Finalsite’s Active Directory integration synchronizes user accounts between a school’s Active Directory and Finalsite. It is most commonly used for faculty and student account creation. We synchronize a small set of datapoints available in Active Directory; the mapping is flexible and can be modified, and in most cases additional datapoints can be added on request.
The fields we currently sync are:
- objectGUID (primary identifier)
The integration is also able to create Admin User accounts for users who need to be able to log in to Finalsite as a Site Administrator. This falls under the same “Data Filtering” principles discussed below: we will need an authoritative attribute/OU to be able to set these reliably in an automated fashion.
In order to target your data properly, the users to be synced need to be set up in particular OUs that we can query. Ideally, create one or more OUs specifically for the Finalsite integration. We have some flexibility in the LDAP search filter and some additional options in the custom mapping. However, we cannot target only certain members of an OU unless there is a consistent datapoint (for example a group membership or a dedicated attribute) to filter on. Tidy organization of the users you intend to sync helps ensure a smooth deployment and the sync behavior you expect.
In order to test the integration prior to deployment, we set up a clone site so we can confirm that we are targeting the appropriate users and mapping the data as desired. If you already have constituents in the roles we will be synchronizing, their AD unique identifier (objectGUID) must be stored as the Import ID on those existing users before the integration is deployed; otherwise the sync cannot match them and will create duplicate accounts.
We will need you to work with us to provide an account that can perform the required queries against your AD. We support LDAP and LDAPS (LDAP over SSL/TLS). LDAPS is strongly recommended: the integration performs a simple bind, which sends the service account’s password to the server, so without TLS the password crosses the network in clear text. The account only needs read access to the OUs and attributes being synced.
In order to test and subsequently implement the LDAP integration, you will need to provide Finalsite with the following information so we can configure the settings in Integrated Services Manager:
- The FQDN of your server (e.g. ldap.finalsite.com)
- The port number you have chosen (default: 636 for LDAP over SSL; 389 is plain LDAP)
- The full DN of your test user (e.g. cn=FinalsiteUser,ou=Users,dc=finalsite,dc=com)
  Alternatively (AD only), the userPrincipalName of your test user (e.g. John.Doe@finalsite.com). Please note the userPrincipalName is NOT necessarily the user’s email address (the mail attribute); the two can differ, so check which one you are sending.
- The test user’s password (please send it through a separate, secure channel rather than in the same message as the details above)
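Before sending the details above, it is worth confirming from your side that the service account can bind over LDAPS and that the OU and filter return exactly the users you intend to sync. The script below is an added example written for this page, not Finalsite’s own tooling: it runs on a Windows host with PowerShell 5.1 or later, performs the same simple bind with a DN (or UPN) that the integration will perform, queries a sync OU, shows the objectGUID in the string form used as the Import ID, and applies a second filter keyed on group membership for the Site Administrator case. The server name, OU, group and account DNs are placeholders to replace with your own.

```powershell
# Added example, not Finalsite's own code. PowerShell 5.1+ on a Windows host that trusts the DC's LDAPS certificate.
# All hostnames, OUs, DNs and the group name below are placeholders; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server     = 'dc01.school.example'                                        # FQDN you will give Finalsite; must match the LDAPS certificate
$Port       = 636                                                          # LDAP over SSL
$BindDn     = 'cn=FinalsiteUser,ou=Service Accounts,dc=school,dc=example'  # full DN, or a UPN such as finalsite.user@school.example
$SearchBase = 'ou=Finalsite Sync,dc=school,dc=example'                     # OU created for the integration
$AdminGroup = 'cn=Finalsite Site Admins,ou=Groups,dc=school,dc=example'    # authoritative group for Site Administrator accounts
$Password   = Read-Host -Prompt 'Password for the service account' -AsSecureString

# Filter 1: enabled user objects anywhere under the OU.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND; bit 0x2 of userAccountControl is ACCOUNTDISABLE.
$UserFilter  = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
# Filter 2: the subset that should become Site Administrators, keyed on a consistent datapoint (group membership).
# memberOf only sees direct membership; for nested groups use memberOf:1.2.840.113556.1.4.1941:=<group DN>.
$AdminFilter = "(&${UserFilter}(memberOf=${AdminGroup}))"

# Bind the same way the integration will: simple bind with the DN/UPN and password, inside TLS.
$identifier = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($identifier)
$conn.SessionOptions.SecureSocketLayer = $true   # LDAPS; the certificate is validated against the machine trust store
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = [System.Net.NetworkCredential]::new($BindDn, $Password)
try {
    $conn.Bind()   # throws on a wrong password and on an untrusted or mismatched LDAPS certificate
    Write-Host "Bind OK as $BindDn on ${Server}:$Port"
} catch {
    throw "Bind failed: $($_.Exception.Message). Check the DN/UPN, password, port and the server's TLS certificate."
}

function Get-SyncCandidates {
    # Returns the entries a given filter selects under $SearchBase, with objectGUID rendered as a string.
    param([Parameter(Mandatory)][string]$Filter)
    $attrs   = [string[]]@('objectGUID', 'sAMAccountName', 'userPrincipalName', 'mail')
    $request = [System.DirectoryServices.Protocols.SearchRequest]::new(
        $SearchBase, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
    $response = $conn.SendRequest($request)
    foreach ($entry in $response.Entries) {
        # objectGUID is a 16-byte binary attribute. [guid]::new(byte[]) uses the same mixed-endian
        # layout as AD's own display, so this string is the value to store as the Import ID.
        $raw  = $entry.Attributes['objectGUID'].GetValues([byte[]])[0]
        $guid = [guid]::new([byte[]]$raw)
        $upn  = if ($entry.Attributes.Contains('userPrincipalName')) { $entry.Attributes['userPrincipalName'].GetValues([string])[0] } else { $null }
        $mail = if ($entry.Attributes.Contains('mail'))              { $entry.Attributes['mail'].GetValues([string])[0] }              else { $null }
        [pscustomobject]@{
            DN                = $entry.DistinguishedName
            sAMAccountName    = $entry.Attributes['sAMAccountName'].GetValues([string])[0]
            userPrincipalName = $upn
            mail              = $mail           # may differ from the UPN; never assume they match
            objectGUID        = $guid.ToString()
        }
    }
}

Write-Host "`nUsers the integration would sync:"
Get-SyncCandidates -Filter $UserFilter  | Format-Table -AutoSize
Write-Host "Users that would become Site Administrators:"
Get-SyncCandidates -Filter $AdminFilter | Format-Table -AutoSize
$conn.Dispose()
```

If the bind fails with a certificate error, fix the certificate (or the trust store on the client) rather than disabling validation; Finalsite’s side will be validating it too. Active Directory also caps a single search result at 1000 entries by default, so for larger OUs add a PageResultRequestControl to the request or compare counts against what you expect.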
We also recommend allowing the following source addresses through your firewall to the LDAP/LDAPS port:
- 126.96.36.199/24 – the IP block used by the Finalsite servers (the production integration connects from here)
- 188.8.131.52 – the single address of the Finalsite Support offices (used for testing)
LDAP Authentication: You can currently use the integration in tandem with our LDAP Authentication feature so that users can log into Finalsite via your LDAP server. This keeps management of user credentials in Active Directory.
As the integration with AD develops, we are aiming to have two important features available in advance of the 2019-2020 Academic year.
“Off Feed” Behavior: Our goal is to add functionality so that users who are removed from AD (that is, who no longer appear in the synced query) are automatically identified by Finalsite. From there, we intend to offer ways to manually archive or remove their accounts from Finalsite, or an option to have this happen automatically, so that users whose access is removed in AD likewise lose access to Finalsite. We hope to have this implemented by summer 2019.