Identity Connector

Overview

Traditional IT environments often rely on disparate user directories, complicating identity management, especially in hybrid and multi-cloud landscapes. ColorTokens Xshield addresses this challenge by integrating seamlessly with Active Directory (AD).

Understanding the Building Blocks

LDAP

LDAP acts as a centralized directory for IT infrastructure, storing and managing user, group, device, and resource information. It eliminates the need for local configurations on every machine by allowing client applications to access data via LDAP servers.

SCIM

SCIM standardizes user provisioning, updates, and de-provisioning across multiple cloud applications, ensuring consistent user data flow and simplified identity management.

The Power of Integration

Benefits of Integrating AD with ColorTokens Xshield

  • Ease in User Segmentation – Ensures accurate and dynamic user-group information for seamless segmentation.
  • Identity Lifecycle Management – SCIM automates user provisioning and updates, reducing risks associated with stale credentials.
  • Net Effect – Streamlined operations with up-to-date and accurate user data.

How SCIM Integration Works

The sample Identity Connector acts as a data bridge between LDAP and Xshield:

  • Establishes an outbound connection to LDAP (Port 636), pulling user and group data.
  • Pushes the collected data securely to Xshield (Port 443).
  • Configurable update frequency ensures real-time identity synchronization.

How SCIM Integration Works

The sample Identity Connector streamlines user and group identity management within your Zero Trust security strategy. It functions as a data bridge, acting as an intermediary between your existing LDAP directory and the Xshield platform.

The connector establishes an outbound connection to your LDAP server on port 636 and actively pulls user and group information. This data is then securely pushed to Xshield over a second outbound connection on port 443.

Users can configure the update frequency, so the data in Xshield stays fresh by automatically syncing every 'X' minutes. This continuous flow of user and group identities lets Xshield maintain a comprehensive, up-to-date view of your access landscape, a crucial foundation for effective user segmentation.

SCIM Integration Using An Identity Connector

Prerequisites

Software Requirements

  • Python Version (>=3.10)
  • Required Packages:
    python3-dev
    redis-server
    libldap2-dev
    libsasl2-dev
    ldap-utils
    pip3 (>=21.2.4)
    requests
    ldap3
    python-ldap
    redis
    configparser

Network Requirements

  • Whitelist Xshield Base Domain (e.g., https://ng.colortokens.com – Port 443).
  • Connectivity to LDAP Server (e.g., Port 389).

Hardware Requirements

  • Linux Server (Ubuntu >20.x or RHEL 8.x)
  • 2 CPU cores, 8 GB RAM, 5 GB Free Disk Space

Installation Guide

Step 1: Enable SCIM Integration on Xshield

  1. Go to Xshield Platform → Integrations → User Provisioning → SCIM
  2. Click "Activate"
  3. Click "Generate New Token" and copy the Bearer Token

Step 2: Download the sample Identity Connector

  • Ubuntu:
    wget https://artifacts-ng-dev.colortokens.com/ct-ldap-to-scim-bridge/ldap-scim-bridge.deb
  • RHEL:
    wget https://artifacts-ng-dev.colortokens.com/ct-ldap-to-scim-bridge/ldap-scim-bridge-1.0.2-1.el9.x86_64.rpm

Step 3: Install the Connector

  • Ubuntu Installation:
    sudo dpkg -i ldap-scim-bridge.deb
  • RHEL Installation:
    sudo rpm -i ldap-scim-bridge-1.0.2-1.el9.x86_64.rpm

Step 4: Configure the Connector

Modify the config file:

sudo nano /opt/colortokens/ldapscimbridge/config

Configuration Parameters

  • Polling Interval:

    pollInternalInMinutes = <Value in minutes>
    logLevel = DEBUG
  • LDAP Configuration:

    [LDAP]
    Protocol = ldap
    Server = <LDAP Server IP>
    Port = 389
    baseDN = <Base DN from AD>
    password = <Admin Password>
    username = <Admin Username>
    userDN = <Admin Username>
  • SCIM Configuration:

    [SCIM]
    userApiEndpoint = <Base URL>/Users/
    tenant = <Tenant ID>
    groupApiEndpoint = <Base URL>/Groups/
    authorization = Bearer <Bearer Token>
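The bridge described under How SCIM Integration Works, driven by the [LDAP] and [SCIM] settings above, as an added Python example (not ColorTokens' connector code): it reads the config with configparser, maps AD entries to SCIM 2.0 User and Group resources (a disabled AD account becomes active=false so it is de-provisioned rather than left stale), and pushes them with the configured Bearer token. The config values, the AD entries, the /scim/v2 endpoint paths and the injected post callable are constructed assumptions.

```python
"""Added example (not ColorTokens' connector code): parse the bridge config,
map AD/LDAP entries to SCIM 2.0 resources and push them with the Bearer token."""
import configparser

# Constructed config in the layout shown above; every value is a placeholder.
SAMPLE_CONFIG = """
[LDAP]
Server = 10.0.0.5
baseDN = DC=corp,DC=example
[SCIM]
userApiEndpoint = https://ng.colortokens.com/scim/v2/Users/
groupApiEndpoint = https://ng.colortokens.com/scim/v2/Groups/
authorization = Bearer <Bearer Token>
"""
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group"
# Constructed AD entries shaped like python-ldap results (attribute -> list of bytes).
SAMPLE_USERS = [
    {"dn": "CN=Ada,OU=Users,DC=corp,DC=example", "sAMAccountName": [b"ada"],
     "mail": [b"ada@corp.example"], "userAccountControl": [b"512"]},
    {"dn": "CN=Bob,OU=Users,DC=corp,DC=example", "sAMAccountName": [b"bob"],
     "mail": [b"bob@corp.example"], "userAccountControl": [b"514"]},  # 0x2 = disabled
]
SAMPLE_GROUPS = [{"dn": "CN=Finance,OU=Groups,DC=corp,DC=example", "cn": [b"Finance"],
                  "member": [b"CN=Ada,OU=Users,DC=corp,DC=example"]}]

def load_config(text: str) -> configparser.ConfigParser:
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg

def to_scim_user(entry: dict) -> dict:
    """A disabled AD account (userAccountControl bit 0x2) maps to active=false, so the
    SCIM side de-provisions it instead of keeping a stale identity."""
    disabled = int(entry["userAccountControl"][0]) & 0x2
    return {"schemas": [SCIM_USER], "userName": entry["sAMAccountName"][0].decode(),
            "emails": [{"value": entry["mail"][0].decode(), "primary": True}],
            "externalId": entry["dn"], "active": not disabled}

def to_scim_group(entry: dict) -> dict:
    return {"schemas": [SCIM_GROUP], "displayName": entry["cn"][0].decode(),
            "externalId": entry["dn"], "members": [{"value": m.decode()} for m in entry["member"]]}

def sync(cfg, users, groups, post) -> list:
    """Push every resource. `post(url, headers, body)` is injected so the logic runs
    offline; in production it wraps requests.post(url, headers=headers, json=body)."""
    headers = {"Authorization": cfg["SCIM"]["authorization"], "Content-Type": "application/scim+json"}
    results = []
    for url, items, conv in ((cfg["SCIM"]["userApiEndpoint"], users, to_scim_user),
                             (cfg["SCIM"]["groupApiEndpoint"], groups, to_scim_group)):
        results.extend((url, post(url, headers, conv(e))) for e in items)
    return results
```

Because the config file carries the bind password and the Bearer token in clear text, restrict it to the account that runs the cron job (for example mode 600) before the first poll.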

Step 5: Verify Installation

Check cron jobs:

crontab -l

Monitor logs:

tail -f /opt/colortokens/ldapscimbridge/logs/*.log

Imported users and groups will be visible in the Users/Groups tab in Xshield.

Uninstallation Guide

Ubuntu Uninstallation

sudo dpkg --purge ldap-scim-bridge

RHEL Uninstallation

sudo rpm -e ldap-scim-bridge

Notes &amp; Limitations

  • LDAPS is currently not supported.
  • The sample connector is tested with Microsoft AD only.