Authenticate users using Active Directory or OpenLDAP - Enable users to authenticate to Cortex XSOAR using their existing Active Directory or OpenLDAP credentials and manage their permissions based on directory group mapping - Administrator Guide - 8.13 - Cortex XSOAR - Cortex

Authenticate users using Active Directory or OpenLDAP - Enable users to authenticate to Cortex XSOAR using their existing Active Directory or OpenLDAP credentials and manage their permissions based on directory group mapping - Administrator Guide - 8.13 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product

Cortex XSOAR

Version

8.13

Creation date

2026-02-12

Last date published

2026-05-27

Note

For Active Directory deployments, only plain Active Directory is currently supported. Kerberos and NTLM binding are not supported.

Before you begin

Ensure you have your server IP or host name, port, user DN, and base DN.
Verify your directory uses the supported group types: posixGroup and groupOfUniqueNames.
Custom LDAP group objects and configurations must be managed by your organization's IT department.

In Cortex XSOAR, navigate to Settings & Info → Settings → Authentication Settings and select the LDAP Options tab.
Click Add Connection and choose Active Directory or OpenLDAP.
Enter General parameters.
- Server IP or Host Name: Default is 10.10.10.10
- Port: Default is 389 for LDAP.
- User DN: A credential to log in to the LDAP server. Default is cn=John Smith,ou=users,dc=example,dc=com
- Base DN: The top of the directory tree that is searched. All items below the top of the directory tree are searched. Default is dc=example,dc=com
- Password: Your LDAP server login password.
(Optional) Configure Advanced settings.
Enter the names as they appear in your LDAP settings. The commonly used names are provided as defaults but can be edited
1. Groups Object Class: The name used for groups in your LDAP. Default is possixGroup.
2. User Object Class: The name used for users in your LDAP. Default is possixAccount.
3. Group Membership Identifier Attribute: The attribute of a group membership that is the unique identifier. Default is memberUid.
4. User Unique Identifier Attribute: The attribute of a user that is the unique identifier. Default is uid.
5. Trust any certificate: Disable this to support connections using self-signed certificates. Default is unselected.
6. Connection Type: Possible values are Start TLS, LDAPS, and None (default - plain text communication).
7. (For SSL only) SSL Version: Default is TLS v1.2.
Click Test Connection to validate your settings.
Click Save.
You can add multiple AD or OpenLDAP configurations. You can also disable or delete a connection.

For authenticated users to have roles assigned, their directory group must be mapped to a Cortex XSOAR User Group.

In Cortex XSOAR, navigate to Settings & Info → Settings → Access Management → User Groups.
Create or edit a user group.
Map the user group to a role.
1. Select a role, for example Instance Administrator.
2. Select users.
3. Set the AD Group Mapping or OpenLDAP Group Mapping to the full static group DN, exactly as it appears in your directory.
  You can map both AD and OpenLDAP groups within the same user group if needed.
4. Click Save.

Users will automatically appear in the Users table with the type LDAP after their first successful login.

Troubleshooting

Login errors

If a user logs in and their password does not match, they will see a password mismatch error. However, if the failure is due to a mapping error, a DN error, or a binding error, they will receive a generic contact administrator message.

Missing permissions

If a user authenticates successfully but does not exist in any of the AD/LDAP groups that were mapped to a role, they will receive an access denied message and will be blocked from logging in.