Integrating your on-premises Active Directory (AD) with Tutoolio LMS is quick and straightforward. We use Keycloak on our side to manage identity federation securely and efficiently.
User → Tutoolio LMS (SP) → Keycloak (Broker) → Active Directory (LDAP IdP)
To get started, you can prepare the Active Directory settings following the steps below. The final setup within Keycloak is best completed together in a joint session.
Please note: Menu labels and terminology may vary slightly depending on your Windows Server version and whether you're using local Active Directory (on-prem) or Microsoft Entra Domain Services (cloud-based AD).
Active Directory Preparation – Step-by-Step
1. Create a Service Account (Bind User)
- Open the Active Directory Users and Computers console (dsa.msc).
- Create a new user account, e.g.:
  - Username: keycloak_bind
  - Set a strong, non-expiring password
- Ensure the following settings are applied:
  - ✅ Password never expires
  - ❌ User must change password at next login → disabled
This account will be used by Keycloak to perform read-only LDAP queries.
2. Organize Your Users
- Place all users who should be able to log in via SSO into a dedicated Organizational Unit (OU) or security group, e.g. SSO_Users.
- This enables us to scope LDAP queries and synchronization specifically to those users.
3. Identify LDAP Connection Details
Please make note of the following information:
- Base DN: e.g. DC=yourcompany,DC=com
- User DN: e.g. OU=SSO_Users,DC=yourcompany,DC=com
- Login Attribute: Typically sAMAccountName or userPrincipalName
Use tools like ldp.exe or ADSI Edit to verify paths and values.
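Steps 1 to 3 can also be carried out from PowerShell. The following script is an added example and is not part of Tutoolio's documentation; it assumes the ActiveDirectory module (RSAT) is installed, that you run it with rights to create users, OUs and groups, and it reuses the page's example names (keycloak_bind, SSO_Users, TutoolioSSO). Adjust them to your domain.

```powershell
# Added example (not Tutoolio's own code): PowerShell equivalent of steps 1-3.
# Assumes the ActiveDirectory module (RSAT) and sufficient rights in the domain.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$baseDn  = $domain.DistinguishedName     # e.g. DC=yourcompany,DC=com
$usersCn = $domain.UsersContainer        # e.g. CN=Users,DC=yourcompany,DC=com

# 1. Service account (bind user): strong password, never expires, no forced change at first logon.
#    The password is typed interactively so it never lands in a script or shell history.
$bindPassword = Read-Host -AsSecureString -Prompt 'Password for keycloak_bind'
New-ADUser -Name 'keycloak_bind' -SamAccountName 'keycloak_bind' `
    -UserPrincipalName "keycloak_bind@$($domain.DNSRoot)" `
    -Path $usersCn -AccountPassword $bindPassword `
    -PasswordNeverExpires $true -ChangePasswordAtLogon $false `
    -CannotChangePassword $true -Enabled $true `
    -Description 'Read-only LDAP bind account for Keycloak (Tutoolio SSO)'

# 2. A dedicated OU and a security group for the users who may log in via SSO.
New-ADOrganizationalUnit -Name 'SSO_Users' -Path $baseDn -ProtectedFromAccidentalDeletion $true
New-ADGroup -Name 'TutoolioSSO' -GroupScope Global -GroupCategory Security -Path $usersCn
# Hypothetical user names: move them into the OU and add them to the group.
# Get-ADUser alice | Move-ADObject -TargetPath "OU=SSO_Users,$baseDn"
# Add-ADGroupMember -Identity 'TutoolioSSO' -Members alice, bob

# 3. The connection details to hand over (the bind password is shared separately, out of band).
[pscustomobject]@{
    BaseDN           = $baseDn
    UsersDN          = "OU=SSO_Users,$baseDn"
    BindDN           = (Get-ADUser 'keycloak_bind').DistinguishedName
    LoginAttribute   = 'sAMAccountName'
    DomainController = (Get-ADDomainController).HostName
}
```

The bind account only needs the default read permissions of an authenticated domain user; do not add it to any privileged group. -CannotChangePassword is set so that the account's password can only be rotated deliberately by an administrator.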
Optional: LDAP User Filtering (OU and Group-Based)
To limit which users are visible to Keycloak, we recommend adding a filter to your LDAP configuration. This ensures that only users from a specific Organizational Unit (OU) or group are synced and allowed to authenticate.
🔹 1. OU-Based User Filtering
If you want to restrict Keycloak access to a specific OU (e.g. OU=SSO_Users,DC=yourcompany,DC=com), simply set that as the User DN (or "Users DN" in Keycloak) and use this basic filter:
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
This filter:
- Matches all objects of class user
- Excludes disabled accounts (userAccountControl:...:2)
🔹 2. Group-Based User Filtering (memberOf)
To restrict login to users who are members of a specific AD group (e.g. CN=TutoolioSSO,CN=Users,DC=yourcompany,DC=com), use a filter like:
(&(objectClass=user)(memberOf=CN=TutoolioSSO,CN=Users,DC=yourcompany,DC=com))
You can also combine this with the exclusion of disabled accounts:
(&(objectClass=user)
(memberOf=CN=TutoolioSSO,CN=Users,DC=yourcompany,DC=com)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
)
You can provide us with your desired group or OU, and we will configure the appropriate LDAP filter in Keycloak for you.
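Before sending a group or OU to Tutoolio, it is worth running the filters above against the live directory so that the set of accounts Keycloak will see is known in advance. The script below is an added example, not part of the page; it assumes the ActiveDirectory module and the page's example names, and it goes one step beyond the page by also testing a transitive (nested-group) variant that uses the LDAP_MATCHING_RULE_IN_CHAIN rule 1.2.840.113556.1.4.1941.

```powershell
# Added example (not Tutoolio's own code): evaluate each LDAP filter from this section with
# Get-ADUser -LDAPFilter and independently re-check the "disabled" bit on the results.
Import-Module ActiveDirectory

$baseDn  = (Get-ADDomain).DistinguishedName
$usersDn = "OU=SSO_Users,$baseDn"                          # page example; adjust as needed
$groupDn = (Get-ADGroup 'TutoolioSSO').DistinguishedName   # e.g. CN=TutoolioSSO,CN=Users,DC=...

# Same clause as in the filters above: bit 0x2 (ACCOUNTDISABLE) of userAccountControl must be clear.
$notDisabled = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

$filters = [ordered]@{
    'OU-based'       = "(&(objectClass=user)$notDisabled)"
    'Group-based'    = "(&(objectClass=user)(memberOf=$groupDn))"
    'Group, enabled' = "(&(objectClass=user)(memberOf=$groupDn)$notDisabled)"
    # Beyond the page: also match users who are members via nested groups (transitive memberOf).
    'Group, nested'  = "(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$groupDn)$notDisabled)"
}

foreach ($name in $filters.Keys) {
    # The OU-based filter relies on the search base for scoping; the group-based ones scope via memberOf.
    $searchBase = if ($name -eq 'OU-based') { $usersDn } else { $baseDn }
    $hits = @(Get-ADUser -LDAPFilter $filters[$name] -SearchBase $searchBase `
                -Properties userAccountControl)

    '{0,-15} {1,4} user(s) in scope under {2}' -f $name, $hits.Count, $searchBase

    # Cross-check: no result of an "enabled only" filter may carry the ACCOUNTDISABLE bit.
    if ($name -ne 'Group-based') {
        $disabled = $hits | Where-Object { ($_.userAccountControl -band 2) -ne 0 }
        if ($disabled) { Write-Warning "$name: $($disabled.Count) disabled account(s) slipped through" }
    }
}
```

Two things to keep in mind when reading the counts: a plain memberOf clause only matches direct members, which is why the nested variant is shown; and objectClass=user also matches computer objects (computer is a subclass of user in AD), so if the search base contains computers you may want to add (objectCategory=person) to the filter.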
4. Allow Network Access to the AD Server
Ensure that the Keycloak server can connect to your AD domain controller on the following ports:
- LDAP (non-secure): TCP 389
- LDAPS (secure, recommended): TCP 636
Ensure the AD server’s FQDN is DNS-resolvable from the Keycloak host.
5. Export the AD Server’s SSL Certificate (for LDAPS)
If you’re using LDAPS (recommended for secure communication):
- Export the domain controller's certificate via certlm.msc:
  - Navigate to Personal > Certificates
  - Export the certificate in .cer format
- Import the certificate into the Java truststore on the Keycloak server:
  keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts \
      -storepass changeit -alias adcert -file cert.cer
- Restart the Keycloak service to apply the changes.
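The certlm.msc export can also be scripted, which makes it easy to check that the certificate you hand over is actually the one the domain controller presents on TCP 636. The script below is an added example, not part of Tutoolio's documentation; it is meant to be run on the domain controller as an administrator, and the output path C:\Temp is an assumption.

```powershell
# Added example (not Tutoolio's own code): export the DC's LDAPS certificate from the
# LocalMachine\My store and sanity-check it before sending it to the Keycloak host.
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # e.g. dc01.yourcompany.com
$outFile = "C:\Temp\$fqdn.cer"                                          # assumed output path

# Select the certificate the DC will use for LDAPS: has a private key, carries the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1), names this FQDN and is not expired.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
        $_.DnsNameList.Unicode -contains $fqdn -and
        $_.NotAfter -gt (Get-Date)
    } | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No valid server-authentication certificate for $fqdn in LocalMachine\My" }

# -Type CERT writes a DER-encoded .cer containing the public certificate only;
# the private key never leaves the domain controller.
New-Item -ItemType Directory -Path (Split-Path $outFile) -Force | Out-Null
Export-Certificate -Cert $cert -FilePath $outFile -Type CERT | Out-Null

# Share the thumbprint out of band so the Keycloak side can verify what it imports.
[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    NotAfter   = $cert.NotAfter
    Thumbprint = $cert.Thumbprint
    File       = $outFile
}
```

The FQDN check matters because Java validates the hostname against the certificate when Keycloak connects over LDAPS, so the name you enter in Keycloak must appear in the certificate. Note also that the exported file is the DC's own leaf certificate, as the page describes; it will have to be re-imported into the truststore when that certificate is renewed, so record its NotAfter date.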
Summary
Once the steps are completed, you’ll have:
- ✅ The Bind DN (e.g. CN=keycloak_bind,CN=Users,DC=yourcompany,DC=com)
- ✅ The Bind user's password (securely shared)
- ✅ The Base DN or OU that contains your SSO-enabled users
- ✅ Whether we should use LDAP or LDAPS
- ✅ The AD server’s hostname or IP address
Remaining configuration within Keycloak will be managed by Tutoolio. To ensure a smooth integration, we recommend completing the final setup together in a short remote session.