works as a filter by object class attribute.


End User Sync Data Mappings (default)

    • If your sync requires filtering skip to the next step
    • The Preferred Contact Method mapping can be selected, by default email is selected
    • All other Data Mappings for your sync are mapped by default
    • Select Save
    • A sync will be run automatically overnight (1AM EST)
    • See Manual Sync to run a sync after setup

End User Sync Data Mappings (Filtered)

    • If it is required to filter users by Group or OU, Select Filter Type (Security Group or OU)
    • Enter the name of the Selected Filter Name from your Group or OU
    • The Preferred Contact Method mapping can be selected, by default email is selected
    • All other Data Mappings for your sync are mapped by default
    • Select Save
    • A sync will be run automatically overnight (1AM EST)
    • See Manual Sync to run a sync after setup

Security group filter

Security group filter can be specified as semicolon separated list of groups the users must be members of. LDAP uses memberOf attribute of the user to search the users. Group can be specified by name or by DN. When group is specified by name, the group should be located in Users DN folder. If group is specified as DN it can be any valid group DN.

For example:

Security group: Administrators; Users

Users DN:  OU=AADDC Users,DC=startly,DC=com

Resulting filter: (|(CN=Administrators,OU=AADDC Users,DC=startly,DC=com)(CN=Users,OU=AADDC Users,DC=startly,DC=com))

When group is specified as DN:

Security group: CN=Administrators,OU=IT,DC=startly,DC=com; Users

Users DN:  OU=AADDC Users,DC=startly,DC=com

Resulting filter: (CN=Administrators,OU=IT,DC=startly,DC=com)(CN=Users,OU=AADDC Users,DC=startly,DC=com))

Note that in the second example Administrators group belongs to IT organizational unit.

It is allowed to use special characters and they will be escaped automatically. It is also possible to provide string with escape expressions.

Organizational Unit filter

OUs are specified as semicolon separated list of the organizational units to use for synchronization. The user will be synchronized in case when its DN contains at least one of the OUs specified in the list.

For example, if filter will be AADDS Users; IT

CN=John Snow, OU=AADDC Users,DC=CustmerName,DC=com – will be synchronized

CN=Thomas Anderson,OU=IT,DC=CustmerName,DC=com – will be synchronized

CN=Peter Parker,OU=Support,OU=IT, DC=CustmerName,DC=com – will be synchronized

CN=Harold McMillan,OU=Board,DC=CustmerName,DC=com = will NOT be synchronized

Example synchronization parameters

AAD DS

Connection URL: ldaps://ldaps.customername.com:636

Bind DN: CN=AD Sync,OU=AADDC Users,DC=startly,DC=com

Users DN: OU=AADDC Users,DC=startly,DC=com

Username LDAP attribute: userPrincipalName

RDN LDAP attribute: cn

UUID LDAP attribute: objectGUID

User object classes: person, organizationalPerson, user

Okta

LDAP Interface connection settings https://help.okta.com/en-us/content/topics/directory/ldap-interface-connection-settings.htm

Connection URL: ldaps://dev-12345678.ldap.okta.com

Bind DN: [email protected],dc=dev-12345678,dc=okta,dc=com

Users DN: ou=users, dc=dev-12345678, dc=okta, dc=com

Username LDAP attribute: uid

RDN LDAP attribute: cn

UUID LDAP attribute: uniqueIdentifier

User object classes: inetOrgPerson


Manual Sync

    • To sync End Users outside of the scheduled overnight sync (1AM EST), select the Manual Sync option from the action menu of the End User Sync you wish to run in the list
    • A confirmation modal appears, select Confirm to begin a manual sync
Was this article helpful?

Related Articles

Submit a Comment

Your email address will not be published. Required fields are marked *