
LDAP/Active Directory SSO

Files.com integrates with on-premise Active Directory, cloud-based Microsoft Entra ID, and hybrid setups. For integration with Microsoft Entra ID, see the Microsoft Entra ID documentation. To integrate with on-premise Microsoft Active Directory or LDAP, follow the details below.

Files.com connects to directory services using the LDAP protocol for user authentication and user provisioning. Secure LDAP (sometimes referred to as SLDAP) is supported using the LDAPS protocol, which encrypts LDAP communication with SSL/TLS on a dedicated port.

Single Sign-On (SSO) lets your users authenticate with the password specified in your corporate directory and lets administrators manage user credentials and privileges in one place.

Users can be provisioned within Files.com based on criteria defined within your directory service. For example, you can specify that only users who are members of a specified group receive Files.com user accounts.

Supported directory services include Active Directory, Apache Directory Server, OpenLDAP, and any other LDAP-compliant directory service.

Prerequisites for Connection

Files.com connects to your directory service using the LDAP protocol and supports both secure LDAPS (port 636) and non-secure LDAP (port 389).

Firewalls

Configure your firewall to allow inbound connections to your directory service from Files.com.

If your firewall is only capable of whitelisting or blacklisting using IP addresses, rather than domain names, see our published list of current IP addresses used by Files.com.

Ports

Port numbers are configurable, allowing you to use non-standard ports if required. Although 636 and 389 are standard, we recommend obfuscating your LDAP ports so that port scanners and bots cannot easily find your LDAP connection port.

TLS/SSL Security

Files.com supports secure LDAP through the LDAPS protocol, which encrypts LDAP communication with SSL/TLS on a dedicated port. We strongly recommend using secure LDAPS (port 636) rather than LDAP (port 389) so that your information is encrypted in transit between your directory service and Files.com.

When using LDAPS, use a valid and chained SSL Certificate. Do not use a self-signed SSL Certificate, and do not configure your firewall to tamper with or rewrite any transmitted data or data headers.

If your Active Directory server does not provide a secure connection, follow Microsoft's instructions for enabling LDAPS on a Microsoft Active Directory server to enable it.

LDAP Access Credentials

Files.com needs login credentials to connect to your directory service and is limited to the access privileges of the specified account.

We recommend that you create a "service account" login for Files.com and grant it access permissions to the areas of your directory that you want to use for Single Sign-On (SSO) and user provisioning.

Configuring SSO with LDAP/Active Directory

Single Sign-On (SSO) lets users access Files.com with their corporate credentials instead of separate passwords. When SSO is enabled, your directory service handles authentication and grants access only if the password matches. This applies to logins through the Files.com web portal, FTP, SFTP, WebDAV, Desktop App, Mobile App, and API.

Configure Single Sign-On (SSO) with LDAP/Active Directory by selecting the provider Active Directory/LDAP from the list of SSO providers.

The form contains the following fields:

Enabled

Use this switch to enable and disable the connection to your directory service. This can be used to quickly stop your LDAP users from logging in to Files.com.

Host

The Fully Qualified Domain Name (FQDN) or IP address of your Active Directory/LDAP server.

Add Backup Host

You can add a backup Active Directory/LDAP server to use if the primary isn't reachable. Files.com will then automatically connect to the Backup host when the main server (Host) cannot be reached. The Backup host must be a replica of the main server (Host). Uses URL nomenclature. For example: ldaps://www.mysite.com:636.

Port

The port to be used to connect to your Active Directory/LDAP server.

Secure Connection

Specifies whether secure LDAPS or non-secure LDAP will be used to connect.

Username Field

Specifies the Active Directory/LDAP attribute used to match a login attempt to a Files.com user. sAMAccountName is the most commonly used; userPrincipalName is provided as an alternative.

Active Directory limits the sAMAccountName attribute to 20 characters, so usernames synchronized from Active Directory will be limited to 20 characters (not including the domain).

The userPrincipalName attribute is not subject to this 20-character limitation. Check with your Active Directory/LDAP server administrator to see which attribute is used by your organization.

Username

The username that Files.com will use to log in to your Active Directory/LDAP server. For example: mydomain\Administrator.

Check with your Active Directory/LDAP server administrator that this user has access permissions to read the user and group items in your directory.

Password

The password that Files.com will use to log in to your Active Directory/LDAP server.

Distinguished Name · Base Search Path

The Distinguished Name (DN) of the location to begin searches within your directory. For example: CN=Users,DC=mydomain,DC=local

Searches will only find items at or below this location in your directory.

Domain

The domain suffix to be added to Files.com usernames. This is used to make sure that usernames are unique. For example, specifying local.mydomain.com will create usernames as user@local.mydomain.com.

These settings let users created within your Files.com account authenticate with their Active Directory/LDAP password.

The user must already exist within Files.com, and the username must match the pattern specified in the settings above. For example, if you specified sAMAccountName as the LDAP username field and mydomain.com as the domain suffix, then a user in your directory named janedoe needs a corresponding Files.com user account named janedoe@mydomain.com in order to log in.
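The following is an added example (not Files.com code) that applies the Username Field and Domain settings described above to a directory export and reports which Files.com accounts must exist before SSO logins will succeed. The function names, the directory entries and the Files.com user list are all constructed for the example; the page documents the <attribute>@<domain> pattern for sAMAccountName, and applying the same pattern to userPrincipalName is an assumption noted in the code.

```python
"""Map directory users to the Files.com usernames they must match.

Added example, not Files.com code. Directory entries and the Files.com user
list below are constructed sample data.
"""

SAM_ACCOUNT_NAME_MAX = 20  # Active Directory length limit on sAMAccountName


def expected_username(entry, username_field, domain):
    """Return the Files.com username a directory entry must match.

    The page documents the pattern <attribute value>@<domain> for
    sAMAccountName (janedoe + mydomain.com -> janedoe@mydomain.com).
    Applying the same pattern to userPrincipalName is an assumption of this
    example; confirm the exact form with Files.com for your site.
    """
    if username_field not in ("sAMAccountName", "userPrincipalName"):
        raise ValueError(f"unsupported Username Field: {username_field}")
    value = entry.get(username_field)
    if not value:
        raise ValueError(f"entry {entry.get('dn')} lacks {username_field}")
    if username_field == "sAMAccountName" and len(value) > SAM_ACCOUNT_NAME_MAX:
        raise ValueError(
            f"{value!r} exceeds the {SAM_ACCOUNT_NAME_MAX}-character sAMAccountName limit"
        )
    return f"{value}@{domain}"


def reconcile(entries, filescom_usernames, username_field, domain):
    """Classify directory entries by whether an SSO login can succeed.

    Returns a dict with three lists: 'ready' (a matching Files.com user
    exists), 'missing' (no Files.com user with that name yet) and 'invalid'
    (attribute absent or over the length limit). Comparison is exact;
    normalize case first if your directory and site differ in case usage.
    """
    result = {"ready": [], "missing": [], "invalid": []}
    existing = set(filescom_usernames)
    for entry in entries:
        try:
            name = expected_username(entry, username_field, domain)
        except ValueError as exc:
            result["invalid"].append(str(exc))
            continue
        (result["ready"] if name in existing else result["missing"]).append(name)
    return result


# Constructed sample directory export (not real accounts).
SAMPLE_ENTRIES = [
    {"dn": "CN=Jane Doe,CN=Users,DC=mydomain,DC=local",
     "sAMAccountName": "janedoe", "userPrincipalName": "janedoe@mydomain.com"},
    {"dn": "CN=Bob Builder,CN=Users,DC=mydomain,DC=local",
     "sAMAccountName": "bbuilder", "userPrincipalName": "bbuilder@mydomain.com"},
    {"dn": "CN=Long Name,CN=Users,DC=mydomain,DC=local",
     # 25 characters: longer than the 20-character user logon name limit
     "sAMAccountName": "averyveryverylongusername",
     "userPrincipalName": "averyveryverylongusername@mydomain.com"},
]

# Constructed list of users already created in Files.com.
SAMPLE_FILESCOM_USERS = ["janedoe@mydomain.com", "admin@mydomain.com"]

if __name__ == "__main__":
    report = reconcile(SAMPLE_ENTRIES, SAMPLE_FILESCOM_USERS, "sAMAccountName", "mydomain.com")
    for status, names in report.items():
        print(f"{status}: {names}")
```

Run it against a real export by replacing SAMPLE_ENTRIES with the output of an LDAP search (for example from ldapsearch) and SAMPLE_FILESCOM_USERS with your site's user list; every name in the 'missing' list is a user who will be refused at login until the account is created with exactly that username.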

We strongly recommend keeping at least one site administrator with password-based authentication, rather than assigning all administrators to SSO, to prevent being locked out of Files.com in case of IdP or SSO issues.

Configuring Automatic Provisioning

Files.com offers several automatic provisioning configuration options when you integrate your Active Directory/LDAP using SCIM Provisioning. Each time you configure and save the automatic provisioning options, a synchronization runs, and it continues to run every 60 minutes.

Troubleshooting

Several items can cause Single Sign-On (SSO) or provisioning issues.

Invalid or Expired SSL Certificates

When using a secure LDAPS connection to your Active Directory/LDAP server, check that the SSL Certificate is not expired. Use an online SSL Certificate checker, such as SSL Shopper. Confirm that the SSL Certificate is valid and chained. Do not use Self-Signed Certificates.
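As an added example (not Files.com or Microsoft code) for the TLS/SSL Security section above and this troubleshooting step, the script below opens a verified TLS connection to an LDAPS endpoint and reports the certificate's subject, issuer and expiry. A default ssl context validates the chain against the system CA store and checks the hostname, so a self-signed, untrusted or rewritten certificate is rejected in the same way Files.com would reject it. The function names are this example's own; the host names are placeholders, and the certificate dictionary used to exercise the expiry logic offline is constructed in the shape that ssl.SSLSocket.getpeercert() returns.

```python
"""Verify the certificate presented by an LDAPS endpoint.

Added example, not Files.com code. SAMPLE_CERT and SAMPLE_NOW are constructed
values used to exercise the expiry logic without a network connection.
"""
import socket
import ssl
import sys
import time

EXPIRY_WARNING_DAYS = 14


def days_until_expiry(cert, now=None):
    """Days left on a getpeercert()-style dict; negative once expired."""
    now = time.time() if now is None else now
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - now) / 86400


def cert_status(cert, now=None, warn_days=EXPIRY_WARNING_DAYS):
    """Return 'expired', 'expiring' or 'ok' for a certificate dict."""
    days = days_until_expiry(cert, now)
    if days < 0:
        return "expired"
    if days < warn_days:
        return "expiring"
    return "ok"


def check_ldaps(host, port=636, timeout=10):
    """Connect to host:port with full verification and describe the certificate.

    ssl.create_default_context() enforces chain validation against the system
    CA store plus hostname matching, so a self-signed certificate, a missing
    intermediate, or a certificate rewritten by an inspecting firewall raises
    ssl.SSLCertVerificationError instead of returning a result.
    """
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "protocol": tls.version(),
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]),
                "notAfter": cert["notAfter"],
                "status": cert_status(cert),
            }


# Constructed certificate dict in getpeercert() shape (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.mydomain.local"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
}
# Constructed "current time": 10 days before SAMPLE_CERT expires.
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb 20 00:00:00 2024 GMT")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_ldaps.py ldap.example.test [636]
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        try:
            print(check_ldaps(sys.argv[1], target_port))
        except ssl.SSLCertVerificationError as exc:
            print(f"certificate verification failed: {exc.verify_message}")
    else:
        print("offline sample:", cert_status(SAMPLE_CERT, now=SAMPLE_NOW))
```

Run it from outside your corporate network so the path matches what Files.com sees. A verification failure here, with a certificate that looks fine in a browser on the LAN, usually points at a firewall rewriting the TLS session or at an intermediate certificate missing from the chain served on port 636. The equivalent check with the OpenLDAP tools is an ldapsearch bind over ldaps:// with LDAPTLS_REQCERT=demand set, which likewise refuses an unverifiable chain.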

Invalid or Expired Access Credentials to Active Directory/LDAP

Files.com connects to your Active Directory/LDAP server using the credentials you supplied.

Confirm that these credentials are valid and can log in to Active Directory/LDAP using another LDAP tool such as ADExplorer (Windows) or ldapsearch (Linux).

If possible, test using a different set of credentials to determine whether the problem lies with one set of credentials or with all of them.

Incorrect Permissions to Active Directory/LDAP

Files.com connects to your Active Directory/LDAP server using the credentials you supplied.

Confirm that these credentials have at minimum read permissions to the parts of the directory that contain user and group items.

If possible, test using a different set of credentials to determine whether the problem lies with the permissions of one set of credentials or with all of them.

Firewall Settings

Files.com connects to your Active Directory/LDAP server using the LDAPS or LDAP port that you specified. Confirm that your firewall is not blocking these ports. From outside your corporate network, try using an LDAP tool to connect, such as ADExplorer (Windows) or ldapsearch (Linux).

Confirm that your firewall is not packet-inspecting these ports. If packet inspection rewrites any part of the data transmission or its headers, the TLS/SSL transport encryption treats it as a man-in-the-middle attack and terminates the connection.

Incorrect Group Memberships

Files.com provisions users and groups based on the configuration you provided.

If no users, or only a subset of users, are being provisioned, check your configuration to confirm that you entered the correct Group names. Confirm that within your Active Directory/LDAP, the users you want to provision are members of the specified Groups. Also check the memberOf attribute of the Active Directory/LDAP users.

Incorrect Distinguished Name (DN) Settings

Files.com provisions users and groups based on the configuration you provided. The Distinguished Name (DN) specifies the part of the directory that Files.com has access to. Files.com can only search within the Distinguished Name (DN) location.

Confirm that you have specified the correct Distinguished Name (DN). For example, CN=Users,DC=mydomain,DC=local is not the same as OU=Users,DC=mydomain,DC=local. Also confirm that the users and groups exist within this Distinguished Name (DN) location.
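The following is an added example (not Files.com code) that models the two provisioning checks described in the Incorrect Group Memberships and Incorrect Distinguished Name (DN) Settings sections: an entry is only visible when it sits at or below the configured DN, and it is only provisioned when its memberOf attribute names a configured group. DN components are compared after case normalization, which is how Active Directory treats them. The function names, the group DN, the base DNs and all entries are constructed for the example.

```python
"""Predict which directory users a provisioning search would find.

Added example, not Files.com code. The group, base DNs and entries below are
constructed sample data.
"""


def parse_dn(dn):
    """Split a DN into normalized 'type=value' RDN strings, most specific first.

    Splits on unescaped commas only (a backslash escapes the next character)
    and lowercases both attribute type and value so that comparisons are
    case-insensitive, matching Active Directory's handling of DNs.
    """
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    normalized = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        normalized.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalized


def is_under(entry_dn, base_dn):
    """True when entry_dn is at or below base_dn (RDN suffix match)."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def classify(entries, base_dn, group_dns):
    """Map each entry DN to 'provisioned' or the reason it would be skipped.

    A search rooted at base_dn never returns entries outside it, and entries
    inside it are provisioned only if memberOf intersects the configured
    groups. Both checks use normalized DNs, so differing case does not matter
    but CN=Users and OU=Users remain distinct containers.
    """
    wanted = {tuple(parse_dn(g)) for g in group_dns}
    outcome = {}
    for entry in entries:
        dn = entry["dn"]
        if not is_under(dn, base_dn):
            outcome[dn] = "outside base DN"
            continue
        groups = {tuple(parse_dn(g)) for g in entry.get("memberOf", [])}
        outcome[dn] = "provisioned" if groups & wanted else "not in a configured group"
    return outcome


# Constructed sample group and entries (not real accounts).
GROUP = "CN=FilesCom Users,CN=Users,DC=mydomain,DC=local"
SAMPLE_ENTRIES = [
    {"dn": "CN=Jane Doe,CN=Users,DC=mydomain,DC=local", "memberOf": [GROUP]},
    {"dn": "CN=Bob Builder,CN=Users,DC=mydomain,DC=local",
     "memberOf": ["CN=Domain Users,CN=Users,DC=mydomain,DC=local"]},
    # Same group, but under the OU=Users organizational unit, not CN=Users.
    {"dn": "CN=Sam Smith,OU=Users,DC=mydomain,DC=local", "memberOf": [GROUP]},
    # Nested one level below OU=Users; memberOf written in a different case.
    {"dn": "CN=Ana Lee,OU=Staff,OU=Users,DC=mydomain,DC=local", "memberOf": [GROUP.lower()]},
]

if __name__ == "__main__":
    for base in ("CN=Users,DC=mydomain,DC=local", "OU=Users,DC=mydomain,DC=local"):
        print(f"base DN {base}:")
        for dn, result in classify(SAMPLE_ENTRIES, base, [GROUP]).items():
            print(f"  {result:<26} {dn}")
```

Feed it the dn and memberOf attributes from an LDAP export of your users together with the DN and group names from the Files.com form; an entry reported as "outside base DN" needs the Distinguished Name setting widened or corrected, and one reported as "not in a configured group" needs either its group membership or the configured group name fixed.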