Active Directory Connector
The Active Directory (AD) Connector allows users to authenticate to Team assistant (TAS) using either an on-premises AD reached over LDAP or Azure AD.
LDAP AD Authentication
Requirements
To enable LDAP authentication, you need:
- Access to an Active Directory server
- A principal user with read access to AD
- The principal user's credentials
Setup in Team assistant
- Go to Administration > Authentication > Add New
- Select LDAP as the module
- Edit the predefined script with your AD details:
{
  "logoutParams": {
    "url": "/authenticate"
  },
  "ldap": {
    "server": "192.168.0.0",
    "port": "389",
    "rdn": "CN=Users,DC=Test,DC=CZ", // no need to change
    "people": "CN=Users,DC=Test,DC=CZ", // organizational unit in AD; TAS searches for people under this subtree
    "principalUser": "CN=administrator,CN=Users,DC=Test,DC=CZ", // user with read access to AD; TAS binds as this user to read data
    "principalPassword": "pass", // password of principalUser
    "loginSuffix": "@test.ad.cz", // can be empty ""
    "userFilter": "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(|(memberOf:1.2.840.113556.1.4.1941:=CN=TAS\\ Users\\ -\\ ALL\\ -\\ System \\(UA\\),OU=ALL,OU=TAS\\ -\\ IS\\ Team\\ Assistant,OU=Groups\\ |\\ Users,OU=Organization,DC=cz,DC=CZ)(userPrincipalName:=tas@ad.cz)(memberOf:1.2.840.113556.1.4.1941:=CN=TAS\\ Users\\ -\\ ALL\\ -\\ System\\ \\(FA\\),OU=ALL,OU=TAS\\ -\\ IS\\ Team\\ Assistant,OU=Groups\\ |\\ Users,OU=Organization,DC=ce,DC=CZ)))", // 1.2.840.113556.1.4.803 is the bitwise-AND rule (excludes disabled accounts), 1.2.840.113556.1.4.1941 is the nested-group rule
    "loginAttr": "sAMAccountName", // can be userPrincipalName, email, etc., depending on the client
    "externalId": "objectGUID", // stays
    "timeout": 10000 // preferred
  },
  "config": {
    "createUser": true, // if a user logging in from AD does not exist in TAS yet, it is created automatically from AD data
    "updateOnLogin": false, // update the TAS user with AD data on every login; false is preferred
    "updatePostInstructions": [], // additional actions to run during login, after authentication
    "adUserMiddleware": "", // allows changing the login e-mail before authenticating against AD
    "useCompetenceRules": false, // set to true if TAS competences are synced with AD
    "recursiveMemberOf": false // if the user is, for example, in group TAS and that group is nested under TAS-admins, both groups are traversed; this works together with the filter in "userFilter"
  }
}
Note: Remove all comments (//) before saving the script.
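As an added example (not part of the connector or this page), the following Python script performs the pre-save checks on the LDAP script above that an administrator would want: it strips the `//` comments without touching `//` inside string values, parses the result as JSON, checks that the required `ldap` keys are present, verifies that `userFilter` is balanced and only uses the two documented Microsoft matching-rule OIDs, and flags a template placeholder password. Key names are the page's; the sample script in the accompanying check is constructed.

```python
import json
import re

# Microsoft's matching-rule OIDs used by the userFilter above: bitwise AND
# on userAccountControl, and IN_CHAIN for nested group membership.
KNOWN_RULES = {"1.2.840.113556.1.4.803", "1.2.840.113556.1.4.1941"}
REQUIRED_LDAP_KEYS = ("server", "port", "rdn", "people", "principalUser", "principalPassword",
                      "userFilter", "loginAttr", "externalId", "timeout")


def strip_line_comments(text):
    """Drop // comments that are outside JSON strings, so "https://..." values survive."""
    out, i, in_str = [], 0, False
    while i < len(text):
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < len(text):  # copy the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            nl = text.find("\n", i)  # skip to end of line, keep the newline itself
            i = nl if nl != -1 else len(text)
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def check_ldap_config(script):
    """Return a list of problems found in the connector script (empty means OK)."""
    problems = []
    ldap = json.loads(strip_line_comments(script)).get("ldap", {})
    problems += [f"ldap.{k} missing" for k in REQUIRED_LDAP_KEYS if k not in ldap]
    flt = ldap.get("userFilter", "")
    if flt.count("(") != flt.count(")"):
        problems.append("userFilter parentheses are unbalanced")
    for oid in re.findall(r":(\d+(?:\.\d+)+):=", flt):
        if oid not in KNOWN_RULES:
            problems.append(f"unknown matching-rule OID {oid} in userFilter")
    if not isinstance(ldap.get("timeout"), int):
        problems.append("ldap.timeout must be an integer (milliseconds)")
    if ldap.get("principalPassword") in ("", "pass"):
        problems.append("principalPassword is empty or still the template placeholder")
    return problems
```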
Azure AD Authentication
Requirements
To use Azure AD authentication, the client must register Team assistant in the Azure AD portal and configure authentication.
Setup in Azure AD Portal
- Register an app following Microsoft's guidelines with User.Read permissions.
- Ensure the app has:
  - A callback URL defined: https://backend_address/auth/azure-ad/callback/authentication_module_id (this URL may include /api depending on the environment; check your backend URL in the browser Developer Console (F12))
  - Access tokens enabled (for profile pictures)
  - ID tokens enabled (for login authentication)
- In local.js, ensure the hostname (backend URL) is correctly set.
Setup in Team assistant
- Go to Administration > Authentication > Add New
- Select Azure AD as the module
- Edit the predefined script with your Azure AD details:
{
  "logoutParams": {
    "url": "/authenticate"
  },
  "tenantID": "Azure tenant id", // authentication in Azure AD
  "clientID": "Azure client id", // authentication in Azure AD
  "responseType": "id_token token", // stays
  "responseMode": "form_post", // stays
  "scope": [ // stays; the scope of information retrieved about the AD account
    "profile",
    "email",
    "openid"
  ],
  "includeUserProfilePicture": true, // sync the user's picture from AD; false is preferred
  "allowHttpForRedirectUrl": false, // false is preferred
  "postAuthInstructions": [
    "/* Retrieve values from the input */",
    "const name = Holder.getTextProperty('name');",
    "const email = Holder.getTextProperty('email');",
    "const photo = Holder.getTextProperty('photo');",
    "const userExternalId = Holder.getTextProperty('oid');",
    "const userExternalSource = Holder.getTextProperty('source');",
    "",
    "/* Assign values, split if necessary */",
    "const username = email;",
    "const [ firstName, ...lastNames ] = name.split(' ');",
    "",
    "/* Find or create a User with the given information */",
    "const user = identity.findOrCreateUser(username, firstName, lastNames.join(' '));",
    "",
    "/* Set user email, photo and external identity */",
    "user.USER_EMAIL = email;",
    "user.USER_PHOTO = photo;",
    "user.USER_EXTERNAL_SOURCE = userExternalSource;",
    "user.EXTERNAL_ID = userExternalId;",
    "return identity.store(user);"
  ]
}
Note: Remove all comments (//) before saving the script.
Troubleshooting
Common Issues & Solutions
| Issue | Cause | Solution |
| --- | --- | --- |
| Login fails with AADSTS90102 | Incorrect callback (backend) URL | Ensure the backend URL is correctly set in local.js |
| Users not found in LDAP | Wrong principal user or user filter | Verify credentials and filter configuration |
| Profile pictures not syncing | includeUserProfilePicture is set to false | Change it to true (and make sure access tokens are enabled for the app) |
Updated by Anna Gernát