
LDAPS SSO with Active Directory

This guide explains the settings you'll need to enter into the LDAP tab of the LDAP/SAML Maintenance program to enable LDAPS SSO with Active Directory. 

This guide is for LDAPS (which is encrypted in transit using SSL/TLS encryption). See LDAP SSO with Active Directory if you wish to use LDAP without encryption. 

These steps have been tested on Windows Server 2019 with the Active Directory Domain Services role installed and configured. For guidance on configuring an Active Directory server for LDAPS with a self-signed certificate, refer to: Enable LDAPS for Active Directory.

TASS Cloud Customers

Please contact the TASS Technical Services team before enabling this. 

LDAP Settings

LDAP Root

Specify the Organisational Unit (OU) that contains the users who will be logging into the TASS product or portal being configured. You must provide the full Distinguished Name (DN) of this OU, as shown in its distinguishedName attribute. Note that users can be in child OUs. 

To find this:

  1. Open Active Directory Users and Groups

  2. In the View menu, click on Advanced Features if it is not currently enabled. 

  3. Right-click on your OU, then click Properties. 

  4. In the Attribute Editor tab, locate the distinguishedName attribute and copy the value.

  5. Paste this into the LDAP Root field.

LDAP Server

Enter the fully-qualified domain name (FQDN) of your AD Domain Controller. If you are using a self-signed certificate, this FQDN must match the name specified in the certificate for the server in question. 

To find this:

  1. Open Active Directory Users and Groups

  2. In the View menu, click on Advanced Features if it is not currently enabled. 

  3. Locate the computer object for the relevant Domain Controller.

  4. Right-click on the computer object, then click Properties. 

  5. In the Attribute Editor tab, locate the dNSHostName attribute and copy the value.

  6. Paste this into the LDAP Server field.

LDAP Filter

The attribute of the user object that contains the username that will be used to log in. 

Common options are:

  • sAMAccountName (username)

  • mail (email address)
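The following is an added example (not TASS code) that models the lookup these three settings drive: a search rooted at LDAP Root, matching the LDAP Filter attribute against the typed login name, and accepting users in child OUs. The filter shape `(&(objectClass=user)(attr=login))`, the sample OU and domain names, and the use of the third-party ldap3 package in `find_user` are assumptions; the escaping and DN handling follow RFC 4515 and RFC 4514.

```python
# Added example: models the user lookup performed with the LDAP Root and
# LDAP Filter settings. All sample values are constructed, not from a real directory.
import ssl

LDAP_ROOT = "OU=Staff,DC=example,DC=local"   # constructed: the OU's distinguishedName
LDAP_FILTER_ATTR = "sAMAccountName"          # or "mail"

# RFC 4515 escapes for characters that would otherwise change the filter's meaning
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name before embedding it in a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str, attr: str = LDAP_FILTER_ATTR) -> str:
    """Filter matching the user object whose <attr> equals the typed login name."""
    return f"(&(objectClass=user)({attr}={escape_filter_value(login)}))"


def split_dn(dn: str) -> list:
    """Split a DN into RDNs on unescaped commas (backslash escape pairs kept intact)."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _normalise_rdn(rdn: str) -> str:
    """Case-insensitive, whitespace-insensitive form of one RDN."""
    attr, _, value = rdn.strip().partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_under_root(user_dn: str, root_dn: str) -> bool:
    """True if user_dn lies in root_dn or any child OU beneath it (subtree scope)."""
    user = [_normalise_rdn(r) for r in split_dn(user_dn)]
    root = [_normalise_rdn(r) for r in split_dn(root_dn)]
    return len(user) > len(root) and user[-len(root):] == root


def find_user(server_fqdn, admin_user, admin_password, login,
              root=LDAP_ROOT, attr=LDAP_FILTER_ATTR, ca_file=None):
    """Bind over LDAPS (port 636) with the read-only service account and run the
    subtree search. Assumes the third-party ldap3 package is installed; it is
    imported lazily so the pure helpers above work without it. admin_user is
    the bind name (for example the account's userPrincipalName)."""
    from ldap3 import SUBTREE, Connection, Server, Tls
    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(server_fqdn, port=636, use_ssl=True, tls=tls)
    conn = Connection(server, user=admin_user, password=admin_password, auto_bind=True)
    conn.search(root, build_user_filter(login, attr), search_scope=SUBTREE,
                attributes=["distinguishedName"])
    return [entry.entry_dn for entry in conn.entries]
```

`is_under_root` is the check that makes "users can be in child OUs" concrete: a user in `OU=Teachers,OU=Staff,...` is found, a user in `OU=Students,...` is not. `escape_filter_value` is the part worth keeping in mind when the login name comes from a form field, since an unescaped `*` or `)` would change the filter rather than match a literal username.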

LDAP Port

The default LDAPS port is 636.

Admin Username

Create a user account for TASS to use to read the directory. This is used to check that the user exists. Members of the Domain Users group have the appropriate permissions by default. Enter the username into this field. 

Contrary to the name of this field, this account does not need and should not have any administrative privileges. 

Admin Password

Enter the password for the user account created above. 

LDAP Secure

Select CFSSL_BASIC.

Username (testing purposes only)

Leave blank.

Client Certificate

Leave blank (LDAPS for Active Directory is authenticated using a server certificate).

Client Certificate Password

Leave blank.

Server Certificate Upload

This is only required if the server certificate has not been issued by a well-known/reputable Certificate Authority, for example a self-signed certificate. The Enable LDAPS for Active Directory article explains how to obtain a self-signed certificate for your Active Directory server. 

  1. In the LDAP/SAML Maintenance program, click on Key Store.

  2. Enter the password. Contact TASS Customer Care if you don't know what this is. 

  3. On the Add Certificate tab:

    1. In the Alias field, enter a name to identify your server certificate. 

    2. Click Choose File, and select your certificate file. This should be an X.509 certificate, using DER or Base64 encoding. 

    3. Click Upload.

  4. Restart the ColdFusion Application Server service on your TASS web server. Note this will cause a brief TASS outage. 
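As an added example (not TASS code), the script below checks the LDAPS endpoint before the settings are saved: it opens a TLS session to the LDAP Server FQDN on port 636, verifies the chain against the certificate file you intend to upload to the Key Store (or the system CA store when the certificate comes from a well-known CA), and reports whether the certificate is self-signed and whether its names include the FQDN. The sample hostname, file name and the `SAMPLE_SELF_SIGNED` dictionary are constructed; the `check_ldaps` helper name is an assumption.

```python
# Added example: verifies the LDAPS endpoint the LDAP Server setting points at.
import socket
import ssl
from pathlib import Path

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert()
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "dc01.example.local"),),),
    "issuer": ((("commonName", "dc01.example.local"),),),
    "subjectAltName": (("DNS", "dc01.example.local"), ("DNS", "example.local")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def to_pem(data: bytes) -> str:
    """Accept the certificate file in either encoding the Key Store takes
    (DER or Base64/PEM) and return PEM text for the TLS context."""
    if data.lstrip().startswith(b"-----BEGIN"):
        return data.decode("ascii")
    return ssl.DER_cert_to_PEM_cert(data)


def san_dns_names(cert: dict) -> list:
    """DNS names from the subjectAltName of a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_names(cert: dict) -> list:
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def is_self_signed(cert: dict) -> bool:
    """Subject equal to issuer: this is the case that needs a Key Store upload."""
    return cert.get("subject") is not None and cert.get("subject") == cert.get("issuer")


def name_matches(cert: dict, fqdn: str) -> bool:
    """The FQDN entered as LDAP Server must be one of the certificate's names."""
    names = {n.lower() for n in san_dns_names(cert) + subject_common_names(cert)}
    return fqdn.lower() in names


def check_ldaps(fqdn: str, port: int = 636, cert_file: str = None, timeout: float = 5.0) -> dict:
    """Open a verified TLS session to the Domain Controller on the LDAPS port.
    cert_file: the certificate to trust (self-signed case); None means the
    system CA store is used (certificate issued by a well-known CA)."""
    if cert_file:
        ctx = ssl.create_default_context(cadata=to_pem(Path(cert_file).read_bytes()))
    else:
        ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((fqdn, port), timeout=timeout) as raw:
        # The handshake raises here if the chain or the hostname does not verify
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    return {
        "tls_version": version,
        "self_signed": is_self_signed(cert),
        "name_matches": name_matches(cert, fqdn),
        "not_after": cert.get("notAfter"),
    }


if __name__ == "__main__":
    # Placeholder values: replace with your LDAP Server FQDN and certificate file
    print(check_ldaps("dc01.example.local", cert_file="dc01.cer"))
```

If the handshake raises a certificate verification error, the certificate file is not the one the Domain Controller presents or the FQDN is not in its names, which is the mismatch the LDAP Server section warns about for self-signed certificates; fix that before uploading and restarting the ColdFusion service.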
