Introduction

The objective of the integration between Proxyclick and the directory server is to synchronize company users and Proxyclick accounts.

The integration is used when a user logs into the Proxyclick application to validate his/her e-mail address and password. This has the following advantages:

  • Users can use their company password, so there is no need for a new password.
  • Security settings for passwords defined by the company will also apply for accessing the Proxyclick application
  • When a user is disabled or removed from the directory, she/he will not be able to connect to the Proxyclick application anymore


Key features

  • One-way synchronization from your directory to the Proxyclick application
  • No modification of the directory information
  • Integration only reads the user data from the directory

Prerequisites

The connection from Proxyclick to the directory server must be available. If the connection is down at the moment a user wants to log in, Proxyclick cannot verify his/her credentials and the login is refused with an error message. Likewise, during user synchronization Proxyclick cannot update the accounts in its database while the connection to the directory server is failing.

A good connection speed is furthermore required to keep response times acceptable for login and user synchronization.

Technical implementation

Access to the directory server uses the LDAP protocol (Lightweight Directory Access Protocol). Proxyclick supports LDAP over TLS/SSL (LDAPS) for securing the connection and data exchange over the internet.

Your firewall needs to accept incoming connections from Proxyclick to the directory server. We suggest creating a rule limited to the IP addresses of the Proxyclick servers:

Environment   IP addresses
DEV           109.89.29.98, 80.200.254.199
PROD          5.196.119.170, 149.202.139.22, 149.202.139.23, 51.255.113.67, 46.105.32.37

We also suggest creating a separate account for accessing the directory. This account needs to be able to read data from the directory and to search for users. Write access is not required, as Proxyclick will not modify directory information.

Supported Platforms

All directory servers that support the LDAP protocol can be used. This includes:

  • Microsoft Active Directory
  • Lotus Domino
  • OpenLDAP
  • Apache Directory

Login procedure at Proxyclick

If you need users to be authenticated against the LDAP directory, they must log in through a dedicated login page at a special URL:

https://app.proxyclick.com/login/[alias]

where [alias] tells Proxyclick which directory server to access in order to validate the credentials. Please contact in order to get the alias (the alias is only available after we have set up the integration).

The user enters his/her e-mail address and password.

A connection is opened to the directory server with the Proxyclick account, and a lookup is done to retrieve the user entry matching that e-mail address. If no result is found, the e-mail address is invalid and the login is refused (an error message is displayed). If an entry is found, the distinguished name (DN) of the user is retrieved for the next step.

A second connection is opened with the user's DN and the password (an LDAP bind as the user). If the directory server refuses the connection, the password is incorrect and the login is refused (the user gets an error message). If the connection is accepted, the credentials are correct.

The login process then checks whether a Proxyclick account exists for the user. If not, the account is created using the user information extracted from the directory.

Finally, if there are no errors, the user gets access to the application.
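The search-then-bind login sequence described above, as an added Python example; it is not Proxyclick's code. It runs against a constructed in-memory directory (fake_search and fake_bind stand in for the LDAP server; the attribute names mail, givenName and sn are assumed) and adds two checks a practitioner would want: RFC 4515 escaping of the e-mail before it is placed in the search filter, and refusing an empty password, because a simple bind with a DN and an empty password is accepted as an anonymous bind by many servers and would otherwise look like a successful login.

```python
import re

# Constructed in-memory directory standing in for the LDAP server (AD attribute names assumed).
FAKE_DIRECTORY = {
    "CN=Ann Lee,OU=Staff,DC=example,DC=com":
        {"mail": "ann@example.com", "givenName": "Ann", "sn": "Lee", "pw": "s3cret"},
    "CN=Bo Chen,OU=Staff,DC=example,DC=com":
        {"mail": "bo@example.com", "givenName": "Bo", "sn": "Chen", "pw": "pa55"},
}

def escape_filter_value(value):
    """RFC 4515 escaping: the e-mail cannot change the structure of the search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\0" else c for c in value)

def _value_regex(value):
    """Turn an LDAP assertion value into a regex: \\XX is a literal byte, bare * a wildcard."""
    def piece(m):
        if m.group(1):
            return re.escape(chr(int(m.group(1), 16)))
        return ".*" if m.group(0) == "*" else re.escape(m.group(0))
    return re.sub(r"\\([0-9a-fA-F]{2})|.", piece, value, flags=re.S)

def fake_search(ldap_filter):
    """Simulated search with the service account; supports only (mail=<value>) filters."""
    m = re.fullmatch(r"\(mail=(.*)\)", ldap_filter, flags=re.S)
    if not m:
        return []
    pattern = re.compile(_value_regex(m.group(1)), re.S)
    return [(dn, e) for dn, e in FAKE_DIRECTORY.items() if pattern.fullmatch(e["mail"])]

def fake_bind(dn, password):
    """Simulated simple bind. As RFC 4513 5.1.2 allows, a DN with an empty password is
    accepted as an *anonymous* bind, so the caller must never treat it as a verified password."""
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and (password == "" or password == entry["pw"])

def authenticate(email, password, search=fake_search, bind=fake_bind):
    """Search-then-bind: look the user up with the service account, then bind as the user."""
    if not password:                      # guard against the anonymous-bind case above
        return None
    hits = search(f"(mail={escape_filter_value(email)})")
    if len(hits) != 1:                    # unknown or ambiguous e-mail: refuse the login
        return None
    dn, entry = hits[0]
    if not bind(dn, password):            # bind refused: wrong password, refuse the login
        return None
    return {"dn": dn, "first_name": entry["givenName"],
            "last_name": entry["sn"], "email": entry["mail"]}
```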

(The other authentication mechanisms are our standard login page, with the password stored on Proxyclick servers, and SSO.)

User synchronization

Proxyclick regularly synchronizes the users from the directory with the Proxyclick accounts. For every entry in the directory, a check is done in the Proxyclick database. If an account for the user is found in Proxyclick, its data is updated if it has changed. If no account is found, a new one is created.

Accounts that exist in the Proxyclick database but are missing in the user directory will be flagged as deleted.

User information extracted from the directory

The data retrieved for each user from the directory are:

  • First name (mandatory)
  • Last name (mandatory)
  • E-mail address (mandatory)
  • Mobile phone number (optional), E.164 format
  • Fixed phone number (optional), less than 20 characters
  • Language (optional), ISO 639-1 format

For every field, Proxyclick needs to know which directory attribute to read the value from.
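The synchronization rules above (create, update if changed, flag as deleted), together with the field formats from the attribute list, as an added Python example that is not Proxyclick's own code. The attribute mapping and the sample entries are constructed assumptions; treating an account that reappears in the directory as an update that clears the deleted flag is also an assumption, since the page does not say what happens in that case.

```python
import re

# Assumed mapping (Proxyclick field -> directory attribute); agreed per location in reality.
ATTRIBUTE_MAP = {"first_name": "givenName", "last_name": "sn", "email": "mail",
                 "mobile": "mobile", "phone": "telephoneNumber", "language": "preferredLanguage"}
E164 = re.compile(r"^\+[1-9]\d{1,14}$")      # E.164: leading + and up to 15 digits
ISO639_1 = re.compile(r"^[a-z]{2}$")         # two-letter ISO 639-1 language code
SAMPLE_ENTRIES = [                           # constructed sample input (directory entries)
    {"givenName": "Ann", "sn": "Lee", "mail": "Ann@Example.com", "mobile": "+3225550123", "preferredLanguage": "fr"},
    {"givenName": "Bo", "mail": "bo@example.com"},                                          # no last name
    {"givenName": "Cy", "sn": "Dee", "mail": "cy@example.com", "mobile": "0470 12 34 56"},  # not E.164
]

def map_entry(entry):
    """Account record from a directory entry, or None when a mandatory field is missing."""
    acct = {field: entry.get(attr) for field, attr in ATTRIBUTE_MAP.items()}
    if not all(acct[f] for f in ("first_name", "last_name", "email")):
        return None
    acct["email"] = acct["email"].lower()            # e-mail is the matching key: normalise it
    for field, pattern in (("mobile", E164), ("language", ISO639_1)):
        if acct[field] and not pattern.match(acct[field]):
            acct[field] = None                       # invalid optional value: drop it, keep the user
    if acct["phone"] and len(acct["phone"]) >= 20:
        acct["phone"] = None
    return acct

def synchronize(entries, accounts):
    """One-way sync into `accounts` (dict keyed by e-mail, mutated in place); returns counts."""
    stats = dict(created=0, updated=0, unchanged=0, flagged_deleted=0, skipped=0)
    seen = set()
    for entry in entries:
        acct = map_entry(entry)
        if acct is None:
            stats["skipped"] += 1
            continue
        seen.add(acct["email"])
        current = accounts.get(acct["email"])
        if current is None:
            accounts[acct["email"]] = {**acct, "deleted": False}
            stats["created"] += 1
        elif current["deleted"] or any(current.get(k) != v for k, v in acct.items()):
            accounts[acct["email"]] = {**acct, "deleted": False}   # changed or reappeared: update
            stats["updated"] += 1
        else:
            stats["unchanged"] += 1
    for email, current in accounts.items():
        if email not in seen and not current["deleted"]:
            current["deleted"] = True                # missing from the directory: flag, never erase
            stats["flagged_deleted"] += 1
    return stats
```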
Info needed for every location

In order to set up an integration with your AD (Active Directory), we need the following information for every location:

  • Contact person: name and e-mail address of the person to contact in case we have technical questions
  • Server address: hostname or IP address
  • Server port: typically 389 for LDAP (without encryption) or 636 for LDAPS (with encryption). In the case of LDAPS, and depending on the certificate you need, it might take a few days to install the certificate on our side, as some infrastructure work is needed
  • Credentials: username and password of the account used to search the directory
  • Base DN: distinguished name of the entry from which the user search starts
  • Search query: the query that finds the users to be synchronized with Proxyclick (e.g. a filter on OU, membership of a group, …)
  • Attributes used to get the first name, last name and e-mail address of the users