Stormpath Active Directory Integration

Stormpath can now connect your applications to an unlimited number of new and existing Active Directory servers. The integration uses a lightweight, configurable agent to securely mirror AD Accounts and Groups to a Stormpath Directory – making it an ideal solution for plugging into your directory services from the cloud.

The one-way sync reduces IT risk and allows users to connect to multiple applications with the same login. With Stormpath, there’s no need to brush up on LDAP or Kerberos because there’s no custom integration to code.

How It Works

If you have ever had to get your web app to talk to an on-premise AD server, we feel your pain. From maintenance to deletions to security, it’s a complex undertaking. But now, Stormpath makes it easy!

Once installed, a Stormpath agent initiates an outbound-only sync from Active Directory to a mirrored Directory in Stormpath. You will never need to open any ports or configure your firewall for the integration to work properly. The agent currently relays two types of messages to Stormpath:

  1. Messages that require a response, such as configuration updates and lists of object IDs.
  2. Messages that can be processed asynchronously. These include Account and Group info, task statuses, and timestamps.

Active Directory (unlike LDAP) doesn’t allow Stormpath to store hashed user credentials. Instead, when Stormpath receives a login attempt for an account originating in AD, we initiate a message to the agent to perform Delegated Authentication on the Active Directory object.

Differential Update

Updates are performed at regular intervals and only on Accounts and Groups that have been modified. This approach benefits performance – bulk syncs can bring an AD server to its knees.

Working With User Data

From an application’s point of view, working with Accounts and Groups in a mirrored Directory is the same as working with any other Stormpath objects. The sync agent independently manages the integration with the AD server it’s installed on.

Synchronization is strictly one-way; there are no ports to open or configurations to be made on the Directory Server.

Installing the Agent

Here’s how to get started:

  1. Create a new Mirrored Directory in the Stormpath Admin Console.
  2. Configure the agent for a given AD/LDAP installation.
  3. Download, unzip, and install the agent behind your corporate firewall.
  4. Update the file with your Stormpath API Key/Secret.
  5. Run the provided startup script. On startup, the agent will begin a bulk sync. From then on, the agent will conduct a differential poll at a configurable interval (default: 60 min) to update Stormpath with changes made on the Directory Server.
  6. Leave the agent alone! It’s designed to work without intervention.

Active Directory and LDAP agents are available now to Stormpath users on Premium or Enterprise plans. We understand if you need access to these features in order to evaluate Stormpath – just let us know and we’ll be happy to set you up on a trial.

Contact Us

Our team is ready and waiting for questions and feedback: [email protected]