Global LDAP setup

This page tells you how to configure the M-Pin SSO Server to use an LDAP directory in a Global User sense, i.e. on registration to ensure that the user attempting to register with the SSO server is authorized to do so. This is used, for example, to prevent users outside your organisation from registering with the SSO server and using up one of your licences (if you are an M-Pin SSO Enterprise customer).

LDAP can also be used to manage access per Service Provider on authentication to ensure that the user attempting to authenticate with a specific Service Provider is authorized to do so. This function may then be used to revoke a user's access to a particular service. Instructions for setting this up can be found in the Management of Services List section of the menu.

To configure global LDAP lookup on registration:

  1. Login to your M-Pin SSO Server
  2. Click "Administration"
  3. In the "Global Settings" panel, select "Server settings"
  4. Tick "User Global LDAP"

Global LDAP Settings

LDAP Username is the username of an account that has permission to read your LDAP directory. It must be given in DN format, e.g. cn=Administrator,cn=Users,dc=ldapserver,dc=local

LDAP Password is the password for the above account.

In the configuration shown above, LDAP DN points to the root group of your users. LDAP Group DN can optionally be used to restrict the lookup to a specific group within those users, e.g. cn=ssoregistration,cn=Users,dc=ldapserver,dc=local

The LDAP UserID field is the LDAP attribute used to validate the email address the user enters on registration; hence "mail" is used above.

When finished, click "Check Settings", followed by "Save".

Now, when a user attempts to register with your M-Pin SSO Server, their email address is first looked up in the configured LDAP directory; if it is not present, the user sees "Error: You are not authorized".
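The registration-time lookup described above, as an added example that is not M-Pin's own code: a constructed in-memory directory stands in for the LDAP server, the DNs reuse the page's example values, and the accounts, their mail addresses and the escaping of the entered address before it is placed in the search filter are assumptions.

```python
import re

# RFC 4515 escaping for values placed into a search filter (assumed here);
# without it an entered address such as "*" would turn the equality test
# into a wildcard match instead of a literal comparison.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(userid_attr, email):
    """Equality filter on the configured LDAP UserID attribute (e.g. mail)."""
    return "(%s=%s)" % (userid_attr, escape_filter_value(email))


# Constructed stand-in for the directory: DN -> attributes. The DNs are the
# page's example values; the accounts and addresses are made up.
BASE_DN = "cn=Users,dc=ldapserver,dc=local"
GROUP_DN = "cn=ssoregistration,cn=Users,dc=ldapserver,dc=local"
DIRECTORY = {
    "cn=alice," + BASE_DN: {"mail": ["alice@ldapserver.local"]},
    "cn=bob," + BASE_DN: {"mail": ["bob@ldapserver.local"]},
    GROUP_DN: {"member": ["cn=alice," + BASE_DN]},
}


def _search(base_dn, ldap_filter):
    """Server-side evaluation of one (attr=value) filter: an unescaped '*' is
    a wildcard, '\\xx' escapes are literal characters, and matching ignores
    case (as the mail attribute's caseIgnoreIA5Match rule does).
    Returns the DNs of matching entries below base_dn."""
    attr, pattern = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter).groups()
    regex = ""
    for m in re.finditer(r"\\([0-9a-fA-F]{2})|(\*)|([^\\*]+)", pattern):
        esc, star, lit = m.groups()
        regex += re.escape(chr(int(esc, 16))) if esc else ".*" if star else re.escape(lit)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith("," + base_dn)
            and any(re.fullmatch(regex, v, re.IGNORECASE) for v in attrs.get(attr, []))]


def is_authorized(email, base_dn=BASE_DN, group_dn="", userid_attr="mail"):
    """Registration check: the address must resolve to exactly one entry under
    LDAP DN and, when LDAP Group DN is set, that entry must be a group member."""
    hits = _search(base_dn, build_filter(userid_attr, email))
    if len(hits) != 1:
        return False
    return not group_dn or hits[0] in DIRECTORY.get(group_dn, {}).get("member", [])
```

With LDAP Group DN unset every address found under LDAP DN may register; with it set, an address that exists but is outside the group is rejected just like one that is absent.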