Overview of LDAP Integration

The Lightweight Directory Access Protocol (LDAP) is an application protocol for accessing and maintaining distributed directory information services over an Internet Protocol network.  LDAP user authentication validates a username/password combination against a directory server such as Active Directory or OpenLDAP.

With the Metric Insights LDAP integration, you can automatically create Metric Insights users based on existing user and group information in your LDAP server. Once configured, the integration greatly simplifies the setup of hundreds if not thousands of users.

Metric Insights LDAP integration currently supports the following features:

  • Authenticate users against LDAP (If users change their passwords for other applications, the new password will also work to access Metric Insights)
  • Automatically create Metric Insights users with user profile information from LDAP (e.g., first name, last name, email address, etc.)  
  • Automatically create Metric Insights groups that are mapped to LDAP groups and add users to those groups based on LDAP group membership
  • Automatically sync user profile information on successful login
  • Auto-creation of LDAP users can be selectively turned on or off
  • Auto-remove users from MI groups based on LDAP group membership

To read more about configuring this integration, see Configuring LDAP Authentication.

The Metric Insights LDAP integration supports the following protocols:

  • LDAP
  • LDAPS

The LDAP authentication mechanism can query any directory service that supports the LDAP or LDAPS protocol, including Microsoft Active Directory.

1. Basic use-case

The process is as follows:

  1. User enters credentials on the Metric Insights login page
  2. Metric Insights passes credentials to the configured LDAP / Active Directory service
  3. LDAP verifies that the user is authorized. In the event the user profile does not yet exist in Metric Insights, the user profile is automatically created based on the LDAP user data (first name, last name, email address, group membership, etc.). If any existing user information has changed on the LDAP server since a prior authentication, that information is automatically updated in Metric Insights.
  4. On successful authentication, the user is logged into Metric Insights

2. Use-case for new Users

  1. An Administrator creates groups in Metric Insights and maps them to LDAP 'organizational units' (i.e., groups)
  2. New user enters credentials into Metric Insights
  3. Metric Insights passes credentials to the configured LDAP / Active Directory service
  4. LDAP verifies that the user is authorized
  5. User is logged into Metric Insights
  6. Metric Insights issues an API call to obtain other information about the new user, including name, email, and LDAP group assignments
  7. Metric Insights will assign the new user to all groups that are mapped to LDAP organizational units

Example:  Metric Insights' Finance group is mapped to LDAP organizational unit finance_group. A new user is a member of this LDAP organizational unit finance_group, so Metric Insights assigns the user to the Metric Insights Finance group. If applicable, Metric Insights will assign the user to multiple groups in the application.

Note: The Metric Insights API can be leveraged for this mapping. It is not necessary to do it manually in the Metric Insights User and Group Editors.

3. Use-case for Users that change Groups

  1. An Administrator can establish optional configuration parameters to auto-remove users from MI groups based upon LDAP group membership
  2. When appropriately set, Metric Insights issues an API call each time a user logs into Metric Insights
    • API call returns the user's LDAP / Active Directory organizational unit assignments
    • Metric Insights updates a user's group membership based on information returned from the API call

To read more about configuring this, see Configuring LDAP Authentication.

4. Optional settings for new Users

An Admin can set an optional configuration parameter that will prevent new user accounts from being created automatically. This permits LDAP / Active Directory integration while giving Administrators direct control over the creation of new user accounts.

To read more about configuring this, see Configuring LDAP Authentication.
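
The login-time provisioning described in the use-cases above (auto-creation, profile sync, group mapping and auto-removal) can be modelled as follows. This is an added example, not Metric Insights code: `MIUser`, `provision_on_login`, the `auto_create` / `auto_remove` flags and the `groups` key are hypothetical names, and the case-insensitive group match and the rule that unmapped groups are never revoked are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class MIUser:
    """Hypothetical stand-in for a Metric Insights user record."""
    username: str
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    groups: set = field(default_factory=set)

def provision_on_login(users, group_map, ldap_entry,
                       auto_create=True, auto_remove=False):
    """Run after the LDAP bind has already succeeded.

    users      -- dict username -> MIUser (stand-in for the user store)
    group_map  -- dict MI group name -> mapped LDAP group name
    ldap_entry -- dict of attributes read from the directory
    Returns the MIUser, or None when no local account exists and
    auto-creation is switched off.
    """
    name = ldap_entry["uid"]
    user = users.get(name)
    if user is None:
        if not auto_create:
            return None          # authenticated in LDAP, but not provisioned
        user = users[name] = MIUser(username=name)

    # Sync profile fields on every successful login.
    user.first_name = ldap_entry.get("givenName", user.first_name)
    user.last_name = ldap_entry.get("sn", user.last_name)
    user.email = ldap_entry.get("mail", user.email)

    # Assumption: group names are compared case-insensitively.
    ldap_groups = {g.lower() for g in ldap_entry.get("groups", ())}
    entitled = {mi for mi, lg in group_map.items() if lg.lower() in ldap_groups}
    user.groups |= entitled
    if auto_remove:
        # Assumption: only mapped groups are revoked; groups with no LDAP
        # mapping (assigned by hand) are left alone.
        user.groups -= set(group_map) - entitled
    return user
```

With `auto_remove` left off, a user who has been taken out of `finance_group` in the directory keeps the mapped Finance membership in the application until an administrator removes it by hand.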