Systems - AD: Manage groups membership in multi domain (cross domain) AD environment

Managing group membership in MS AD is a basic and very common use case which helps admins automate daily tasks. IdM has been used for this task for a long time, but it only works when you manage group membership in the same AD domain where the users are. In this tutorial we will show how to achieve the same in a multi domain (cross domain) environment. In other words, you will be able to manage membership of groups which are in a different domain than the user.

There are still some limitations:

  • A user can have only one account per AD system, otherwise you won't be able to set different groups for these accounts
  • Two or more ADs connected to IdM via the WinRM + AD connector in version 1.0.3
  • The AD domains must trust each other (trust mode)
  • Groups which are to be used cross domain must be of the Domain local type
  • Extras module enabled, in version 1.8.0 for IdM version < 10 or 2.0.1 for IdM version > 10
  • The server name is parsed from the DC values set in Root suffixes in the system configuration. E.g. CN=… DC=piskoviste,DC=bcv,DC=cz is parsed to piskoviste.bcv.cz and this value is then used as the -Server parameter inside the PowerShell scripts. So make sure that the AD system is accessible under this calculated hostname

When we have everything prepared, we can jump into IdM and begin with the configuration. First, open each of your existing AD connections, move to the "Configuration" tab, scroll down and check the following option

This option is mandatory for this to work; otherwise, when a group from another domain is assigned, the update via AD (LDAP protocol) will fail. From now on, all group membership is managed only via WinRM (PowerShell script).

The next step is to go to "Settings" → "Code lists" and create a new code list. You can name it as you want (for example: Cross AD systems). Then create items in this code list: the item code is the UUID of the AD system which should be in cross domain mode, and as the item name just fill in the name of the system. Repeat this step for each AD which should be in this mode. As a result you will have one code list with the same number of items as you have AD systems.

Go to "Settings" → "Configuration" and add the new configuration property idm.sec.extras.configuration.cross.codeList; as its value use the code or UUID of the code list created above.

Go to "Settings" → "Modules" → tab "Processors" and verify that these processors are enabled: extras-cross-ad-groups-provisioning-processor, extras-provisioning-update-processor and extras-provisioning-create-processor. In the same tab search for "provisioning-update-processor" (from the acc module) and disable it. Do the same for "provisioning-create-processor".

Now all the necessary configuration is done. Our IdM is prepared to manage group membership in a multi domain AD setup, but to actually use it you still need to do a few things.

To be able to assign roles to a specific account in a specific AD domain we need to prepare roles in IdM. When you have only one AD in IdM and you have synchronized roles into IdM, you will see that each role which represents an AD group has a mapped system and overrides the ldapGroups attribute. This way you are able to manage membership in these groups for accounts in the same domain. If you want to manage membership in these groups in another AD domain, which is represented by another AD system in IdM, you need to create new roles and select this other AD system as the mapped system. The overridden ldapGroups attribute will have the same value as in the already existing role. If you have a lot of roles you don't want to create these roles manually, and for this purpose there is a long running task prepared in the Extras module.

There is a mandatory prerequisite for running this task. You need to have the EAV attribute groupType filled in for each role, otherwise the task will not run. This value is used to decide whether the role can be duplicated only for the same domain or also for another one, according to the AD group type. The attribute is an Integer and can have the following values:

  • -2147483644 for domain local security group
  • -2147483646 for global security group
  • -2147483640 for universal security group
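The following is an added pre-check utility (example code, not part of the IdM Extras module) that applies two rules from this page: it derives the -Server hostname from the DC components of a root suffix as described in the limitations, and it decodes the signed groupType Integer to tell whether a role's group is a domain local security group and therefore usable cross domain. The role records and root suffix are constructed sample data; the bit-flag constants are the standard AD groupType flags.

```python
# AD groupType bit flags (standard attribute definition); the security bit
# 0x80000000 is what makes the stored signed 32-bit Integer negative.
GROUP_TYPE_GLOBAL = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000


def server_from_root_suffix(root_suffix: str) -> str:
    """Join the DC= components of the root suffix, in order, with dots.
    'CN=Users,DC=piskoviste,DC=bcv,DC=cz' -> 'piskoviste.bcv.cz'"""
    parts = [p.strip() for p in root_suffix.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    if not dcs:
        raise ValueError(f"no DC components in root suffix: {root_suffix!r}")
    return ".".join(dcs)


def decode_group_type(group_type: int) -> dict:
    """Decode the signed Integer stored in the role's groupType EAV attribute."""
    unsigned = group_type & 0xFFFFFFFF  # reinterpret as the original DWORD
    if unsigned & GROUP_TYPE_DOMAIN_LOCAL:
        scope = "domain local"
    elif unsigned & GROUP_TYPE_GLOBAL:
        scope = "global"
    elif unsigned & GROUP_TYPE_UNIVERSAL:
        scope = "universal"
    else:
        scope = None
    return {"scope": scope, "security": bool(unsigned & GROUP_TYPE_SECURITY_ENABLED)}


def cross_domain_eligible(group_type: int) -> bool:
    """Only domain local security groups may be used cross domain."""
    info = decode_group_type(group_type)
    return info["scope"] == "domain local" and info["security"]


def check_roles(roles: list) -> dict:
    """Report, per role, whether CrossAdRolesDuplication can use it:
    groupType must be filled, and only domain local groups go cross domain."""
    report = {}
    for role in roles:
        gt = role.get("groupType")
        if gt is None:
            report[role["name"]] = "missing groupType - task will not run"
        elif cross_domain_eligible(gt):
            report[role["name"]] = "domain local security - cross domain"
        else:
            report[role["name"]] = f"{decode_group_type(gt)['scope']} - same domain only"
    return report
```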

In the Extras module there is a task CrossAdRolesDuplication which will help you create the new roles. Go to "Settings" → "Task scheduler" → tab "Scheduled tasks" and add this new task. The task has several options which you need to configure before using it:

  • Systems for which the duplicated roles will be created - Select the AD system for which the newly created roles will be used (the roles will have this system as mapped)
  • Catalog from which all roles will be duplicated - Source catalog with the roles; if your roles are not in a catalog, move them into one manually, or use the new options in the synchronization WF
  • Environment of the new duplicated roles - You can't have roles with the same name, so the new roles will have a different environment value than the source ones
  • Catalogue in which the new roles will be created - Role catalog where the newly created roles will be stored

After this you will have the "same" roles with different mapped systems. Let's say you have systems AD1 and AD2 and the role basicRole exists twice in IdM. One instance has AD1 as its mapped system and the other one AD2. If you want to assign this group to an account in AD1, you use the one mapped to the AD1 system. For the AD2 system you use the second one.

  • by poulm