LDAP Authentication

USP supports integration with external LDAP directory services to authenticate Users and Accounts.

This feature allows organizations to centralize credential validation through established enterprise identity providers.

Configuring LDAP

To enable LDAP in USP, first create these two Authentication Items:

  • LDAP Connection: Defines how USP reaches the directory (hostname, port, optional TLS, timeouts).
  • LDAP Query: Defines the logic used to perform authentication against the directory.

After creating these items, you must reference them from the appropriate configuration depending on whether LDAP is used to authenticate Users or Accounts.

LDAP for Users

LDAP can be configured as an external Auth Source for the USP Admin UI, allowing Users to authenticate with their LDAP credentials. Just-in-Time (JIT) provisioning automatically creates User records on successful login.

Only one LDAP provider can be configured per USP Manager instance. When LDAP is configured as an Auth Source:

  1. Users can authenticate to the USP Admin UI using their LDAP credentials.
  2. USP Manager uses the configured LDAP Connection and LDAP Query to validate the credentials and retrieve User attributes.
  3. On first successful login, the User is automatically provisioned in USP Manager with attributes (Username, Name, Email, Role) populated according to the configured attribute mappings.
  4. On subsequent logins, USP updates the User if changes are detected in LDAP.

Info: For step-by-step setup, testing guidance, and JIT provisioning details, see User LDAP Authentication.
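
The JIT provisioning steps above (create on first login, update on later logins when LDAP differs), as an added illustration that is not USP's own code: the attribute mapping, the User record shape, the in-memory store and the sample directory entry are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# Assumed mapping: USP User field -> LDAP attribute returned by the LDAP Query.
# USP's real mapping names are configured in the product, not shown here.
ATTRIBUTE_MAPPINGS = {
    "username": "uid",
    "name": "cn",
    "email": "mail",
    "role": "employeeType",
}
REQUIRED = ("username",)  # never provision a record that has no identity

@dataclass
class User:
    username: str
    name: str = ""
    email: str = ""
    role: str = ""

def map_attributes(ldap_entry: dict) -> dict:
    """Translate a directory entry into USP User fields. Multi-valued LDAP
    attributes yield their first value; missing required fields are rejected
    so that a malformed entry never creates a half-populated User."""
    mapped = {}
    for field_name, ldap_attr in ATTRIBUTE_MAPPINGS.items():
        value = ldap_entry.get(ldap_attr, [])
        if isinstance(value, str):
            value = [value]
        mapped[field_name] = value[0].strip() if value else ""
    for field_name in REQUIRED:
        if not mapped[field_name]:
            raise ValueError(f"entry lacks required attribute {ATTRIBUTE_MAPPINGS[field_name]!r}")
    return mapped

def jit_provision(store: dict, ldap_entry: dict) -> str:
    """Run after the LDAP bind has already succeeded. Creates the User on the
    first login, updates only the fields that changed on later logins, and
    reports 'created', 'updated' or 'unchanged' for audit logging."""
    mapped = map_attributes(ldap_entry)
    existing = store.get(mapped["username"])
    if existing is None:
        store[mapped["username"]] = User(**mapped)
        return "created"
    changed = {k: v for k, v in mapped.items() if getattr(existing, k) != v}
    if not changed:
        return "unchanged"
    for k, v in changed.items():
        setattr(existing, k, v)
    return "updated"
```

The function is keyed on the mapped username; a directory that renames accounts would need a stable identifier instead, which this page does not specify.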

LDAP for Accounts

LDAP can serve as the Inbound Authentication Source for validating client credentials during inbound connections.

When a Rule is configured to use LDAP:

  1. The external client connection reaches a Listener linked to a Route whose Inbound Node uses this Rule.
  2. The USP Server uses the defined LDAP Connection and LDAP Query to locate the directory server and validate the client's credentials.
  3. If authentication succeeds, the connection is forwarded to the designated internal target.

Info: For a detailed explanation, refer to Rules.