To synchronize the Active Directory information and authenticate the Active Directory accounts:
- Log on to the Apex One as a Service web console and navigate to Administration > Settings > Active Directory and Compliance Settings.
- Enable Active Directory synchronization.
- Download the Active Directory synchronization tool.
Apex Central only receives data from one synchronization tool at a time:
- Apex Central and the Active Directory synchronization tool are paired.
- Each download generates a unique tool, and Apex Central is paired with the new one.
- If you download the tool again, Apex Central removes the pairing with the previous one.
Once the Active Directory synchronization tool is downloaded, the web console displays the MD5 hash value of the tool's file.
- Save the Apex_Central_ADSyncAgent_*.zip and extract it.
- Execute the synchronization tool to synchronize with the Active Directory server:
Ensure that .NET Framework 4.6.1 is installed on the Windows endpoint before executing the tool.
- Open a command prompt.
- Use the following command to change to the directory that contains the ADSyncAgentTool.exe file:
cd <Apex_Central_ADSyncAgent_directory>
- Configure the Active Directory server settings by executing the following command:
ADSyncAgentTool.exe -i
- (Optional) Configure the proxy server settings by executing the following command:
ADSyncAgentTool.exe -p
- Synchronize the configured servers manually by executing the following command:
ADSyncAgentTool.exe -s
You may also use Windows Task Scheduler to synchronize the configured servers with a scheduled task, with an interval of at least two (2) hours between each repetition. For more information, refer to the Microsoft documentation.
When configuring the scheduled task to run under a specific user, make sure that the user has already been assigned the "Log on as Batch Job" right.
After synchronization, the web console shows the result, including the server and the last synchronized time.
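The scheduled-task setup described above, as an added PowerShell example that is not part of the Trend Micro article: it verifies the saved zip against the MD5 value shown in the web console, checks that the task account holds the "Log on as a batch job" right, and registers a task that runs ADSyncAgentTool.exe -s every two hours. The extraction folder, zip path, service account and MD5 value are placeholders.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session on the
# Windows endpoint that hosts the synchronization tool.
$ToolDir    = 'C:\ApexCentral_ADSync'                    # placeholder: folder the zip was extracted to
$ZipPath    = 'C:\Downloads\Apex_Central_ADSyncAgent.zip' # placeholder: the saved Apex_Central_ADSyncAgent_*.zip
$ConsoleMd5 = '<MD5 shown in the web console>'           # placeholder: value displayed after download
$RunAs      = 'CORP\svc-adsync'                          # placeholder: dedicated, least-privilege task account
$TaskName   = 'Apex Central AD Sync'
$ToolPath   = Join-Path $ToolDir 'ADSyncAgentTool.exe'

if (-not (Test-Path $ToolPath)) { throw "ADSyncAgentTool.exe not found in $ToolDir" }

# 1. Integrity check: the zip's MD5 must match the value the console displayed.
$actualMd5 = (Get-FileHash -Path $ZipPath -Algorithm MD5).Hash
if ($actualMd5 -ne $ConsoleMd5.ToUpperInvariant()) {
    throw "MD5 mismatch: console=$ConsoleMd5 file=$actualMd5"
}

# 2. The task account needs SeBatchLogonRight ("Log on as a batch job"). secedit exports the
#    policy with SIDs, so resolve the account to its SID before comparing.
$sid = ([System.Security.Principal.NTAccount]$RunAs).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$rightLine = (Get-Content $cfg | Where-Object { $_ -like 'SeBatchLogonRight*' }) -join ''
Remove-Item $cfg -Force -ErrorAction SilentlyContinue
# Only a direct grant is detected here; a grant inherited through group membership is not resolved.
if ($rightLine -notlike "*$sid*") {
    throw "$RunAs has no direct 'Log on as a batch job' grant; assign it in Local Security Policy first"
}

# 3. Register the task: the article requires at least 2 hours between repetitions.
$cred     = Get-Credential -UserName $RunAs -Message 'Password for the sync task account'
$action   = New-ScheduledTaskAction -Execute $ToolPath -Argument '-s' -WorkingDirectory $ToolDir
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
                -RepetitionInterval (New-TimeSpan -Hours 2) -RepetitionDuration ([TimeSpan]::MaxValue)
# Do not start a new run while one is still in progress; cap a hung run at one hour.
$settings = New-ScheduledTaskSettingsSet -MultipleInstances IgnoreNew -ExecutionTimeLimit (New-TimeSpan -Hours 1)
Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited -Force | Out-Null
```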
- Import AD users or groups via the Administration > Account Management > User Accounts page.
- Enable Active Directory authentication.
Authentication is performed by an Active Directory Federation Services (ADFS) server. ADFS is a standards-based service that allows identity information to be shared securely between trusted business partners (known as a federation) across an extranet.
The requirements are:
- The AD FS server must be ADFS 2.0 or later. Apex Central integrates with AD FS through the SAML 2.0 protocol.
- Apex Central must be configured as a relying party of the AD FS server. Refer to the Appendix section of the Deployment Guide below for the detailed steps.
Please refer to the ADFS Deployment Guide for details.
- Get the ADFS Service Identifier:
- Open the ADFS management tool.
- Click Service in the left panel.
- Click Edit Federation Service Properties... in the right panel.
A properties window opens; the service identifier is shown on the General tab.
- Export the ADFS Signing Certificate:
- Tick the "Enable Active Directory authentication" checkbox and configure the ADFS settings on the web console:
Field name on web console | Attribute
SSO service URL | ADFS login console URL
Server identifier | ADFS Service Identifier from Step 3.a.iii
Server certificate | ADFS signing certificate from Step 3.b.iv
- Save the settings.
To set up the Apex Central server as a relying party of the ADFS server:
- Go to the Relying Party Trusts folder and on the right sidebar, click Add Relying Party Trust.... The Add Relying Party Trust Wizard window should appear.
- Click Start.
- Choose "Enter data about the relying party manually" and click Next.
- Add the display name for this setting in the "Display name" field and the description for this setting in the Notes field, and then click Next.
- Choose "AD FS profile" and click Next.
- Click Next.
- Tick the checkbox for "Enable support for the SAML 2.0 WebSSO protocol", enter https://<Apex Central's FQDN>/webapp/login.aspx in the "Relying party SAML 2.0 SSO service URL" field, then click Next.
- Enter https://<Apex Central's FQDN>/ in the "Relying party trust identifier" field and click Next.
- Choose "I do not want to configure multi-factor authentication settings for the relying party trust at this time" and click Next.
- Choose "Permit all users to access this relying party" and click Next.
- Click Next.
- Right-click your display name for this setting and click Edit Claim Rules.... The Edit Claim Rules for <Display Name> window should appear.
- Click Add Rule....
- Under "Claim rule template", choose "Pass Through or Filter an Incoming Claim" from the dropdown list and click Next.
- Add the claim rule display name in the "Claim rule name" field, choose "Windows account name" from the dropdown list for "Incoming claim type", choose "Pass through all claim values", and click Finish.
To set up the Apex Central server as a relying party of the ADFS server:
- Go to the Relying Party Trusts folder and, on the right sidebar, click Add Relying Party Trust.... The Add Relying Party Trust Wizard window should appear.
- Select Claims aware, then click Start.
- Choose Enter data about the relying party manually, and click Next.
- Add the Display Name and Description for this setting, and then click Next.
- Click Next.
- Tick the Enable support for the SAML 2.0 WebSSO protocol option, enter https://<FQDN of Apex Central>/webapp/login.aspx in the "Relying party SAML 2.0 SSO service URL" field, then click Next.
- Enter https://<Apex Central's FQDN>/ in the "Relying party trust identifier" field and click Next.
- Tick the I do not want to configure access control policies at this time option, then click Next.
- Click Next.
- Right-click the Display Name created from Step 4, and click Edit Issuance Policy.
- Click Add Rule...
- Under "Claim rule template", select Pass Through or Filter an Incoming Claim from the dropdown list, and click Next.
- In the Add Transform Claim Rule Wizard screen, do the following:
- In the Claim rule name field, add the claim rule display name.
- In the "Incoming claim type" dropdown list, select Windows account name.
- Enable the Pass through all claim values option.
- Click Finish.
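The ADFS-side steps above (reading the service identifier, exporting the signing certificate, and adding Apex Central as a relying party with the pass-through claim rule) as one added PowerShell example that is not code from Trend Micro or the article; it uses the ADFS module's cmdlets on the ADFS server instead of the management console. The Apex Central FQDN, certificate export path and trust name are placeholders, and the access control policy parameter assumes ADFS on Windows Server 2016 or later.

```powershell
# Added example (not from the article). Run in an elevated session on the ADFS server.
Import-Module ADFS
$ApexFqdn  = 'apexcentral.example.com'          # placeholder: Apex Central's FQDN
$CertOut   = 'C:\Temp\adfs-token-signing.cer'   # placeholder: where to write the certificate
$TrustName = 'Trend Micro Apex Central'         # placeholder: display name of the relying party trust

# Step 3.a: the value to enter as "Server identifier" on the Apex Central web console.
$ServiceId = (Get-AdfsProperties).Identifier
Write-Host "ADFS Service Identifier: $ServiceId"

# Step 3.b: export the public part of the primary token-signing certificate (DER format) for the
# "Server certificate" field. Apex Central uses it to verify SAML response signatures, so export
# the primary certificate, not the secondary one staged for rollover.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
[IO.File]::WriteAllBytes($CertOut, $signing.Certificate.Export('Cert'))
Write-Host "Token-signing certificate written to $CertOut (thumbprint $($signing.Thumbprint))"

# Relying party trust: the wizard's SAML 2.0 WebSSO service URL and trust identifier.
$acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Index 0 `
           -Uri "https://$ApexFqdn/webapp/login.aspx"

# Claim rule equivalent to "Pass Through or Filter an Incoming Claim" with incoming claim type
# "Windows account name" and "Pass through all claim values".
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(claim = c);
'@

# 'Permit everyone' is the built-in policy matching the older wizard's "Permit all users" choice.
# On ADFS before 2016, use -IssuanceAuthorizationRules with the AllowAllAuthzRule template instead.
Add-AdfsRelyingPartyTrust -Name $TrustName -Identifier "https://$ApexFqdn/" -SamlEndpoint $acs `
    -AccessControlPolicyName 'Permit everyone' -IssuanceTransformRules $transformRules `
    -Notes 'Apex Central SAML 2.0 relying party'
```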