Migrating from AD/LDAP to SSO

Many customers are migrating from AD/LDAP to SSO to take advantage of single sign-on, multi-factor authentication (MFA), and similar identity-provider features.


SAML and External Realm users are compatible with each other, so existing users will continue to work when they sign in through SAML instead, as long as the username FlexDeploy receives matches their existing username. To change the username that FlexDeploy receives, change the Unique User Identifier (Name ID) claim in the SAML provider; no change is needed in FlexDeploy. If the username format does not match, the user is treated as new and asked to set up a new account. Schedule a downtime window and test with a known user. If that user lands on the new-user screen, the Name ID did not match: do not have them complete the screen. Instead, go back and adjust the Name ID claim until the existing account is recognized.

If you cannot get the Name ID to match your existing usernames, the alternative is a SQL update that changes the usernames already stored in FlexDeploy to match what the SAML provider sends. If you prefer that approach, open a support ticket for assistance.


Additionally, ensure that the SAML provider sends claims for the email address, first name, and last name. They are used to set up new users.
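Before the cutover, it helps to capture a SAML response from the identity provider's test tool and check what FlexDeploy would actually receive: the Subject NameID (which becomes the username) and whether the email, first-name and last-name attributes are present. The script below is an added example, not FlexDeploy or Flexagon code; it parses a constructed SAML Response and compares the NameID against a list of existing usernames. The attribute names in REQUIRED_ATTRS, the sample usernames and the sample response are assumptions for illustration, and the comparison is exact (confirm how your realm treats case). It is a diagnostic parse only and does not validate the assertion's signature.

```python
"""Pre-cutover check: does the SAML NameID match an existing FlexDeploy username?

Added example, not FlexDeploy or Flexagon code. Parses a SAML 2.0 Response
(a constructed sample below stands in for one captured from the IdP's test
tool) and reports the NameID, whether it matches a known username, and which
required attributes are missing. No signature validation is performed; this is
a diagnostic parse, not an authentication check.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed attribute names (not from the page): use whatever your IdP is
# configured to send for email, first name and last name.
REQUIRED_ATTRS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}


def parse_saml_response(xml_text):
    """Return (name_id, {attribute name: first value}) from a SAML Response."""
    root = ET.fromstring(xml_text)
    name_id_el = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    name_id = None
    if name_id_el is not None and name_id_el.text:
        name_id = name_id_el.text.strip()
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text.strip()
    return name_id, attrs


def check_user(xml_text, existing_usernames):
    """Classify a SAML response against the usernames that exist today.

    name_id            - the value that would become the FlexDeploy username
    matches_existing   - True means the existing account would be used
    missing_attributes - required attributes the IdP did not send

    matches_existing == False is the case where the user would land on the
    new-user screen: fix the Name ID claim instead of completing that screen.
    Comparison is exact; confirm how your realm treats case before relying on it.
    """
    name_id, attrs = parse_saml_response(xml_text)
    missing = [k for k, name in REQUIRED_ATTRS.items() if name not in attrs]
    return {
        "name_id": name_id,
        "matches_existing": name_id in existing_usernames,
        "missing_attributes": missing,
    }


def sample_response(name_id, attrs=None):
    """Constructed SAML Response for testing; not captured from any real IdP."""
    if attrs is None:
        attrs = {
            REQUIRED_ATTRS["email"]: "jsmith@example.com",
            REQUIRED_ATTRS["first_name"]: "Jane",
            REQUIRED_ATTRS["last_name"]: "Smith",
        }
    attr_xml = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in attrs.items()
    )
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml:Assertion ID="_a1" Version="2.0">'
        '<saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">'
        f'{name_id}</saml:NameID></saml:Subject>'
        f'<saml:AttributeStatement>{attr_xml}</saml:AttributeStatement>'
        '</saml:Assertion></samlp:Response>'
    )


if __name__ == "__main__":
    # Assumed usernames as they exist in the LDAP realm today.
    existing = {"jsmith", "bjones"}
    # A UPN/email-style NameID is the typical mismatch against an LDAP username.
    for nid in ("jsmith", "jsmith@example.com"):
        print(nid, "->", check_user(sample_response(nid), existing))
```

Run it against a response captured from your own identity provider in place of sample_response; a False matches_existing for a user you know exists means the Name ID claim still needs adjusting.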


However, if you have group mapping enabled with an LDAP realm, note that group mapping is not yet supported for SSO, with either SAML or OIDC. Flexagon is considering adding it to the road map, but it is not there yet. If you want to carry your current LDAP-mapped groups over, there is a SQL query you can use to transfer that data. If you do not, the group memberships will be missing after the transition. Groups will not be added automatically for you after the transition either, so if group mapping is important to you, it may not be time to transition yet.

