How to Provision SHIELD ID Users/Groups Inbound
Inbound provisioning (synchronization) is conducted in the Security365 management center.
Overview of Synchronization Methods
SHIELD ID can synchronize user/group information from the following three sources:
- MS Azure: users/groups in the Microsoft 365 environment
- SCI server: user/group information of the SCI server
- Local Active Directory: on-premises AD/LDAP server
Each synchronization method follows the common steps as follows:
- Log in as an administrator to the Security365 Management Center.
- Go to the [Settings] → [Inbound Provisioning] tab.
- Select and configure the synchronization settings.
- Execute synchronization and verify the results.
Microsoft Sync
How to set up Microsoft 365 synchronization
- Select Microsoft 365 synchronization settings.
- Select a synchronization method:
  - Full group synchronization: synchronize all groups and users
  - Partial group synchronization: synchronize only specific groups and their subgroups
- Save the settings and execute synchronization.
Synchronization Options
Full group synchronization
- Synchronize all groups in Microsoft 365 and the users belonging to those groups.
- (✔️ Optional) After the HR integration, check each user's affiliated group path on the log page.
Partial group synchronization
- Only synchronize a specific group, all groups under it, and the users belonging to those groups.
- You can limit the synchronization scope by selecting only the necessary groups.
SCI Server synchronization
How to configure the SCI Server
- Select SCI Server account synchronization settings.
- Enter the following information:
  - SCI server IP, Port: service address for retrieving user/group information
  - Domain: domain information to be appended after the SCI server ID
- Save the settings and execute synchronization.
Main configuration items
| Item | Description | Remarks |
|---|---|---|
| SCI server IP, Port | User/Group Information Service Address | This is the service address, not the SCI server IP. |
| Domain | Domain to be added to the SCI server ID | SHIELD ID only supports email format IDs. |
Reference: The SCI server ID is generally not in email form, so it must be converted to email format by appending the domain information.
For example, when the domain is set to softcamp.co.kr and the ID is gdhong, the ID is saved as gdhong@softcamp.co.kr.
Local Active Directory Synchronization
How to set up a local Active Directory
- Select Local Active Directory Synchronization Settings.
- Configure the settings required for integration.
- Save the settings and execute synchronization.
Settings Item
※ All items are required input fields.
Server Configuration
| Item | Description | Remarks |
|---|---|---|
| Server Type | Type of directory server | Active Directory (default): Microsoft AD server; LDAP: OpenLDAP, ApacheDS, and other general-purpose servers |
| Server URL | Server address | Communication using the LDAP or LDAPS protocol |
| Base DN | Directory search starting point | DC: Domain Component; DN: Distinguished Name |
Administrator Authentication
| Item | Description | Remarks |
|---|---|---|
| Admin ID | Account to access the AD server | For example: cn=Administrator,dc=SOFTCAMP,dc=co,dc=kr |
| Admin Password | Password for the above account | Stored in encrypted form |
Search Options Configuration
| Item | Description | Remarks |
|---|---|---|
| Search Scope | Scope of the account/group search | ONELEVEL (default): search only one level below the specified DN; SUBTREE: search the entire subtree |
| Page Size | LDAP paging unit | Recommended: 500 to 1000 |
| Referral | Whether to allow external domain connections | FOLLOW (default): follow referrals to external domains; IGNORE: ignore them |
| Connection Timeout | Maximum server connection attempt time (ms) | Example: 3000 |
| Read Timeout | Response wait time (ms) | Example: 3000 |
User Search Configuration
| Item | Description | Remarks |
|---|---|---|
| Base DN | OU DN where the user account is located | For example: ou=Users,dc=SOFTCAMP,dc=co,dc=kr |
| Mapping Filter | User object filter | AD example: (&(objectClass=person)(objectCategory=user)); LDAP example: (objectClass=inetOrgPerson) |
| Login Filter | Attribute used for login | AD: sAMAccountName; LDAP: uid |
| ID Attribute | Unique ID for internal identification | For example: employeeNumber, uid |
| Name Attribute | User name attribute | For example: cn, displayName |
| Relative DN Attribute | Attribute that forms the last component (RDN) of the user DN | Example: cn |
| Email Attribute | Email attribute | AD: userPrincipalName; LDAP: mail |
Group Search Configuration
| Item | Description | Remarks |
|---|---|---|
| Whether to use Group Mapping | Select to activate group information synchronization. | Use / Do not use (default) |
| Group Base DN | Group search starting position | For example: ou=Groups,dc=SOFTCAMP,dc=co,dc=kr |
| Group Mapping Filter | Group object filter | AD: (objectClass=group); LDAP: (objectClass=groupOfNames) |
| Group Name Attribute | Group name attribute | Example: cn |
| Group Description Attribute | Group description attribute | For example: description |
| Group Member Attribute | Group member attribute | AD: member; LDAP: uniqueMember |
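The following Python script is an added example; it is not SHIELD ID's or Softcamp's code and does not connect to a real directory. It models the SCI server ID-to-email rule from the Reference above and the AD/LDAP user and group search settings from the tables above: a small RFC 4515 filter evaluator for the Mapping Filter values, the ONELEVEL/SUBTREE Search Scope rule, the Login/ID/Name/Email attribute mapping, and Group Member resolution. Everything in it is constructed: the directory entries and DNs (HONG, KIM, VENDOR), the AD_CONFIG dictionary and function names, the assumption that an SCI ID already containing "@" is kept as it is, that DNs contain no escaped commas, and that objectCategory is stored in its short form. Connection-level settings (timeouts, Referral, Page Size) are not modelled.

```python
# Added example (not SHIELD ID's code): models the SCI ID rule and the AD/LDAP search settings.

def sci_id_to_email(sci_id: str, domain: str) -> str:
    """SCI setting: append the Domain to a bare SCI ID (gdhong -> gdhong@softcamp.co.kr).
    Assumption not stated on the page: an ID that already is an e-mail address is kept."""
    sci_id = sci_id.strip()
    return sci_id if "@" in sci_id else f"{sci_id}@{domain.strip().lstrip('@')}"

def parse_filter(text: str):
    """RFC 4515 subset (&, |, !, attr=value, attr=*), e.g. the AD Mapping Filter above."""
    pos = 0

    def node():
        nonlocal pos
        pos += 1                                   # skip '('
        if text[pos] in "&|!":                     # compound filter
            op, kids = text[pos], []
            pos += 1
            while text[pos] == "(":
                kids.append(node())
            pos += 1                               # skip ')'
            return (op, kids)
        end = text.index(")", pos)                 # equality / presence item
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.strip().lower(), value.strip())

    if not text.startswith("("):
        raise ValueError("LDAP filter must start with '('")
    return node()

def matches(tree, attrs: dict) -> bool:
    """Evaluate a parsed filter; attrs maps lower-cased attribute name -> list of values."""
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    values = [v.lower() for v in attrs.get(tree[1], [])]   # LDAP matching is case-insensitive
    return bool(values) if tree[2] == "*" else tree[2].lower() in values

def norm_dn(dn: str) -> str:   # assumption: no escaped commas in the DNs used here
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn: str, base_dn: str, scope: str) -> bool:
    """Search Scope: ONELEVEL = exactly one level below Base DN; SUBTREE = the base and all below it."""
    d, b = norm_dn(dn).split(","), norm_dn(base_dn).split(",")
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False
    return len(d) - len(b) == 1 if scope == "ONELEVEL" else True

def search(directory: dict, base_dn: str, filter_text: str, scope: str):
    """One directory search: Base DN + Search Scope + filter over {dn: {attr: [values]}}."""
    tree = parse_filter(filter_text)
    return [(norm_dn(dn), a) for dn, a in directory.items() if in_scope(dn, base_dn, scope) and matches(tree, a)]

AD_CONFIG = {  # keys mirror the settings tables above; values are the AD examples given there
    "scope": "ONELEVEL", "user_base_dn": "ou=Users,dc=SOFTCAMP,dc=co,dc=kr",
    "user_filter": "(&(objectClass=person)(objectCategory=user))", "login_attr": "sAMAccountName",
    "id_attr": "employeeNumber", "name_attr": "cn", "email_attr": "userPrincipalName",
    "use_group_mapping": True, "group_base_dn": "ou=Groups,dc=SOFTCAMP,dc=co,dc=kr",
    "group_filter": "(objectClass=group)", "group_name_attr": "cn", "group_member_attr": "member",
}   # connection-level items (timeouts, Referral, Page Size) are not modelled

def first(attrs: dict, name: str):
    return (attrs.get(name.lower()) or [None])[0]

def provision(cfg: dict, directory: dict):
    """Return (users, groups) as the synchronization would store them."""
    users = {dn: {"id": first(a, cfg["id_attr"]), "login": first(a, cfg["login_attr"]),
                  "name": first(a, cfg["name_attr"]), "email": first(a, cfg["email_attr"])}
             for dn, a in search(directory, cfg["user_base_dn"], cfg["user_filter"], cfg["scope"])}
    groups = []
    if cfg["use_group_mapping"]:
        for dn, a in search(directory, cfg["group_base_dn"], cfg["group_filter"], cfg["scope"]):
            members = [norm_dn(m) for m in a.get(cfg["group_member_attr"].lower(), [])]
            groups.append({"name": first(a, cfg["group_name_attr"]),
                           # a member DN the user search did not return is reported, never invented
                           "members": sorted(users[m]["id"] for m in members if m in users),
                           "unresolved": [m for m in members if m not in users]})
    return list(users.values()), groups

def entry(*classes, **attrs):   # constructed single-valued attributes, names lower-cased
    return {"objectclass": list(classes), **{k.lower(): [v] for k, v in attrs.items()}}

HONG = "cn=Hong Gildong,ou=Users,dc=SOFTCAMP,dc=co,dc=kr"
KIM = "cn=Kim Yeongsu,ou=Seoul,ou=Users,dc=SOFTCAMP,dc=co,dc=kr"   # one OU deeper than the user Base DN
VENDOR = "cn=Vendor Contact,ou=Users,dc=SOFTCAMP,dc=co,dc=kr"      # a contact object, not a user
DIRECTORY = {  # constructed sample data; objectCategory kept in the short form that AD expands server-side
    HONG: entry("top", "person", "organizationalPerson", "user", objectCategory="user", sAMAccountName="gdhong",
                employeeNumber="10001", cn="Hong Gildong", userPrincipalName="gdhong@softcamp.co.kr"),
    KIM: entry("top", "person", "organizationalPerson", "user", objectCategory="user", sAMAccountName="yskim",
               employeeNumber="10002", cn="Kim Yeongsu", userPrincipalName="yskim@softcamp.co.kr"),
    VENDOR: entry("top", "person", "organizationalPerson", "contact", objectCategory="person", cn="Vendor Contact"),
    "cn=Engineering,ou=Groups,dc=SOFTCAMP,dc=co,dc=kr": {"objectclass": ["top", "group"], "cn": ["Engineering"],
                                                         "member": [HONG, KIM, VENDOR]},
}
```

With the default ONELEVEL scope, provision(AD_CONFIG, DIRECTORY) returns only the user directly under ou=Users and reports the other two member DNs of Engineering as unresolved; with "scope" set to SUBTREE the user in the nested ou=Seoul is picked up as well and only the contact object stays unresolved. That is the behaviour to expect from the Search Scope setting when accounts live in nested OUs, and an unresolved list like this is the first thing to check when a synchronized group comes back with fewer members than expected.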
Common Settings
Scheduling synchronization settings
- To perform synchronization automatically at a specific time every day, enable the automatic synchronization cycle setting.
  - Default: Not in use
- Select the start time.
  - It can be selected from 00:00 AM to 11:50 PM at 10-minute intervals.
- Click the save button.
Check synchronization results
You can check the results through the following menu after synchronization is complete:
- [User]: Check synchronized user list
- [Group]: Check synchronized group list