NS1 Enterprise DDI supports integration with Microsoft Active Directory (AD), allowing NS1 customers to manage user provisioning and role-based permissions for their entire organization via AD. Authentication is delegated to the domain controller defined in the AD configuration. For this reason, users cannot have 2FA enabled for their entire organization. Instead, users have the option to enable or disable 2FA on their individual accounts.
This article includes:
- Initial Setup
- Logging into the Private DNS/DDI portal as an AD user.
- Managing AD integration settings.
Initial setup
Step 1: Enable Active Directory for your organization.
The following steps can be completed only by a user with the “manage Active Directory” permissions enabled. Refer to this article for instructions on how to create or edit user settings.

Log into the NS1 DDI portal. Click your username in the upper-right corner, and navigate to Account Settings > Security Settings.
Use the toggle to enable the "Enable Active Directory Login" option.
Enter the following information corresponding to your Active Directory account:
- Domain Controller Host Address
  This is the domain name or IP address of the Active Directory domain controller.
- Domain Controller Host Port (optional)
  This is an optional setting allowing you to define a specific port of the Active Directory domain controller.
  NOTE
  Ports 636 and 3269 are used for LDAP connection with TLS enabled. Port 389 does not work with TLS enabled. If TLS is disabled, port 389 is used by default for the unencrypted LDAP connection.
- Active Directory Domain Name
  Note that DDI software version 3.2.6 or later supports a comma-delimited list, allowing you to enter alternative domains.
- Username & password
  This is the service (BIND) account username and password for Active Directory.
- Base DN (optional)
  This optional setting specifies the distinguished name (DN) of the root for searches in Active Directory. It is useful for clients with large or complex directories. (Example: dc=ns1, dc=com)
- Secure/TLS certificate (optional)
  Toggle this option to enable/disable TLS. By enabling this option, the NS1 platform connects via a secure connection to the Active Directory domain controller.
  - The integration supports only base-64 encoded X.509 certificates. DER-encoded binary X.509 and PKCS (P7B) certificates are not supported.
  - If your Active Directory domain controller uses a certificate for LDAPS signed by an internal certificate authority (CA), upload the root CA certificate (PEM format).
  - The certificate key length must be 2048 bits or more.
Click Test these settings to verify connection to the AD domain controller. Ensure you see the confirmation message below.
Once complete, click Save Active Directory Settings.
Do not delete the local administrator account associated with your organization as this will prevent you from bypassing Active Directory, if necessary.
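A preflight check for the Step 1 values, as an added example (not NS1 code): it flags a port/TLS mismatch and a certificate that is not base64 (PEM) X.509 or whose RSA key is under 2048 bits. The function names are hypothetical, the DER walk covers RSA keys only, and treating ports 636/3269 with TLS disabled as an error is an assumption.

```python
import base64
import re

TLS_PORTS = {636, 3269}  # per the page: LDAP with TLS enabled
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, i):
    """Decode one DER element at offset i -> (tag, value_start, value_end)."""
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:  # long-form length: low 7 bits give the count of length octets
        n, i = int.from_bytes(buf[i:i + (n & 0x7F)], "big"), i + (n & 0x7F)
    return tag, i, i + n

def _kids(buf, s, e):
    """List the child elements of a constructed DER value spanning [s, e)."""
    out = []
    while s < e:
        out.append(_tlv(buf, s))
        s = out[-1][2]
    return out

def rsa_modulus_bits(der):
    """Walk Certificate -> tbsCertificate -> subjectPublicKeyInfo -> modulus."""
    _, s, e = _tlv(der, 0)
    _, s, e = _kids(der, s, e)[0]              # tbsCertificate
    tbs = _kids(der, s, e)
    spki = tbs[6 if tbs[0][0] == 0xA0 else 5]  # the [0] version field is optional
    bitstr = _kids(der, spki[1], spki[2])[1]   # BIT STRING holding the key
    tag, s, e = _tlv(der, bitstr[1] + 1)       # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("not an RSA key; this size check covers RSA only")
    _, s, e = _kids(der, s, e)[0]              # first INTEGER is the modulus
    return int.from_bytes(der[s:e], "big").bit_length()

def preflight(port, tls, cert_bytes=None):
    """Return problems with the Step 1 values; an empty list means none found."""
    problems = []
    if tls and port == 389:
        problems.append("port 389 does not work with TLS; use 636 or 3269")
    if not tls and port in TLS_PORTS:  # assumption: TLS ports need TLS enabled
        problems.append(f"port {port} is a TLS port but TLS is disabled")
    if cert_bytes is not None:
        m = PEM_RE.search(cert_bytes)
        if b"-----BEGIN PKCS7-----" in cert_bytes:
            problems.append("PKCS (P7B) bundle is not supported")
        elif not m:
            problems.append("not base64 (PEM) X.509; DER binary is not supported")
        elif rsa_modulus_bits(base64.b64decode(m.group(1))) < 2048:
            problems.append("certificate key length is below 2048 bits")
    return problems
```

Pass the bytes of the root CA file you intend to upload, for example `preflight(636, True, open("root-ca.pem", "rb").read())`, where `root-ca.pem` is a placeholder file name.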
Note about user accounts
After enabling the integration and mapping NS1 teams to AD groups, you have the option to delete local user accounts that are duplicated in Active Directory. This helps ensure users cannot bypass authenticated sign-on using their local NS1 login credentials. Alternatively, you can leave all local users in the NS1 database to avoid a single point of failure if the AD domain controller goes down. Even if you delete local users, we highly recommend retaining at least one local NS1 administrator user to avoid complete lockout.
In the next step, you’ll create “teams” within the NS1 platform that correspond to your AD “groups.” This allows you to manage team-specific settings from the NS1 portal.
Step 2: Create a team in NS1 corresponding to an AD group.
Follow the steps below for each AD team you wish to grant access to the NS1 portal.
- Log into the NS1 portal, click your username in the upper-right corner, and navigate to Account Settings > Users & Teams.
- Navigate to the Teams tab, and then click Add Team.
- Enter a team name.
  NOTE
  This name must match the name of the corresponding AD group exactly. If the name of the team is different from the AD group, the connection will fail.
- Enable or disable permissions for the team, as desired.
- Click Create Team.
  NOTE
  Team mapping from Active Directory to NS1 will occur automatically as users log into the NS1 portal using their AD credentials.
- Provide users with your organization ID.
Test: Log in using Active Directory credentials & org ID.
After setting up teams that correspond to your AD groups, ask users from each team to log into the NS1 portal. To do so, they’ll need to enter their username and password corresponding to their AD account, as well as your NS1 organization ID (obtained from your organization’s operator user) to ensure successful login and permissions.
Ensure users are using their Active Directory credentials and not the local NS1 login credentials used previously. These are now two separate accounts.
If you don’t know your organization’s NS1 operator user, contact support@ns1.com to identify this person or to obtain your organization ID (required for logging in via AD).
Logging into the NS1 portal as an AD user
- Navigate to your NS1 Private DNS/Enterprise DDI portal login page.
- Enter your username and password corresponding to your Active Directory account.
- Enter your organization ID provided by the operator user for your NS1 account.
  NOTE
  If you don’t know your organization’s NS1 operator user, contact support@ns1.com to identify this person or to obtain your organization ID (required for logging in via AD).
- Click Log in.
Managing AD integration settings
To update team permissions:
- In the NS1 portal, click your username in the upper-right corner, and navigate to Account Settings > Users & Teams.
- Click the Teams tab, and click the edit icon (under Manage) next to the team you would like to modify.
  NOTE
  The team name must correspond exactly to the group name defined in the Active Directory database.
- Make the desired changes, and click Save Team to save your changes.
To disable the AD integration:
- In the NS1 portal, click your username in the upper-right corner, and navigate to Account Settings > Security Settings.
- Scroll to the Active Directory pane, and toggle the button next to Enable Active Directory Login to the left to disable the feature.
Disabling the Active Directory login will not delete previous settings configured during the initial setup. If you choose to reinstate this feature, the system will default to your previous configuration. To clear the AD settings, press the Clear Settings button to delete the information from the database.