In this article, you will learn:

  • How Tulip can connect to your Active Directory instance
  • Different ways to configure the Active Directory integration
  • Technical requirements for an Active Directory integration

Tulip currently integrates with LDAP via Microsoft’s Active Directory product. If your organization uses Active Directory, then you can set up your Tulip instance based on rules from Active Directory.

Note: This feature is only available on Enterprise Plans.

Tulip User Overview

Tulip has two different user interfaces:

  1. Tulip, where apps are built and edited, and which can be connected to external databases
  2. The Tulip Player, where users and operators run the apps that were built in Tulip

A User's permission level is defined by a User's Role.

Tulip has multiple levels of user privileges. For information on these roles please see: Managing User Roles in Tulip

  1. Account Owners & various other listed roles have the ability to edit apps in Tulip
  2. Operators only have access to run apps via the Tulip Player. They cannot edit apps or access the Tulip interface.

Setup Options

To integrate LDAP with Tulip, you can manage your users' roles either from Active Directory groups or from within Tulip:

  • Managing User Roles from Active Directory groups: You'll need to appropriately group your users based on their desired permission level on your Active Directory Server, and provide your Tulip System Administrator with the appropriate mapping (Ex: Group A = Account Owners)
  • Managing User Roles from within Tulip: You'll need to manually add each user from within Tulip, with their specified User Role, and have them create their account with the exact username that's in your Active Directory

There are four separate ways that you can configure your integration:

  1. Require all Tulip users to log into Tulip or Tulip Player using their Active Directory username and password. Roles within Tulip are specified based on Active Directory groups.
  2. Require all Tulip users to log into Tulip or Tulip Player using their Active Directory username and password. Roles are maintained within Tulip.
  3. Allow Tulip Operators to log into Tulip Player using only their badge ID, but require Tulip Account Owners & other roles to log into Tulip using their Active Directory username and password. Roles within Tulip are specified based on an Active Directory group.
  4. Allow Tulip Operators to log into Tulip Player using only their badge ID, but require Tulip Account Owners & other roles to log into Tulip using their Active Directory username and password. Roles are maintained within Tulip.

You can choose the configuration option based on your organization’s security protocols. Please note that enforcing the use of Active Directory username and password for all Tulip users is the most secure option.

Coordinating Tulip Users With LDAP Users

Managing User Roles from within Tulip

If your organization chooses to manage User Roles from within Tulip, a Tulip Account Owner will first need to create a new user. Then, they must give that user a Tulip username that matches the user's LDAP username. Any email is acceptable.

When this Tulip user attempts to log in, they will need to add their LDAP username in the “Username” field, and their password in the “Password” field. Tulip will then authenticate them in your Active Directory instance. The login screen will look like the following:

In this case, a Tulip System Administrator will add your first Tulip user with the information that you provide.

Managing User Roles from Active Directory groups

If your organization chooses to define Tulip roles based on Active Directory groups, then there is no need to create individual users within Tulip. Instead, you can provide the names of your user groups and their mapped Tulip User Roles.

When the user logs into Tulip with their Active Directory credentials for the first time, Tulip will authenticate them with your Active Directory instance and then automatically create an account within Tulip. As mentioned previously, their capabilities will be dependent on their Active Directory group and what you've defined the group's mapped role to be.
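The following is an added example (not Tulip's code) of a check you can run on your side before sending the group-to-role mapping: it flags users who would match no mapped group, users who would match more than one role, and mapped groups that nobody belongs to. The group names, users and export format are constructed for illustration; how Tulip itself resolves a user who belongs to several mapped groups is not stated in this article.

```python
import re

# First RDN of a group DN, allowing backslash-escaped characters such as "\,".
_CN = re.compile(r"^\s*cn=((?:\\.|[^,\\])+)", re.IGNORECASE)

def group_cn(dn):
    """Return the lower-cased CN of a group DN, or None if it has no leading CN."""
    m = _CN.match(dn)
    if not m:
        return None
    return re.sub(r"\\(.)", r"\1", m.group(1)).strip().lower()

def audit_mapping(mapping, directory):
    """mapping: {group CN: Tulip role}; directory: {username: [memberOf DNs]}.
    Returns (assigned, unmapped, conflicts, unused_groups)."""
    wanted = {cn.lower(): role for cn, role in mapping.items()}
    assigned, unmapped, conflicts, seen = {}, [], {}, set()
    for user, member_of in sorted(directory.items()):
        hits = {cn for cn in map(group_cn, member_of) if cn in wanted}
        seen |= hits
        roles = sorted({wanted[cn] for cn in hits})
        if not roles:
            unmapped.append(user)        # would get no Tulip role at all
        elif len(roles) == 1:
            assigned[user] = roles[0]
        else:
            conflicts[user] = roles      # ambiguous: fix group membership first
    return assigned, unmapped, conflicts, sorted(set(wanted) - seen)

# Constructed mapping (hypothetical group names) and directory export.
MAPPING = {
    "Tulip-Account-Owners": "Account Owner",
    "Tulip-Operators": "Operator",
    "Tulip-Line2-Operators": "Operator",   # no members below: likely a typo or stale group
}
BASE = "DC=tulip,DC=co"
DIRECTORY = {
    "asmith": [f"CN=Tulip-Account-Owners,OU=Groups,{BASE}", f"CN=Domain Users,CN=Users,{BASE}"],
    "bjones": ["cn=tulip-operators,ou=Groups,dc=tulip,dc=co"],   # AD names compare case-insensitively
    "clee":   [f"CN=Tulip-Operators,OU=Groups,{BASE}", f"CN=Tulip-Account-Owners,OU=Groups,{BASE}"],
    "dkim":   [f"CN=Domain Users,CN=Users,{BASE}"],
}

if __name__ == "__main__":
    for label, result in zip(("assigned", "unmapped", "conflicts", "unused groups"),
                             audit_mapping(MAPPING, DIRECTORY)):
        print(f"{label}: {result}")
```
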

If you choose a configuration option where Tulip Operators are allowed to log in using their badge ID, the Operator login screen in the Tulip Player will look like the following:

Technical Requirements

To configure an LDAP connection, you will need to provide your own LDAP server that is accessible by Tulip's Server and provide the following information:

  • The server address (e.g. ldaps://xxx.xxx.xxx:636)
  • A "Distinguished Name" to search (e.g. dc=tulip,dc=co )
  • The Certificate Authority used to sign the certificates of the LDAP server

Your IT System Administrator should easily be able to provide this information.

Summary

To configure the LDAP integration for your Tulip Account, please start by reaching out to your customer account representative with the following information:

  1. Which of the 4 previously mentioned authentication methods you would like to use.
  2. If applicable: A list mapping your Active Directory groups and their desired Tulip User Roles
  3. The technical requirements in the previous section.
  4. A window of time in which you'd like to make the change. Note that all clients will be logged out when the change is made and that everyone will need to re-authenticate to your Tulip site.

You can use the LDAP integration on both cloud and on-premises versions of Tulip.
