As a groups registry, AuthMan's powerful Grouper software can provision groups externally, but it does not sync any groups by default.
AuthMan provides a basic provisioning mechanism to push your AuthMan access policy groups as regular LDAP groups in the UOFI Active Directory. This is the preferred method for group authorization enforcement, particularly for services that are configured to use Shibboleth authentication or direct LDAP authentication.
Configure Groups to Sync
- Anyone who is a delegated "org" or "app" folder admin has the ability to mark groups for sync.
- It is recommended to set the sync attributes on the folder once, so that any groups created within that folder are automatically synced.
- Steps to configure:
  - Navigate to the folder that you want to assign to sync.
  - Click on the Functions button in the upper right to expand the menu.
  - Select Attribute Assignments.
  - Click the orange Assign Attribute button.
  - In the attribute name box, type etc:pspng:provision_to (it should auto-complete as you begin to type).
  - Click the Save button to set the attribute field on the folder.
  - In the list of assigned attributes, click the Actions button to the right of the "provision_to" attribute.
  - Select Add Value.
  - If you need a basic global security group in AD, enter the string exactly as uofi_urbana.
  - If you need a universal security group in AD, enter the string exactly as uofi_urbana_universal. This is necessary if you plan to mail-enable your group. For more information about mail-enabling a group, see Office 365, Email, Exchange, Distribution Groups, How to request a mail-enabled Exchange Distribution group.
Group Syncing Considerations
- By default, all AuthMan groups that are configured for sync will be located beneath either OU=AuthMan,OU=Urbana or OU=AuthManUniversal,OU=Urbana. All folder admins are given read-only access to these two OUs. Normal domain users cannot see the AuthMan OUs.
- Syncing from AuthMan to AD is "flat". That means the synced group in AD will contain only the effective members of the group (its direct and indirect members, as individual user objects). If you are syncing a nested group, you will NOT see the nested group IDs in the synced AD group.
- AD group names are limited to a maximum of 64 characters. Your AD group name will include the full path of your AuthMan group, so please be aware of the overall character limit when naming your AuthMan group.
- The cn of the group in Active Directory is derived from the AuthMan group "ID Path", which is possibly different from the group's display name. By default, the AuthMan group display name and ID are the same, but you have the ability to edit the AuthMan group ID. If you do so and your group name and group ID are different, please make sure that you're looking for the group ID and not the group display name in AD.
- Once your group is synced to AD, you may use it to access resources in AD, like any other AD group.
- Syncing will be faster if you create your group and add members before you sync it to AD.
- If you delete your group in AuthMan, that group will be deleted entirely in AD.
- If you rename your group in AuthMan (and change the group ID), that group will be deleted and recreated in AD. That is, the group object GUID in AD will change.
- Allow at least 15 minutes for changes that you make in AuthMan to be reflected in AD.
- A full sync of the entire set of groups happens every 6 hours, at 00:00, 06:00, 12:00 and 18:00.
- If you are syncing more than 50 groups, we can set up custom provisioners, which allow you to specify an alternate OU for group provisioning. Send a request to auth-man@illinois.edu.
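The two considerations above that most often surprise folder admins are the "flat" membership and the 64-character cn limit derived from the ID path. The following script is an added example written for this page; it is not part of the AuthMan documentation or the Grouper project. It runs offline over a constructed, in-memory set of groups and shows (a) what AD will actually see once nested memberships are flattened to individual users, and (b) which ID paths would exceed the cn limit before you mark them for sync. It assumes the cn is the Grouper ID path taken verbatim (the page only says the cn is "derived from" the ID path, so treat the length as an estimate), and the group and user names are constructed sample data.

```python
"""
Pre-sync checks for AuthMan (Grouper) groups before marking a folder for AD provisioning.

Added example for this page; not AuthMan or Grouper code.
Assumptions not stated on the page:
  - the AD cn is the group's full Grouper ID path verbatim (the real provisioner
    may transform it, so the length check is an estimate);
  - membership data is a constructed in-memory dict, not a live Grouper query.
"""

AD_CN_MAX = 64  # limit stated in the AuthMan documentation

# Constructed sample folder: Grouper ID path -> direct members.
# A member that is itself a key of this dict is a nested group.
GROUPS = {
    "uofi:urbana:example_org:app:staff": ["alice", "bob"],
    "uofi:urbana:example_org:app:students": ["carol", "dave", "alice"],
    "uofi:urbana:example_org:app:everyone": [
        "uofi:urbana:example_org:app:staff",      # nested group
        "uofi:urbana:example_org:app:students",   # nested group
        "erin",
    ],
    "uofi:urbana:example_org:app:a_very_long_group_name_that_exceeds_the_limit": ["frank"],
}


def effective_members(group_id, groups=GROUPS):
    """Flattened membership as the AD group will contain it: user IDs only,
    nested group IDs expanded and never emitted. Cycles are tolerated."""
    seen_groups = set()
    users = set()
    stack = [group_id]
    while stack:
        g = stack.pop()
        if g in seen_groups:
            continue
        seen_groups.add(g)
        for member in groups.get(g, []):
            if member in groups:
                stack.append(member)  # nested group: expand it, do not list its ID
            else:
                users.add(member)
    return sorted(users)


def ad_cn(group_id):
    """Assumed cn derivation: the ID path verbatim (assumption, see module docstring)."""
    return group_id


def check_cn_length(group_id, limit=AD_CN_MAX):
    """Report whether the derived cn fits within the AD group name limit."""
    cn = ad_cn(group_id)
    return {"cn": cn, "length": len(cn), "ok": len(cn) <= limit}


def id_matches_display(group_id, display_name):
    """True when the last ID-path component equals the display name; when False,
    remember to search AD by the ID, not the display name."""
    return group_id.rsplit(":", 1)[-1] == display_name


def report(groups=GROUPS):
    """Per-group summary: flattened members plus cn length check."""
    return {g: {"members": effective_members(g, groups), **check_cn_length(g)} for g in groups}


if __name__ == "__main__":
    for group_id, info in report().items():
        status = "OK " if info["ok"] else "TOO LONG"
        print(f"{status} ({info['length']:>2} chars) {group_id}")
        print("     AD members:", ", ".join(info["members"]))
```

Run it as-is to see that the "everyone" group resolves to five users and none of the nested group IDs, and that the deliberately long ID path is flagged before it would fail to provision. Swap the constructed dict for the output of a Grouper membership export to use it against a real folder.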
Important Note About Privacy!
- Any group you sync to AD will be visible to anyone with read-only privileges on the AuthMan OU (other folder admins). If you have a special requirement for securing group membership, contact AuthMan service managers at auth-man@illinois.edu.