Skip to main content

3.27 – Active Directory, Azure AD, LDAP, RADIUS integration

You can authenticate your users against Active Directory, LDAP or RADIUS server. Please configure your users.json as followings:

Active Directory or LDAP

{
  "source": {
    "type": "AD",
    "properties": {
      "server": "192.168.12.128:389", //can also be specified without the port
      "domain": "mydomain.com",
      "groups": "sales, support",
      "transferCredential": false
    }
  }
}

You can let gateway fetch servers from the AD. The following example will fetch all the servers from the "otherLoginWorkstations" attribute:

{
  "source": {
    "type": "AD",
    "properties": {
      "server": "192.168.12.128:389",
      "domain": "mydomain.com",
      "groups": "sales, support",
      "transferCredential": false,
      "serversAttr": "otherLoginWorkstations"
    }
  }
}

Gateway can also change AD user password if:

  1. AD has SSL enabled.
  2. Export the AD certificate (Public key only) in Base-64 encoded X.509 file format.
  3. Import the AD certificate to Java keystore with following commands:
    cd JRE\bin (use JDK\bin instead if JRE is not found, for example, OpenJDK11).
    keytool -importcert -alias "anyName" -keystore \lib\security\cacerts -storepass changeit -file "C:\Users\username\Desktop\exported.cer"
    
    Please check https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-stepguide-to-setup-ldaps-on-windows-server/Microsoft Tech Community Blog for more details.details on how to setup LDAPS on Windows.
  4. users.json:
    {
      "source": {
        "type": "AD",
        "properties": {
          "server": "192.168.12.128:389",
          "secProtocol": "tls",
          "domain": "mydomain.com",
          "groups": "sales, support",
          "transferCredential": false,
          "serversAttr": "otherLoginWorkstations"
        }
      }
    }
    
    "tls" or "ssl" can be used for the security protocol (secProtocol).

RADIUS

{
  "source": {
    "type": "RADIUS",
    "properties": {
      "server": "192.168.12.128",
      "port": "1812",
      "accountingPort": "1813",
      "sharedSecret": "test123"
    }
  }
}

The sharedSecret can be gateway wide, can also be passed from the client side. Please check the source code of login.html for more information.

You also need to configure the servers in servers.json.

Azure AD

The Azure AD connection is essentially an OAuth2 connection. You can find more information about OAuth2 here.

To connect Azure AD, you need to create a JSON file (e.g. providers.json) with the following content, or extend an existing OAuth2 JSON file:

{
  "providers" : [
    {
      "name" : "Live",
      "client_id" : "40e0b9e5-a534-4bbe-98d2-f3ff0139b67f",
      "client_secret" : "UVH8Q~_e3MxQknUYzbo.bSy_lYafDBO_-R8pTWaCt",
      "request_uri" : "https://login.microsoftonline.com/common/oauth2/v2.0/authorize",
      "redirect_uri" : "https://www.mygateway.com/oauth2callback",
      "access_token_uri": "https://login.microsoftonline.com/common/oauth2/v2.0/token",
      "scope": "openid profile email"
    }
  ]
}

Please replace https://www.mygateway.com with the address of your SparkView server.

In the gateway.conf file, this file must then be linked (if not already done with an existing file):

oauth2 = C:\\data\\oauth\\providers.json

Please note that the endpoint name "common" in the URL may be different for you. You can find more information about this here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols#endpoints