Managing LDAP Connections

As an organization owner, you must configure LDAP to enable your TIBCO Cloud users to sign in to TIBCO Cloud by using their federated credentials instead of TIBCO Account credentials.

After you have configured and enabled the LDAP connection for a domain such as example.com, all the users who have email addresses registered with example.com can sign in to TIBCO Cloud by using their federated credentials as well.

Note: After you configure LDAP, all the users of your email domain are affected.

Federated Authentication Configuration

It is possible to register more than one LDAP for a particular email domain as long as the Base DNs are unique. If more than one LDAP is configured, the users' credentials are tried against each configuration in order; authentication continues until one configuration succeeds or all of them are exhausted.
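The ordered-attempt behaviour described above, as an added illustration that is not TIBCO Cloud code: several configurations for one email domain with distinct Base DNs, tried in order until one bind succeeds, with a uniqueness check on the Base DNs. The `LdapConfig` field names, the `bind` callable and the sample directories are constructed assumptions standing in for real LDAP binds.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass
class LdapConfig:
    domain: str      # email domain the configuration serves, e.g. example.com
    server_url: str  # ldaps://host:port (field names are assumed)
    base_dn: str     # must be unique among configurations for the same domain
    enabled: bool = True

def duplicate_base_dns(configs: List[LdapConfig]) -> List[str]:
    """Return Base DNs that appear more than once within one email domain."""
    seen, dupes = set(), []
    for c in configs:
        key = (c.domain.lower(), c.base_dn.lower())
        if key in seen and c.base_dn not in dupes:
            dupes.append(c.base_dn)
        seen.add(key)
    return dupes

def federated_login(email: str, password: str, configs: List[LdapConfig],
                    bind: Callable[[LdapConfig, str, str], bool]) -> Optional[LdapConfig]:
    """Try each enabled configuration for the user's email domain, in order.
    Returns the configuration whose bind accepted the credentials, or None
    once every configuration has been exhausted."""
    dupes = duplicate_base_dns(configs)
    if dupes:
        raise ValueError(f"Base DNs must be unique per domain: {dupes}")
    domain = email.rsplit("@", 1)[-1].lower()
    for cfg in configs:
        if not cfg.enabled or cfg.domain.lower() != domain:
            continue
        if bind(cfg, email, password):
            return cfg  # first success wins; later configurations are not tried
    return None

# Constructed stand-in for an LDAP simple bind: each Base DN "knows" a few users.
_FAKE_DIRECTORIES = {
    "ou=eng,dc=example,dc=com": {"alice@example.com": "s3cret"},
    "ou=sales,dc=example,dc=com": {"bob@example.com": "hunter2"},
}

def fake_bind(cfg: LdapConfig, email: str, password: str) -> bool:
    return _FAKE_DIRECTORIES.get(cfg.base_dn, {}).get(email) == password

# Two configurations registered for example.com with distinct Base DNs.
EXAMPLE_CONFIGS = [
    LdapConfig("example.com", "ldaps://ldap1.example.com:636", "ou=eng,dc=example,dc=com"),
    LdapConfig("example.com", "ldaps://ldap2.example.com:636", "ou=sales,dc=example,dc=com"),
]
```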

A successful test must be performed before any LDAP configuration can be saved.

To configure LDAP connections, you must first request permission to configure LDAP by contacting the TIBCO Support team.

When an LDAP connection is configured and enabled for a domain such as example.com, all its registered users can sign in to TIBCO Cloud by providing their email ID and LDAP password and clicking the FEDERATED LOGIN button. Organization owners can still sign in using the password set up with TIBCO Account by clicking the TIBCO LOGIN button.

Prerequisites

The following prerequisites apply:

  1. You must have a publicly accessible LDAP server. The server can use the ldaps scheme (LDAP over TLS/SSL) with a certificate that is publicly verifiable, that is, issued by a publicly trusted certificate authority. Self-signed certificates are not supported.

  2. You must be an organization owner to configure LDAP.

  3. You must provide the credentials of an administrative user or service account with read-only access.

  4. TIBCO calls your server from a fixed set of IP addresses. For your security, TIBCO recommends that you whitelist these IP addresses in your firewall. The IP addresses are communicated to you in the confirmation email that is sent after your request to enable LDAP has been approved.

Requesting Permission to Enable LDAP

To request permission to enable LDAP:

    Procedure
  1. On the Settings tab, in the Enterprise SSO section, click Request LDAP next to Use LDAP.

  2. In the Request permission to enable LDAP dialog, enter all the necessary information, and then click Send.

    You can cancel your request before it is approved. In the Enterprise SSO section, click the Update button next to Use LDAP.

    A request email is sent to the TIBCO Support team and an email notification is sent to you. When the permission is granted, another email notification is sent to you.

Note: After you enable LDAP, no new users are created in TIBCO Accounts; users are expected to be authenticated by their IdP. You can switch between using TIBCO Account and LDAP, but notify your users when you do.

Configuring LDAP

To configure LDAP:

    Procedure
  1. On the Settings tab, in the Enterprise SSO section, click Update configuration next to Use LDAP.

  2. In the Configure LDAP for domain window, fill in all the required information.

  3. To test the connection, click Test connection.

    If the test fails, you can see the details of the error. Correct the error and test the connection again until the test is successful.

    If the test is successful, the Base DN and the Server URL are displayed in the Configure LDAP for domain window.

  4. Click Save.

    Note: You cannot save a connection until it is successfully tested.

Adding a New Connection

To add a new connection:

    Procedure
  1. On the Settings tab, in the Enterprise SSO section, click Update configuration next to Use LDAP, and then click Edit or add new.

  2. In the Configure LDAP for domain window, click the New connection link.

  3. In the Configure LDAP for domain window, fill in all the required information, and then click Save.

  4. You can create as many connections as you need; repeat steps 1-3 for each additional connection.

    The number of active connections is displayed on the Settings tab in the Enterprise SSO section.

Modifying an LDAP Connection

To modify a connection:

    Procedure
  1. On the Settings tab, in the Enterprise SSO section, click Update configuration next to Use LDAP, and then click Edit or add new.

  2. In the Configure LDAP for domain window, click the Edit LDAP connection edit icon, and then make the required changes.

  3. Click Test connection and correct errors, if any, before clicking Save.

Disabling an LDAP Connection

If you want your users to sign in to TIBCO Cloud with their TIBCO Account credentials instead of their federated credentials, you can disable the LDAP connection that you have configured. If you make this switch, any LDAP users who do not have passwords with TIBCO Accounts must be provisioned manually by TIBCO. Contact TIBCO Support to initiate such a request.

    Procedure
  1. On the Settings tab, in the Enterprise SSO section, click Update next to Use LDAP, and then click Edit or add new.

  2. In the Configure LDAP window, click the delete icon for the connection you want to disable.

    The LDAP connection is no longer displayed in the Configure LDAP for domain window.

  3. Click Save.

You can disable all the LDAP connections that you have configured.