
Active Roles 7.4.1 - Administration Guide


Azure Object Management in Federated and Synchronized Identity environments

Synchronization methods apply only to Synchronized and Federated environments, where Azure AD Connect (AAD Connect) performs the synchronization. A non-federated Azure environment does not require synchronization: Azure and Office 365 objects are managed through direct GRAPH API calls.

The following table lists the operations that can be performed on Azure objects in Federated and Synchronized Identity environments, and the method used for each operation.

Table 117: Supported Azure configurations comparison chart

| Object | Operation | Commands | Tabs | Federated/Synchronized: Method |
|---|---|---|---|---|
| User | Create | | | Created by GRAPH API |
| User | Read | | | Using GRAPH API and Exchange Online cmdlets |
| User | Update | Azure properties | Identity | Synced using AAD Connect |
| User | Update | Azure properties | Settings | Using GRAPH API |
| User | Update | Azure properties | Job Info | Synced using AAD Connect |
| User | Update | Azure properties | Contact Info | Synced using AAD Connect |
| User | Update | Azure properties | Licenses | Using GRAPH API |
| User | Update | Azure properties | Office 365 Admin Roles | Using GRAPH API |
| User | Update | Azure properties | OneDrive | Created by OneDrive Policy using PowerShell commands |
| User | Update | Exchange Online properties | Mail flow Settings | Using Exchange Online cmdlets |
| User | Update | Exchange Online properties | Delegation | Using Exchange Online cmdlets |
| User | Update | Exchange Online properties | Email Address | Synced using AAD Connect |
| User | Update | Exchange Online properties | Mailbox Features | Using Exchange Online cmdlets |
| User | Update | Exchange Online properties | Mailbox Settings | Using Exchange Online cmdlets |
| User | Delete | | | Using GRAPH API |
| Security Group | Create | | | Created in Azure, Back Synced to Active Roles, Synced using AAD Connect |
| Security Group | Read | | | Using GRAPH API |
| Security Group | Update | | | Synced using AAD Connect |
| Security Group | Delete | | | Using GRAPH API |
| Mail Enabled Security Group | Create | | | Created in Azure, Back Synced to Active Roles, Synced using AAD Connect |
| Mail Enabled Security Group | Read | | | Using GRAPH API |
| Mail Enabled Security Group | Update | | | Synced using AAD Connect |
| Mail Enabled Security Group | Delete | | | Using GRAPH API |
| Distribution Group | Create | | | Created in Azure, Back Synced to Active Roles, Synced using AAD Connect |
| Distribution Group | Read | | | Using GRAPH API |
| Distribution Group | Update | | | Synced using AAD Connect |
| Distribution Group | Delete | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Create | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Read | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Update | | | Using GRAPH API |
| Native Office 365 Group (Cloud-only*) | Delete | | | Using GRAPH API |
| Contacts | Create | | | Synced using AAD Connect |
| Contacts | Read | | | Using GRAPH API |
| Contacts | Update | | | Synced using AAD Connect |
| Contacts | Delete | | | Using GRAPH API |

NOTE:

  • *Active Roles provides cloud-only support only for Native Office 365 Group management.
  • Synced using AAD Connect in the table means that the object operation is first performed on the on-premises object. After a Microsoft Azure AD Connect synchronization cycle, the object is updated in Azure AD or Office 365.
  • For more information on how to perform a Back Sync operation, refer to Active Roles Configuration to synchronize existing Azure AD objects to Active Roles in the Active Roles Administration Guide.

Appendix E: Enabling delegation for Federated Authentication

To enable delegation for Federated Authentication, follow the steps provided here.

Configuring Internet Explorer settings

  1. Navigate to Internet options | Security | Local Intranet and click Custom Level.

  2. In the User Authentication section, choose the Automatic logon with current user name and password option.

  3. Navigate to Internet options | Security | Local Intranet | Sites | Advanced and add the domain as a trusted site.

  4. Add the domain and the web server machine name, for example https://*.mydomain.com and https://webservermachinename.

Configuring Distributed COM and IIS_IUSRS group membership

  1. In Active Directory Users and Computers, add the Active Roles service account to the Distributed COM Users group if it is not already a member.

  2. If the server hosting the Active Roles Web Interface is a member server (not a domain controller), navigate to Computer Management | System Tools | Local Users and Groups.

  3. Add the Active Roles service account to both the Distributed COM Users and IIS_IUSRS groups.

Creating ServicePrincipalName entries for the Active Roles service account

Run the following commands, replacing the server names, domain and AppPoolAccount with your own values:

  • setspn -U -S HTTP/webserver.domain.com domain\AppPoolAccount
  • setspn -U -S HTTP/webserver domain\AppPoolAccount
  • setspn -U -S ArAdminSvc/serviceserver.domain.com domain\AppPoolAccount
  • setspn -U -S ArAdminSvc/serviceserver domain\AppPoolAccount

Open the Active Directory Users and Computers snap-in (or type dsa.msc in Run) and configure delegation for the service account:

  1. Open the properties of the user for which the ServicePrincipalName entries were set.

  2. Click the Delegation tab.

  3. Select the Trust this user for delegation to specified services only option.

  4. Select the Use any authentication protocol option.

  5. Click Add and provide the user account for which the ServicePrincipalName entries were added.

  6. Select the SPNs that were added and click OK.

  7. Click OK and close the window.

Local security policy

Open Local Security Policy | Local Policies | User Rights Assignment and add the above user to the Act as part of the operating system policy.
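The steps above leave the service account with registered SPNs, constrained delegation to those SPNs with protocol transition, and DCOM group membership. The following PowerShell check is an added example, not part of the Active Roles guide; it assumes the ActiveDirectory module is installed and uses the placeholder names from the setspn commands (AppPoolAccount, webserver.domain.com, serviceserver.domain.com), which you replace with your own.

```powershell
# Added verification script, not part of the Active Roles guide.
# Assumes the ActiveDirectory module; placeholder names come from the setspn commands above.
Import-Module ActiveDirectory

$account   = 'AppPoolAccount'           # Active Roles service / app pool account (placeholder)
$webServer = 'webserver.domain.com'     # Web Interface host (placeholder)
$svcServer = 'serviceserver.domain.com' # Administration Service host (placeholder)

# The four SPNs registered with setspn; the delegation list should contain exactly these.
$expectedSpns = @(
    "HTTP/$webServer",       "HTTP/$($webServer.Split('.')[0])",
    "ArAdminSvc/$svcServer", "ArAdminSvc/$($svcServer.Split('.')[0])"
)

$u = Get-ADUser -Identity $account -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', userAccountControl, memberOf
$problems = @()

# 1. Each SPN is registered on the account and on no other object (duplicate SPNs break Kerberos).
foreach ($spn in $expectedSpns) {
    if ($u.servicePrincipalName -notcontains $spn) { $problems += "SPN not registered: $spn" }
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -gt 1) { $problems += "SPN $spn is duplicated on: $($owners.Name -join ', ')" }
}

# 2. 'Use any authentication protocol' sets TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000).
#    It must be paired with an explicit target list, never with unconstrained
#    delegation (TRUSTED_FOR_DELEGATION, 0x80000), which would let the account
#    impersonate users to any service.
$uac = [int]$u.userAccountControl
if (-not ($uac -band 0x1000000)) { $problems += 'Protocol transition (Use any authentication protocol) is not enabled' }
if ($uac -band 0x80000)          { $problems += 'Account is trusted for UNCONSTRAINED delegation' }

$targets = @($u.'msDS-AllowedToDelegateTo')
foreach ($spn in $expectedSpns) {
    if ($targets -notcontains $spn) { $problems += "Delegation target missing: $spn" }
}
$extra = $targets | Where-Object { $expectedSpns -notcontains $_ }
if ($extra) { $problems += "Delegation targets beyond the guide's list: $($extra -join ', ')" }

# 3. Domain-level Distributed COM Users membership (the local groups on a member
#    server and the 'Act as part of the operating system' right are not checked here).
$dcom = Get-ADGroup -Identity 'Distributed COM Users'
if ($u.memberOf -notcontains $dcom.DistinguishedName) { $problems += 'Account is not in Distributed COM Users' }

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Service account SPNs, constrained delegation and DCOM membership match the guide.' }
```

Run it from a domain-joined machine as a user with read access to the service account; every warning points at one of the steps above that did not take effect.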

Installing Redistributable STS

To install the Redistributable STS (RSTS) application, follow the steps provided here.

Installing Redistributable STS (RSTS)

  1. Open a command prompt with Administrator privileges.

  2. At the command prompt, change to the location of the Redistributable STS (RSTS). By default, RSTS is available in C:\Program Files\One Identity\Active Roles\7.4\Web\RSTS.

  3. Type RSTS /install to install the RSTS application.

  4. After the RSTS application is installed, open the RStsApiAdmin application from C:\Program Files\One Identity\Active Roles\7.4\Web\RSTS\ApiAdminApplication.

  5. In Connection Settings, enter localhost in the Server field and click Login.

    After the connection succeeds, the STS Server section in the General settings tab is populated with information.

    In the Directory Service Providers tab, the fields are populated with the Active Directory information.

  6. Click the Claim Definitions tab and right-click to add a new attribute claim (UPN) as follows:

    • Claim ID: Preferred name
    • Claim Type: Browse http://localhost/rsts/wsfedmetadata and pick the URI of the IUser.AccountName attribute. For example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn.
    • Attribute ID: userPrincipalName

  7. Click Save.

    In the Configuration Center, when configuring the RSTS provider, you have to provide the Claim Type specified above.

  8. In the list of services, check that the RedistributableSecureTokenServer service is running.

Examples for configuring identity providers

Here is an example of configuring the identity providers when using the Federated Authentication feature.

Azure

  • Metadata url: https://login.microsoftonline.com/<AzureTenantID>/FederationMetadata/2007-06/FederationMetadata.xml
  • realm: spn:<Azure Application ID>
  • replyurl: https://<Web Server Name>/arwebadmin/

ADFS

  • Metadata url: https://<ADFS Server name>/FederationMetadata/2007-06/FederationMetadata.xml
  • realm: https://<Web Server Name>/arwebadmin/
  • replyurl: https://<Web Server Name>/arwebadmin/

RSTS

  • Metadata url: http://localhost/rsts/wsfedmetadata
  • realm: https://<Web Server Name>/arwebadmin/
  • replyurl: https://<Web Server Name>/arwebadmin/

After switching STS providers, restart IIS and clear the browser cache.
