LDAP Configuration
As an administrator of the Access Control feature, you can synchronize information between Archer and your organization's Lightweight Directory Access Protocol (LDAP) server. With LDAP synchronization, you can streamline the administration of user accounts and groups by allowing updates and changes that were made in the LDAP server to be automatically reflected in Archer.
Important: Before you configure LDAP synchronization for your Archer SaaS environment, you must first contact Archer Customer Support for assistance connecting your organization's LDAP server to the Archer cloud environment. You must provide the IP address or address range for your LDAP server.
The LDAP configuration feature allows you to do the following:
- Associate user accounts with LDAP users.
- Create accounts when new users are found on the LDAP server.
- Deactivate accounts that can no longer be directly associated with an LDAP user. You cannot delete user accounts using LDAP synchronization.
- Reactivate accounts when the configured user criteria are found again on the LDAP server, for example, renewed employment status.
- Update user profile data for accounts based on LDAP changes.
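The list above describes a reconciliation between directory entries and application accounts. The following is an added illustration, not Archer's code, of how such a pass produces exactly those outcomes: associate an existing local account, create, update, reactivate, and deactivate but never delete. It assumes a stable directory identifier (a constructed `ldap_id`, standing in for an attribute such as objectGUID) for matching already-associated accounts, and an `enabled` flag standing in for whatever reactivation criterion is configured; the sample users and accounts are constructed for the example.

```python
"""Hypothetical LDAP-to-account reconciliation (added example, not Archer's code).

Matching of already-associated accounts is done on a stable directory
identifier (assumed: `ldap_id`) rather than on the user name, which can be
reused; not-yet-associated local accounts are matched once by user name.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LdapUser:
    ldap_id: str            # assumed stable identifier from the directory
    username: str
    email: str
    enabled: bool = True    # assumed stand-in for the configured reactivation criterion


@dataclass
class Account:
    username: str
    email: str
    active: bool = True
    ldap_id: Optional[str] = None   # None: local account not yet associated with LDAP


def reconcile(ldap_users: List[LdapUser], accounts: List[Account]) -> List[Tuple[str, str]]:
    """Apply directory state to `accounts` in place; return the actions taken."""
    actions: List[Tuple[str, str]] = []
    by_ldap_id = {a.ldap_id: a for a in accounts if a.ldap_id}
    unassociated = {a.username: a for a in accounts if not a.ldap_id}
    seen = set()

    for u in ldap_users:
        seen.add(u.ldap_id)
        acct = by_ldap_id.get(u.ldap_id)
        if acct is None:
            local = unassociated.pop(u.username, None)
            if local is not None:
                # Associate an existing local account with the LDAP user.
                local.ldap_id = u.ldap_id
                by_ldap_id[u.ldap_id] = local
                acct = local
                actions.append(("associate", u.username))
            else:
                # New user on the LDAP server: create an account.
                acct = Account(u.username, u.email, active=u.enabled, ldap_id=u.ldap_id)
                accounts.append(acct)
                by_ldap_id[u.ldap_id] = acct
                actions.append(("create", u.username))
                continue
        # Update profile data from LDAP changes.
        if (acct.username, acct.email) != (u.username, u.email):
            acct.username, acct.email = u.username, u.email
            actions.append(("update", u.username))
        # Reactivate or deactivate based on the criterion.
        if u.enabled and not acct.active:
            acct.active = True
            actions.append(("reactivate", u.username))
        elif not u.enabled and acct.active:
            acct.active = False
            actions.append(("deactivate", u.username))

    # Accounts that can no longer be associated with an LDAP user are
    # deactivated, never deleted.
    for ldap_id, acct in by_ldap_id.items():
        if ldap_id not in seen and acct.active:
            acct.active = False
            actions.append(("deactivate", acct.username))
    return actions


def sample_run() -> Tuple[List[Tuple[str, str]], List[Account]]:
    """Constructed scenario covering each outcome once."""
    accounts = [
        Account("jsmith", "jsmith@us.company.com", ldap_id="guid-1"),            # email changes
        Account("alee", "alee@us.company.com", active=False, ldap_id="guid-2"),  # returns
        Account("bkim", "bkim@us.company.com"),                                   # local only
        Account("cold", "cold@us.company.com", ldap_id="guid-4"),                # left LDAP
    ]
    ldap_users = [
        LdapUser("guid-1", "jsmith", "john.smith@us.company.com"),
        LdapUser("guid-2", "alee", "alee@us.company.com"),
        LdapUser("guid-3", "bkim", "bkim@us.company.com"),
        LdapUser("guid-5", "newb", "newb@us.company.com"),
    ]
    return reconcile(ldap_users, accounts), accounts


if __name__ == "__main__":
    for action in sample_run()[0]:
        print(*action)
```

The deactivation branch at the end is the important one: an account whose LDAP user has disappeared is kept, flagged inactive, so that its history and any later reactivation remain possible.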
The LDAP configuration feature accepts multiple-domain, single sign-on (SSO) information and synchronizes with discrete LDAP systems, allowing you to do the following:
- Standardize logon procedures in heterogeneous domain environments.
- Incrementally add new domains to existing user access configurations.
- Synchronize data with multiple domain accounts.
LDAP groups cannot be mapped to a previously existing Archer group. The synchronization process replicates the LDAP group structure within Archer. Groups created in Archer by the LDAP synchronization process cannot be edited within Archer.
Do not specify a default LDAP configuration if your organization uses multiple domains and allows the same user name to exist in more than one domain. If you do, a user whose user name matches that of a user in the default domain could gain access to that other user's Archer account.
For example, John Smith (jsmith@apac.company.com) in the Asia-Pacific domain and Jim Smith (jsmith@us.company.com) in the United States domain share the user name jsmith. Suppose the default LDAP configuration specifies us.company.com and no LDAP configuration exists for apac.company.com in this Archer instance. When John Smith logs on through SSO, Archer finds no configuration for his domain, falls back to the default domain, and validates him there by user name alone, "jsmith". That user name matches the existing account jsmith@us.company.com, so John Smith is logged on to Jim Smith's account even though he is a different individual.
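The collision above, as an added example that is not part of the original page and is not Archer's code: a constructed model of SSO account lookup with and without a default-domain fallback, plus the check an administrator would want to run before choosing a default domain at all, namely whether any user name exists in more than one domain. The domain names, user lists and lookup behaviour are assumptions for illustration.

```python
"""Default-domain collision model (added example, not Archer's code)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Constructed: one LDAP configuration per domain, mapping user names to the
# Archer account they are associated with. apac.company.com deliberately has
# no configuration in this instance.
LDAP_CONFIGS: Dict[str, Dict[str, str]] = {
    "us.company.com": {"jsmith": "jsmith@us.company.com (Jim Smith)"},
}


def resolve_sso_identity(sso_identity: str, default_domain: Optional[str]) -> Optional[str]:
    """Map an SSO identity 'user@domain' to an account, or None if rejected.

    default_domain models a default LDAP configuration: when the presented
    domain has no configuration, the bare user name is tried in the default
    domain. With default_domain=None there is no fallback, so an identity
    from an unconfigured domain fails closed.
    """
    username, _, domain = sso_identity.rpartition("@")
    if not username or not domain:
        return None                       # unqualified identities are rejected
    config = LDAP_CONFIGS.get(domain.lower())
    if config is None:
        if default_domain is None:
            return None                   # hardened: no default, no fallback
        config = LDAP_CONFIGS.get(default_domain.lower())   # weak: bare-name lookup
        if config is None:
            return None
    return config.get(username.lower())


def find_colliding_usernames(directory_users: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return user names that appear in more than one domain, with the domains.

    Run this over the user names exported from every domain before deciding
    whether a default configuration is safe at all.
    """
    domains_by_name = defaultdict(list)
    for domain, names in directory_users.items():
        for name in names:
            domains_by_name[name.lower()].append(domain)
    return {n: sorted(d) for n, d in domains_by_name.items() if len(d) > 1}


# Constructed sample export of user names per domain.
SAMPLE_DIRECTORY = {
    "us.company.com": {"jsmith", "alee"},
    "apac.company.com": {"jsmith", "tkhan"},
}

if __name__ == "__main__":
    print("with default:   ", resolve_sso_identity("jsmith@apac.company.com", "us.company.com"))
    print("without default:", resolve_sso_identity("jsmith@apac.company.com", None))
    print("collisions:     ", find_colliding_usernames(SAMPLE_DIRECTORY))
```

With a default domain configured, John Smith's identity resolves to Jim Smith's account; with no default, the same logon is rejected, and the only way for John Smith to log on is to add an LDAP configuration for apac.company.com, which then matches him within his own domain.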