To authorize user access to applications in Enterprise Application Access (EAA), you add directories to EAA and associate them with connectors. Then you add groups with permissions and specify user membership. For new accounts, Enterprise Application Access (EAA) creates a default Cloud Directory that you can use to add users and groups. You should also assign directories to identity providers (IdP), to provide identity as a service.

EAA supports these directory services:

EAA Cloud Directory. Every tenant is provisioned with an EAA Cloud Directory to provide quick access to applications without Active Directory (AD) integration or to extend third party or contractor access to applications without VPN. By default all users are part of the main Users group. EAA doesn’t store or cache passwords for users.

AD. Active Directory is a directory service that automates domain network management. In order to integrate an AD to Enterprise Application Access (EAA), the AD must be able to communicate with Connectors and associate with an identity provider (IdP). The connector must be ready and reachable, and in the same private network as your AD. You also need to have a functional Active Directory setup with admin privileges. In AD integration, the connector works as an LDAP client and synchronizes the user database and other attributes, such as group, in the EAA management edge for authentication. The AD authenticates with the connector through host information such as an IP address or URL for the directory, and the internal port number. EAA supports multi-Active Directory or multi-AD configuration to authenticate end users against multiple, on-premise AD forests to provide access to enterprise applications.

LDAP. Lightweight Directory Access Protocol is a platform-independent software protocol that enables location of organizations, individuals, and other resources such as files and devices in a network, on the public Internet or internal intranet. Select this directory type if you are using an LDAP or OpenLDAP directory.

AD LDS. Active Directory Lightweight Directory Access Protocol is a directory service designed for use with directory-enabled applications. It operates independently of the AD and AD domains or forests, yet provides dedicated directory services for applications.

Note: To use AD LDS with EAA, you must configure an application partition in the AD LDS to hold application data such as users and groups.

You can have the account administrator configure a user as a directory administrator to perform directory configurations or have a custom administrator to manage the administration tasks for multiple resources using role-based access control in the Control Center.

If you have more than twenty directories configured, you will only see the first twenty directories listed, when you want to assign a directory to the identity provider.