What is the idenprotect Active Directory Agent

From idenprotect Knowledge Base

If you are already familiar with how the idenprotect Active Directory Agent works and want to install the application, please see Start Here - idenprotect Active Directory Agent

Introduction

The idenprotect Active Directory Agent is a Spring Boot microservice that can be deployed on-premises and provides an additional layer of security for communications between the idenprotect Core Platform and your Active Directory.

Communication between the idenprotect Active Directory Agent and the idenprotect Core Platform uses the Secure WebSocket (WSS) protocol, which relies on Transport Layer Security (TLS) for the secure connection. The connection is initiated as an HTTPS request from the WebSocket Client (idenprotect Active Directory Agent) to the WebSocket Server (idenprotect Core Platform), upgrading the protocol to Secure WebSocket so that messages can be sent instantly in either direction between client and server.

The WebSocket Client remains connected for as long as the application is running, which improves performance compared to standard REST calls: the connection is established once and the agent then simply listens on the socket.

The idenprotect Core Platform supports multiple WebSocket Clients. This means that you can install multiple instances of the idenprotect Active Directory Agent (on each Active Directory server if you wish), so that each agent operates independently for the domain it is connected to.


LDAP Synchronization process

After the WebSocket connection is established, these are the steps taken in the background to perform an LDAP User synchronization:

  1. idenprotect Core Platform checks if there are any WebSocket Clients connected.
  2. idenprotect Core Platform broadcasts an "initiate" message to the connected idenprotect Active Directory Agents.
  3. idenprotect Active Directory Agent checks the connection with the LDAP and responds with a message confirming that it is alive and stating its client name.
  4. idenprotect Core Platform broadcasts a "user sync" message with a client name, which is only picked up by the idenprotect Active Directory Agent with the given client name.
  5. idenprotect Active Directory Agent performs the LDAP user synchronization and replies with all of the users to the idenprotect Core Platform.
  6. idenprotect Core Platform checks the users and adds/deletes/disables users where appropriate.
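The following is an added illustration of the six-step exchange above, not code from the idenprotect product: the Core Platform, two agents and their directories are constructed in-memory stand-ins, and the message names and fields are assumptions rather than the real wire format.

```python
# Constructed simulation of the sync exchange; message layout is assumed.
from dataclasses import dataclass

@dataclass
class Agent:
    """Stand-in for one AD Agent: its client name and a fake LDAP directory."""
    client_name: str
    ldap_users: dict            # uid -> enabled flag, simulating the directory
    ldap_alive: bool = True     # result of the agent's LDAP connectivity check

    def handle(self, msg):
        # Step 3: answer "initiate" with liveness and our client name.
        if msg["type"] == "initiate":
            return {"type": "alive", "client": self.client_name, "alive": self.ldap_alive}
        # Steps 4/5: only the addressed agent acts on "user sync" and replies with users.
        if msg["type"] == "user sync" and msg["client"] == self.client_name:
            return {"type": "users", "client": self.client_name, "users": dict(self.ldap_users)}
        return None             # message was not for this agent

class CorePlatform:
    """Stand-in for the Core Platform's side of the exchange."""
    def __init__(self):
        self.agents = []        # connected WebSocket clients
        self.users = {}         # uid -> {"client": name, "enabled": bool}

    def broadcast(self, msg):
        # Send to every connected client; collect only non-empty replies.
        return [r for a in self.agents if (r := a.handle(msg)) is not None]

    def synchronize(self):
        if not self.agents:     # Step 1: nothing to do without connected clients
            return self.users
        # Step 2: broadcast "initiate"; keep the names of agents whose LDAP is alive.
        alive = [r["client"] for r in self.broadcast({"type": "initiate"}) if r["alive"]]
        for name in alive:
            # Step 4: targeted "user sync"; exactly one agent should answer.
            for reply in self.broadcast({"type": "user sync", "client": name}):
                self.reconcile(reply["client"], reply["users"])
        return self.users

    def reconcile(self, client, ldap_users):
        # Step 6: add/refresh users (a disabled LDAP account is stored as disabled),
        # then delete users that this client no longer reports.
        for uid, enabled in ldap_users.items():
            self.users[uid] = {"client": client, "enabled": enabled}
        stale = [u for u, v in self.users.items() if v["client"] == client and u not in ldap_users]
        for uid in stale:
            del self.users[uid]
```

Note that an agent whose LDAP check fails is skipped entirely, so its previously synced users are left untouched rather than deleted.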


Next Steps

If you wish to continue with installing the idenprotect Active Directory Agent, please return to Start Here - idenprotect Active Directory Agent to check the pre-requisites and begin the download and installation process.