Active Directory Integration Guide

SECURITY Administrators and Super Administrators
NAVIGATION Workplace Online » Configuration » Active Directory
Workplace offers Microsoft Active Directory (AD) integration, offering the following benefits:
- A Workplace team can be linked to AD
- User accounts can be provisioned and maintained using account information from AD
- User accounts share the account lockout policies from AD
- Groups and group relationships are imported and maintained by AD
- User authentication is performed through the integration link to AD. Team members will use their AD credentials to log in to Workplace.

This glossary only lists terms specific to the Active Directory integration:
Term | Definition |
---|---|
AD | Active Directory |
Team Admin (TA) | The person responsible for managing the team and AD integration. |
AD Linked Account | An account in Workplace that is linked to an account in AD. It was either provisioned via data from AD or matched during AD sync. The email addresses in AD and Workplace must match for the accounts to be linked. |
Provisioned Account | An AD account that is created in the Workplace system based on information imported from AD. |
Unlinked account | An account in Workplace that is not linked to any account in AD. |
Integration Agent | A Workplace Server that has been designated as an integration agent through which communication with AD behind the corporate firewall can occur. |
Workplace Password | Password for non-AD linked accounts. Used by accounts that are not linked to AD and maintained within Workplace. |
AD Password | The password for a user maintained by AD. The AD password is only stored in AD and validated against AD. |
AD Data Cache | Cached view of AD users/groups in Workplace. The data does not contain passwords, only the users/groups and their attributes. |
AD Synchronization | The process of extracting complete group and user information from AD and comparing / updating the team state in Workplace. The AD data cache is updated as well. |

- If an email address associated with a member or connection in Workplace is identical to an email address captured by the LDAP search path, the Workplace account will automatically become an AD managed account.
- Accounts that have been locked out in AD (via policy or manually) will be unable to authenticate. While the inability to authenticate is immediate, their status will only be updated in Workplace after the next AD sync.
- AD Linked Accounts disabled/deleted via AD will show as Disabled when viewed via Workplace Online » Configuration » Active Directory. Although not accessible, these accounts will continue to exist within Workplace, and projects owned by these accounts will remain available.
- Unlinked Accounts are managed and authenticated locally in Workplace.
- AD Linked Accounts are managed and authenticated via AD:
  - Full name, email address, phone number and password are managed from Active Directory.
  - E-mail address is a mandatory attribute. An account with an empty e-mail address can’t be provisioned or linked with a Workplace account.
  - Mapping of account attributes:

Active Directory | Workplace |
---|---|
Display Name | full name |
E-mail | e-mail |
Telephone Number | phone number |
Locked/Disabled | disabled |

- AD groups and Workplace groups can coexist - projects and folders can be shared with AD groups as well as Workplace groups
- Groups synced from AD will display a Windows badge in the bottom left corner of the group icon
- Members of groups imported from AD are managed from within Active Directory
- If there is a name collision between a Workplace group and an AD group, both will exist and retain the same name
- Groups in AD are updated on each AD Sync, which may result in:
  - Members being added to groups, resulting in projects and folders shared with that group becoming available to the newly added members
  - Members being removed from groups, resulting in access to projects and folders being denied for members that were allowed access via sharing with that group
  - If groups are removed within AD, they will also be removed from the Workplace team upon the next sync
- Mapping of group attributes:

Active Directory | Workplace |
---|---|
Display Name | name |
Description | description |

The LDAP path must be specified in the following manner: CN=Users, DC=domain, DC=local
The rules are:
- One element for each new level in the AD
- The DC elements must be entered left to right - e.g. DC=domain, DC=local
- The remainder of the path must be entered from right to left - the element furthest to the right must match the top node in AD and so forth
- Each LDAP search path specified in Workplace is ONE search path in AD
- LDAP search path specifying the groups must be placed above the LDAP search paths specifying the users, where applicable
The syntax is:
- DC for Domain Controller nodes
- CN for Container nodes
- OU for Organizational Unit nodes
The types must match the types used in the Active Directory.
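The path rules above are easy to get wrong by hand, so the following is a small checker for them. It is an added example written for this guide, not code from the Workplace product: the function names, the element parsing, the top-down rendering and the group-before-user ordering helper are my own assumptions about how the rules would be applied, and the sample paths are constructed.

```python
import re
from typing import List, Tuple

# Node types the guide allows in a Workplace LDAP search path.
ALLOWED_TYPES = {"DC", "CN", "OU"}


def parse_search_path(path: str) -> List[Tuple[str, str]]:
    """Split 'CN=Users, DC=domain, DC=local' into (type, value) elements,
    one per AD level. A comma escaped as '\\,' stays inside its value."""
    elements = []
    for raw in re.split(r"(?<!\\),", path):
        raw = raw.strip()
        if "=" not in raw:
            raise ValueError(f"malformed element: {raw!r}")
        typ, value = raw.split("=", 1)
        typ, value = typ.strip().upper(), value.strip()
        if not typ or not value:
            raise ValueError(f"empty type or value in element: {raw!r}")
        elements.append((typ, value))
    return elements


def validate_search_path(path: str) -> List[str]:
    """Return the rule violations for one search path; [] means it is acceptable."""
    try:
        elements = parse_search_path(path)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for typ, _ in elements:
        if typ not in ALLOWED_TYPES:
            problems.append(f"unsupported node type {typ!r}: use DC, CN or OU")
    dc_positions = [i for i, (t, _) in enumerate(elements) if t == "DC"]
    if not dc_positions:
        problems.append("no DC elements: give the domain, e.g. DC=domain, DC=local")
    elif dc_positions != list(range(len(elements) - len(dc_positions), len(elements))):
        # CN/OU elements are entered right to left and the DC elements left to
        # right after them, so every DC element must sit at the end of the path.
        problems.append("DC elements must all be at the end of the path")
    return problems


def hierarchy_top_down(path: str) -> List[str]:
    """Render a path in AD tree order for a visual check: the domain first,
    then the CN/OU elements from the rightmost (top node) to the leftmost."""
    elements = parse_search_path(path)
    domain = ".".join(v for t, v in elements if t == "DC")
    containers = [f"{t}={v}" for t, v in elements if t != "DC"]
    return [domain] + list(reversed(containers))


def order_search_paths(paths: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Stable ordering that places every group search path above every user
    search path; each entry is (path, 'group' | 'user')."""
    return sorted(paths, key=lambda entry: 0 if entry[1] == "group" else 1)


if __name__ == "__main__":
    # Constructed sample paths (not taken from any real directory).
    for p in ["CN=Users, DC=domain, DC=local",
              "OU=Sales, OU=Departments, DC=domain, DC=local",
              "DC=domain, CN=Users, DC=local",
              "O=Example, DC=domain, DC=local"]:
        print(p, "->", validate_search_path(p) or hierarchy_top_down(p))
```

Running the script prints either the violations for each sample path or, for an acceptable path, the levels in the order you would click through them in Active Directory Users and Computers, which is the quickest way to confirm that the rightmost CN/OU element really is the top node.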

- After enabling AD, the specified team admins (in the AD settings) will receive an e-mail informing them that AD has been enabled.
- All matched accounts will become AD Linked Accounts that will require the AD credentials to access Workplace.
- If the connection to AD is lost, the specified team admins (in the AD settings) will receive an e-mail with a URL. Clicking this URL will disassociate the admin's account from AD and allow them to reset their password. This will allow them to access Workplace Online to make the necessary changes to the AD configuration.
- If AD is disabled, all administrators will receive an email with a link to confirm disabling the AD integration. Once the integration is disabled via this link, all AD provisioned users will receive a password reset mail - users can then follow the link and set a new Workplace password.
- If AD is re-enabled, all users will receive a mail stating that their account is now AD managed and they must use their AD password.

- Synchronization can be run manually or scheduled to run automatically, commencing at a specified hour of the day
- The AD Sync process may generate substantial network traffic and CPU load on the integration agent
- Each AD Sync performs the following:
  - Compares the Workplace cached AD data with the live AD data:
    - New AD accounts are displayed as “New accounts since last sync” within the Workplace Active Directory Integration UI
    - Deleted AD accounts are displayed as “Deleted account from AD” within the Workplace Active Directory Integration UI. The account is not deleted from Workplace but only disabled.
  - Iterates through all defined groups and updates, imports or removes:
    - Group Name
    - Group Members (groups and members)
  - Iterates through all accounts, imports information about new accounts and updates any existing ones. Account information includes the following:
    - Full Name
    - Email Address
    - Phone Number
- Each AD Sync operation generates a log of changes which is visible in Workplace Online » Configuration » Active Directory » Sync Log
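As an added illustration of the account rules (e-mail matching, mandatory e-mail, disabled rather than deleted, attribute mapping), the group rules and the sync steps above, the following models one AD Sync pass over an in-memory AD data cache. It is example code written for this guide, not the Workplace sync implementation; the data structures, the AD attribute names (display_name, telephone_number, locked_or_disabled) and the sample users and groups are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# AD attribute -> Workplace field, following the guide's account mapping table.
ACCOUNT_ATTRIBUTE_MAP = {"display_name": "full_name",
                         "telephone_number": "phone_number",
                         "locked_or_disabled": "disabled"}


@dataclass
class WorkplaceAccount:
    email: str
    full_name: str = ""
    phone_number: str = ""
    disabled: bool = False
    ad_linked: bool = False  # True for an AD Linked Account, False for an Unlinked Account


@dataclass
class SyncReport:
    new_accounts: List[str] = field(default_factory=list)      # "New accounts since last sync"
    deleted_accounts: List[str] = field(default_factory=list)  # "Deleted account from AD"
    linked: List[str] = field(default_factory=list)            # unlinked accounts matched by e-mail
    updated: List[str] = field(default_factory=list)           # linked accounts whose attributes changed
    skipped_no_email: List[str] = field(default_factory=list)  # cannot be provisioned or linked
    group_changes: List[str] = field(default_factory=list)


def ad_sync(cache, live_users, accounts, cached_groups, live_groups) -> SyncReport:
    """One AD Sync pass. `cache` and `cached_groups` are the Workplace AD data cache
    (attributes only, no passwords) and are refreshed in place; `accounts` is the team."""
    report = SyncReport()
    live: Dict[str, dict] = {}
    for user in live_users:
        email = (user.get("email") or "").strip().lower()
        if not email:  # e-mail is mandatory for provisioning and linking
            report.skipped_no_email.append(user.get("display_name", "?"))
            continue
        live[email] = user

    # Step 1: compare the cached AD data with the live AD data.
    report.new_accounts = sorted(set(live) - set(cache))
    report.deleted_accounts = sorted(set(cache) - set(live))
    for email in report.deleted_accounts:
        if email in accounts:
            accounts[email].disabled = True  # disabled, not deleted: its projects stay available

    # Step 2: provision new accounts, link matches by e-mail, refresh mapped attributes.
    for email, user in live.items():
        account = accounts.get(email)
        if account is None:
            account = accounts[email] = WorkplaceAccount(email=email, ad_linked=True)
        elif not account.ad_linked:
            account.ad_linked = True  # identical e-mail: the account becomes AD managed
            report.linked.append(email)
        changed = False
        for ad_attr, wp_field in ACCOUNT_ATTRIBUTE_MAP.items():
            value = user.get(ad_attr, getattr(account, wp_field))
            if getattr(account, wp_field) != value:
                setattr(account, wp_field, value)
                changed = True
        if changed and email not in report.new_accounts:
            report.updated.append(email)

    # Step 3: update group membership; groups removed in AD are removed here too.
    for name, members in live_groups.items():
        old = cached_groups.get(name, set())
        report.group_changes += [f"{name}: added {m}" for m in sorted(members - old)]
        report.group_changes += [f"{name}: removed {m}" for m in sorted(old - members)]
        cached_groups[name] = set(members)
    for name in sorted(set(cached_groups) - set(live_groups)):
        del cached_groups[name]
        report.group_changes.append(f"{name}: group removed")

    cache.clear()
    cache.update(live)
    return report


def demo() -> Tuple[SyncReport, Dict[str, WorkplaceAccount]]:
    """Run one sync over constructed sample data (no real directory involved)."""
    cache = {"alice@example.test": {"display_name": "Alice Adams", "telephone_number": "100", "locked_or_disabled": False},
             "bob@example.test": {"display_name": "Bob Brown", "telephone_number": "101", "locked_or_disabled": False}}
    accounts = {"alice@example.test": WorkplaceAccount("alice@example.test", "Alice Adams", "100", ad_linked=True),
                "bob@example.test": WorkplaceAccount("bob@example.test", "Bob Brown", "101", ad_linked=True),
                "carol@example.test": WorkplaceAccount("carol@example.test", "Carol C")}  # local, unlinked
    live_users = [  # bob is absent, i.e. deleted in AD; Carol matches the unlinked account by e-mail
        {"display_name": "Alice Adams", "email": "alice@example.test", "telephone_number": "200", "locked_or_disabled": False},
        {"display_name": "Carol Clark", "email": "Carol@example.test", "telephone_number": "102", "locked_or_disabled": False},
        {"display_name": "Dan Doe", "email": "dan@example.test", "telephone_number": "103", "locked_or_disabled": True},
        {"display_name": "No Mail", "email": "", "telephone_number": "104", "locked_or_disabled": False}]
    cached_groups = {"Sales": {"alice@example.test", "bob@example.test"}, "Legacy": {"bob@example.test"}}
    live_groups = {"Sales": {"alice@example.test", "dan@example.test"}}
    return ad_sync(cache, live_users, accounts, cached_groups, live_groups), accounts
```

Call demo() to see the resulting SyncReport: Bob's account is disabled but still present, Carol's local account is linked because her e-mail matched (case-insensitively), Dan is provisioned already disabled because he is locked in AD, the user without an e-mail is skipped, and the group log records the membership change in Sales and the removal of Legacy, which is exactly the kind of access change an administrator should expect to see in the Sync Log after each run.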

- AD access check (runs a dummy query on every configured account) – configured per server (1 minute default).
- Time before the first connection check is done (after server startup) – configured per server (1 minute default).
- AD log is kept for 10 days by default – configured per server.
- AD sync time – scheduled for every day (default at 00:00) – configured per team.
- The AD status on the UI is updated at the same frequency as the AD access check interval.

Workplace offers three methods for integrating with Active Directory: "OnPrem," "LDAP Direct," and "AD Azure."
OnPrem method
This method involves activating an integration agent by installing Workplace Server on a dedicated machine, bound to the AD domain. This integration agent is responsible for syncing with AD.
Refer to Integrate Active Directory: "On Prem" Method.
LDAP Direct method
This method requires a certificate to be created and the integration takes place via LDAPS. There are no additional hardware requirements for this method.
Refer to Integrate Active Directory: "LDAP Direct" Method.
AD Azure
The AD Azure integration is a way of integrating Workplace with Microsoft (Windows) Azure Active Directory (WAAD). This integration allows users and groups to be synced from WAAD. Once configured and enabled, users can authenticate with their Active Directory credentials and keep their email address, telephone number and name synchronized with Active Directory.
Refer to Integrate Active Directory: Azure.

- Log into Workplace Online.
- Go to Configuration » Active Directory.
- Scroll to the bottom of the page to see the new Alert Settings area:
- Select the Notify only selected admins check box.
- Enter the name or email address of an administrator in the Select team admins to notify field, or click the icon to use a data selector.
IMPORTANT If you have selected the Notify only selected admins check box and do not select any administrators in the Select team admins to notify field, no one will receive Active Directory alert messages, so it's very important to select one or more recipients.