Active Directory Integration

Last modified: September 30, 2023 18:29

The Microsoft Active Directory (also simplified as AD) integration for its Countly Enterprise Software. This plugin adds Microsoft Active Directory (AD) integration to your Countly instance. When enabled, regular user management of Countly is bypassed and users are authenticated via their AD credentials

Availability

The Active Directory plugin is available only in Countly Enterprise.

Getting Started

In order to enable the plugin, go to Management > Plugins and enable the toggle button for Active Directory.

When Active Directory Plugin is enabled, Countly will bypass its regular authentication and it will use the Active Directory (AD) user credentials of the organization for authentication.

The Countly user of the organization needs to use the same credentials they login to their organization’s Active Directory server.

Active Directory Plugin Currently Supports:

Azure Active Directory

Microsoft Active Directory

Oracle Unified Directory (coming soon)

.....................................................................................................................................................................

Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service

Setting up Azure AD

Create an app from App Registrations or use the existing app
Add a web platform and add the redirect URL /azure-ad-callback
Enable the plugin
```
countly plugin enable active_directory
```
Go inside the plugins directory in Countly path /plugins/active_directory and copy config.azure.sample.js config.js and use your app ID and secret token. Then, select a group where the members of which should be global admin of Countly
Countly-hosted installation
If your server is Countly-hosted, please contact Support and provide us the information listed below.
```
const config = {
 clientId: '8db7e011-a15f-4454-9472-2f475550c7a7',
 clientSecret: 'c33wTBoBv@_1jPm.e1ENTLhpoB]IE@iC',
 globalAdminGroup: 'countly-global-admins'
};
```

Using Azure AD

The first login should be done from an app administrator to allow the app.
Use a user who is a member of the group which is setup as a global admin group inside the configuration as someone who can access the Manage Users section to create the groups. The group name of the Azure Active Directory and the group name of Countly should be same in order to match.
The AD Plugin does not have user-level permissions, but group level permissions. Active Directory groups should match with any Countly group for the member of the AD group to access the Countly Dashboard and permissions will depend on the group permission setup inside Countly Manage Users > Groups section.

.....................................................................................................................................................................

Microsoft On-Prem Active Directory

Microsoft Active Directory is a collection of services that helps manage users and devices on a network.

Setting Up Microsoft AD

1. You need to have a running Active Directory with LDAP v3 server.

2. Go inside the plugins directory in Countly in /plugins/active_directory and copy config.ldap.sample.js config.js and use your app ID and secret token. Then, select a group which members should be global admins of Countly.

Countly-hosted installation

If your server is Countly-hosted, please contact Support and provide us the information listed below.

3. Enable plugin

countly plugin enable active_directory

HOW TO USE STEPS [ Default Countly Groups ]:

Use an user who is member of the group which is setup as a global admin group inside config who can access manage users section to create the groups. Group name of Azure Active Directory and group name of Countly should be same in order to match.
AD Plugin does not have user level permission instead it is group level permissions. Active Directory groups should match with any countly group for the member of the AD group to access countly dashboard and permissions will depend on the group permission setup inside countly manage users/groups section.

Using Microsoft AD (Legacy Role Based Authentication)

AD groups and corresponding user roles on Countly

Active Directory groups (Groups are Active Directory objects that can contain users, contacts, computers, and other groups) should contain the user to be authorized, which should match the possible roles that will be configured or generated in Countly as described below.

One direct AD group will be mapping to the Global Admin user role of Countly. This AD group should be configured in the AD plugin config file like:

globalAdminGroup: 'ad-global-admin'

For each application on Countly there will be three direct AD groups with the following name structure:

AppAnalytics-APPIDENTIFIER-ROLE

The possible roles can be any of the following:

User, with Countly User level permissions for the app (no write access and only read access).
Admin, with Countly Admin level permissions for the app (admins of Countly can only view and administer their own applications)
Marketing, new Countly user level with permissions to create a funnel, view Messaging and Attribution sections and can create new Attribution and push notifications campaigns, and all other rights Countly user has
Custom role can be implemented based on customer requirements

The AD Group can be set up in an app basis, which is defined on the Countly Dashboard.

Looking for help?

Countly Enterprise Support

Create a ticket for any support request you might have as a Countly Enterprise Customer

Countly Community

Join us on Discord to engage in discussions, share your feature ideas, and learn from fellow Countly users