Federating with Active Directory through the AD/LDAP Connector
The AD/LDAP connector makes it easy for your users to authenticate when they are on a domain-joined machine within the corporate network.
To activate this feature for Active Directory/LDAP, simply enable the option in the Dashboard.
Go to Connections > Enterprise > Active Directory / LDAP, select the connection you want to configure, and click the Settings icon.
After enabling it, you'll also be able to configure the IP Ranges. When users originate from these IP address ranges, Auth0 will redirect to the AD/LDAP identity provider and leverage its native authentication mechanisms.
The IP addresses are configured using CIDR notation. Note that these should be ranges that are visible to Auth0. If Auth0 is deployed on-premises, you'll typically enter the internal IP address ranges of your users.
When Auth0 is running in the cloud, it won't be able to see your users' internal IP addresses. In that case, configure the public-facing/WAN IP address(es) of your company.
Auto-detected range for Kerberos
When Kerberos authentication is enabled, the visible IP address of the server where the AD Connector is running is implicitly added to the network IP range.
This means that if a user's requests originate from the same visible IP address as that of the AD Connector, then Kerberos authentication will be attempted.
Depending on the location of the user, the authentication flow will differ when IP ranges are set. Let's take Fabrikam as an example. Since Fabrikam uses the SaaS version of Auth0, they configured their public IP address (18.104.22.168/32) in the connection.
Users connecting from within the building will all originate from 22.214.171.124 (as configured on the connection). When they authenticate, these users can follow the AD/LDAP native flow and have a seamless Single Sign-on (SSO) experience.
On the other hand, when users are not in the corporate network (for example, at a customer site or working from home without VPN), they won't be able to reach the AD/LDAP Connector directly. The users will need to enter their username/password, and Auth0 will validate these credentials with the AD/LDAP Connector (which will in turn use Active Directory to validate those credentials).
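As an added illustration (not part of the Auth0 documentation), the following Python models the routing decision described above: the configured CIDR ranges, the connector host's own visible address when Kerberos is enabled, and a runtime opt-out are combined to decide whether Kerberos is attempted or the user falls back to username/password. The sample addresses are the page's Fabrikam values plus constructed documentation-range addresses; the function names are assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample: the range Fabrikam configured on its connection (from the page).
FABRIKAM_RANGES = ["18.104.22.168/32"]


def kerberos_candidate_ranges(configured_cidrs: Iterable[str],
                              kerberos_enabled: bool,
                              connector_visible_ip: Optional[str] = None) -> List[Network]:
    """Networks for which Auth0 will attempt the native AD/LDAP (Kerberos) flow.

    The CIDR ranges configured on the connection always count. When Kerberos is
    enabled, the visible IP address of the host running the AD Connector is
    implicitly added as a single-host network (/32 or /128).
    """
    nets = [ipaddress.ip_network(cidr, strict=False) for cidr in configured_cidrs]
    if kerberos_enabled and connector_visible_ip:
        nets.append(ipaddress.ip_network(connector_visible_ip))
    return nets


def select_flow(client_ip: str,
                configured_cidrs: Iterable[str],
                kerberos_enabled: bool = True,
                connector_visible_ip: Optional[str] = None,
                skip_kerberos: bool = False) -> str:
    """Return "kerberos" or "credentials" for a login request.

    client_ip is the address *as seen by Auth0*: for a cloud tenant that is the
    corporate WAN address, not the workstation's internal address. skip_kerberos
    models the runtime opt-out the page describes, which wins even inside range.
    """
    if skip_kerberos:
        return "credentials"
    addr = ipaddress.ip_address(client_ip)
    for net in kerberos_candidate_ranges(configured_cidrs, kerberos_enabled,
                                         connector_visible_ip):
        # IPv4 addresses never match IPv6 networks and vice versa.
        if addr.version == net.version and addr in net:
            return "kerberos"
    # Outside every range: user types credentials, Auth0 validates via the connector.
    return "credentials"
```
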
Auto-login with Lock
When an application is using Lock 10 or 11 within the Login Page hosted by Auth0 (typically used for SAML/WS-Federation protocols and Single Sign-on (SSO) Integrations), there will be a button which allows users to authenticate using "Windows Authentication".
In some cases the requirement could be to automatically sign in the user if Kerberos is possible (based on the end user's IP address). The following changes can be added to the Auth0 Login Page to automatically sign in the user if Kerberos is possible:
Skipping Kerberos at runtime
You can prevent Kerberos from being used, even if the user is logging in from an IP address within the range configured in the connection's settings, by passing rememberLastLogin: false to
To enable verbose logging of Kerberos requests, add a system-level environment variable DEBUG=kerberos-server, then restart the Connector. Try logging in again and check the logs for more information.
Firefox support for Kerberos
By default, Firefox rejects all "negotiate" requests required to authenticate users with Kerberos. If you wish to use Firefox with Kerberos, you need to whitelist the server where the connector is installed. To do that:
- Open a Firefox tab and type about:config in the address bar.
- Dismiss any warning message, and in the search box type
- Locate the network.negotiate-auth.trusted-uris item and double-click to change its value.
- Type the domain name of the server where the connector is installed. If you have multiple instances of the connector behind a load balancer, add the DNS name of the balancer.
The value accepts a comma-separated list of URL prefixes or domains in the form of
- Click OK. You don't need to restart the server for the changes to take effect.