Auth options for connecting Enonic cloud to company Active Directory

I’m working on an XP site hosted on Enonic Cloud that I would like to connect to a company Active Directory for user authentication (and possibly authorisation). The company IT dept are naturally hesitant to expose the LDAP externally, so I’m looking into my options.

Does anyone have experience with a similar issue running XP on an external cloud? One option is to set up a VPN tunnel from the Enonic instance to the company network, and use the LDAP plugin from Enonic market, I guess. Another option is perhaps a connection through some ADFS setup, which I understand might be less problematic to expose externally from the company network?

Also, would a typical setup be that there is a semi-constant sync of users from AD to local Enonic XP users, creating new ones as soon as they are added to AD? I’d also prefer to enrich the XP user profiles with roles and other metadata once they are set up, and that syncing users doesn’t overwrite these settings.

I must admit I have very limited experience with AD and login options from external sites. If anyone has experience with this and is willing to point me in the right direction, I’d be very grateful!

Many questions here…

Connecting XP to a remote LDAP would be far simpler than setting up a federated AD imho. Just for a starter this would require hosting an additional Windows instance as opposed to a simple tunnel. Alternatively you could do LDAP over SSL too I guess. At Enonic we have successfully used tunneling to secure a remote LDAP/AD server.

In practice, the standard XP LDAP connector only “syncs”, or rather “caches”, users when they log in/visit. If you want custom behaviour during the login you could potentially clone the LDAP idprovider. If you want to store more data on a user this can be done using profile objects. Alternatively just use the setting to add all users to a specific group (I believe this is available on the LDAP app). As you see, XP does nothing special itself when users log in; everything is controlled by the IDprovider app.

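As an added example that is not part of this thread or of Enonic's LDAP app, here is what the "create/cache on login" behaviour described above could look like when written so that locally added roles and profile metadata survive later logins. It is plain Node.js with an in-memory Map standing in for the XP user store; every name in it (syncOnLogin, GROUP_TO_ROLE, the sample directory entry) is hypothetical.

```javascript
// Added example, not code from the thread or from Enonic's LDAP app: a
// login-time sync where a user is only created when they first log in, and
// where later logins refresh directory-owned fields without touching local
// enrichment. All names are hypothetical; a Map stands in for the user store.

// Attributes the directory owns and may overwrite on every login. Every other
// profile field is treated as local enrichment and is never touched here.
const DIRECTORY_OWNED = ['displayName', 'email'];

// Allow-list mapping directory groups to local roles. A group that is not
// listed grants nothing, so a new AD group cannot mint a role by accident.
const GROUP_TO_ROLE = {
  'CN=Editors,OU=Groups,DC=example,DC=com': 'role:cms.editor',
};
const DIRECTORY_ROLES = new Set(Object.values(GROUP_TO_ROLE));

function createUserStore() {
  const users = new Map(); // username -> { displayName, email, profile, roles }
  return { get: (name) => users.get(name), put: (name, u) => users.set(name, u) };
}

// Runs after the directory has accepted the credentials. `ldapEntry` is the
// attribute set returned for the authenticated user (see SAMPLE_ENTRY).
function syncOnLogin(store, username, ldapEntry) {
  const existing = store.get(username);
  // First login: create the local user, i.e. the "cache on visit" behaviour.
  const user = existing || { displayName: '', email: '', profile: {}, roles: new Set() };
  // Directory-owned attributes are refreshed; profile{} is left as it is.
  for (const attr of DIRECTORY_OWNED) {
    if (typeof ldapEntry[attr] === 'string') user[attr] = ldapEntry[attr];
  }
  // Roles derived from directory groups are recomputed from scratch so that a
  // user removed from a group loses the role; roles granted locally are not in
  // DIRECTORY_ROLES and therefore survive.
  for (const role of DIRECTORY_ROLES) user.roles.delete(role);
  for (const group of ldapEntry.memberOf || []) {
    const role = GROUP_TO_ROLE[group];
    if (role) user.roles.add(role);
  }
  store.put(username, user);
  return { created: !existing, user };
}

// Constructed sample entry, not data from a real directory.
const SAMPLE_ENTRY = {
  displayName: 'Ada Example',
  email: 'ada@example.com',
  memberOf: ['CN=Editors,OU=Groups,DC=example,DC=com', 'CN=Unmapped,OU=Groups,DC=example,DC=com'],
};
```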