LDAP & Active Directory Federation
Novaza SSO can federate with an existing LDAP or Active Directory server so that users authenticate with their corporate directory credentials. User accounts, group memberships, and attributes are synchronized from the directory — you do not need to create and maintain users twice.
LDAP federation is available on Enterprise plans.
How Federation Works
- Administrator configures a connection to the directory (host, bind DN, search base)
- Novaza queries the directory for users matching a filter
- Matching users are imported into Novaza and kept in sync
- When a user signs in, Novaza delegates password verification to the directory
- Group memberships from the directory are mapped to Novaza groups
At no point is the user’s directory password stored in Novaza.
Connection Settings
| Field | Description |
|---|---|
| Host | Hostname or IP of the LDAP server |
| Port | Usually 389 (LDAP) or 636 (LDAPS) |
| Encryption | None, StartTLS, or LDAPS |
| Bind DN | Service account used to query the directory |
| Bind password | Credential for the service account |
| Search base | Root DN under which users are searched |
| User filter | LDAP filter selecting the users to import |
| Username attribute | Attribute used as the Novaza login (e.g. sAMAccountName, uid) |
Attribute Mapping
Directory attributes are mapped to Novaza user fields. Typical mappings:
| Novaza field | LDAP / AD attribute |
|---|---|
| Email | mail |
| First name | givenName |
| Last name | sn |
| Display name | displayName |
| Department | department |
Synchronization
Federation runs on a schedule (default: every 15 minutes) and on demand. Each sync:
- Imports new matching users
- Updates changed attributes
- Deactivates users that no longer match the filter
- Recomputes group memberships
Deactivated users lose access immediately but their records and audit history are retained.
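As an added example that is not part of Novaza's documentation or code base, the following Python models one sync pass (import, update, deactivate) over the attribute mapping above, plus the way a sign-in lookup narrows the configured user filter to one login. The directory entries are constructed, and the function and field names are assumptions.

```python
"""Offline model of an LDAP federation sync pass and sign-in lookup filter."""
from typing import Dict, List, Tuple

# Attribute mapping from the table above: Novaza field -> directory attribute.
ATTRIBUTE_MAP = {"email": "mail", "first_name": "givenName", "last_name": "sn",
                 "display_name": "displayName", "department": "department"}
USERNAME_ATTR = "sAMAccountName"  # the configured "Username attribute"

# RFC 4515 escaping for a value placed inside a filter, so metacharacters in a
# typed login name are matched literally instead of parsed as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def login_filter(user_filter: str, login: str) -> str:
    """AND the configured user filter with the login, for the sign-in lookup."""
    return f"(&{user_filter}({USERNAME_ATTR}={escape_filter_value(login)}))"

def map_entry(entry: Dict[str, str]) -> Dict[str, str]:
    """Apply the attribute mapping; absent optional attributes become ''."""
    user = {"username": entry[USERNAME_ATTR]}
    for field, attr in ATTRIBUTE_MAP.items():
        user[field] = entry.get(attr, "")
    return user

def sync(store: Dict[str, Dict[str, str]],
         matched: List[Dict[str, str]]) -> Tuple[list, list, list]:
    """One pass: returns (imported, updated, deactivated) usernames.
    Records of deactivated users stay in the store, as the page describes."""
    imported, updated, seen = [], [], set()
    for entry in matched:
        user = map_entry(entry)
        name = user["username"]
        seen.add(name)
        if name not in store:
            imported.append(name)
        elif store[name] != user:
            updated.append(name)
        store[name] = user
    deactivated = sorted(set(store) - seen)  # no longer match the filter
    return imported, updated, deactivated

# Constructed sample entries (not from a real directory).
PREVIOUS = [
    {"sAMAccountName": "ada", "mail": "ada@example.test", "givenName": "Ada",
     "sn": "Lovelace", "displayName": "Ada Lovelace", "department": "Research"},
    {"sAMAccountName": "bob", "mail": "bob@example.test", "givenName": "Bob",
     "sn": "Ng", "displayName": "Bob Ng", "department": "Sales"},
]
CURRENT = [dict(PREVIOUS[0], department="Engineering"),  # ada changed department
           {"sAMAccountName": "carol", "mail": "carol@example.test",
            "givenName": "Carol", "sn": "Diaz", "displayName": "Carol Diaz",
            "department": "Sales"}]  # carol is new; bob no longer matches

def demo() -> Tuple[list, list, list]:
    store = {u["username"]: u for u in map(map_entry, PREVIOUS)}
    return sync(store, CURRENT)
```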
Troubleshooting
- Bind failed — check the service account credentials and that the account is not locked
- No users imported — verify the search base and filter in an external LDAP browser
- TLS errors — make sure the LDAP server presents a certificate trusted by Novaza (upload the CA certificate if it is self-signed)