Use LDAP in conjunction with SAML

In MKE, you can configure LDAP to work together with SAML, though there are some pitfalls to be aware of, described below.


To enable LDAP and SAML to be used in tandem:

  1. Enable and integrate SAML authentication.

  2. Log in to the MKE web UI.

  3. In the left-side navigation panel, navigate to <user name> > Admin Settings > Authentication & Authorization.

  4. Scroll down to the Identity Provider Integration section and verify that SAML is toggled to Enabled.

  5. Select the Also allow LDAP users checkbox.

  6. Integrate with an LDAP directory.


To sync teams with both LDAP and SAML users:

  1. Log in to the MKE web UI.

  2. Verify that LDAP and SAML teams are both enabled for syncing.

  3. In the left-side navigation panel, navigate to Access Control > Orgs & Teams.

  4. Select the required organization and then select the required team.

  5. Click the gear icon in the upper right corner.

  6. On the Details tab, select ENABLE SYNC TEAM MEMBERS.

  7. Select ALLOW NON-LDAP MEMBERS.


To determine a user’s authentication protocol:

  1. Log in to the MKE web UI as an administrator.

  2. In the left-side navigation panel, navigate to Access Control > Users and select the target user.

    If an LDAP DN attribute is present next to Full Name and Admin, the user is managed by LDAP. If, however, the LDAP DN attribute is not present, the user is not managed by LDAP.

Overlapping user names

Unexpected behavior can result from having the same user name in both SAML and LDAP.

If just-in-time (JIT) provisioning is enabled in LDAP, MKE accepts login attempts only through whichever identity provider the user first logs in with, and blocks all login attempts through the other identity provider.

If JIT provisioning is disabled in LDAP, the LDAP synchronization, which runs at regular intervals, always overrides the SAML user account and prevents it from logging in.


There may at times be a user who has the same name in both LDAP and SAML and whom you want to be able to sign in using either protocol.

To allow overlapping user names:

  1. Define a custom SAML attribute with a name of dn and a value that is equivalent to the user account distinguished name (DN) with the LDAP provider. Refer to Define a custom SAML attribute in the Okta documentation for more information.

    Note

    MKE considers such users to be LDAP users. As such, should their LDAP DN change, the custom SAML attribute must be updated to match.

  2. Log in to the MKE web UI.

  3. From the left-side navigation panel, navigate to <user name> > Admin Settings > Authentication & Authorization and scroll down to the LDAP section.

  4. Under SAML integration, select Allow LDAP users to sign in using SAML.
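As an added audit helper for the two overlap scenarios above (not MKE code and not part of this documentation), the following Python script takes constructed LDAP and SAML user lists and reports, for each user name present in both, whether the custom SAML `dn` attribute is missing (the first-IdP-wins conflict) or no longer matches the current LDAP DN (the drift the Note warns about). The data layout and the rule that MKE needs an exact `dn` match are assumptions.

```python
"""Added audit helper (not MKE code): flag user names present in both LDAP and
SAML and check the custom SAML `dn` attribute against the current LDAP DN.
Assumption: MKE requires the `dn` value to match the LDAP DN exactly."""
from typing import Dict, Optional


def normalize_dn(dn: str) -> str:
    """Lowercase the DN and strip spaces around RDN separators. Simplified:
    most DN attributes match case-insensitively; escaped commas are ignored."""
    return ",".join(rdn.strip() for rdn in dn.lower().split(","))


def classify(ldap_dn: str, saml_dn: Optional[str]) -> str:
    """Status for one user name that exists on both sides."""
    if saml_dn is None:
        # No dn mapping: the IdP that logs in first wins, the other is blocked.
        return "conflict"
    if saml_dn == ldap_dn:
        return "ok"
    if normalize_dn(saml_dn) == normalize_dn(ldap_dn):
        return "case-mismatch"  # only case/whitespace differ; correct it to be safe
    return "stale"  # LDAP DN changed; the SAML attribute must be updated


def audit_overlaps(ldap: Dict[str, str], saml: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """ldap: username -> DN; saml: username (NameID) -> SAML attributes.
    Returns username -> status for names present in both directories."""
    return {name: classify(ldap[name], attrs.get("dn"))
            for name, attrs in saml.items() if name in ldap}


# Constructed sample data (not from any real directory).
LDAP_USERS = {
    "alice": "cn=alice,ou=people,dc=example,dc=com",
    "bob": "cn=bob,ou=people,dc=example,dc=com",  # entry moved out of ou=staff
    "carol": "cn=carol,ou=people,dc=example,dc=com",
    "erin": "cn=erin,ou=people,dc=example,dc=com",
}
SAML_USERS = {
    "alice": {"dn": "cn=alice,ou=people,dc=example,dc=com"},
    "bob": {"dn": "cn=bob,ou=staff,dc=example,dc=com"},
    "carol": {},  # same name on both sides, no dn mapping
    "dave": {"dn": "cn=dave,ou=people,dc=example,dc=com"},  # SAML-only, skipped
    "erin": {"dn": "CN=erin, OU=People,DC=example,DC=com"},
}

if __name__ == "__main__":
    for name, status in sorted(audit_overlaps(LDAP_USERS, SAML_USERS).items()):
        print(f"{name}: {status}")
```

Run it periodically against exports of both directories: any "stale" or "conflict" entry is a user whose login will start failing under the rules described above.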