RoboForm Active Directory Connector
RoboForm Active Directory Client allows a company admin to sync their Active Directory (AD) users and groups to their RoboForm for Business company account.
RoboForm for Business user accounts and groups can be created based on your company's existing AD users and groups. If left running as a service, the AD Connector can continue to update the RoboForm for Business company with any changes made to the company AD. According to the filter settings, these changes are propagated to your RoboForm for Business users and groups. The detected changes include AD user name and email changes, group membership changes, and status changes (creation, suspension, deletion).
The AD Connector can be downloaded from the On-prem Active Directory section of the RoboForm for Business administrator console's Integrations page.
Setting Up Active Directory Sync
Start by downloading and running the RoboForm Active Directory Connector Setup.
RoboForm Active Directory Connector needs both Microsoft .NET Framework 4.6.2 and the Microsoft Visual C++ 2017 Runtime Libraries to run. If they are not already installed, the RoboForm Active Directory Connector installer will also install .NET 4.6.2 and VC++ 2017. The AD Connector supports Windows Server 2008 R2 and Windows devices running Windows 7 and above. Once the installation is complete, click "Launch".
To begin syncing the Active Directory to a RoboForm for Business account, log in to an admin account.
RoboForm AD Client needs connections with:
1) RoboForm for Business Company account (Admin level account)
2) Active Directory server (Admin level account credentials required)
Provide credentials to log in to the Active Directory server (if no credentials are provided, the current user's credentials will be used). The credentials used to sign in to the Active Directory server must have administrator privileges and need the "Replicate directory changes" permission. For instructions on enabling this permission click here. If the AD Connector is not being installed on the AD server itself and the domain name of the AD server has not been specified in the Windows hosts file, enter the IP address of the AD server instead.
The AD Connector will begin searching for Organizational Units (OU) and containers (CN) to sync using the specified Base Distinguished Name (DN). Specifying a Base DN is recommended for large domains, as it narrows the search range and can dramatically reduce the time it takes to list the groups in the domain. You can copy the DN from the attribute editor in the properties menu of the target OU, for example "OU=where-synced-groups-are,DC=domain,DC=com".
If users from child domains need to be synced as well as users from the parent domain, enable the Global Catalog option. With this feature enabled, the AD Connector can look for users in the entire directory. Keep in mind that expanding the range of the AD Connector may increase the time it takes to discover all the groups in your domain, slowing down the process.
If all the users that need to be synced are located in one child domain, connect to that child domain directly rather than using the Global Catalog option.
While groups located in a child domain are still being synced, do not disable the Global Catalog option. The AD Connector will interpret this as all users that were members of those groups having been removed from all the groups in your AD, which, depending on how the sync rules have been set, may cause their RoboForm accounts to be suspended or deleted.
After the RoboForm for Business AD Client successfully establishes a connection to the RoboForm for Business Company account and Active Directory Server, filters and rules can be applied.
Active Directory Client Groups Filter
Click the "Select AD Groups" button and, in the next step, select which of the Active Directory groups should be created (synced) in your RoboForm for Business Company account.
The Show all nodes option, enabled by default, shows all OUs and groups in the specified DN. If this option is disabled, only the OUs within this DN are shown. Disabling this option helps decrease the time it takes for the AD Connector to discover all OUs in the DN.
Sync Rules
Specify how the RoboForm Active Directory Client will handle changes made on the Active Directory Server or on your RoboForm for Business Company account.
When a RoboForm account is created for AD synced users
This rule decides what happens when a RoboForm account is created for a new user in your AD group. The options are to automatically send each user who just had a RoboForm for Business account created for them an email with their temporary password and instructions on how to complete their account setup, or not to send the email, allowing administrators to send each user an activation email later.
When a user in Active Directory is detected
This rule decides what action to take if an AD user is detected in one of the pre-selected Active Directory groups. The options are to create a RoboForm for Business user account for them based on their AD account (user name and email) and place them in the appropriate group, or to do nothing.
When a user in Active Directory is deleted
This rule decides what action to take if an AD user included in one of the pre-selected Active Directory groups is deleted from Active Directory. The options are to have their RoboForm for Business user account deleted, suspended, or to do nothing.
When a user in Active Directory is disabled
This rule decides what action to take if an AD user included in one of the pre-selected Active Directory groups is disabled in Active Directory. The options are to have their RoboForm for Business user account deleted, suspended, or to do nothing.
When a user in Active Directory is removed from group in filter
This rule decides what action to take if an AD user is no longer a member of any selected groups. The options are to have their RoboForm for Business user account deleted, suspended, or to do nothing.
When a user is removed from a group in RFO, but is still present in Active Directory
This rule decides what action to take if a user is removed from a RoboForm for Business group but not from the same group in Active Directory. The options are to add the user back into the RoboForm for Business group or to do nothing.
When a user is deleted from RFO, but exists in Active Directory
This rule decides what action to take if a user's RoboForm for Business account is deleted. The options are to recreate their RoboForm for Business user account during the next sync process (manual or automated) or to do nothing (the user account will remain deleted).
When a user is suspended in RFO, but active in Active Directory
This rule decides what action to take if a user's RoboForm for Business account is suspended. The options are to restore their RoboForm for Business user account during the next sync process (manual or automated) or to do nothing (the user account will remain suspended).
When a user name in RFO and Active Directory are not equal
This rule decides what action to take if a user's RoboForm for Business account has a different name record than their Active Directory account. The options are to update their RoboForm for Business user account name record according to the name record found in their AD account, or to do nothing (the user name will remain as seen on their RoboForm for Business user account).
The "do nothing" option is used when you want to change users' records in their RoboForm for Business Company account while keeping their AD records intact.
When a user email in RFO and Active Directory are not equal
This rule decides what action to take if a user's RoboForm for Business account has a different email record than their Active Directory account. The options are to update their RoboForm for Business user account email record according to the email record found in their AD account, or to do nothing (the user email will remain as seen on their RoboForm for Business user account).
The "do nothing" option is used when you want to change users' records in their RoboForm for Business Company account while keeping their AD records intact.
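The rules above, together with the Global Catalog caveat from the setup section, form a reconciliation decision table: each sync compares what the connector can see in AD with the RFO company and picks one action per user. The following Python is an added illustration, not RoboForm's code; the field names, the "active/suspended/deleted" statuses, the default choice for each rule and the sample users and group DNs are all constructed for this example. It also shows why disabling the Global Catalog after syncing a child-domain group is dangerous: the child-domain groups simply disappear from the connector's view, so the "removed from group in filter" rule fires.

```python
from collections import namedtuple
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    NONE = "do nothing"
    CREATE = "create RFO account"
    DELETE = "delete RFO account"
    SUSPEND = "suspend RFO account"
    RESTORE = "restore RFO account"
    RECREATE = "recreate RFO account"
    UPDATE_NAME = "update RFO name from AD"
    UPDATE_EMAIL = "update RFO email from AD"
    READD = "add user back to RFO group"

# Snapshot of one user on each side (constructed field names, not the connector's own).
ADUser = namedtuple("ADUser", "login name email enabled groups")    # groups: set of group DNs
RFOUser = namedtuple("RFOUser", "login name email status groups")   # status: active/suspended/deleted

@dataclass
class SyncRules:
    """One field per rule in the Sync Rules section; the defaults are assumptions."""
    on_detected: Action = Action.CREATE               # CREATE or NONE
    on_deleted_in_ad: Action = Action.SUSPEND         # DELETE, SUSPEND or NONE
    on_disabled_in_ad: Action = Action.SUSPEND        # DELETE, SUSPEND or NONE
    on_removed_from_filter: Action = Action.SUSPEND   # DELETE, SUSPEND or NONE
    on_removed_from_rfo_group: Action = Action.READD  # READD or NONE
    on_deleted_in_rfo: Action = Action.NONE           # RECREATE or NONE
    on_suspended_in_rfo: Action = Action.RESTORE      # RESTORE or NONE
    on_name_mismatch: Action = Action.UPDATE_NAME     # UPDATE_NAME or NONE
    on_email_mismatch: Action = Action.UPDATE_EMAIL   # UPDATE_EMAIL or NONE

def dn_domain(dn):
    """Domain part of a DN (its DC= components), normalised for comparison."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return ",".join(p for p in parts if p.startswith("dc="))

def connector_view(ad_users, domain_dn, global_catalog):
    """What the connector sees: without the Global Catalog, groups outside the
    connected domain drop out of every user's membership list (the setup caveat)."""
    if global_catalog:
        return list(ad_users)
    return [u._replace(groups={g for g in u.groups if dn_domain(g) == dn_domain(domain_dn)})
            for u in ad_users]

def plan_sync(ad_users, rfo_users, filtered_groups, rules):
    """(login, Action) pairs the next sync would apply, omitting 'do nothing'.
    Assumes every RFO user passed in was originally created by the connector."""
    ad_by_login = {u.login: u for u in ad_users}
    rfo_by_login = {u.login: u for u in rfo_users}
    plan = []
    for login, ad in ad_by_login.items():
        selected = ad.groups & filtered_groups    # still a member of a filtered AD group?
        rfo = rfo_by_login.get(login)
        if rfo is None:                           # new AD user detected
            if ad.enabled and selected:
                plan.append((login, rules.on_detected))
        elif rfo.status == "deleted":             # deleted in RFO, still in AD
            if ad.enabled and selected:
                plan.append((login, rules.on_deleted_in_rfo))
        elif not ad.enabled:                      # disabled in AD
            if rfo.status == "active":
                plan.append((login, rules.on_disabled_in_ad))
        elif not selected:                        # dropped from every filtered group
            if rfo.status == "active":
                plan.append((login, rules.on_removed_from_filter))
        elif rfo.status == "suspended":           # suspended in RFO, active in AD
            plan.append((login, rules.on_suspended_in_rfo))
        else:                                     # active on both sides: compare records
            if ad.name != rfo.name:
                plan.append((login, rules.on_name_mismatch))
            if ad.email.lower() != rfo.email.lower():
                plan.append((login, rules.on_email_mismatch))
            if selected - rfo.groups:             # removed from the group on the RFO side only
                plan.append((login, rules.on_removed_from_rfo_group))
    for login, rfo in rfo_by_login.items():       # user no longer exists in AD at all
        if login not in ad_by_login and rfo.status == "active":
            plan.append((login, rules.on_deleted_in_ad))
    return [(login, action) for login, action in plan if action is not Action.NONE]

# Constructed sample data: a parent domain with one child domain.
PARENT_DN = "DC=example,DC=com"
SALES = "CN=Sales,OU=Groups,DC=example,DC=com"
CHILD_ENG = "CN=Engineering,OU=Groups,DC=emea,DC=example,DC=com"
AD_SNAPSHOT = [
    ADUser("alice", "Alice Adams", "alice@example.com", True, {SALES}),
    ADUser("bob", "Bob Brown", "bob@example.com", False, {SALES}),
    ADUser("carol", "Carol Chen", "carol@emea.example.com", True, {CHILD_ENG}),
    ADUser("dave", "Dave Dean", "dave@example.com", True, {SALES}),
]
RFO_SNAPSHOT = [
    RFOUser("bob", "Bob Brown", "bob@example.com", "active", {SALES}),
    RFOUser("carol", "Carol Chen", "carol@emea.example.com", "active", {CHILD_ENG}),
    RFOUser("dave", "D. Dean", "dave@example.com", "active", set()),
    RFOUser("erin", "Erin Evans", "erin@example.com", "active", {SALES}),
]
FILTER = {SALES, CHILD_ENG}

def demo(global_catalog):
    """Plan one sync with the default rules; with global_catalog=False carol gets suspended."""
    view = connector_view(AD_SNAPSHOT, PARENT_DN, global_catalog)
    return plan_sync(view, RFO_SNAPSHOT, FILTER, SyncRules())
```

With the Global Catalog on, `demo(True)` creates alice, suspends the disabled bob, fixes dave's name and re-adds him to Sales, and suspends erin, who is gone from AD. With it off, carol's child-domain group is no longer visible, so she is also suspended even though nothing changed in AD, which is the situation the setup section warns about. Before changing a rule from "do nothing" to delete or suspend, running the planner against a current snapshot is a cheap way to preview what the next scheduled sync would actually do.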
Scheduler
This setting is the number of minutes between scheduled synchronization runs, that is, the interval between each sync the RoboForm AD Client performs between the Active Directory and the RoboForm for Business Company account.
In order for the unattended service to run, the Windows user configuring the service must have at least domain admin privileges on the machine where the RoboForm AD client is installed.
Sync Log
Set the location where the RoboForm AD Client stores its logs.
After completing the first time setup, press "Start" and the RoboForm AD Client will begin syncing as scheduled. To change any of these settings, click "Edit Configuration."