📋 What it's about
Log in with Active Directory accounts using the LDAP protocol.
Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks.
It is included in most Windows Server operating systems as a database and set of processes and services that connect users with the network resources they need to get their work done. Not to be confused with Microsoft Azure Active Directory.
A directory is a hierarchical structure that stores information about objects on the network. A directory service, such as Active Directory Domain Services (AD DS), provides the methods for storing directory data and making this data available to network users and administrators. For example, AD DS stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.
Active Directory stores information about objects on the network and makes this information easy for administrators and users to find and use. Active Directory uses a structured data store as the basis for a logical, hierarchical organization of directory information.
This data store, also known as the directory, contains information about Active Directory objects. These objects typically include shared resources such as servers, volumes, printers, and the network user and computer accounts.
Security is integrated with Active Directory through logon authentication and access control to objects in the directory. With a single network logon, administrators can manage directory data and organization throughout their network, and authorized network users can access resources anywhere on the network.
In a few words, AD DS authenticates and authorizes all users and computers in a Windows domain network, assigns and enforces security policies for all computers, and installs or updates software. AD makes sure each person is who they claim to be (authentication), usually by checking the user ID and password they enter, and allows them to access only the data they are allowed to use (authorization).
AD DS relies on several established protocols and standards, including LDAP (Lightweight Directory Access Protocol). In brief, LDAP is a directory services protocol and Active Directory is a directory server that uses the LDAP protocol.
As an open, cross-platform protocol used for directory service authentication, LDAP provides the language that applications use to talk to directory servers. Directory services store the users, passwords and computer accounts, and share that information with other entities on the network.
How to set up
To activate the login with Active Directory, follow the steps in the Configuration section below. XCALLY also supports login through SAML. SAML is an acronym for the Security Assertion Markup Language. Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (IDP) and a web application (in our case, XCALLY).
The technology industry created SAML to simplify the authentication process where users needed to access multiple, independent web applications across domains. Prior to SAML, single sign-on (SSO) was achievable but relied on cookies that were only viable within the same domain. SAML achieves this objective by centralizing user authentication with an identity provider. Web applications can then leverage SAML via the identity provider to grant access to their users. This approach means users do not need to remember multiple usernames and passwords. It also benefits service providers because it increases the security of their own platform, primarily by avoiding the need to store (often weak and insecure) passwords and by removing forgotten-password handling. (Reference: https://www.onelogin.com/learn)
🔧 Configuration
Info: Consider that there are many types of configurations with SAML.
To activate the login with Active Directory on XCALLY, you need to:
A. Join the XCALLY server to the Active Directory domain
B. Enable the Active Directory connection in XCALLY
C. Enable Active Directory login for Administrators, Users and Agents
To activate the login with SAML on XCALLY instead, you need to:
A. Configure the Identity Provider
B. Configure the XCALLY Server
C. Enable SAML login for Administrators, Users and Agents
Join XCALLY server to the Active Directory domain
As requirement of the integration, the XCALLY server must be added in the Active Directory domain.
Follow these steps to configure the XCALLY server:
Use SSH to connect to your XCALLY server
Login with root user
Install required packages for joining to Active Directory (AD) domain
Code Block:
    apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
After a successful installation you can proceed to discover the Active Directory domain: the realm discover command returns the complete domain configuration and the list of packages that must be installed for the system to be enrolled in the domain.
Code Block:
    realm discover <domain name>
An Active Directory account that is allowed to join computers to the domain is required for integrating your XCALLY machine with the Windows Active Directory domain (by default a member of Domain Admins; the right can also be delegated to a less privileged account, which is preferable). Check and confirm that account name and its password before continuing.
Code Block:
    realm join -U <user> domain.name
Enable Active Directory connection in XCALLY
To use Active Directory login, you need to add Active Directory settings on XCALLY.
Retrieve Active Directory configuration
Ask the Active Directory administrator for the following properties:
Property | Description
---|---
url | Active Directory server to connect to, e.g. ldap://ad.example.com. A plain ldap:// URL sends the bind password in cleartext over the network; if your domain controllers expose LDAPS and your setup supports it, prefer ldaps://ad.example.com (port 636).
baseDN | The root DN from which all searches will be performed, e.g. dc=example,dc=com.
domain | Domain of the email address, e.g. example.com
Configure Active Directory in XCALLY
Follow the steps under Configure XCALLY Server below to set the Active Directory connection.
Requirements
The SAML SSO feature requires:
Configure the Identity Provider
A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on profile of the Security Assertion Markup Language (SAML).
SAML assertions are the messages that are exchanged between an identity provider (IDP) and XCALLY that confidentially identify who a user is, what pertinent information exists about them, and what they’re authorized or entitled to access.
Choose a SAML Identity Provider (IDP)
Associate XCALLY Motion with the IDP (e.g. create the application)
When requested, add the XCALLY certificate (see below how to retrieve it)
From the IDP Settings, retrieve:
SAML Endpoint (HTTP)
IDP Certificate
Issuer URL
Single Logout URL (HTTP), if available in the IDP
When configuring SAML Assertions, add the custom attribute (or parameter) that defines the connector field. Set email as its value, so that the provider treats the XCALLY user email as the connector field.
Info: Emails registered on the identity provider must already be set on XCALLY.
Below, you can find an example:
Retrieve XCALLY Certificate
Certificates in SAML are used as a convenient way to handle the signing and encryption keys. The keys are usually either exchanged through metadata, or by some secure transfer of the certificate to the parties involved in the SAML exchange.
To retrieve the XCALLY certificate from the SAML metadata, go to the API:
Code Block:
    https://<XCALLY DOMAIN>/api/auth/saml/metadata
(enter your XCALLY domain in the string)
Below, you can find an example:
Configure XCALLY Server
Follow these steps to configure the XCALLY server:
Use SSH to connect to your XCALLY server
Login with motion user
Code Block:
    su - motion
Set the Active Directory strings that activate the connection between XCALLY and the domain in /var/opt/motion2/.env
Code Block:
    XC_ACTIVEDIRECTORY_BASE_DN='<baseDN>'
    XC_ACTIVEDIRECTORY_URL='<url>'
    XC_ACTIVEDIRECTORY_DOMAIN='<domain>'
Stop motion application (with root privileges)
Code Block:
    service motion stop
Initialize environment variables
Code Block:
    cd /var/opt/motion2
    npm run initialize
Then start the application again with service motion start.
For the SAML login, set the following variables in the same .env file:
Code Block:
    DOMAIN -> Your Motion Domain (XCALLY URL)
    XC_SAML_ENTRYPOINT -> IDP SAML Endpoint
    XC_SAML_CERT -> IDP's public signing certificate (paste the certificate text into a single line)
    XC_SAML_ISSUER -> Issuer string to retrieve from the IDP
    XC_SAML_LOGOUT_URL (optional) -> IDP Single Logout URL
Below, you can find an example:
To edit the file .env, follow the instructions recommended here, searching for the XC_SAML variables.
Enable Active Directory or SAML login for Administrator, Users and Agents
The login with Active Directory (or with SAML) must be enabled in XCALLY at two levels.
Enable login in General Settings
The Login with Active Directory (or Login with SAML) option must be enabled under Settings → General.
Enable login in Users or Agents settings
For Users or Administrators, the Login with Active Directory option must be enabled under Staff → Users. The same property is available under Staff → Agents for Agents.
At this point, Users and Agents (WebRTC and External) will be able to log in if their XCALLY username, combined with the domain entered in the settings, matches their username in the Active Directory.
Example
In the following example we assume that the domain is acme.com and that the URL used to reach the Active Directory server is ldap://ad.acme.com.
In the file /var/opt/motion2/.env, you need to add the following property:
Code Block:
    XC_ACTIVEDIRECTORY_BASE_DN='dc=acme,dc=com'
    XC_ACTIVEDIRECTORY_URL='ldap://ad.acme.com'
    XC_ACTIVEDIRECTORY_DOMAIN='acme.com'
The Agent John Doe, with john.doe@acme.com as email address, will be able to log in using Active Directory if the agent in XCALLY is configured with the matching username, as shown in the image:
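To make the matching rule concrete, the Node.js snippet below is an added example and not XCALLY's own login code: it shows how the three XC_ACTIVEDIRECTORY_* values of the acme.com example combine into the identity that is checked against the domain (XCALLY username plus configured domain), derives the default base DN from a DNS domain name, and escapes the username before it is placed in an LDAP search filter, which is the check any directory-backed login must do to avoid LDAP filter injection. The settings object, the sAMAccountName lookup filter and the transportWarning check are illustrative assumptions, not XCALLY behaviour.

```javascript
// Added illustration, not XCALLY code. Mirrors the .env keys from the example above.
const settings = {
  XC_ACTIVEDIRECTORY_BASE_DN: 'dc=acme,dc=com',
  XC_ACTIVEDIRECTORY_URL: 'ldap://ad.acme.com',
  XC_ACTIVEDIRECTORY_DOMAIN: 'acme.com',
};

// Default base DN of a domain from its DNS name: acme.com -> dc=acme,dc=com.
// Useful to cross-check the baseDN the AD administrator hands over.
function baseDnFromDomain(domain) {
  return domain.split('.').filter(Boolean).map((label) => `dc=${label}`).join(',');
}

// Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
// the characters * ( ) \ and NUL become \XX hex escapes. Without this, a login
// name such as "*)(sAMAccountName=*" rewrites the filter instead of being
// matched literally.
function escapeLdapFilterValue(value) {
  return String(value).replace(/[\\*()\0]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// The identity XCALLY's matching rule implies: the XCALLY username joined with
// the configured domain is the AD user principal name (UPN) that is
// authenticated, and an escaped sAMAccountName filter (assumed here) would be
// used to look the user up under the base DN.
function buildLookup(xcallyUsername, cfg) {
  const safe = escapeLdapFilterValue(xcallyUsername);
  return {
    upn: `${xcallyUsername}@${cfg.XC_ACTIVEDIRECTORY_DOMAIN}`,
    filter: `(&(objectClass=user)(sAMAccountName=${safe}))`,
    searchBase: cfg.XC_ACTIVEDIRECTORY_BASE_DN,
  };
}

// Flag a URL whose scheme leaves the bind password unprotected on the wire.
// Returns null when the transport is encrypted, otherwise a warning string.
function transportWarning(url) {
  const { protocol } = new URL(url);
  if (protocol === 'ldaps:') return null;
  if (protocol === 'ldap:') {
    return 'ldap:// sends the bind password in cleartext unless StartTLS is negotiated; prefer ldaps://';
  }
  return `unsupported scheme ${protocol}`;
}

const demoLookup = buildLookup('john.doe', settings);
console.log(demoLookup);
console.log('base DN derived from domain:', baseDnFromDomain(settings.XC_ACTIVEDIRECTORY_DOMAIN));
console.log('hostile username escaped:', escapeLdapFilterValue('*)(sAMAccountName=*'));
console.log('transport:', transportWarning(settings.XC_ACTIVEDIRECTORY_URL));
```

The escaping step is the part to carry over to any custom integration: everything that reaches the filter from the login form goes through escapeLdapFilterValue, and the user-facing username never reaches a DN or filter unescaped.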
With SAML enabled, Users and Agents instead log in to XCALLY using identity provider credentials.
Login for XCALLY users
On the Login page, the button Login with SAML is available.
Clicking on Login with SAML, XCALLY Users will be redirected to the identity provider portal.
After entering the provider credentials on the provider portal, the XCALLY Interface will open as usual.
If so configured, from the second login on, each time Users click on Login with SAML they will access XCALLY directly, without entering credentials again.