You can configure and edit password (cloud) authentication on the Enterprise Authentication Methods page of the Workspace ONE Access console after the Directory Sync service is configured with your Active Directory.

The text boxes you configure for password (cloud) authentication depend on the directory type you select. Password authentication supports the following directory types:
  • Active Directory with fixed host and port
  • Active Directory with DNS lookup
  • Global Catalog Directory
  • IWA Directory
  • LDAP Directory

See the Directory Integrations with Workspace ONE Access guide to learn how the Directory Sync service integrates with your Active Directory.

Prerequisites

  • The Directory Sync service installed on a Workspace ONE Access connector.
  • Directories configured in the Workspace ONE Access console Identity & Access Management section.
  • User attributes correctly mapped to Active Directory.
  • Make sure that all User Auth service instances in your environment are version 21.08. You cannot configure User Auth service authentication methods if you mix versions 21.08 and 20.x of the User Auth service.

Procedure

  1. In the Workspace ONE Access console Identity & Access Management tab, select Manage > Enterprise Authentication Methods.
  2. Click NEW and select Password (cloud deployment).
  3. In the Directory and Hosts screen, select the directory and the service host to configure with password authentication.
  4. In the Configuration page, configure the Password (cloud) authentication method. The options shown depend on the directory type; each option below names the directory types it applies to.
     Number of authentication attempts allowed (all types): Enter the maximum number of failed login attempts allowed when using password authentication against a directory. The default is 2 attempts.
     Directory Type (all types): Select the type of directory that you set up when you installed the Directory Sync service on the connector server.
     Server Port (Active Directory with fixed host and port): Select the port used for Active Directory, either 389 or 636 for standard LDAP queries. For global catalog queries, enter either port 3268 or 3269.
     Server Host (Active Directory with fixed host and port): Select one or more Directory Sync service instances to use.
     Communication Mode (all types): Basic mode is selected by default. You can change the communication mode.
       • Select SSL if SSL/TLS is used for communication with the directory.
       • Select STARTTLS if the DNS service location and SSL are used for communication with the directory. Add the certificates.
     Directory Certificate (all types): If the enterprise directory requires access over SSL, copy and paste the enterprise directory server's root CA SSL certificate into the text box. Ensure that the certificate is in PEM format and includes the "BEGIN CERTIFICATE" and "END CERTIFICATE" lines.
     Use DNS Service Location (Active Directory with DNS lookup): Select this check box to use DNS service location records to locate the Active Directory domains. If you do not use DNS service location lookup, deselect the check box and enter the Active Directory server host name and port.
     Base DN (Active Directory with fixed host and port, Active Directory with DNS lookup, IWA Directory, LDAP Directory): Enter the DN from which to start searches in the directory. For example, cn=users,dc=example,dc=com.
     Bind DN / User Name (IWA) (all types): Enter the user name to use to search for users. For example, CN=binduser,OU=myUnit,DC=myCorp,DC=com.
       Note: Using a Bind DN user account with a non-expiring password is recommended.
     Bind Password (all types): Enter the Bind DN user password.
     Search Attribute (Active Directory with fixed host and port, Active Directory with DNS lookup, IWA Directory): Enter the account attribute that contains the user name. This can be sAMAccountName, UPN, or Custom.
     Custom Directory Search Attribute for Users (LDAP Directory): When you enter Custom in the Search Attribute text box, enter the custom search attribute to use to query your LDAP directory to obtain user and group names. For example, UID.
     Filter query to get AD users (Active Directory with fixed host and port, Active Directory with DNS lookup, IWA Directory): Enter the search filters used to query your enterprise directory.
       • Groups search filter to obtain groups. For example, (objectClass=groupOfNames).
       • Users search filter to obtain users to sync. For example, (&(objectClass=user)(objectCategory=person)).
     SAML Name-Id Format (Active Directory with fixed host and port, Active Directory with DNS lookup, IWA Directory, Global Catalog Directory): Enter the nameIdFormat value that is used to identify the user after authentication. By default, the value is the Directory search UID attribute.
     Change password feature enabled (all types): Enable this feature to allow users to reset their Active Directory passwords from the Workspace ONE Access login page.
     Display domain in login page (all types): Enable this to show the System Domain as an option when users sign in. If this is disabled and only one domain is available, the domain selection page is not displayed.
  5. Click NEXT to review the configuration and then click SAVE.
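The following Python script is an added example, not VMware code and not a Workspace ONE Access API. It checks the Configuration page values offline before they are saved: that the Server Port and Communication Mode agree, that the Directory Certificate is PEM with the BEGIN CERTIFICATE and END CERTIFICATE lines, that the Base DN and Bind DN are well-formed, that a Custom search attribute is supplied when Custom is selected, and that the group and user search filters are balanced. The SAMPLE_CONFIG values (including the certificate body) are constructed placeholders, and its key names are assumptions that mirror the console labels.

```python
"""Offline pre-flight checks for the values entered on the Password (cloud) Configuration page.
Added example: not VMware code and not a Workspace ONE Access API. SAMPLE_CONFIG is constructed
input whose keys are assumed names mirroring the console labels; the certificate body is a
placeholder, not a real certificate."""
import base64
import binascii
import re

LDAP_PORTS = {389, 636}              # standard LDAP ports listed on the page
GLOBAL_CATALOG_PORTS = {3268, 3269}  # global catalog ports listed on the page
LDAPS_PORTS = {636, 3269}            # ports that expect TLS from the first byte
MODES = ("Basic", "SSL", "STARTTLS")
SEARCH_ATTRIBUTES = {"sAMAccountName", "UPN", "Custom"}
UNESCAPED_COMMA = re.compile(r"(?<!\\),")        # DN separator, ignoring '\,'
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")  # attr=value

SAMPLE_CONFIG = {  # constructed values, not taken from any real deployment
    "directory_type": "Active Directory with fixed host and port",
    "auth_attempts": 2,
    "server_port": 636,
    "communication_mode": "SSL",
    "directory_certificate": "-----BEGIN CERTIFICATE-----\n"
                             "MIIBszCCAVmgAwIBAgIUc29tZXBsYWNlaG9sZGVy\n"  # placeholder body
                             "-----END CERTIFICATE-----\n",
    "base_dn": "cn=users,dc=example,dc=com",
    "bind_dn": "CN=binduser,OU=myUnit,DC=myCorp,DC=com",
    "bind_password": "constructed-sample-password",
    "search_attribute": "sAMAccountName",
    "custom_search_attribute": "",
    "group_filter": "(objectClass=groupOfNames)",
    "user_filter": "(&(objectClass=user)(objectCategory=person))",
}

def check_pem(cert: str) -> list[str]:
    """The page requires PEM including the BEGIN CERTIFICATE / END CERTIFICATE lines."""
    lines = [ln.strip() for ln in cert.strip().splitlines() if ln.strip()]
    if not lines:
        return ["Directory Certificate is empty"]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        return ["Directory Certificate must include the BEGIN CERTIFICATE and END CERTIFICATE lines"]
    try:
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return ["Directory Certificate body between the BEGIN/END lines is not valid base64"]
    return []

def check_dn(field: str, dn: str) -> list[str]:
    """Each RDN must be attr=value; a comma escaped as '\\,' belongs to the value."""
    rdns = [r.strip() for r in UNESCAPED_COMMA.split(dn)]
    if not dn.strip() or not all(RDN.match(r) for r in rdns):
        return [f"{field}: '{dn}' is not a well-formed DN (expected attr=value,attr=value,...)"]
    return []

def check_filter(field: str, flt: str) -> list[str]:
    """An LDAP search filter is one parenthesised expression with balanced parentheses."""
    depth = 0
    for ch in flt:
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth < 0:
            break
    if depth != 0 or not (flt.startswith("(") and flt.endswith(")")):
        return [f"{field}: '{flt}' is not a balanced, parenthesised LDAP filter"]
    return []

def validate(cfg: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} for one Password (cloud) configuration."""
    errors, warnings = [], []
    if not isinstance(cfg["auth_attempts"], int) or cfg["auth_attempts"] < 1:
        errors.append("Number of authentication attempts allowed must be a positive integer")
    port, mode = cfg["server_port"], cfg["communication_mode"]
    if port not in LDAP_PORTS | GLOBAL_CATALOG_PORTS:
        errors.append(f"Server Port {port} is not one of 389, 636, 3268 or 3269")
    if mode not in MODES:
        errors.append(f"Communication Mode must be one of {MODES}")
    elif mode == "Basic":
        warnings.append("Basic mode does not use TLS, so the simple bind sends the Bind Password unprotected; prefer SSL or STARTTLS with the directory's root CA certificate")
    elif mode == "SSL" and port not in LDAPS_PORTS:
        warnings.append(f"SSL mode on port {port}: LDAPS normally listens on 636 (3269 for global catalog)")
    elif mode == "STARTTLS" and port in LDAPS_PORTS:
        errors.append(f"STARTTLS upgrades a plaintext connection, but port {port} already expects TLS")
    if mode in ("SSL", "STARTTLS"):
        errors += check_pem(cfg["directory_certificate"])
    errors += check_dn("Base DN", cfg["base_dn"])
    if cfg["directory_type"] != "IWA Directory":  # for IWA the field holds a plain user name
        errors += check_dn("Bind DN", cfg["bind_dn"])
    if not cfg["bind_password"]:
        errors.append("Bind Password is required")
    if cfg["search_attribute"] not in SEARCH_ATTRIBUTES:
        errors.append(f"Search Attribute must be one of {sorted(SEARCH_ATTRIBUTES)}")
    elif cfg["search_attribute"] == "Custom" and not cfg["custom_search_attribute"]:
        errors.append("Custom Directory Search Attribute for Users is required when Search Attribute is Custom")
    errors += check_filter("Groups search filter", cfg["group_filter"])
    errors += check_filter("Users search filter", cfg["user_filter"])
    return {"errors": errors, "warnings": warnings}

if __name__ == "__main__":
    print(validate(SAMPLE_CONFIG))
```

Running the script prints an empty error and warning list for SAMPLE_CONFIG. Switching communication_mode to Basic produces a warning rather than an error, because the console accepts it, but a simple bind without TLS carries the Bind Password across the network in the clear, which is why the Directory Certificate row matters whenever SSL or STARTTLS is selected.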

What to do next

Add Password (cloud deployment) as an authentication method to the built-in identity provider.

Add the authentication method to the default access policy. Go to the Identity & Access Management > Manage > Policies page and edit the default policy rules to add the password authentication method to the rule. See Managing Access Policies.