The AD Sync Tool connects to Apex Central over port 443. To avoid issues when using the AD Sync Tool, port 443 on the Apex Central server must be open for communication.

To synchronize the Active Directory information and authenticate the Active Directory accounts:

  1. Log on to the Apex One as a Service web console and navigate to Administration > Settings > Active Directory and Compliance Settings.

  2. Enable Active Directory synchronization.
    1. Download the Active Directory synchronization tool.

      Apex Central only receives data from one tool.

      • Apex Central and the Active Directory synchronization tool are paired.
      • Each download generates a unique tool, and Apex Central is paired with the newly downloaded one.
      • If you download the tool again, Apex Central removes its pairing with the previous tool.

      Once the Active Directory synchronization tool is downloaded, the MD5 hash value of the tool file is displayed.

    2. Save the Apex_Central_ADSyncAgent_*.zip and extract it.
    3. Execute the synchronization tool to synchronize with the Active Directory server:

      Ensure that .NET Framework 4.6.1 is installed on the Windows endpoint before executing the tool.
      1. Open a command prompt.
      2. Use the following command to change to the directory that contains the ADSyncAgentTool.exe file:

        cd <Apex_Central_ADSyncAgent_directory>

      3. Configure the Active Directory server settings by executing the following command:

        ADSyncAgentTool.exe -i

      4. (Optional) Configure the proxy server settings by executing the following command:

        ADSyncAgentTool.exe -p

      5. Synchronize the configured servers manually by executing the following command:

        ADSyncAgentTool.exe -s

        You may also use Windows Task Scheduler to synchronize configured servers using a scheduled task that has a time interval of at least two (2) hours between each task repetition. For more information, refer to the Microsoft documentation.

        When configuring the Windows scheduled task to run under a specific user, make sure that the user has already been granted the "Log on as a batch job" right.

      The console then shows the result, including the server and the last synchronized time.

    4. Import AD users and groups via the Administration > Account Management > User Accounts page.
  3. Enable Active Directory authentication.

    Authentication is done through an Active Directory Federation Services (ADFS) server. ADFS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.

    The requirements are:

    • The AD FS server version must be ADFS 2.0 or above. Apex Central integrates with AD FS through the SAML 2.0 protocol.
    • Apex Central must be configured as a relying party of the AD FS server. Refer to the Appendix section of the ADFS Deployment Guide below for the detailed steps.

    1. Get the ADFS Service Identifier:
      1. Open the ADFS management tool.
      2. Click Service in the left panel.
      3. Click Edit Federation Service Properties... on the right panel.

      A properties window opens and the Federation Service identifier is shown on the General tab.

    2. Export the ADFS Signing Certificate:
      1. Open the ADFS management tool.
      2. Click Certificates in the left panel.
      3. Right-click the Token-signing certificate entry in the main panel.
      4. Click View Certificate.

        A certificate window will pop up.

      5. Click the Details tab.
      6. Click Copy to File....
      7. Select the Base-64 encoded format.

      8. Save the certificate.
    3. Tick the "Enable Active Directory authentication" checkbox and configure the ADFS settings on the web console:

      Field name on web console    Value
      SSO service URL              ADFS login console URL
      Server identifier            ADFS Service Identifier from Step 3.a.iii
      Server certificate           ADFS signing certificate from Step 3.b.iv

    4. Save the settings.
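
The synchronization-tool steps in step 2 above, as an added PowerShell example that is not part of the Trend Micro article: it checks the downloaded archive against the MD5 hash shown in the console before extracting it, runs the tool, and registers the scheduled task with the required two-hour interval under an account that must hold the "Log on as a batch job" right. The paths, the expected hash value and the service account name are placeholders.

```powershell
# Added example, not from the Trend Micro article. Run on the Windows endpoint
# that will host the extracted tool. Everything marked PLACEHOLDER is an assumption.
$ZipPath      = 'C:\Temp\Apex_Central_ADSyncAgent_PLACEHOLDER.zip'
$ToolDir      = 'C:\ApexCentral\ADSyncAgent'
$ExpectedMd5  = 'PLACEHOLDER-MD5-SHOWN-IN-THE-APEX-CENTRAL-CONSOLE'
$RunAsAccount = 'CORP\svc-adsync'   # PLACEHOLDER: needs "Log on as a batch job"

# Steps 2.1/2.2: compare the download with the MD5 hash shown after download,
# so a corrupted or swapped archive is never extracted or executed.
$actualMd5 = (Get-FileHash -Path $ZipPath -Algorithm MD5).Hash
if ($actualMd5 -ne $ExpectedMd5) {      # -ne is case-insensitive in PowerShell
    throw "MD5 mismatch for ${ZipPath}: got $actualMd5, expected $ExpectedMd5"
}
Expand-Archive -Path $ZipPath -DestinationPath $ToolDir -Force

# Step 2.3: one-time interactive configuration, then a first manual sync.
Push-Location $ToolDir
& .\ADSyncAgentTool.exe -i          # Active Directory server settings
& .\ADSyncAgentTool.exe -p          # optional: proxy server settings
& .\ADSyncAgentTool.exe -s          # manual synchronization
Pop-Location

# Scheduled sync: the article requires at least two hours between repetitions.
$action  = New-ScheduledTaskAction -Execute (Join-Path $ToolDir 'ADSyncAgentTool.exe') `
               -Argument '-s' -WorkingDirectory $ToolDir
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
               -RepetitionInterval (New-TimeSpan -Hours 2) `
               -RepetitionDuration (New-TimeSpan -Days 3650)
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew `
               -ExecutionTimeLimit (New-TimeSpan -Hours 1)

# Registering with an explicit user and password stores a "run whether user is
# logged on or not" task; that is the mode that needs the batch-logon right.
$cred = Get-Credential -UserName $RunAsAccount -Message 'Password for the sync task account'
Register-ScheduledTask -TaskName 'ApexCentral-ADSync' -Action $action -Trigger $trigger `
    -Settings $settings -User $cred.UserName -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited

# Check which principals hold the batch-logon right (SeBatchLogonRight) on this host.
secedit /export /cfg "$env:TEMP\secpol.cfg" | Out-Null
$line = Select-String -Path "$env:TEMP\secpol.cfg" -Pattern '^SeBatchLogonRight' | Select-Object -First 1
"SeBatchLogonRight assignment: $($line.Line)"   # lists the SIDs granted the right
Remove-Item "$env:TEMP\secpol.cfg" -ErrorAction SilentlyContinue
```

The exported policy lists SIDs rather than names; the service account must appear there itself or through a group it belongs to, otherwise the scheduled task fails to start.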

To set up the Apex Central server as a relying party of the ADFS server:

  1. Go to the Relying Party Trusts folder and, in the right sidebar, click Add Relying Party Trust.... The Add Relying Party Trust Wizard window appears.

  2. Click Start.

  3. Choose "Enter data about the relying party manually" and click Next.

  4. Add the display name for this setting in the "Display name" field and the description for this setting in the Notes field, and then click Next.

  5. Choose "AD FS profile" and click Next.

  6. Click Next.

  7. Tick the checkbox for "Enable support for the SAML 2.0 WebSSO protocol" and add the https://<Apex Central's FQDN>/webapp/login.aspx in the "Relying party SAML 2.0 SSO service URL" field, then click Next.

  8. Add the https://<Apex Central's FQDN>/ in the "Relying party trust identifier" field and click Next.

  9. Choose "I do not want to configure multi-factor authentication settings for the relying party trust at this time" and click Next.

  10. Choose "Permit all users to access this relying party" and click Next.

  11. Click Next.

  12. Right-click the display name you entered for this setting and click Edit Claim Rules.... The Edit Claim Rules for <Display Name> window appears.

  13. Click Add Rule....

  14. Under "Claim rule template", choose "Pass Through or Filter an Incoming Claim" from the dropdown list and click Next.

  15. Add the claim rule display name in the "Claim rule name" field, choose "Windows account name" from the dropdown list for "Incoming claim type", choose "Pass through all claim values", and click Finish.

To set up the Apex Central server as a relying party of the ADFS server:

  1. Go to the Relying Party Trusts folder and, in the right sidebar, click Add Relying Party Trust.... The Add Relying Party Trust Wizard window appears.

    [Screenshot: setup ADFS]

  2. Select Claims aware, then click Start.

    [Screenshot: Claims Aware]

  3. Choose Enter data about the relying party manually, and click Next.

    [Screenshot: Select Data Source]

  4. Add the Display Name and Description for this setting, and then click Next.

    [Screenshot: Specify Display Name]

  5. Click Next.

    [Screenshot: Configure Certificate]

  6. Tick the Enable support for the SAML 2.0 WebSSO protocol option, add https://<Apex Central's FQDN>/webapp/login.aspx in the "Relying party SAML 2.0 SSO service URL" field, then click Next.

    [Screenshot: Configure URL]

  7. Add https://<Apex Central's FQDN>/ in the "Relying party trust identifier" field and click Next.

    [Screenshot: Configure Identifiers]

  8. Tick the I do not want to configure access control policies at this time option, then click Next.

    [Screenshot: Add Trust]

  9. Click Next.
  10. Right-click the Display Name created in Step 4, and click Edit Claim Issuance Policy....

    [Screenshot: Claim Issuance Policy]

  11. Click Add Rule...

    [Screenshot: Issuance Transform Rules]

  12. Under "Claim rule template", select Pass Through or Filter an Incoming Claim from the dropdown list, and click Next.

    [Screenshot: Rule Template]

  13. In the Add Transform Claim Rule Wizard screen, do the following:
    1. In the Claim rule name field, add the claim rule display name.
    2. In the "Incoming claim type" dropdown list, select Windows account name.
    3. Enable the Pass through all claim values option.
    4. Click Finish.

    [Screenshot: Configure Rule]
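
The ADFS-side work from step 3 of the first procedure (reading the Federation Service identifier and exporting the token-signing certificate) and from both relying-party procedures above, as an added PowerShell example run on the AD FS server; it is not part of the Trend Micro article. The Apex Central FQDN, the trust display name and the export path are assumptions; the claim-type URIs are the standard AD FS ones.

```powershell
# Added example, not from the Trend Micro article. Run in an elevated PowerShell
# session on the AD FS server. Values marked PLACEHOLDER are assumptions.
$ApexCentralFqdn = 'apexcentral.example.com'                 # PLACEHOLDER
$TrustName       = 'Trend Micro Apex Central'                # PLACEHOLDER
$CertExportPath  = 'C:\Temp\adfs-token-signing.cer'

# Step 3.a: the Federation Service identifier for the "Server identifier" field.
$serviceIdentifier = (Get-AdfsProperties).Identifier
"Server identifier: $serviceIdentifier"

# Step 3.b: export the primary token-signing certificate in Base-64 (PEM) form
# for the "Server certificate" field. Only the public certificate is exported.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$der     = $signing.Certificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem     = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($der, 'InsertLineBreaks') +
           "`n-----END CERTIFICATE-----"
Set-Content -Path $CertExportPath -Value $pem -Encoding Ascii
"Token-signing certificate thumbprint: $($signing.Thumbprint)"   # compare after upload

# Appendix: register Apex Central as a relying party. The identifier and the
# SAML assertion consumer URL are exactly the values the wizard steps ask for.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
           -Uri "https://$ApexCentralFqdn/webapp/login.aspx" -Index 0

# Issuance transform rule: pass through "Windows account name" unchanged.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@
# Authorization rule equivalent to "Permit all users to access this relying party".
$authRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

Add-AdfsRelyingPartyTrust -Name $TrustName `
    -Identifier "https://$ApexCentralFqdn/" `
    -SamlEndpoint $acs `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules

# Read back the trust to confirm the identifier and endpoint were stored as intended.
Get-AdfsRelyingPartyTrust -Name $TrustName |
    Select-Object Name, Identifier, @{ n = 'AcsUrl'; e = { $_.SamlEndpoints.Location } }
```

The trust identifier must match the value Apex Central sends as its SAML issuer (the https://<Apex Central's FQDN>/ form used in the wizard steps), including the trailing slash, or AD FS rejects the authentication request.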