This feature is available as a paid add-on for Countly Enterprise.
This feature adds integration of Microsoft Active Directory (AD) or Azure AD to your Countly Enterprise instance. Regular user management of Countly is bypassed when enabled, and users are authenticated via their AD credentials.
What are LDAP and Active Directory?
LDAP (Lightweight Directory Access Protocol) is a software protocol that is used to enable anyone to locate data about organizations, individuals, and other resources, such as files and devices in a network.
Active Directory (AD) consists of a database and a set of services users use to connect with the network resources they need to get their work done. Active Directory follows the LDAP protocols.
In Countly, LDAP and AD provide both authentication and authorization by verifying users' identities and controlling their access based on predefined groups. To deploy them, contact your account manager.
The group name in Countly must be the same as the group names in LDAP and AD.
Getting Started
To enable the feature, go to Management > Feature Management and enable the toggle button for Active Directory.
When Active Directory is enabled, Countly will bypass its regular authentication and it will use the Active Directory (AD) user credentials of the organization for authentication.
The Countly user of the organization needs to use the same credentials they login to their organization’s Active Directory server.
Active Directories Available
The Active Directory feature currently supports:
Azure Active Directory
Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service.
Setting up Azure AD
- Create an app from App Registrations or use the existing app.
2. Add a web platform and add the redirect URL /azure-ad-callback
3. Enable the feature
countly feature enable active_directory
4. Go inside the features directory in Countly in/features/active_directory and copy config.azure.sample.jsconfig.js and use your app ID and secret token. Then, select a group that the members of which should be global admin of Countly.
Countly-hosted installation
If your server is Countly-hosted, please contact Support and provide us with the information listed below.
const config = {
clientId: '8db7e011-a15f-4454-9472-2f475550c7a7',
clientSecret: 'c33wTBoBv@_1jPm.e1ENTLhpoB]IE@iC',
globalAdminGroup: 'countly-global-admins'
};
Using Azure AD
- The first login should be done by an app administrator to allow the app.
- Use a user who is a member of the group which is set up as a global admin group inside the configuration as someone who can access the Manage Users section to create the groups. The group name of the Azure Active Directory and the group name of Countly should be the same in order to match.
- The AD feature does not have user-level permissions, but group-level permissions. Active Directory groups should match with any Countly group for the member of the AD group to access Countly and permissions will depend on the group permission setup inside User Management > Groups section.
Microsoft On-Prem Active Directory
Microsoft Active Directory is a collection of services that helps manage users and devices on a network.
Setting Up Microsoft AD
- You need to have a running Active Directory with an LDAP v3 server.
- Go inside the features directory in Countly, in /features/active_directory and copy config.ldap.sample.js config.js and use your app ID and secret token. Then, select a group whose members should be global admins of Countly.
If your server is Countly-hosted, please contact Support and provide us with the information listed below.
- Enable the feature
countly feature enable active_directory
Using Microsoft AD [Default Countly Groups]
- Use a user who is a member of the group which is set up as a global admin group inside config who can access the manage users section to create the groups. The group name of Azure Active Directory and the group name of Countly should be the same in order to match.
- AD feature does not have user-level permission instead it is group-level permissions. Active Directory groups should match with any countly group for the member of the AD group to access Countly and permissions will depend on the group permission setup inside the countly manage users/groups section.
Using Microsoft AD (Legacy Role Based Authentication )
This is not applicable for new versions of Countly.
Active Directory groups (Groups are Active Directory objects that can contain users, contacts, computers, and other groups) should contain the user to be authorized, which should match the possible roles that will be configured or generated in Countly as described below.
One direct AD group will be mapped to the Global Admin user role of Countly. This AD group should be configured in the AD feature config file using the command below:
globalAdminGroup: 'ad-global-admin'
For each application on Countly there will be three direct AD groups with the following name structure:
AppAnalytics-APPIDENTIFIER-ROLE
The possible roles can be any of the following:
- User, with Countly User level permissions for the app (no write access and only read access).
- Admin, with Countly Admin-level permissions for the app (admins of Countly can only view and administer their own applications).
- Marketing, new Countly user level with permissions to create a funnel, view Messaging and Attribution sections and can create new Attribution and push notifications campaigns, and all other rights Countly users have been assigned.
- The custom role can be implemented based on customer requirements.
The AD Group can be set up on an app basis, which is defined on the Countly platform.