After setting up your AD/LDAP directory, you can configure the provisioning settings to define how user data is managed and updated.
- Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Click Directory Integration.
- In the Directory field, select a directory.
- Go to the Provisioning tab and perform the following actions as needed.
Provisioning to UniFi Identity Enterprise
- Specify how often you want UniFi Identity Enterprise to import users from the AD/LDAP directory.
- Select "Never" to prevent users from being automatically imported.
- Scheduled Import Method: Select the import method for scheduled imports.
- Full import: When selected, users of the selected OUs will be imported from the AD/LDAP server to UniFi Identity Enterprise.
- Import by rule: The scheduled tasks will run according to the import rules you configured (if any). When selected, UniFi Identity Enterprise will only import the users who belong to the AD/LDAP directory group that you have selected in the CONDITION field of the import rules.
- Click Rule management (optional) to add new import rules or edit existing ones.
- UniFi Identity Enterprise Email Format: Specify the email format of the imported users. When you import users from the AD/LDAP directory, UniFi Identity Enterprise uses this attribute to generate the UniFi Identity Enterprise email format. You can also use custom expressions to create usernames for imported users.
- Modified User’s Group by Import Rules: Specify whether to sync the changes of the groups in the AD/LDAP directory to all UniFi Identity Enterprise users or to sync only new users based on the user import rules.
User Matching and Actions
You can use matching rules to define whether an imported user should be viewed as a new user or mapped to an already-existing UniFi Identity Enterprise user. Imported users that match the rules will be viewed as existing users and other users will be viewed as new users.
An imported user and an existing UniFi Identity Enterprise user are an exact match if:
- Email matches: If the email of an imported user fully matches that of an existing UniFi Identity Enterprise user, the user will be viewed as an existing user.
An imported user and an existing UniFi Identity Enterprise user are a partial match if:
- Both the first and last name match: This occurs when an imported user's first name and last name match those of an existing UniFi Identity Enterprise user, even if the user's email address does not match.
Actions for exact or partial match
- Automatically confirm the import of users with an exact match: When ticked, the exact match users will be auto-confirmed. When unticked, you must manually confirm the exact match users.
- Automatically confirm the import of users with a partial match: When ticked, the partial match users will be auto-confirmed. When unticked, you must manually confirm the partial match users.
Actions for new users
- Automatically confirm the import of new users: New users will be imported to UniFi Identity Enterprise automatically, without needing confirmation.
- Automatically activate the imported users: This option is displayed once the Auto-confirm new user option is enabled. Enable it to activate new users once they are imported to UniFi Identity Enterprise, without needing manual activation.
Import Safeguard lets you set a threshold for the ratio of unassigned users. When the ratio of unassigned users reaches the set threshold, all import tasks in your workspace are suspended.
- Enable Import Safeguard.
- Specify the percentage.
- Click Save Changes.
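The matching rules and confirmation actions above, together with the Import Safeguard threshold, are modelled in the following added example. It is illustrative code written for this article, not UniFi Identity Enterprise's own implementation; the dataclass names, the case-insensitive email comparison and the "unassigned/total" inputs to the safeguard check are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class User:
    email: str
    first_name: str
    last_name: str

@dataclass
class MatchSettings:
    auto_confirm_exact: bool = True     # "Automatically confirm ... exact match"
    auto_confirm_partial: bool = False  # partial (name-only) matches default to manual review
    auto_confirm_new: bool = True       # "Automatically confirm the import of new users"
    auto_activate_new: bool = False     # only offered once auto_confirm_new is on

def classify(imported: User, existing: list[User]) -> tuple[str, Optional[User]]:
    """Exact match: email fully matches. Partial: first AND last name match.
    Otherwise the user is new. Emails are compared case-insensitively (assumption)."""
    by_email = {u.email.lower(): u for u in existing}
    hit = by_email.get(imported.email.lower())
    if hit is not None:
        return "exact", hit
    key = (imported.first_name.casefold(), imported.last_name.casefold())
    for u in existing:
        if (u.first_name.casefold(), u.last_name.casefold()) == key:
            return "partial", u
    return "new", None

def plan_import(imported: list[User], existing: list[User], s: MatchSettings) -> list[dict]:
    """Apply the confirm/activate settings to each classified imported user."""
    auto = {"exact": s.auto_confirm_exact, "partial": s.auto_confirm_partial, "new": s.auto_confirm_new}
    plan = []
    for iu in imported:
        kind, match = classify(iu, existing)
        plan.append({
            "email": iu.email, "match": kind,
            "linked_to": match.email if match else None,
            "action": "auto-confirm" if auto[kind] else "manual-review",
            # activation is automatic only for new users, and only when both toggles are on
            "activate": kind == "new" and s.auto_confirm_new and s.auto_activate_new,
        })
    return plan

def safeguard_triggered(unassigned: int, total: int, threshold_pct: float) -> bool:
    """Import Safeguard: suspend all import tasks once the unassigned ratio reaches the threshold."""
    return total > 0 and 100.0 * unassigned / total >= threshold_pct

if __name__ == "__main__":  # constructed sample accounts, not real data
    existing = [User("ann@example.com", "Ann", "Lee"), User("bob@example.com", "Bob", "Stone")]
    imported = [User("ANN@example.com", "Ann", "Lee"), User("b.stone@example.com", "Bob", "Stone"),
                User("cy@example.com", "Cy", "Park")]
    for row in plan_import(imported, existing, MatchSettings()):
        print(row)
    print("safeguard:", safeguard_triggered(3, 10, 30))
```

The partial-match branch is the one to review before enabling auto-confirm: a first/last name collision would link an imported account to an existing user's account.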
AD Integration Settings
OUs connected to UniFi Identity Enterprise: Select which users under the organizational units (OUs) will be imported to UniFi Identity Enterprise.
LDAP Integration Settings
You can modify the LDAP integration settings in Provisioning > Integration. Refer to Integrate LDAP with UniFi Identity Enterprise for more information about each field.
Delegated authentication allows users to use their AD/LDAP credentials to sign in to UniFi Identity Enterprise. When delegated authentication is enabled, user credentials will be saved in the AD/LDAP server and managed by it.
- This is an advanced feature. To apply for a free trial, use your owner account to sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) > Settings > Plan & Billing > Feature Usage > Apply for Plan Add-On.
- To enable "Delegated authentication", the Identity Enterprise Agent on which your directory is deployed must be in "Active" status.