LDAP Configuration

As an administrator of the Access Control feature, you can synchronize information between Archer and your organization's Lightweight Directory Access Protocol (LDAP) server. With LDAP synchronization, you can streamline the administration of user accounts and groups by allowing updates and changes that were made in the LDAP server to be automatically reflected in Archer.

Important: LDAP synchronization is not available for Archer SaaS.

The LDAP configuration feature allows you to do the following:

  • Associate user accounts with LDAP users.
  • Create accounts when new users are found on the LDAP server.
  • Deactivate accounts that can no longer be directly associated with an LDAP user. You cannot delete user accounts using LDAP synchronization.
  • Reactivate accounts when certain user criteria are found on the LDAP server, for example, renewed employment status.
  • Update user profile data for accounts based on LDAP changes.
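The five behaviours above amount to one reconciliation pass of LDAP entries against the local account store. The following is an added example, not Archer's code, that shows such a pass on constructed sample data: the entry attributes, the `ldap_dn` link field and the `synchronize` function are assumptions for illustration, and the deactivate step never deletes an account.

```python
"""Added example (not Archer's code): reconcile LDAP users against a local
account store, covering associate, create, deactivate, reactivate and update.
All names, attributes and sample data are constructed for illustration."""
import copy
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    username: str
    ldap_dn: Optional[str]   # link to the LDAP entry; None = not LDAP-managed
    active: bool
    profile: dict = field(default_factory=dict)

# Constructed sample: the "current" LDAP directory, keyed by distinguished name.
LDAP_USERS = {
    "uid=jsmith,ou=people,dc=example,dc=com": {"username": "jsmith", "mail": "jsmith@example.com", "title": "Analyst"},
    "uid=alee,ou=people,dc=example,dc=com":   {"username": "alee",   "mail": "alee@example.com",   "title": "Manager"},
    "uid=rdoe,ou=people,dc=example,dc=com":   {"username": "rdoe",   "mail": "rdoe@example.com",   "title": "Auditor"},
}

# Constructed sample: the local account store before synchronization.
LOCAL_ACCOUNTS = [
    Account("jsmith", "uid=jsmith,ou=people,dc=example,dc=com", True,  {"mail": "jsmith@example.com", "title": "Intern"}),
    Account("alee",   None,                                      True,  {"mail": "alee@example.com",   "title": "Manager"}),
    Account("bgone",  "uid=bgone,ou=people,dc=example,dc=com",  True,  {"mail": "bgone@example.com"}),
    Account("rdoe",   "uid=rdoe,ou=people,dc=example,dc=com",   False, {"mail": "rdoe@example.com",   "title": "Auditor"}),
    Account("svc_local", None,                                   True,  {}),   # not LDAP-managed; must be left alone
]

def synchronize(ldap_users, accounts):
    """Return (new_accounts, actions). Inputs are not mutated; actions is a
    list of (action, username) in the order they were applied."""
    accounts = copy.deepcopy(accounts)
    actions = []
    by_dn = {a.ldap_dn: a for a in accounts if a.ldap_dn}
    by_name_unlinked = {a.username: a for a in accounts if a.ldap_dn is None}

    for dn, attrs in ldap_users.items():
        profile = {k: v for k, v in attrs.items() if k != "username"}
        acct = by_dn.get(dn)
        if acct is None and attrs["username"] in by_name_unlinked:
            # Associate: an existing, unlinked local account matches the LDAP user.
            acct = by_name_unlinked.pop(attrs["username"])
            acct.ldap_dn = dn
            by_dn[dn] = acct
            actions.append(("associate", acct.username))
        if acct is None:
            # Create: the user exists in LDAP but has no local account.
            acct = Account(attrs["username"], dn, True, profile)
            accounts.append(acct)
            by_dn[dn] = acct
            actions.append(("create", acct.username))
            continue
        if not acct.active:
            # Reactivate: the linked account was deactivated but the LDAP entry is present again.
            acct.active = True
            actions.append(("reactivate", acct.username))
        if acct.profile != profile:
            # Update: copy changed profile data from LDAP.
            acct.profile = profile
            actions.append(("update", acct.username))

    for acct in accounts:
        if acct.ldap_dn and acct.ldap_dn not in ldap_users and acct.active:
            # Deactivate, never delete: the account can no longer be associated with an LDAP user.
            acct.active = False
            actions.append(("deactivate", acct.username))
    return accounts, actions

if __name__ == "__main__":
    _, applied = synchronize(LDAP_USERS, LOCAL_ACCOUNTS)
    for action, user in applied:
        print(f"{action:<10} {user}")
```

Note that matching is done on the stored distinguished name, not on the bare user name, so a renamed or re-created LDAP entry is not silently attached to an unrelated local account; the one bare-name match (associate) is restricted to accounts that have never been linked.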

The LDAP configuration feature accepts single sign-on (SSO) information from multiple domains and synchronizes with discrete LDAP systems, allowing you to do the following:

  • Standardize the log-on procedures in heterogeneous domain environments.
  • Incrementally add new domains to existing user access configurations.
  • Synchronize data with multiple domain accounts.

LDAP groups cannot be mapped to a previously existing Archer group. The synchronization process replicates the LDAP group structure within Archer. Groups created in Archer by the LDAP synchronization process cannot be edited within Archer.

LDAP configuration with multiple domains

It is recommended that you do not specify a default LDAP configuration if your organization employs multiple domains and allows non-unique user names across your domains. If you do, an individual with an identical user name to an individual in the default domain could potentially gain improper access to Archer.

For example, John Smith (jsmith@apac.company.com) from the Asia-Pacific domain and Jim Smith (jsmith@us.company.com) from the United States domain have the same user name. If a default LDAP configuration specifies us.company as the default domain and the apac.company.com domain is not valid in the us.company instance, John Smith can log on to the account of Jim Smith. When John Smith logs on to Archer using SSO, Archer attempts to validate him in the default domain by the user name jsmith. Archer matches this user name to an existing account, jsmith@us.company.com, even though it belongs to a different individual.
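The collision arises because a default domain turns a two-part identity (domain and user name) into a one-part lookup. The following added example, which is not Archer's code, mirrors the jsmith scenario with constructed accounts and domain names: `resolve_with_default` shows the fallback-to-default behaviour, and `resolve_strict` shows the check a deployment without a default configuration effectively applies, rejecting identities from any domain that is not itself a configured LDAP configuration and matching only on the (domain, user name) pair.

```python
"""Added example (not Archer's code): resolving an SSO identity to an account
with and without a default LDAP configuration. Domains, accounts and the two
resolver functions are constructed for illustration."""
from typing import Optional

# Constructed: accounts in the us.company instance, keyed by (domain, user name).
# Only the US domain has an LDAP configuration here; apac.company.com does not.
ACCOUNTS = {
    ("us.company.com", "jsmith"): "Jim Smith",
}
CONFIGURED_DOMAINS = {"us.company.com"}

def split_identity(sso_identity: str):
    """Split 'user@domain' into (user, domain); domain is '' when absent."""
    username, _, domain = sso_identity.partition("@")
    return username, domain

def resolve_with_default(sso_identity: str, default_domain: str,
                         configured=CONFIGURED_DOMAINS, accounts=ACCOUNTS) -> Optional[str]:
    """Weak behaviour: an identity whose domain is unknown falls back to the
    default domain, so the match is effectively on the bare user name."""
    username, domain = split_identity(sso_identity)
    if domain not in configured:
        domain = default_domain
    return accounts.get((domain, username))

def resolve_strict(sso_identity: str,
                   configured=CONFIGURED_DOMAINS, accounts=ACCOUNTS) -> Optional[str]:
    """Hardened behaviour: no default domain. The presented domain must be a
    configured LDAP configuration, and the match is on (domain, user name)."""
    username, domain = split_identity(sso_identity)
    if domain not in configured:
        return None   # reject rather than guess a domain
    return accounts.get((domain, username))

if __name__ == "__main__":
    john = "jsmith@apac.company.com"   # John Smith, Asia-Pacific domain
    print("with default domain:", resolve_with_default(john, "us.company.com"))  # Jim Smith's account
    print("strict:", resolve_strict(john))                                       # None
```

In the weak resolver the Asia-Pacific jsmith lands on Jim Smith's account; in the strict resolver the same log-on is refused because apac.company.com has no LDAP configuration in this instance, and a log-on that does present a configured domain still resolves only within that domain.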