EmpowerID Admin Lab 3: Active Directory Connector
Purpose
This lab guides you through creating an account store connection and definition to an Active Directory (AD) domain.
Prerequisites
- Access to the EmpowerID training environment.
- Credentials for the AD domain (e.g., the Administrator username and password).
- A Cloud Gateway server configured to connect to the domain.
- A modern web browser.
Steps
1. Initiate the Create Account Store Workflow
- Open your browser and log in to EmpowerID.
- Go to Admin > Applications and Directories > Account Stores and Systems.
- Refresh the page to view existing account stores.
- Click Create Account Store.
- Search for and select Active Directory Domain Services as the system type.
2. Enter the Connection Details for the Account Store
General
- Name: Enter a name for the account store.
- Display Name: Enter a display name for the account store.
Active Directory Forest
- FQDN: Enter the fully qualified domain name of the forest.
- Is Remote (Requires Cloud Gateway): Check this box.
Proxy Information
- Proxy Account Username: Enter the username of the connection account ("admin2" for the provided student lab).
- NetBios Domain: Enter the NetBIOS domain name of the domain ("addomain" for the provided student lab).
- Password: Enter the password for the connection account ("p@$$w0rd@534" for the provided student lab).
Submit the information.
3. Select the Cloud Gateway Server
- Search for and select the Cloud Gateway Server for the connection.
- EmpowerID will validate the credentials and list available domains in the forest.
- Select the target domain (e.g., addomain.com) and submit.
- The workflow will now create the account store and resource system definitions and return you to the Account Store page.
4. Verify and Edit Account Store Settings
- Refresh the search results to see the new AD domain account store.
- Click the account store name to bring up the main Account Store page.
- Click the pencil icon by the account store name to edit the configuration.
General Settings
Configure the following settings on the Settings page:
- Enable the Is Visible in IAM Shop flag to allow the resources to be visible in the IAM Shop.
- Enable Allow Password Sync to synchronize passwords with AD.
- Disable Allow Person Provisioning (Identity Source), since we do not want to provision people from this account store.
- Enable Allow Attribute Flow.
- Enable Allow Provisioning (By RET) and Allow Deprovisioning (By RET) to allow account creation and deletion by the provisioning policies.
- Disable Allow Business Role and Location Re-Evaluation (OROZ Source), since we will not be assigning roles and locations from data in this system.
Inventory Settings
- Go to the Inventory tab.
- Enable Inventory Enabled.
Membership Settings
- Go to the Membership tab.
- Enable the Enable Group Membership Reconciliation setting to manage group memberships.
Save the account store settings.
5. Monitor the Inventory Job
- Navigate to the Job History tab.
- Wait for the inventory job to run and monitor its progress.
- Confirm successful completion of the inventory job: the Succeeded column shows a check mark in the box if the job completed successfully.
6. Verify Imported Data
- Navigate to the User Accounts tab.
- You should see the list of users that were inventoried from the system.
- Navigate to the Groups tab.
- You should see the list of groups that were inventoried from the system.
- Select a user or group by clicking one of the name links to view its details and confirm data accuracy.
Notes
- Ensure accurate domain credentials and Cloud Gateway configuration.
- Monitor job history for errors during the inventory process.
- If issues arise, consult logs or your instructor for assistance.
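One way to check the first note before filling in the Step 2 form is a pre-flight script run on the Cloud Gateway host. The script below is an added example, not part of the lab or of EmpowerID; it assumes the lab's addomain.com / addomain / admin2 values (override them with parameters), prompts for the password rather than storing it, and uses only the built-in .NET DirectoryServices classes and the Windows DnsClient and NetTCPIP modules.

```powershell
# Added pre-flight check for the Step 2 form values; not part of the EmpowerID lab or product.
# Run on the Cloud Gateway host. Defaults are the lab values; the password is prompted, never stored.
param(
    [string]$ForestFqdn    = 'addomain.com',   # Active Directory Forest > FQDN
    [string]$NetBiosDomain = 'addomain',       # Proxy Information > NetBios Domain
    [string]$ProxyUser     = 'admin2'          # Proxy Information > Proxy Account Username
)
$results = [ordered]@{}

# 1. The forest FQDN must resolve from the host that will hold the connection.
$results.DnsResolves = [bool](Resolve-DnsName -Name $ForestFqdn -Type A -ErrorAction SilentlyContinue)

# 2. LDAP (389) and LDAPS (636) reachability; if 636 is closed, a simple bind would send the password in cleartext.
$results.Ldap389  = (Test-NetConnection $ForestFqdn -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
$results.Ldaps636 = (Test-NetConnection $ForestFqdn -Port 636 -WarningAction SilentlyContinue).TcpTestSucceeded

# 3. The proxy account must be able to bind using the NETBIOS\user form the workflow asks for.
$cred = Get-Credential -UserName "$NetBiosDomain\$ProxyUser" -Message 'Proxy account password'
$pw   = $cred.GetNetworkCredential().Password
$auth = [System.DirectoryServices.AuthenticationTypes]::Secure   # Negotiate (Kerberos/NTLM), not a simple bind
$results.ProxyBind = $false
try {
    $rootDse   = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ForestFqdn/RootDSE", $cred.UserName, $pw, $auth)
    $defaultNc = [string]$rootDse.Properties['defaultNamingContext'].Value   # reading a property forces the bind
    $configNc  = [string]$rootDse.Properties['configurationNamingContext'].Value
    $results.ProxyBind = $true

    # 4. The NetBIOS name typed into the form must match the crossRef object the domain itself publishes.
    $partitions = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$ForestFqdn/CN=Partitions,$configNc", $cred.UserName, $pw, $auth)
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($partitions, "(&(objectClass=crossRef)(nCName=$defaultNc))", [string[]]@('nETBIOSName'))
    $hit = $searcher.FindOne()
    $actualNetBios = if ($hit) { [string]$hit.Properties['netbiosname'][0] } else { '' }
    $results.NetBiosMatches = $actualNetBios -ieq $NetBiosDomain
    if (-not $results.NetBiosMatches) { Write-Warning "Domain reports NetBIOS name '$actualNetBios', form value is '$NetBiosDomain'" }
} catch {
    Write-Warning "Bind as $($cred.UserName) to $ForestFqdn failed: $($_.Exception.Message)"
}
$pw = $null   # drop the plaintext copy as soon as the bind test is done

[pscustomobject]$results | Format-List
if ($results.Values -contains $false) { exit 1 }   # any failed check: fix it before submitting the Step 2 form
```

A non-zero exit means one of the four values EmpowerID validates in Step 3 (DNS, port reachability, proxy bind, NetBIOS name) would fail there too, so fix it before running the workflow.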
Completion
Once you’ve successfully connected EmpowerID to the AD domain, verified the imported accounts and groups, and configured all required settings, this lab is complete. Proceed to the next lab for additional integrations and configurations.