QTS Dashboard Identity Providers

What is an Identity Provider/User Directory?

An identity provider is a system entity that creates, maintains, and manages identity information for users while providing authentication services to relying applications. In simple terms, QTS uses identity providers for two purposes:

  1. To know a user of the system in order to associate roles and license pools with that user, supporting product functionality and access.

  2. To authenticate users and verify they are valid within the system to access functionality.

The origin of the user is only important in fulfilling these purposes. Beyond that, QTS treats all users in the system equally.

Currently, two types of Identity Providers are supported:

  1. Internal QTS User Directory: installed by default.

  2. Active Directory

Adding an Active Directory Identity Provider

Start by clicking the “Add Identity Provider” button.

A simple 4-step wizard guides the user through adding an Active Directory. By completing the 4 steps, a QTS Admin will have configured a connection to a particular AD and saved a valid configuration in the QTS system.

Steps to Setting up Active Directory:

Username

The distinguished name of the user that the application will use when connecting to the directory server.

Examples:

  • cn=administrator,cn=users,dc=ad,dc=example,dc=com

  • cn=user,dc=domain,dc=name

  • user@domain.name

The specific privileges required by the user to connect to LDAP are 'Bind' and 'Read' (user info, group info, group membership, update sequence number, deleted objects), which the user can obtain by being a member of the Active Directory's built-in administrators group. Note that this membership grants far more than the listed rights; where your AD policy allows, prefer a dedicated service account granted only the rights above.



Password

The password of the user specified above.

Note: Connecting to an LDAP server requires that this application log in to the server with the username and password configured here. As a result, this password cannot be one-way hashed - it must be recoverable in the context of this application. The password is currently stored in the database with obfuscation. To further guarantee its security, you need to ensure that other processes do not have OS-level read permissions for this application's database or configuration files.



Host:port

The hostname of your directory server and the port on which your directory server is listening.

Examples:



BaseDN

The root distinguished name (DN) to use when running queries against the directory server.

Examples:

  • o=example,c=com

  • cn=users,dc=ad,dc=example,dc=com

For Microsoft Active Directory, specify the base DN in the following format: dc=domain1,dc=local. Replace domain1 and local with the values for your specific configuration. Microsoft Server provides a tool called ldp.exe which is useful for discovering and configuring the LDAP structure.



SSL

Check this box if the connection to the directory server is an SSL (Secure Sockets Layer) connection. Note that you will need to configure an SSL certificate to use this setting. Without it, the bind username and password configured above cross the network in cleartext.

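The following validator is an added example, not part of QTS or the QVscribe client; it checks an Active Directory provider configuration against the field rules described above (DN or user@domain bind name, host:port, a dc= based BaseDN, and the SSL setting). The configuration key names and the sample host and credentials are assumptions chosen for illustration.

```python
import re

# Constructed for illustration: key names mirror the wizard fields, and the
# sample values are placeholders, not values from any real QTS deployment.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_dn(dn):
    """Split a distinguished name into (attribute, value) pairs.

    Returns None if any component is not of the form attr=value.
    Assumption: the simple DN shapes shown in the wizard examples
    (no escaped commas inside values).
    """
    parts = [p.strip() for p in dn.split(",")]
    if not all(RDN_RE.match(p) for p in parts):
        return None
    return [tuple(p.split("=", 1)) for p in parts]


def validate_provider(cfg):
    """Return a list of findings for an AD provider config (empty = OK).

    cfg keys (assumed): username, password, host_port, base_dn, ssl.
    """
    findings = []
    user = cfg.get("username", "")
    if parse_dn(user) is None and not UPN_RE.match(user):
        findings.append("username must be a DN (cn=...,dc=...) or user@domain form")
    if not cfg.get("password"):
        findings.append("password is required for the LDAP bind")
    host, sep, port = cfg.get("host_port", "").rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        findings.append("host:port must be hostname:port with a port in 1-65535")
        port = None
    base = parse_dn(cfg.get("base_dn", ""))
    if base is None:
        findings.append("BaseDN is not a well-formed DN")
    elif not any(attr.lower() == "dc" for attr, _ in base):
        findings.append("BaseDN for Active Directory should contain dc= components")
    ssl = bool(cfg.get("ssl"))
    if not ssl:
        findings.append("SSL is off: bind credentials would cross the network in cleartext")
    if port == "389" and ssl:
        findings.append("SSL is on but 389 is the plaintext LDAP port (LDAPS is usually 636)")
    return findings
```
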
Editing an Active Directory Identity Provider

For Active Directory Identity Providers you will see a gear icon at the bottom right of their card. Click on it and edit the details via the wizard dialogue provided.

Removing an Active Directory Identity Provider

Click on the garbage can icon of the provider card you wish to remove. After you confirm the prompt, the provider and all associated groups and users will be removed from the system.

Internal QTS User Directory Setup

Since the QTS User Directory is built into the product, no configuration is required before adding users.

Using QTS Identity Providers with the Client

Users can obtain a licence from QTS once they are given the appropriate privileges. Users from an Active Directory and users from the internal QTS directory both connect to the server at the same location. From a QVscribe client standpoint, the main difference in experience between these two types of users is that internal QTS users will be prompted with a dialogue to enter their credentials, whereas Active Directory users will have their credentials determined automatically. In both cases, the license request is tied to the particular system by a unique system identifier.