AD Gateway Stack Parameters

This page documents the meaning and use of each parameter to the CLICK AD Gateway CloudFormation template.

AdExtraAttributes

By default, the CLICK AD Gateway captures a minimal set of attributes from the User, Group, and OU objects it observes. If you want additional attributes sent to CLICK, enter them here as a comma-separated list of LDAP attribute names. Every attribute listed here is exported to CLICK on every run, so add only the attributes CLICK actually needs.

AdGroupsOUs

The CLICK AD Gateway does not capture your entire AD forest structure. Specify here the OU(s) the CLICK AD Gateway should query for Group information, as one or more pipe-delimited Distinguished Names (e.g. ou=OuName,DC=DomainName,DC=com). The pipe is the delimiter because Distinguished Names themselves contain commas.

AdGroupsQuery

An optional LDAP filter string to limit or modify the query the CLICK AD Gateway performs to retrieve Group information.

AdHost

The fully qualified domain name of one or more Domain Controllers that the CLICK AD Gateway should contact when performing its queries. Separate multiple entries with a comma.

AdPeopleOUs

Specify the OU(s) the CLICK AD Gateway should query for User information, as one or more pipe-delimited Distinguished Names (e.g. ou=OuName,DC=DomainName,DC=com), in the same form as AdGroupsOUs.

AdPeopleQuery

An optional LDAP filter string to limit or modify the query the CLICK AD Gateway performs to retrieve User information.
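
The following is an added example, not code from the CLICK AD Gateway, showing how the five query parameters above (AdGroupsOUs, AdPeopleOUs, AdGroupsQuery, AdPeopleQuery and AdExtraAttributes) fit together: pipe-delimited DNs, comma-separated attributes, and an optional filter combined with a base object-class filter. The default attribute sets and the AND-combination of the optional filter are assumptions made for this example; the page does not state the gateway's real defaults.

```python
import re

# Assumed minimal attribute sets for this example; the gateway's real defaults
# are not listed on this page.
DEFAULT_ATTRIBUTES = {
    "user": ["sAMAccountName", "userPrincipalName", "displayName", "memberOf"],
    "group": ["sAMAccountName", "cn", "member"],
}
BASE_FILTERS = {"user": "(objectClass=user)", "group": "(objectClass=group)"}

_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")
_ATTR = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def parse_ous(value):
    """Split a pipe-delimited AdPeopleOUs/AdGroupsOUs value into DNs.

    DNs contain commas, so '|' is the delimiter. Each DN must start with an
    OU component and end in DC components; an OU appearing after a DC means
    two DNs were joined with a comma by mistake. (Escaped commas such as
    'ou=a\\,b' are not handled by this simple splitter.)
    """
    ous = []
    for dn in (part.strip() for part in value.split("|")):
        if not dn:
            continue
        rdns = [r.strip() for r in dn.split(",")]
        if not all(_RDN.match(r) for r in rdns):
            raise ValueError(f"malformed DN: {dn!r}")
        types = [r.split("=", 1)[0].upper() for r in rdns]
        if types[0] != "OU" or "DC" not in types:
            raise ValueError(f"expected ou=...,dc=... but got {dn!r}")
        seen_dc = False
        for t in types:
            seen_dc = seen_dc or t == "DC"
            if seen_dc and t != "DC":
                raise ValueError(
                    f"{dn!r} looks like several DNs joined by commas; separate OUs with '|'")
        ous.append(dn)
    if not ous:
        raise ValueError("at least one OU is required")
    return ous


def lint_ous(value):
    """Return '' when the value parses, otherwise the error message."""
    try:
        parse_ous(value)
        return ""
    except ValueError as exc:
        return str(exc)


def parse_extra_attributes(value):
    """Comma-separated AdExtraAttributes; blanks and duplicates are dropped."""
    seen = []
    for attr in (a.strip() for a in (value or "").split(",")):
        if attr and attr not in seen:
            if not _ATTR.match(attr):
                raise ValueError(f"invalid attribute name: {attr!r}")
            seen.append(attr)
    return seen


def check_filter(ldap_filter):
    """Reject filters that are not parenthesised and balanced (RFC 4515 shape)."""
    f = ldap_filter.strip()
    if not (f.startswith("(") and f.endswith(")")):
        raise ValueError("LDAP filter must be enclosed in parentheses")
    depth = 0
    for ch in f:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            raise ValueError("unbalanced parentheses in LDAP filter")
    if depth != 0:
        raise ValueError("unbalanced parentheses in LDAP filter")
    return f


def build_searches(kind, ous, extra_attributes="", optional_filter=""):
    """One search spec (base DN, filter, attributes) per configured OU.

    Assumption for this example: the optional AdPeopleQuery/AdGroupsQuery
    filter is AND-ed with the base objectClass filter, not substituted for it.
    """
    ldap_filter = BASE_FILTERS[kind]
    if optional_filter.strip():
        ldap_filter = f"(&{ldap_filter}{check_filter(optional_filter)})"
    attrs = list(DEFAULT_ATTRIBUTES[kind])
    for a in parse_extra_attributes(extra_attributes):
        if a not in attrs:
            attrs.append(a)
    return [{"base": dn, "filter": ldap_filter, "attributes": attrs}
            for dn in parse_ous(ous)]
```

A useful AdPeopleQuery value is the standard "not disabled" test, (!(userAccountControl:1.2.840.113556.1.4.803:=2)), which keeps disabled accounts out of the export; the filter check above only verifies shape, not that the attribute names in it exist.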

AdPort

The port on which the CLICK AD Gateway should open a connection to the Domain Controller. The default port for LDAP is 389, and the default port for Secure LDAP (LDAPS) is 636. Over plain LDAP on 389 a simple bind sends the AdUser password to the Domain Controller in cleartext, so 636 together with UseSecureLdap set to true is the recommended combination.

AdUser

The UPN of the Active Directory user the CLICK AD Gateway should use to authenticate with the Domain Controller. We recommend a dedicated service account with read-only access to the directory and no other privileges. The password is not entered here; it is configured separately as an encrypted (SecureString) AWS Systems Manager (SSM) Parameter.

ClickKMSKeyAdminArn

The ARN of the IAM Role or IAM User that will create the SSM Parameters read by the CLICK AD Gateway. This ARN will be the only principal granted the ability to administer the KMS Key, so make sure that principal is itself well protected.

ClickKMSKeyEncrypterArn

The ARN of the IAM Role or IAM User that will deploy the CloudFormation stack. This principal is granted permission to use the KMS Key, so that the SSM Parameters encrypted with that key can be read by the CLICK AD Gateway.
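
As an added example (not the stack's actual key policy, which this page does not reproduce), here is the shape of a KMS key policy that gives ClickKMSKeyAdminArn sole administrative control and ClickKMSKeyEncrypterArn only the ability to encrypt, together with a checker you can run against a policy you have exported with aws kms get-key-policy. The action sets, the gateway Lambda role ARN and the absence of an account-root statement are assumptions made here.

```python
import fnmatch

# Assumed action sets for this example; the stack's real statements are not on this page.
# The admin also creates the SecureString parameters, so it needs Encrypt as well.
ADMIN_ACTIONS = ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:List*", "kms:Put*",
                 "kms:Update*", "kms:Revoke*", "kms:Disable*", "kms:Get*", "kms:Delete*",
                 "kms:TagResource", "kms:UntagResource", "kms:ScheduleKeyDeletion",
                 "kms:CancelKeyDeletion", "kms:Encrypt", "kms:GenerateDataKey*"]
ENCRYPT_ACTIONS = ["kms:Encrypt", "kms:GenerateDataKey*", "kms:DescribeKey"]
DECRYPT_ACTIONS = ["kms:Decrypt", "kms:DescribeKey"]
# Actions that let a principal change who can use the key or make it unusable.
SENSITIVE = ["kms:PutKeyPolicy", "kms:ScheduleKeyDeletion", "kms:DisableKey", "kms:CreateGrant"]


def key_policy(admin_arn, encrypter_arn, gateway_role_arn):
    """One Allow statement per role from the parameter list.

    gateway_role_arn is a placeholder for the Lambda execution role the stack
    creates; it only needs Decrypt to read the parameters. No account-root
    statement is included, so IAM policies elsewhere in the account cannot
    widen access to this key.
    """
    def allow(sid, principal, actions):
        return {"Sid": sid, "Effect": "Allow", "Principal": {"AWS": principal},
                "Action": actions, "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [
        allow("KeyAdministration", admin_arn, ADMIN_ACTIONS),
        allow("ParameterEncryption", encrypter_arn, ENCRYPT_ACTIONS),
        allow("ParameterDecryption", gateway_role_arn, DECRYPT_ACTIONS),
    ]}


def allowed_actions(policy, principal_arn, candidates):
    """Subset of candidates that principal_arn may perform under the key policy.

    Simplified IAM evaluation: Allow statements only, case-sensitive wildcard
    matching on action names, no Condition blocks and no Deny handling.
    """
    allowed = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        principals = st["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if principal_arn not in principals and "*" not in principals:
            continue
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        allowed.update(a for a in candidates
                       if any(fnmatch.fnmatchcase(a, p) for p in patterns))
    return allowed


def administrators(policy):
    """Every principal that can change the policy, disable or delete the key, or grant access."""
    principals = set()
    for st in policy["Statement"]:
        p = st["Principal"].get("AWS", [])
        principals.update([p] if isinstance(p, str) else p)
    return {p for p in principals if allowed_actions(policy, p, SENSITIVE)}
```

Running administrators() over the deployed key's policy should return exactly the ClickKMSKeyAdminArn value; any extra entry (an account root, a wildcard principal, or the deployer role) means a second party can re-open the key policy and with it the AdUser password.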

CodeDeployBucket

If you are performing a custom deployment of the CLICK AD Gateway, you may need to modify this parameter. However, in most cases, the default value of click-ad-gateway should not be changed.

Endpoint

This URL is automatically populated when deploying the stack from within the SynchroNet Customer Portal. It will contain a unique, automatically-generated URL that the CLICK AD Gateway will use to deliver data to CLICK.

KMSPolicySubscriptionEmail

The e-mail address to notify whenever the Policy on the KMS Key created by the stack is modified. Use it to alert a system administrator when someone attempts to tamper with the KMS Key: a policy change can either expose the encrypted SSM Parameters (including the AdUser password) to a new principal or make them unreadable to the gateway.
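
The stack's own notification wiring is not shown on this page; the following added example shows the detection logic such a notification rests on, as an EventBridge-style pattern over CloudTrail events plus a small matcher so it can be run offline. The pattern goes beyond the page by also flagging ScheduleKeyDeletion and DisableKey, since either one makes the encrypted parameters unreadable. The key ARN, identities and events below are constructed placeholders, and the matcher implements only a subset of EventBridge's semantics (exact values, lists as OR, arrays of objects as "any element").

```python
# Placeholder key ARN; all events below are constructed for this example.
KEY_ARN = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"


def key_tamper_pattern(key_arn):
    """EventBridge pattern: sibling keys are AND-ed, each list of values is OR-ed.

    PutKeyPolicy is the event KMSPolicySubscriptionEmail is about; the other two
    are added because they also take the encrypted SSM Parameters out of service.
    """
    return {
        "source": ["aws.kms"],
        "detail-type": ["AWS API Call via CloudTrail"],
        "detail": {
            "eventSource": ["kms.amazonaws.com"],
            "eventName": ["PutKeyPolicy", "ScheduleKeyDeletion", "DisableKey"],
            "resources": {"ARN": [key_arn]},
        },
    }


def matches(pattern, event):
    """Subset of EventBridge matching (see lead-in); returns True when the event fits."""
    if isinstance(pattern, dict):
        if isinstance(event, list):                     # array of objects: any element may match
            return any(matches(pattern, item) for item in event)
        return isinstance(event, dict) and all(
            key in event and matches(sub, event[key]) for key, sub in pattern.items())
    values = event if isinstance(event, list) else [event]   # leaf: list of accepted values
    return any(v in pattern for v in values)


def cloudtrail_event(event_name, key_arn, actor_arn):
    """Constructed CloudTrail-via-EventBridge event, reduced to the fields the pattern needs."""
    return {
        "source": "aws.kms",
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventSource": "kms.amazonaws.com",
            "eventName": event_name,
            "userIdentity": {"arn": actor_arn},
            "resources": [{"type": "AWS::KMS::Key", "ARN": key_arn}],
        },
    }


SAMPLE_EVENTS = [  # constructed sample log: one benign read, two tampering attempts, one other key
    cloudtrail_event("DescribeKey", KEY_ARN, "arn:aws:iam::123456789012:role/Deployer"),
    cloudtrail_event("PutKeyPolicy", KEY_ARN, "arn:aws:iam::123456789012:user/alice"),
    cloudtrail_event("PutKeyPolicy", KEY_ARN.replace("1111", "9999"),
                     "arn:aws:iam::123456789012:user/bob"),
    cloudtrail_event("ScheduleKeyDeletion", KEY_ARN, "arn:aws:iam::123456789012:user/alice"),
]


def alerts(events, key_arn):
    """(eventName, actor ARN) for every event that should trigger the e-mail notification."""
    pattern = key_tamper_pattern(key_arn)
    return [(e["detail"]["eventName"], e["detail"]["userIdentity"]["arn"])
            for e in events if matches(pattern, e)]
```

Whatever delivers the e-mail, the value of the alert is the actor ARN: the only principal that should ever appear there is ClickKMSKeyAdminArn.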

SSMPrefix

Specify the prefix to be expected for all SSM Parameters. The default is /click/, but any valid value is acceptable here (though we do recommend the prefix begin and end with a forward slash for readability). The most important thing is to ensure consistency between the value you specify here and the way you name your SSM Parameters as you create them.

ScheduleRate

Specifies the interval at which the CLICK AD Gateway performs its LDAP queries and delivers data to CLICK. The default expression is rate(1 hour). Any valid rate expression is acceptable here, of the form rate(value unit) where the unit is minute(s), hour(s) or day(s) and is singular when the value is 1 and plural otherwise (e.g. rate(30 minutes), rate(1 day)).

SecurityGroupIds

Select one or more security groups to apply to the CLICK AD Gateway Lambda function. The Lambda must be able to reach the Domain Controllers you have specified in the AdHost parameter on the port given in AdPort, so pick Security Group(s) whose outbound rules allow that connectivity, and make sure the Domain Controllers' own firewalls or security groups accept traffic from them.

SubnetIds

Select one or more subnets in which the CLICK AD Gateway Lambda function should run. The Lambda must be able to reach the Domain Controllers you have specified in the AdHost parameter, so be sure to select subnets that have the appropriate routes configured.

TrustExternalId

This value is automatically populated when deploying the stack from within the SynchroNet Customer Portal. It will contain a unique, automatically-generated value that is used to authenticate incoming sts:AssumeRole requests from CLICK. It will be specified as the External ID in the trust policy of the IAM Role the CloudFormation stack creates, so that CLICK can assume the role only when acting on behalf of your deployment and not for another party that merely knows the role ARN (the confused deputy problem).

TrustRoleArn

This value is automatically populated when deploying the stack from within the SynchroNet Customer Portal. It will contain an ARN for an IAM Role created in the CLICK SaaS account specifically for connecting to this CLICK AD Gateway deployment. It will be specified in the trust policy of the IAM Role the CloudFormation stack creates.
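
As an added example (not the template's own trust policy, which this page does not reproduce), the trust policy that TrustRoleArn and TrustExternalId produce, with a simplified sts:AssumeRole evaluation showing which requests it admits. The role ARN and external ID values are placeholders standing in for what the Customer Portal fills in.

```python
# Placeholder values standing in for what the Customer Portal fills in.
TRUST_ROLE_ARN = "arn:aws:iam::111122223333:role/click-saas-connector"
TRUST_EXTERNAL_ID = "c0ffee-example-external-id"


def gateway_trust_policy(trust_role_arn, external_id):
    """Trust policy of the role the stack creates: only trust_role_arn may
    assume it, and only when the request carries external_id."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowClickWithExternalId",
            "Effect": "Allow",
            "Principal": {"AWS": trust_role_arn},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def assume_role_allowed(policy, caller_arn, external_id=None):
    """Simplified evaluation of one sts:AssumeRole request against the trust policy:
    the caller must be a listed principal and every StringEquals condition must hold.
    A request that omits the external ID has no sts:ExternalId key and so fails."""
    request_context = {}
    if external_id is not None:
        request_context["sts:ExternalId"] = external_id
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "sts:AssumeRole":
            continue
        principals = st["Principal"].get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if caller_arn not in principals:
            continue
        conditions = st.get("Condition", {}).get("StringEquals", {})
        if all(request_context.get(k) == v for k, v in conditions.items()):
            return True
    return False


def confused_deputy_demo():
    """The scenario the External ID prevents: another CLICK tenant learns this
    role's ARN and asks CLICK to connect to it; CLICK would then present that
    tenant's external ID, which this role's trust policy rejects."""
    policy = gateway_trust_policy(TRUST_ROLE_ARN, TRUST_EXTERNAL_ID)
    return {
        "click_with_our_id": assume_role_allowed(policy, TRUST_ROLE_ARN, TRUST_EXTERNAL_ID),
        "click_with_other_tenant_id": assume_role_allowed(policy, TRUST_ROLE_ARN, "someone-elses-id"),
        "click_without_id": assume_role_allowed(policy, TRUST_ROLE_ARN),
        "other_account_with_our_id": assume_role_allowed(
            policy, "arn:aws:iam::999999999999:role/attacker", TRUST_EXTERNAL_ID),
    }
```

The external ID is not a secret in the cryptographic sense (it travels in the AssumeRole call), but it must be unique per customer and never reused across deployments, which is why the portal generates it rather than letting you choose it.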

UseSecureLdap

Set this value to true if you will be using Secure LDAP (LDAPS) to communicate with the Domain Controller; set AdPort to 636 to match. Note that this requires the creation of an additional SSM Parameter to store the certificate public key. Additional information can be found in the full CLICK Deployment guide.
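
The following added example (not the gateway's code) shows why AdPort and UseSecureLdap go together: it encodes an LDAPv3 BindRequest with simple authentication (RFC 4511, BER) and checks that the password appears verbatim in the frame, which is exactly what a bind on port 389 puts on the network when TLS is not in use, then builds the TLS settings a client should use for port 636, using the Python standard library only. The bind DN and password are constructed sample values, and loading the certificate from the SSM parameter is represented by an optional PEM argument.

```python
import ssl


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(v):
    """Non-negative INTEGER with a leading zero byte when the top bit is set."""
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def simple_bind_request(message_id, bind_dn, password):
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple } }."""
    bind = (_ber_int(3)
            + _tlv(0x04, bind_dn.encode())        # name: LDAPDN or UPN, OCTET STRING
            + _tlv(0x80, password.encode()))      # authentication simple [0]: the raw password
    return _tlv(0x30, _ber_int(message_id) + _tlv(0x60, bind))


def password_on_wire(frame, password):
    """True when the password bytes are readable in the frame (plain LDAP: always)."""
    return password.encode() in frame


def ldaps_context(ca_pem=None):
    """TLS settings for port 636: TLS 1.2+, certificate required, hostname checked.

    ca_pem stands in for the certificate stored in the extra SSM Parameter that
    UseSecureLdap requires; with it the Domain Controller is verified against
    that certificate rather than the system trust store.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_pem:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def check_port_settings(use_secure_ldap, port):
    """Problems with an AdPort/UseSecureLdap combination; empty list when consistent."""
    problems = []
    expected = 636 if use_secure_ldap else 389
    if port != expected:
        problems.append(f"UseSecureLdap={use_secure_ldap} but AdPort={port}; default is {expected}")
    if not use_secure_ldap:
        problems.append("plain LDAP: the simple bind sends the AdUser password in cleartext")
    return problems


if __name__ == "__main__":
    frame = simple_bind_request(1, "svc-click@corp.example", "Hunter2!")   # constructed sample
    print(frame.hex())
    print("password readable in frame:", password_on_wire(frame, "Hunter2!"))
    print(check_port_settings(False, 389))
```

The hostname check matters as much as the certificate check: AdHost must be the name that appears in the Domain Controller's certificate, not an IP address, or the LDAPS handshake will fail with check_hostname enabled.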