The ThoughtFarmer Employee Directory Connector (EDC) allows for connecting your instance of ThoughtFarmer to an external identity provider. This provides the following possibilities:
- For clients with a cloud instance of ThoughtFarmer, this lets you integrate with your local Active Directory for authentication and user management.
- You can use a third-party identity provider such as Okta, or any other SAML 2.0 identity provider, to authenticate to your ThoughtFarmer intranet.
- You can link multiple combinations of identity providers for your users. This includes multiple Active Directories (where a trust is not possible) and hybrid user type scenarios.
This document gives a high-level view of the architecture involved when integrating with an on-premise Active Directory as an Identity Provider.
The first component of the EDC is a login site that allows users to sign in with their AD credentials. Once the credentials are validated, a secure token is passed back to ThoughtFarmer to confirm the identity of the authenticated user.
The EDC Service handles automatic user management tasks with Active Directory. It runs on the EDC server inside your network and sends data to your ThoughtFarmer intranet over HTTPS by means of API calls. Because every connection is outbound from the service, no inbound firewall openings are required. All updates are pushed from the service directly to ThoughtFarmer when sync operations occur.
The sync operations the service handles are:
- Bulk user creation
- Bulk user update (updates profile field information)
- Bulk user deactivation
- Update synced group memberships
- Update synced security group memberships
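The five sync operations above are, at bottom, a reconciliation between an Active Directory snapshot and the users ThoughtFarmer already knows about. The following is an added example, not ThoughtFarmer's own code: it builds the bulk create, update and deactivate sets and the desired membership of each synced group and synced security group from constructed sample records. The record shapes, field names, the use of sAMAccountName as the join key, and the treatment of a re-enabled AD account as an update are all assumptions; the actual HTTPS API calls the service makes are not modeled.

```python
"""Reconciliation logic behind the EDC sync operations (added example).

Assumed model: an AD snapshot (export of the accounts in scope) is diffed
against the users ThoughtFarmer currently holds, producing the bulk
operations the service would push outbound over HTTPS. Field names and
record shapes are assumptions, not ThoughtFarmer's API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdUser:
    sam: str               # sAMAccountName, assumed join key with ThoughtFarmer
    display_name: str
    email: str
    enabled: bool          # False when the AD account is disabled
    groups: frozenset      # AD group names the account belongs to


@dataclass(frozen=True)
class TfUser:
    username: str
    display_name: str
    email: str
    active: bool


def build_sync_plan(ad_users, tf_users, synced_groups, security_groups):
    """Return the bulk operations for one sync run.

    create:           enabled AD accounts ThoughtFarmer does not have yet
    update:           existing users whose profile fields changed (or whose
                      AD account was re-enabled; assumption, see below)
    deactivate:       ThoughtFarmer users whose AD account is disabled or gone
    groups / security_groups: desired members per synced group
    """
    ad_by_key = {u.sam.lower(): u for u in ad_users}
    tf_by_key = {u.username.lower(): u for u in tf_users}
    plan = {"create": [], "update": [], "deactivate": [],
            "groups": {}, "security_groups": {}}

    for key, ad in ad_by_key.items():
        tf = tf_by_key.get(key)
        if not ad.enabled:
            # Disabled in AD: intranet access is withdrawn on the next sync
            # rather than waiting for someone to remember the intranet.
            if tf is not None and tf.active:
                plan["deactivate"].append(key)
            continue
        if tf is None:
            plan["create"].append(key)
        elif (ad.display_name, ad.email) != (tf.display_name, tf.email) or not tf.active:
            # Profile fields differ, or the account was re-enabled in AD
            # (assumption: reactivation is carried as an update).
            plan["update"].append(key)

    # Accounts that no longer exist in AD at all are deactivated, never
    # deleted, so their content and audit history remain attributable.
    for key, tf in tf_by_key.items():
        if key not in ad_by_key and tf.active:
            plan["deactivate"].append(key)

    # Group membership is derived only from enabled AD accounts.
    enabled = {k: u for k, u in ad_by_key.items() if u.enabled}
    for g in synced_groups:
        plan["groups"][g] = sorted(k for k, u in enabled.items() if g in u.groups)
    for g in security_groups:
        plan["security_groups"][g] = sorted(k for k, u in enabled.items() if g in u.groups)

    for name in ("create", "update", "deactivate"):
        plan[name].sort()
    return plan


def demo_plan():
    """Run the reconciliation on constructed sample data."""
    ad_snapshot = [  # constructed sample AD export
        AdUser("alice", "Alice Adams", "alice@example.com", True,
               frozenset({"Engineering", "Intranet-Admins"})),
        AdUser("bob", "Bob Brown", "bob@example.com", True, frozenset({"Engineering"})),
        AdUser("carol", "Carol Cruz", "carol@example.com", False, frozenset({"Sales"})),
        AdUser("erin", "Erin Evans", "erin@example.com", True, frozenset({"Sales"})),
    ]
    tf_users = [  # constructed sample of what ThoughtFarmer currently holds
        TfUser("alice", "Alice Adams", "alice@example.com", True),
        TfUser("bob", "Robert Brown", "bob@example.com", True),   # renamed in AD
        TfUser("carol", "Carol Cruz", "carol@example.com", True),  # disabled in AD
        TfUser("dave", "Dave Diaz", "dave@example.com", True),     # gone from AD
    ]
    return build_sync_plan(ad_snapshot, tf_users,
                           synced_groups=["Engineering", "Sales"],
                           security_groups=["Intranet-Admins"])


if __name__ == "__main__":
    for op, payload in demo_plan().items():
        print(f"{op}: {payload}")
```

The point of the ordering is that disabled and missing AD accounts are deactivated on the same run that updates everyone else, so a leaver's intranet access ends as soon as the account is disabled in AD, and that deactivation rather than deletion keeps authored content attributable.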
Advanced multi AD configuration
With the components of the EDC installed and configured, it becomes possible to integrate multiple Active Directories into a single ThoughtFarmer instance. This integration can bring together ADs that otherwise are not connected.
Using an on-premise installation as an example, the following diagram depicts such a configuration. Here you can see two ADs integrated into a single instance of ThoughtFarmer that is hosted on the internal network of only one of them. Users see a selection screen when they first access the intranet and choose which identity provider they belong to. That choice redirects them to the appropriate login site and starts the authentication process. Their choice is remembered for subsequent visits, and they are then redirected automatically.
An in-depth look at an on-premise ThoughtFarmer installation integrated with two Active Directories: