SSO and LDAP Integration
Overview
GuardAxion supports Single Sign-On (SSO) integration with major identity providers and LDAP/Active Directory for centralized authentication.
Supported SSO Providers
- Microsoft Entra ID (Azure AD)
- Okta
- Google Workspace
- Keycloak
- PingIdentity
- OneLogin
- Generic SAML 2.0
Configuring SSO
Step 1: Access SSO Settings
- Navigate to System > SSO Configuration
- Click Enable SSO
Step 2: Choose Provider
Select your identity provider from the list
Step 3: Configure Provider Settings
For Microsoft Entra ID:
- Tenant ID: Your Azure AD tenant ID
- Client ID: Application (client) ID
- Client Secret: Application secret value
- Redirect URI: Copy from GuardAxion settings
For Okta:
- Domain: Your Okta domain
- Client ID: OAuth client ID
- Client Secret: OAuth client secret
- Authorization Server: Default or custom
For SAML Providers:
- Entity ID: IdP identifier
- SSO URL: SAML login endpoint
- Certificate: the IdP's X.509 signing certificate, used to verify the signature on SAML assertions
- Attribute Mapping: Map SAML attributes to GuardAxion fields
Step 4: Configure User Provisioning
- Auto-create users: Create accounts on first login
- Update user info: Sync email, name, etc.
- Default role: Assign to new users
- Default group: Group membership
Step 5: Test SSO
- Click Test SSO Connection
- Log in with test account
- Verify user creation
- Check attribute mapping
LDAP/Active Directory Integration
Configuring LDAP
- System > SSO Configuration
- Select LDAP provider
- Enter LDAP settings:
- Server: ldap://domain.com:389 (plain LDAP sends the bind password unencrypted; use ldaps:// as described under SSL/TLS Configuration)
- Base DN: dc=example,dc=com
- Bind DN: DN of a dedicated read-only service account
- Bind Password: Service account password
- User Filter: (sAMAccountName={username}); {username} is replaced with the login name the user enters
SSL/TLS Configuration
For secure LDAP:
- Use ldaps:// protocol
- Port 636 for LDAPS
- Upload CA certificate (the CA that issued the LDAP server's certificate)
- Enable certificate verification; do not turn it off to get past a connection error, since an unverified connection lets anyone in the network path capture the bind password
User Attribute Mapping
Map LDAP attributes to GuardAxion fields:
- Username: sAMAccountName
- Email: mail
- Display Name: displayName
- Groups: memberOf
Group Synchronization
- Enable group sync: Import AD groups
- Group DN: OU=Groups,dc=example,dc=com
- Group filter: (objectClass=group)
- Member attribute: member
- Sync interval: Every 1 hour
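The LDAP settings, attribute mapping and group sync above fit together as one lookup pipeline. The block below is an added example (not GuardAxion's own code) that models that pipeline stand-alone: it substitutes the typed login name into the User Filter with RFC 4515 escaping, maps a returned user entry to the fields listed under User Attribute Mapping, and resolves group membership both from the user's memberOf and from each group's member attribute. The directory entries are constructed sample data, and DN values are assumed to be normalized (no spaces after commas).

```python
"""LDAP user filter, attribute mapping and group sync, modelled offline.
Example code added for illustration; directory data below is constructed."""
import re

# Settings as they appear on the configuration page (values are placeholders).
USER_FILTER = "(sAMAccountName={username})"
GROUP_BASE_DN = "OU=Groups,DC=example,DC=com"
ATTRIBUTE_MAP = {"username": "sAMAccountName", "email": "mail",
                 "display_name": "displayName", "groups": "memberOf"}

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username: str, template: str = USER_FILTER) -> str:
    """Substitute {username} safely. Unescaped, a login name of "*" would become
    (sAMAccountName=*) and match every account in the base DN."""
    return template.replace("{username}", escape_filter_value(username))


def _split_dn(dn: str) -> list:
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def group_cn(dn: str) -> str:
    """Value of the first RDN, with backslash-character escapes (e.g. '\\,') removed."""
    rdn_value = _split_dn(dn)[0].split("=", 1)[1]
    return re.sub(r"\\(.)", r"\1", rdn_value)


def dn_under_base(dn: str, base_dn: str) -> bool:
    """True if dn sits directly in or anywhere below base_dn (case-insensitive, as AD treats DNs)."""
    parent = ",".join(_split_dn(dn)[1:]).lower()
    return parent == base_dn.lower() or parent.endswith("," + base_dn.lower())


def map_entry(entry: dict, attr_map: dict = ATTRIBUTE_MAP, group_base_dn: str = GROUP_BASE_DN) -> dict:
    """Map a user entry (attribute -> list of values, as LDAP returns them) to application
    fields. Only memberOf DNs under the configured Group DN are imported, so groups such as
    Domain Users that live elsewhere are ignored."""
    user = {}
    for field, attr in attr_map.items():
        values = entry.get(attr, [])
        if field == "groups":
            user[field] = sorted(group_cn(dn) for dn in values if dn_under_base(dn, group_base_dn))
        else:
            user[field] = values[0] if values else None
    return user


def sync_groups(group_entries: list, user_entries: list, member_attr: str = "member") -> dict:
    """Group sync direction: read each group's member attribute and resolve member DNs to
    usernames. DNs that are not known users (nested groups, computers, contacts) are skipped."""
    users_by_dn = {e["dn"].lower(): e for e in user_entries}
    synced = {}
    for group in group_entries:
        names = [users_by_dn[dn.lower()]["sAMAccountName"][0]
                 for dn in group.get(member_attr, []) if dn.lower() in users_by_dn]
        synced[group_cn(group["dn"])] = sorted(names)
    return synced


# Constructed sample directory data (not from a real domain).
JANE = {"dn": "CN=Jane Doe,OU=Staff,DC=example,DC=com", "sAMAccountName": ["jdoe"],
        "mail": ["jdoe@example.com"], "displayName": ["Jane Doe"],
        "memberOf": ["CN=GuardAxion Admins,OU=Groups,DC=example,DC=com",
                     "CN=Domain Users,CN=Users,DC=example,DC=com",
                     "CN=Smith\\, John Team,OU=Groups,DC=example,DC=com"]}
BOB = {"dn": "CN=Bob Roe,OU=Staff,DC=example,DC=com", "sAMAccountName": ["broe"],
       "mail": ["broe@example.com"], "displayName": ["Bob Roe"],
       "memberOf": ["CN=GuardAxion Analysts,OU=Groups,DC=example,DC=com"]}
GROUPS = [
    {"dn": "CN=GuardAxion Admins,OU=Groups,DC=example,DC=com",
     "member": [JANE["dn"], "CN=Nested Group,OU=Groups,DC=example,DC=com"]},
    {"dn": "CN=GuardAxion Analysts,OU=Groups,DC=example,DC=com", "member": [BOB["dn"]]},
    {"dn": "CN=Smith\\, John Team,OU=Groups,DC=example,DC=com", "member": [JANE["dn"]]},
]

if __name__ == "__main__":
    print(build_user_filter("*"))   # (sAMAccountName=\2a): a literal asterisk, not a wildcard
    print(map_entry(JANE))
    print(sync_groups(GROUPS, [JANE, BOB]))
```

The escaping step is the one to check in any integration: if the product sends `{username}` through unescaped, a login name like `*` or `x)(objectClass=*` reaches the directory as filter syntax rather than as data.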
Azure AD Setup Guide
Register Application in Azure
- Azure Portal > Microsoft Entra ID (formerly Azure Active Directory)
- App registrations > New registration
- Configure:
- Name: GuardAxion SSO
- Redirect URI: [From GuardAxion]
- Supported accounts: Single tenant (accounts in this organizational directory only)
Configure API Permissions
- API permissions > Add permission
- Microsoft Graph > Delegated permissions:
- User.Read
- User.ReadBasic.All
- Directory.Read.All (requires tenant admin consent; it allows reading all directory objects, so grant it only if the integration actually needs it)
Create Client Secret
- Certificates & secrets > New client secret
- Set an expiry and record the date; the secret must be rotated before it expires
- Copy secret value (shown once)
- Enter in GuardAxion settings
User Experience
SSO Login Flow
- User visits GuardAxion login page
- Clicks "Sign in with [Provider]"
- Redirects to identity provider
- Authenticates with corporate credentials
- Redirects back to GuardAxion
- Automatically logged in
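The flow above is the OAuth 2.0 / OIDC authorization-code flow. The block below is an added example (not GuardAxion's implementation) that models the two ends of it that the application controls: building the redirect to the identity provider and validating the callback. It uses Microsoft Entra ID endpoints as the provider; the tenant ID, client ID and redirect URI are placeholders, and no network calls are made. It also shows the exact-match check the IdP applies to the redirect URI, which is why a trailing slash or http/https mismatch fails the login.

```python
"""OIDC authorization-code login flow with state, nonce and PKCE, modelled offline.
Example code added for illustration; identifiers below are placeholders."""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

TENANT_ID = "00000000-0000-0000-0000-000000000000"            # placeholder
CLIENT_ID = "11111111-1111-1111-1111-111111111111"            # placeholder
REDIRECT_URI = "https://guardaxion.example.com/sso/callback"  # placeholder
AUTHORIZE_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/authorize"


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def pkce_challenge(code_verifier: str) -> str:
    """S256 challenge; the IdP checks sha256(code_verifier) against it at token exchange."""
    return b64url_nopad(hashlib.sha256(code_verifier.encode()).digest())


def start_login() -> tuple:
    """Steps 2-3: the user clicked 'Sign in with Microsoft'; build the redirect to the IdP.
    state ties the callback to this browser session (CSRF), nonce ties the ID token to it
    (replay), and the PKCE verifier ties the authorization code to this client."""
    session = {
        "state": secrets.token_urlsafe(32),
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": b64url_nopad(secrets.token_bytes(32)),  # 43 chars, within RFC 7636 bounds
    }
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email User.Read",
        "state": session["state"],
        "nonce": session["nonce"],
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), session


def idp_accepts_redirect(requested: str, registered: set) -> bool:
    """What the IdP does with redirect_uri at step 3: an exact string comparison against
    the app registration. A trailing slash, another port or http vs https is a mismatch."""
    return requested in registered


def handle_callback(session: dict, callback_url: str) -> dict:
    """Step 5: the IdP redirected back with ?code=...&state=... Reject unless state matches
    the session, then build the token request (the client secret is added server-side).
    The ID token returned by that request must still have its signature and nonce verified."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise PermissionError(f"IdP returned error: {query['error'][0]}")
    received_state = query.get("state", [""])[0]
    if not secrets.compare_digest(received_state, session["state"]):
        raise PermissionError("state mismatch: stale session or cross-site request")
    return {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "code": query["code"][0],
        "redirect_uri": REDIRECT_URI,  # must equal the value sent in start_login()
        "code_verifier": session["code_verifier"],
    }


if __name__ == "__main__":
    url, sess = start_login()
    print(url)
    print(handle_callback(sess, f"{REDIRECT_URI}?code=AUTHCODE&state={sess['state']}"))
```

The session dict stands in for whatever server-side session store the application uses; the important property is that state, nonce and code_verifier never leave the server except as the single-use values embedded in the redirect.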
Fallback Authentication
Even with SSO enabled:
- Local admin account remains active
- Emergency access capability if the IdP is unavailable or misconfigured
- Useful for SSO troubleshooting
- Because it does not pass through the IdP, it is not covered by the IdP's MFA and policies: protect it with a strong, unique password and restrict its use to emergencies
Best Practices
- Test with limited users first
- Keep local admin account
- Enable MFA at IdP level
- Renew SAML signing certificates and client secrets before they expire
- Monitor failed auth attempts
- Document configuration
- Backup IdP settings
- Use a dedicated read-only service account for the LDAP bind
Troubleshooting
SSO Login Fails
- Verify redirect URI matches exactly (scheme, host, port, path and trailing slash)
- Check client secret hasn't expired
- Confirm user has access to app (user or group assignment on the IdP side)
- Review the IdP's sign-in logs (Entra ID sign-in logs, Okta System Log)
LDAP Connection Issues
- Test connectivity to LDAP server
- Verify bind credentials
- Check firewall rules
- Confirm base DN is correct
User Not Created
- Enable auto-provisioning
- Check default role assignment
- Verify attribute mapping
- Review application logs
Group Sync Not Working
- Confirm group DN is correct
- Check sync interval setting
- Verify service account permissions
- Review LDAP filter syntax