Directory Server Integration

Purpose

Jamcracker Services Delivery Network (JSDN) supports integration with most directory servers for authentication and authorization against organization-wide identity data. This document explains how directory servers can be integrated with JSDN.

What are Directory Servers?

A Directory Server is a repository for storing and managing information such as user profiles, organizations, user credentials (passwords and PINs), access privileges, application resource information and network resource information. It is essentially used for identity management: user, organization and other relevant information is stored in the Directory Server, and the same information is used to authenticate and authorize users so that access to services and applications is secured.

Protocols

Because many different kinds of applications access the directory, a network-based means of communication between the applications and the directory is required. The widely used protocols through which applications communicate with the directory are the following:

  • Lightweight Directory Access Protocol (LDAP)
  • Directory Services Markup Language (DSML)

Lightweight Directory Access Protocol

LDAP is an application protocol that client applications and servers use to communicate with one another. It is an open directory access protocol that runs over TCP/IP and uses simplified encoding methods.

Directory Services Markup Language

Directory Services Markup Language (DSML) is a proposed set of rules for using Extensible Markup Language (XML) to define the data content and structure of a directory and to maintain it across distributed directories. The Directory Server uses HTTP and SOAP version 1.1 to transport the DSML content.

DSML also works together with LDAP directories, allowing LDAP directory information to be transmitted to other applications over the Internet.

Directory Server Support in JSDN

Both Active Directory and Red Hat Directory Server are officially certified for integration with JSDN. In addition, JSDN can be integrated with any other Directory Server that supports DSML version 2. JSDN uses Directory Servers for identity and access management and for synchronizing organizations, users and roles, so that service administration can be done seamlessly.

  • Directory Server Integration at the Store Level: JSDN supports Directory Server integration at the store level and synchronizes organizations, users and roles so that service administration can be done seamlessly.
  • Directory Server Integration at the Enterprise Level: JSDN supports Directory Server integration at the Enterprise (organization) level and enables the authentication/authorization and management of users and roles.
  • Directory Server Integration for Dealers: JSDN supports Directory Server integration at the marketplace level so that dealer information can be synchronized.

How are Directory Servers integrated with JSDN?

The Directory Server integration can be done at various levels using the JSDN user interface. A DSI service must first be configured in the pivotpath with the attributes that are to be mapped to the Directory Server; refer to the DSI Service Configuration section for details. Once the service has been configured by the marketplace administrator, the respective administrators can configure the directory server.

Directory Server Integration at the Store level

As a store administrator, you can use the Identity Management feature in the marketplace to set up an appropriate directory server for access management and data synchronization.

  1. Log in to the marketplace using your administrator credentials.
  2. Navigate to the Store > Setup tab. You will see the marketplace configuration wizard. The customization options are listed in the left pane of the setup window.
  3. Select the Identity Management option from the options listed in the left pane. The Identity Management page is displayed. You are prompted to choose whether you want to configure identity management at the store level; select Yes next to the Configure Identity Management option. The Identity Management page is then displayed with the Identity Server tab opened first. Its fields are described below.
    Field: Description
    Directory Server: Select the Directory Server you want to configure for identity management.
    Server Access Type: Select the server access type. If the Directory Server resides outside the organization's firewall and can be accessed directly via LDAP, select Direct Access. If you select the other directory server option, enter the directory server name in the text box. If you are using an agent, select Agent Access; otherwise select Direct Access.
    Tip: If the Directory Server is behind a firewall inside the organization, select Agent Connect.
    Access Protocol: If the server access type is Direct Access, select the access protocol, LDAP or DSML.
    User Name: Type the user name used to log in to the directory server (<< Log-in Name >>). Applicable for Direct Access - LDAP.
    Password: Type the password used to log in to the directory server. Applicable for Direct Access - LDAP.
    URL: Type the IP address of the server on which the Active Directory resides. Applicable for Direct Access - LDAP.
    Port: Type the port number of the server on which the Active Directory resides.
    End Point URL: Type the end point URL that DSML connects to. Applicable for Direct Access - DSML.
    Agent Name: If you selected Agent Connect as the server access type, type the agent name.
    Enable SSL Certificate: If you want a secure connection, enable the SSL certificate option.
    Upload SSL Certificate: If you enabled the SSL certificate option, click Browse to upload the SSL certificate.
    Base Domain: Enter the base domain (<< Base DN >>), for example OU=adsyncep,DC=PNAD,DC=COM.

    (Finding the Distinguished Name field:
    • In Active Directory, right-click the store that was created and select Properties.
    • Click the Attribute Editor tab and look for distinguishedName.
    • Double-click the distinguishedName field; a pop-up is displayed.
    • Copy the distinguishedName value and use it wherever a Base Domain is required.)

    Deleted Object Domain: Deleted objects are stored in a separate domain. Select the deleted object domain.
    Use Delete Control: If you select Yes, any object deleted from Active Directory is synced to JSDN.
    Identity Start Value: Select the Identity Start Value: Field Name, Field Value and Data Type. For Active Directory, type uSNChanged as the field name, enter the uSNChanged value from AD as the field value, and select the data type Numeric. For other directory servers, type modifyTimestamp as the field name, enter the modifyTimestamp value from the directory server as the field value, and select the data type Date.

    (Finding the uSNChanged field:
    • In Active Directory, right-click the store that was created and select Properties.
    • Click the Attribute Editor tab and look for uSNChanged.
    • Double-click the uSNChanged field; a pop-up is displayed.
    • Copy the uSNChanged value as required.)
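The Identity Start Value is the high-water mark of an incremental sync. The following Python is an added example, not JSDN code (the entries, DNs and attribute values are constructed), showing why the two attributes need different data types and how a sync cursor advances: uSNChanged is an integer that a domain controller increments on every change (the counter is local to that controller, so an incremental sync should always read from the same one), while modifyTimestamp is an LDAP GeneralizedTime with one-second resolution, so several entries can share the watermark value and a ">=" filter plus a set of already-processed DNs is needed to neither skip nor repeat them.

```python
"""Incremental sync watermark ("Identity Start Value"): added example, not JSDN code.
Active Directory exposes uSNChanged (numeric, increases with every change on one
domain controller); other servers expose modifyTimestamp (GeneralizedTime).
The entries below are constructed."""
from datetime import datetime, timezone

GENERALIZED_TIME = "%Y%m%d%H%M%SZ"          # LDAP GeneralizedTime, e.g. 20240301120000Z


def parse_value(data_type: str, raw: str):
    """Convert the directory's string representation into a comparable Python value."""
    if data_type == "numeric":
        return int(raw)
    if data_type == "date":
        return datetime.strptime(raw, GENERALIZED_TIME).replace(tzinfo=timezone.utc)
    raise ValueError(f"unsupported data type {data_type!r}")


class SyncCursor:
    """High-water mark over one attribute, as the Identity Start Value fields configure it."""

    def __init__(self, field_name: str, data_type: str, start_value: str):
        self.field_name, self.data_type = field_name, data_type
        self.value = parse_value(data_type, start_value)
        self.seen_at_mark = set()           # DNs already processed at exactly `value`

    def search_filter(self) -> str:
        """Clause to AND into the create/update criteria on the next run. '>=' is required:
        timestamps have one-second resolution, so several changes can carry the watermark
        value; seen_at_mark then deduplicates the ones already processed."""
        raw = self.value if self.data_type == "numeric" else self.value.strftime(GENERALIZED_TIME)
        return f"({self.field_name}>={raw})"

    def changed_since(self, entries: list) -> list:
        """Return the entries not yet processed, oldest first, and advance the mark."""
        out = []
        ordered = sorted(entries, key=lambda e: parse_value(self.data_type, e[self.field_name]))
        for entry in ordered:
            v = parse_value(self.data_type, entry[self.field_name])
            if v < self.value or (v == self.value and entry["dn"] in self.seen_at_mark):
                continue
            out.append(entry)
            if v > self.value:                  # new high-water mark: reset the tie-breaker set
                self.value, self.seen_at_mark = v, set()
            self.seen_at_mark.add(entry["dn"])
        return out


# Constructed sample entries
AD_ENTRIES = [
    {"dn": "CN=alice,OU=adsyncep,DC=PNAD,DC=COM", "uSNChanged": "1205"},
    {"dn": "CN=bob,OU=adsyncep,DC=PNAD,DC=COM", "uSNChanged": "1337"},
]
LDAP_ENTRIES = [
    {"dn": "uid=dave,ou=People,dc=jc,dc=com", "modifyTimestamp": "20240301120000Z"},
    {"dn": "uid=erin,ou=People,dc=jc,dc=com", "modifyTimestamp": "20240301120000Z"},
]

if __name__ == "__main__":
    ad = SyncCursor("uSNChanged", "numeric", "1300")
    print([e["dn"] for e in ad.changed_since(AD_ENTRIES)], ad.search_filter())     # bob only
    other = SyncCursor("modifyTimestamp", "date", "20240301120000Z")
    other.changed_since(LDAP_ENTRIES[:1])                                           # first run: dave
    print([e["dn"] for e in other.changed_since(LDAP_ENTRIES)], other.search_filter())  # erin only
```

After each run the cursor's value and seen set are what you would persist as the next Identity Start Value; the second date-based run shows that an entry sharing the watermark timestamp is neither re-synced (dave) nor missed (erin).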

After completing the details, test the connection, then click Save and Next. The Identity Mapping page is displayed.

The JSDN fields that are to be mapped to Directory Server fields are listed under Organizational Mapping and User Mapping. Select the object class from the Select Object Class list. Based on the object class selected, the organizational, user and role mapping fields are displayed. Select the directory server field corresponding to each platform field.

The directory server fields and the corresponding platform fields should be mapped appropriately. The User Role Mapping fields are optional. Some of the common attributes used for mapping are the following:

Organizational Mapping

  • Select Object Class : organizationalUnit
  • Organization Alias : OU
  • Organization Name : OU
  • Address: Line 1 = street
  • Address: Country = co
  • Address: State = st
  • Address: City = l
  • Address: Zip = postalCode
    Note: In the DSIService organization fields, make Address: Line 1, Address: Country, Address: State, Address: City and Address: Zip mandatory.
    Note: The Organizational Unit name must match the JSDN store acronym. For example, in OU=adsyncep,DC=PNAD,DC=COM, "adsyncep" must be the same as the JSDN store acronym.
    Note: User Role Mapping is optional when syncing with your AD server. However, if you want user roles mapped to your AD server, the user role name must be alphanumeric; otherwise the system will not sync users.
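The three notes above are conditions that can be checked before a sync is started. The following Python is an added example, not JSDN code: the organization and user entries and the store acronym are constructed, and it assumes the attribute names mapped above (ou, street, co, st, l, postalCode, telephoneNumber, mail, givenName, sn, cn, memberOf) and that a role name is the CN of the group named in memberOf.

```python
"""Pre-sync checks for the mapping rules in this section: added example, not JSDN
code. The organization and user entries are constructed. The checks cover the
notes above: the Base DN's OU must equal the store acronym, the address attributes
are mandatory, duplicate e-mail IDs are rejected, and a role name that is not
alphanumeric prevents its users from syncing."""
import re

# JSDN field -> directory attribute, as mapped in this section
ORG_ATTRS = {"Organization Alias": "ou", "Organization Name": "ou", "Address: Line 1": "street",
             "Address: Country": "co", "Address: State": "st", "Address: City": "l",
             "Address: Zip": "postalCode"}
USER_ATTRS = {"Contact Phone": "telephoneNumber", "Contact Email": "mail", "First Name": "givenName",
              "Last Name": "sn", "User Name": "cn", "roleName": "memberOf"}


def rdns(dn: str) -> list:
    """(type, value) pairs of a DN; the sample DNs contain no escaped commas."""
    return [tuple(p.strip() for p in rdn.split("=", 1)) for rdn in dn.split(",")]


def check_base_dn(base_dn: str, store_acronym: str) -> list:
    """The first OU in the Base DN must be the JSDN store acronym."""
    ous = [v for t, v in rdns(base_dn) if t.lower() == "ou"]
    if not ous:
        return [f"Base DN {base_dn!r} has no OU component"]
    if ous[0] != store_acronym:
        return [f"OU {ous[0]!r} does not match the store acronym {store_acronym!r}"]
    return []


def check_orgs(orgs: list) -> list:
    """Every mapped organization attribute (all of them mandatory) must be present."""
    issues = []
    for org in orgs:
        missing = [f for f, a in ORG_ATTRS.items() if not org.get(a)]
        if missing:
            issues.append(f"{org['dn']}: missing mandatory {', '.join(missing)}")
    return issues


def check_users(users: list) -> list:
    """Mapped user attributes present, e-mail unique (case-insensitive), role names alphanumeric."""
    issues, seen_mail = [], {}
    for user in users:
        missing = [f for f, a in USER_ATTRS.items() if f != "roleName" and not user.get(a)]
        if missing:
            issues.append(f"{user['dn']}: missing {', '.join(missing)}")
        mail = (user.get("mail") or "").lower()
        if mail in seen_mail:
            issues.append(f"{user['dn']}: duplicate e-mail {mail} (also on {seen_mail[mail]})")
        elif mail:
            seen_mail[mail] = user["dn"]
        for group in user.get("memberOf", []):
            role = rdns(group)[0][1]            # the group's CN is taken as the role name
            if not re.fullmatch(r"[A-Za-z0-9]+", role):
                issues.append(f"{user['dn']}: role {role!r} is not alphanumeric, its users will not sync")
    return issues


def run_checks(base_dn: str, store_acronym: str, orgs: list, users: list) -> list:
    return check_base_dn(base_dn, store_acronym) + check_orgs(orgs) + check_users(users)


# Constructed sample data
BASE_DN = "OU=adsyncep,DC=PNAD,DC=COM"
ORGS = [
    {"dn": "OU=adsyncep,DC=PNAD,DC=COM", "ou": "adsyncep", "street": "1 Main St", "co": "US",
     "st": "CA", "l": "San Jose", "postalCode": "95110"},
    {"dn": "OU=sales,OU=adsyncep,DC=PNAD,DC=COM", "ou": "sales", "street": "1 Main St", "co": "US",
     "st": "CA", "l": "San Jose"},                                         # postalCode missing
]
USERS = [
    {"dn": "CN=alice,OU=adsyncep,DC=PNAD,DC=COM", "cn": "alice", "givenName": "Alice", "sn": "Smith",
     "telephoneNumber": "+1 408 555 0100", "mail": "Alice@example.com",
     "memberOf": ["CN=StoreAdmins,OU=adsyncep,DC=PNAD,DC=COM"]},
    {"dn": "CN=bob,OU=adsyncep,DC=PNAD,DC=COM", "cn": "bob", "givenName": "Bob", "sn": "Jones",
     "telephoneNumber": "+1 408 555 0101", "mail": "alice@example.com",    # duplicate of Alice's
     "memberOf": ["CN=Sales Team,OU=adsyncep,DC=PNAD,DC=COM"]},            # space in role name
]

if __name__ == "__main__":
    for issue in run_checks(BASE_DN, "adsyncep", ORGS, USERS):
        print(issue)
```

Run against the sample data it reports the missing zip code on the sales OU, Bob's duplicate e-mail and the non-alphanumeric "Sales Team" role, which are exactly the records the sync would reject or silently skip.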

Active Directory

  • Organizational Search Criteria : (ObjectClass=organizationalUnit)
  • Organizational Delete Criteria : (&(objectClass=organizationalUnit)(isDeleted=TRUE))

Other Directory Servers

  • Organizational Search Criteria : (&(objectClass=organizationalUnit)(!(ou:dn:=Deleted Objects)))
  • Organizational Delete Criteria : (&(objectClass=organizationalUnit)(ou:dn:=Deleted Org))

User Mapping

  • Select Object Class : User
  • Contact Phone = telephoneNumber
  • Contact Email = mail (Note: duplicate e-mail IDs are not allowed in JSDN.)
  • First Name = givenName
  • Last Name = sn
  • User Name = cn
  • roleName = memberOf
  • User Create & Update Criteria = (objectClass=user)
  • Customer Admin Search Criteria = (objectClass=user)
  • User Delete Criteria = (&(objectClass=user)(isDeleted=TRUE))

Other Directory Servers (Red Hat / Oracle):

  • User Create & Update Criteria = (&(objectClass=inetOrgPerson)(!(employeeType=true))(!(ou:dn:=Deleted Objects)))
  • Customer Admin Search Criteria = (&(objectClass=inetOrgPerson)(businessCategory=cn=Administrators,ou=kpnstep,dc=jc,dc=com)(!(employeeType=true))(!(ou:dn:=Deleted Objects)))
  • User Suspend Criteria = (&(objectClass=inetOrgPerson)(employeeType=true)(!(ou:dn:=Deleted Objects)))
  • User Delete Criteria = (&(objectClass=inetOrgPerson)(ou:dn:=Deleted Users))

Active Directory:

  • User Create & Update Criteria = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
  • Customer Admin Search Criteria = (&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=Administrators,CN=Builtin,DC=KPNAD,DC=COM))
    Note: Attributes that do not apply to Enterprise integration are highlighted on the Identity Mapping page.
  • User Suspend Criteria = (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
  • User Delete Criteria = (&(objectClass=user)(isDeleted=TRUE))
  • Click the plus sign to add further fields to be mapped.
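The criteria above are LDAP search filters, and two of their constructs are easy to misread: the Active Directory form userAccountControl:1.2.840.113556.1.4.803:=2 is a bitwise-AND extensible match (the OID is LDAP_MATCHING_RULE_BIT_AND, and bit 2 is ACCOUNTDISABLE), so the suspend criterion selects disabled accounts and the create/update criterion excludes them; and ou:dn:=Deleted Objects matches any entry whose DN contains that OU, which is how the other-server criteria keep moved-away entries out of the active set. The following Python is an added example, not JSDN code: it is a small evaluator for exactly this filter subset, run over constructed directory entries (the names, values and the 512/514 userAccountControl values are sample data; 512 is NORMAL_ACCOUNT, 514 is NORMAL_ACCOUNT with ACCOUNTDISABLE set). It also models the Use Delete Control option, since Active Directory returns tombstoned (isDeleted=TRUE) objects only when the client sends the Show Deleted control, which is why the delete criterion finds nothing without it.

```python
"""Evaluator for the LDAP search-filter subset used by the criteria above (added
example, not JSDN code; the entries are constructed). Supports (&...), (!...),
(attr=value), the Active Directory bitwise-AND extensible match
(attr:1.2.840.113556.1.4.803:=n) and the DN-qualified match (attr:dn:=value)."""

BIT_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND; bit 2 = ACCOUNTDISABLE

def parse_filter(text: str):
    """Parse a filter into ('&'|'!', [children]) or ('=', attr, value) tuples."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&!":
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")" or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' filter at offset {pos}")
            pos += 1
            return (op, kids)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)   # first '=' only: DN-valued terms contain '='
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def _values(entry: dict, attr: str) -> list:
    """Lower-cased values of an attribute, looked up case-insensitively as LDAP does."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return [str(v).lower() for v in (val if isinstance(val, list) else [val])]
    return []

def _rdns(dn: str) -> list:
    """Lower-cased (type, value) pairs of a DN; the sample DNs contain no escaped commas."""
    return [tuple(p.strip().lower() for p in rdn.split("=", 1)) for rdn in dn.split(",")]

def matches(tree, entry: dict) -> bool:
    op = tree[0]
    if op == "&":
        return all(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    if ":" not in attr:                                    # plain equality
        return value.lower() in _values(entry, attr)
    base, rule = attr.rstrip(":").split(":", 1)
    if rule == "dn":                                       # attribute values OR any RDN of the DN
        return value.lower() in _values(entry, base) or (base.lower(), value.lower()) in _rdns(entry["dn"])
    if rule == BIT_AND_OID:                                # every bit of `value` set in the attribute
        return any(int(v) & int(value) == int(value) for v in _values(entry, base))
    raise ValueError(f"unsupported matching rule {rule}")

def select(filter_text: str, entries: list, show_deleted: bool = False) -> list:
    """Sorted RDN values (CN or uid) of the matching entries. isDeleted=TRUE entries are
    tombstones, which Active Directory returns only when the client sends the Show Deleted
    control (the 'Use Delete Control' option above); show_deleted emulates that control."""
    tree = parse_filter(filter_text)
    visible = [e for e in entries if show_deleted or e.get("isDeleted") != "TRUE"]
    return sorted(_rdns(e["dn"])[0][1] for e in visible if matches(tree, e))

# Criteria exactly as listed in this section
AD_CREATE_UPDATE = "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
AD_ADMIN_SEARCH = ("(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
                   "(memberOf=CN=Administrators,CN=Builtin,DC=KPNAD,DC=COM))")
AD_SUSPEND = "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
AD_DELETE = "(&(objectClass=user)(isDeleted=TRUE))"
OTHER_CREATE_UPDATE = "(&(objectClass=inetOrgPerson)(!(employeeType=true))(!(ou:dn:=Deleted Objects)))"
OTHER_SUSPEND = "(&(objectClass=inetOrgPerson)(employeeType=true)(!(ou:dn:=Deleted Objects)))"
OTHER_DELETE = "(&(objectClass=inetOrgPerson)(ou:dn:=Deleted Users))"

# Constructed sample entries; userAccountControl 512 = NORMAL_ACCOUNT, 514 = 512 | ACCOUNTDISABLE
AD_USERS = [
    {"dn": "CN=alice,OU=adsyncep,DC=PNAD,DC=COM", "objectClass": ["user"], "userAccountControl": "512",
     "memberOf": ["CN=Administrators,CN=Builtin,DC=KPNAD,DC=COM"]},
    {"dn": "CN=bob,OU=adsyncep,DC=PNAD,DC=COM", "objectClass": ["user"], "userAccountControl": "514"},
    {"dn": "CN=carol,CN=Deleted Objects,DC=PNAD,DC=COM", "objectClass": ["user"],
     "userAccountControl": "512", "isDeleted": "TRUE"},
]
OTHER_USERS = [
    {"dn": "uid=dave,ou=People,dc=jc,dc=com", "objectClass": ["inetOrgPerson"], "employeeType": "false"},
    {"dn": "uid=erin,ou=People,dc=jc,dc=com", "objectClass": ["inetOrgPerson"], "employeeType": "true"},
    {"dn": "uid=frank,ou=Deleted Objects,dc=jc,dc=com", "objectClass": ["inetOrgPerson"]},
    {"dn": "uid=grace,ou=Deleted Users,dc=jc,dc=com", "objectClass": ["inetOrgPerson"]},
]

if __name__ == "__main__":
    for name, flt, users in [("AD create/update", AD_CREATE_UPDATE, AD_USERS), ("AD suspend", AD_SUSPEND, AD_USERS),
                             ("other create/update", OTHER_CREATE_UPDATE, OTHER_USERS), ("other delete", OTHER_DELETE, OTHER_USERS)]:
        print(f"{name:20} -> {select(flt, users)}")
    print("AD delete without / with Show Deleted ->", select(AD_DELETE, AD_USERS), select(AD_DELETE, AD_USERS, True))
```

One thing the sample makes visible: the other-server create/update criterion excludes only the Deleted Objects container while the delete criterion looks in Deleted Users, so an entry moved to a container the exclusion does not name (grace) is still picked up as active. Both container names must be the ones your directory actually uses.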

Click Save and Next.

Before you click Start Sync, contact your support team so that they can set up the additional directory server configuration in the platform.

The Primary Admin tab is displayed. The administrator details as given at the time of store creation are displayed.

The organization name and details provided here should match those in the Active Directory, which means that the user has to be created first in Active Directory and the primary admin then has to be created in the marketplace using the same credentials. The fields displayed on the Primary Admin tab are the following:

Field: Description
First Name: Displays the first name.
Last Name: Displays the last name.
Company Name: Displays the name of the company.
E-mail Address: Specifies the e-mail address of the store.
Confirm E-mail Address: Confirm the e-mail address.
Phone Number: Displays the phone number.

Now, you can start synchronizing the data. Click Start Sync.

The Directory Sync Status tab is displayed with the details of each synchronization: Sync ID, Sync Start Time, Sync End Time, Sync Type and Status.

You can view further details for each synchronization listed.

Click the View Sync Details icon in the Action column to view the details of each sync. If the type is User, the View Sync Details page displays the following fields:

Field: Description
Organization Name: Name of the organization.
First Name: First name of the user.
Last Name: Last name of the user.
E-mail: E-mail address of the user.
Operation: Displays the operation performed.
Status: Status of the sync.
Action: The user information can be viewed.

Click Export to CSV File to export the information as a CSV file that can be opened in Excel. The View User Information page displays the following fields:

Field: Description
Record Name: Displays the name of the record.
Organization Name: Displays the name of the organization.
First Name: Displays the first name.
Last Name: Displays the last name.
Login Name: Displays the login name.
E-mail: Displays the e-mail address.
Phone: Displays the phone number.
Role Name: Displays the role name.
Status: Displays the status of the sync.
Comments: Displays comments, if any.

If the sync type is Organization, the View Sync Details page displays the following fields:

Field: Description
Organization Name: Displays the name of the organization.
Operation: Displays the operation performed.
Status: Displays the status of the sync.
Action: The organization information can be viewed.

Click Export to CSV File to export the information as a CSV file that can be opened in Excel. Click the View Sync Details icon in the Action column to view the details of each sync. The View Organization Information page displays the following fields:

Field: Description
Record Name: Displays the name of the record.
Organization Name: Displays the name of the organization.
Organization Short Name: Displays the short name of the organization.
Status: Displays the status of the sync.
Comments: Displays comments, if any.

Authentication: Select the authentication protocol from the Authentication drop-down list, then click Save and Finish.

Directory Server Integration at the Enterprise level

  1. Log in to the marketplace using your enterprise store administrator credentials.
  2. Navigate to the Store > Setup tab. You will see the marketplace configuration wizard. The customization options are listed in the left pane of the setup window.
  3. Select the Identity Management option from the options listed in the left pane. The Identity Management page is displayed with the Identity Server tab selected by default. If you want to configure identity management at the store level, select Yes next to the Configure Identity Management option.
  4. The Identity Server tab fields are displayed. Enter the required information.
  5. After entering the required information, click Save & Next.
  6. The Enterprise Admin tab is displayed. The administrator details as given at the time of store creation are displayed.
    Field: Description
    First Name: Displays the first name.
    Last Name: Displays the last name.
    Company Name: Displays the name of the company.
    E-mail Address: Specifies the e-mail address of the store.
    Confirm E-mail Address: Confirm the e-mail address.
    Phone Number: Displays the phone number.

    The organization name and details provided here should match those in Active Directory, which means that the user has to be created first in Active Directory and the enterprise admin then has to be created in the marketplace using the same credentials.

    • Once you enter the Enterprise Admin details, click Start Sync.
    • Click Save and Next.

    The Directory Sync Status tab is displayed.

The Identity Mapping page is displayed. You can do the object class mapping on this page. The Directory Server fields that must be mapped to JSDN are listed under Organizational Mapping and User Mapping. The directory server fields and the corresponding platform fields should be mapped appropriately. The User Role Mapping fields are optional. Select the object class; based on the object class selected, the organizational, user and role mapping fields are displayed. Select the directory server field corresponding to each platform field. Refer to the Reseller section for details on how to map these fields. The sections that do not apply to Enterprise object class mapping are highlighted. After entering the mapping information, click Save & Next.

The Enterprise Admin tab is displayed. The administrator details as given at the time of store creation are displayed. At the Enterprise level, organizations are not synced, since the Directory Server deals with only one organization. The organization name and details provided here should match those in the Directory Server, which means that the user has to be created first in the Directory Server and the enterprise admin then has to be created in the marketplace using the same credentials. Click Start Sync to start the synchronization process. You can see the synchronization status on the Directory Sync Status tab.

Directory Server Integration at the Dealer Level

You can use the Identity Management page in the marketplace to set up an appropriate directory server for dealer synchronization.

To set up identity management in the marketplace for dealer synchronization, do the following:

  • Log in to the marketplace using your marketplace administrator credentials.
  • In addition to the mapping information from the reseller section, add the following mapping information for dealer synchronization:
    • Dealer Code = ou
    • Expiry Date = x121Address
    • Store Name = extensionName
  • After entering the mapping information, click Save & Next. The Dealer Admin page is displayed.
  • Once you enter the Dealer Admin details, click Start Sync. The Directory Sync Status tab is displayed.

The following table lists the Directory Sync Status tab fields available for viewing the sync status.

Field: Description
Sync ID: Displays the Sync ID.
Start Time: The start time of the sync.
End Time: The end time of the sync.
Type: Displays the type (user or dealer).
Status: Status of the sync.
Action: The sync details can be viewed.

  • You can view the sync details by clicking View Sync Details.
    Field: Description
    Record Name: Displays the name of the record.
    Dealer Name: Displays the name of the dealer.
    Dealer Code: Displays the code of the dealer.
    Store Name: Displays the store name the dealer is associated with.
    Expiry Date: Displays the expiry date.
    Address Line1: Displays the address of the dealer.
    City: Displays the city of the dealer.
    Country: Displays the country of the dealer.
    State: Displays the state of the dealer.
    Zip: Displays the zip code.
    Status: Displays the status of the sync.
    Comments: Displays comments, if any.

If the type is Dealer, the View Sync Details page displays the following fields:

Field: Description
Dealer Name: Displays the name of the dealer.
Dealer Code: Displays the code of the dealer.
Store Name: Displays the store name the dealer is associated with.
Expiry Date: Displays the expiry date.
Operation: Displays the operation performed.
Status: Displays the status of the sync.
Action: The dealer information can be viewed.

  • Click Export to CSV File to export the information as a CSV file that can be opened in Excel.
  • The View Dealer Information page displays the following fields:

Field: Description
Record Name: Displays the name of the record.
Dealer Name: Displays the name of the dealer.
Dealer Code: Displays the code of the dealer.
Store Name: Displays the store name the dealer is associated with.
Expiry Date: Displays the expiry date.
Address Line1: Displays the address of the dealer.
City: Displays the city of the dealer.
Country: Displays the country of the dealer.
State: Displays the state of the dealer.
Zip: Displays the zip code.
Status: Displays the status of the sync.
Comments: Displays comments, if any.

DSI Service Configuration For Reseller/Enterprise Store/Dealer

This section explains how to select attributes in JSDN that should be mapped with Directory Server attributes.

  1. Log in to the pivotpath as the root-level administrator (root admin), so that the DSI service you configure is available to all marketplaces.
  2. Click Services Tab > Service Management > Add Service link.

The Service Details page is displayed. Enter the information as given in the following table:

Field: Value
Service Name: Type DSIService if you are configuring the service for an enterprise or store, or DealerConfigService if you are configuring it for dealer synchronization.
Service Code: Type DSIService if you are configuring the service for an enterprise or store, or DealerConfigService if you are configuring it for dealer synchronization.
Service Description: Type DSIService if you are configuring the service for an enterprise or store, or DealerConfigService if you are configuring it for dealer synchronization.
Service Category: Select the required category from the drop-down list.
Service Source: Select Jamcracker-vendor as the service source.
Service Sub Category: Select the required sub category from the drop-down list.
Service Information: Type DSIService, or DealerConfigService if you are configuring it for dealer synchronization.
Contact Name: Select the contact name from the drop-down list.
  • Leave the other fields as they are, then click Next.

The Service Fields page is displayed.

  • Click Next.

The Organization Fields page is displayed. The dummy_update_order field and the billing flag are selected by default. The following fields are mandatory for dealers and stores.

Mandatory Fields

  • companyAcronym
  • companyName
  • address1
  • city
  • country
  • state
  • zip

In addition to the fields selected by default, select any further fields you want to display from this page. The other mandatory fields specific to dealers are: 1) dealerCode 2) Store Name 3) Expiry Date. Create these fields by clicking the Add link on the Organizational Fields page and provide the following values for each.

Dealer Code

Field: Value
Field Name: dealerCode
Description: Dealer Code
Mask Field: Not applicable
Field Label*: Dealer Code
Default Value: Not applicable
Type*: string
Scope: public
Minimum Length: 1
Maximum Length: 30
Regular Expression: Alphanumeric
Allowed Values: Not applicable

Store Name

Field: Value
Field Name: storeName
Description: Store Name
Mask Field: Not applicable
Field Label*: Store Name
Default Value: Not applicable
Type*: string
Scope: public
Minimum Length: 1
Maximum Length: 100
Regular Expression: Alphanumeric
Allowed Values: Not applicable

Expiry Date

Field: Value
Field Name: expiryDate
Description: Expiry Date
Mask Field: Not applicable
Field Label*: Expiry Date
Default Value: Not applicable
Type*: date
Scope: public
Minimum Length: Not applicable
Maximum Length: Not applicable
Regular Expression: Select the marketplace date format
Allowed Values: Not applicable

  • Click Save & Next. The User Fields page is displayed.

In addition to the fields selected by default, select any further fields you want to display from this page.

Note: For an enterprise, you need to select the following fields to sync the Department, Manager and Employee ID:
  • managerLoginName
  • employeeNumber
  • departmentName

The Field Expressions page is displayed.

  • Click Save & Next.

The SSO Properties page is displayed. Map a dummy URL in the SSO URL field.

  • Click Save & Next.

Leave all the other fields as they are, then click Save. The Custom page is displayed.

You are prompted to provide service callback information. By default, No is selected.

  • Click Save & Next. The Provisioning Events page is displayed.
  • Click Save & Next. The Field Expressions page is displayed.
  • Click Save & Next. The SSO Properties page is displayed. Map a dummy URL in the SSO URL field.
  • Click Save & Next. The Service Offer Information page is displayed.
  • Type the offer code, offer name and offer description:
    • Offer Code: dsiserviceoffer
    • Offer Name: dsiserviceoffer
    • Offer Description: dsiserviceoffer
  • Click Save & Next.