Single Sign On (SSO) can be implemented over LDAPS in Azure so that patrons do not have to remember a separate password, and face fewer authentication prompts, when accessing Infiniti or LibPaths. Authentication is performed against Azure Active Directory Domain Services (AAD-DS).
Concord requires schools choosing to use the LDAP authentication channel with Infiniti or LibPaths to encrypt that traffic with TLS (LDAPS), because a plain LDAP bind sends the user's password in clear text.
This document outlines some of the steps required to use LDAPS in Azure.
Full documentation for Azure LDAPS can be found at: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps
1. You will need an Azure account with access to your student (and staff) Active Directory.
- If you are not already using the Azure AD Domain Services (AAD-DS) product, using LDAPS with Azure may incur additional Azure costs. AAD-DS is a separately billed managed domain that adds protocols such as LDAP and LDAPS that Azure AD itself does not expose.
2. You will need access to the DNS registrar which controls the public domain you will "host" LDAPS under, e.g., "ldap.your-school.edu"
- The subdomain will be pointed at the public IP address of the managed domain's Secure LDAP endpoint in Azure, which is where the LDAPS service is actually hosted.
3. Select an existing AD Domain Service suitable for Concord to authenticate against, or create a new one.
- If you need to create a new Domain Service, please refer to Azure documentation or your team's Azure specialist for existing school strategies.
- When deciding on the DNS domain of the AAD-DS, choose an internet-visible DNS domain for which you hold a certificate and its private key. The certificate must be valid for the managed domain name (Microsoft's tutorial uses a wildcard such as *.your-school.edu) and therefore for the hostname clients will connect to, e.g. ldap.your-school.edu. A certificate signed by a common commercial third-party certificate authority is recommended; a self-signed certificate can be used, but every client then has to be told to trust it explicitly.
- The process of generating and signing a certificate (third-party or self-signed) is outside the scope of this document.
- Creation of a new AAD-DS will take some time. The Azure portal should inform you once cloud provisioning is complete.
4. Export your certificate (including the key pair and certificate chain) to the PKCS #12 (*.PFX) format.
- If the certificate is not self-signed, you are delegating trust for every name it covers to Azure, since the managed domain will hold the private key. Use a certificate scoped to the LDAPS hostname (or the managed domain's wildcard) rather than reusing a broader certificate.
- If the PKCS #12 file is encrypted, Azure requires the export encryption to be TripleDES-SHA1. Select it explicitly in the Windows export wizard; newer Windows versions default to AES256-SHA256, which the upload rejects.
- If exporting to this bundled certificate-key file format from Windows, further detail can be found at: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps#understand-and-export-required-certificates
5. Enable LDAPS in Azure
- For the selected AD Domain Service, choose LDAP from the side menu.
- Enable Secure LDAP and Secure LDAP over the Internet
- You can restrict network access to the LDAPS endpoint later (see step 6). Microsoft advises doing so: an LDAPS endpoint reachable from the whole internet invites password guessing (brute force and password spraying) against your accounts.
- Upload the PKCS #12 / PFX file
6. Permit access to LDAPS from Infiniti/LibPaths
- Locate the Azure Resource Group used by the relevant AD Domain Service
- Locate the Network Security Group within the Resource Group used by the relevant AD Domain Services
- Add an inbound rule allowing TCP port 636 only from the origin IP address of your Concord Infiniti/LibPaths service (a single /32 source), not from "Any".
- The origin IP for your Concord Infiniti service can be determined by:
- Logging into Infiniti/LibPaths as a user with administration privileges.
- Going to the LDAP configuration panel: Administrative Settings → Integrations → Active Directory LDAP
- Clicking the "Test Connectivity" link and noting down the IP address listed.
7. Link a subdomain of the DNS domain declared for the relevant AAD-DS to the managed domain's Secure LDAP external IP address, e.g. an A record for "ldap.your-school.edu" → that Azure IP.
- The specifics of this process will differ by DNS registrar and is outside the scope of this document.
- You can locate the relevant "Secure LDAP External IP Address" in the Properties side-menu of the relevant AAD-DS.
- DNS propagation can take a while.
8. Configure LDAPS in Infiniti/LibPaths
- Go to Administrative Settings → Integrations → Active Directory LDAP
- Replace "ldap://[some ip or domain]:[some port]" with "ldaps://ldap.your-school.edu:636" (or similar).
- If using a self-signed (or unrecognised internal PKI) certificate, turn on: SSL Certificate is Self-Signed. Because this option weakens verification of the server certificate, a commercial CA-signed certificate that lets the option stay off is preferable.
- If you have not previously set up plain (unencrypted) LDAP in Infiniti/LibPaths, see the separate Infiniti/LibPaths LDAP configuration document for the broader LDAP settings.
- After the new configuration has been saved, the Test Connectivity hyperlink in the Infiniti LDAP configuration page can be used to test LDAPS. In addition to correctly configuring Azure and Infiniti for LDAPS, the same user must exist both in Azure AD and in the Concord Infiniti/LibPaths user tables for a login to succeed.
- Please note that when testing LDAP authentication through the Infiniti login page, most authentication errors are not disclosed, so that the page cannot be used to enumerate accounts in Infiniti/LibPaths or in the school's Active Directory. The login page will often report "bad username/password" even when the error is due to neither (for instance, the user does not exist in Infiniti). Use Test Connectivity, not the login page, to diagnose connectivity problems.
Note: This document should not be considered exhaustive instructions for setting up LDAPS in Azure, and it does not cover aspects of Azure Domain Service configuration that are not directly relevant to Concord Infiniti/LibPaths authentication through LDAPS. A school's use of Azure may differ widely from the outline in this document. School technicians are expected to be familiar with LDAP, Active Directory, and Azure administration for their school.