# Integrate Applications #

Now that we have the Xiid Agent securely running on our domain controller, we’re ready to start integrating third-party applications into our secure Xiid environment.

## Authenticator Setup ##

The first step is to set up an Authenticator that integrates with your LDAP service to handle credentials and authentication securely.

In the Xiid Agent Management Portal, navigate to the __Authenticators__ tab. Click the blue __Add New Authenticator__ button in the top left.

Provide a friendly name for the Authenticator. We recommend a name that helps you associate the Authenticator with your LDAP service and Active Directory Authentication Agent. Ensure that you have selected the Agent Friendly Name defined in the previous section.

Select __LDAP__ in the __Authenticator Type__ dropdown. This populates more fields below. For the LDAP Server, enter the IP address of the server running Active Directory. Leave the default LDAP Port unless you have changed it on your LDAP server.

Last, enter the username and password of an existing Active Directory user that can be used to query your LDAP server. This user only needs permission to query the LDAP server; we recommend that you do not grant it any other permissions, so that the service account stays as tightly scoped as possible.

After entering this information, click the blue __Create__ button at the bottom. The Xiid Agent Management Portal may take a few moments to verify the Authenticator information. You should see a green notification that the Authenticator was created successfully.

You can test your Authenticator by navigating to the __Authenticators__ tab, locating your Authenticator in the table, and clicking the blue checkmark button next to the Authenticator information.
(Shown below in the red box)

![Xiid Authenticator Page and Example](images/authenticatorsgeneric.PNG)

## Translator Setup ##

We’ve now defined how to communicate with our LDAP service; however, there may be a problem with our external applications. Some of them may ask for an email address to sign in rather than your domain credentials. We can solve this problem seamlessly using Xiid Translators.

Sign in to the Xiid Agent Management Portal and navigate to the __Translators__ tab.

We’ll start by creating an External to Internal Translator Group. This group of translators translates the various forms of external usernames into the username that LDAP expects.

On the Translators page, click the dropdown at the top under __Groups__ and select __Add New Translator Group__. Provide a friendly name for the Translator Group that helps you associate the kinds of external usernames you expect with how they are translated internally for the LDAP service. For the __Scope__, choose __External__. Click the purple __Create__ button to finish creating the Translator Group.

Now that we have our External Translator Group, we can define how to translate our external usernames into our internal LDAP server usernames. __For the purposes of this example, the domain tied to our Active Directory users is called testdomain.local.__

Ensure that your new Translator Group is selected in the __Groups__ dropdown, then click the blue __Add New Translator__ button at the top left of the screen. In the next screen, select __Domain__ for the __Type__.

The standard External to Internal translator we set up simply takes in our domain, testdomain.local, and converts it to our LDAP directory domain, which is also testdomain.local. Enter your LDAP domain in the __Token Internal__ field and enter your LDAP domain in the __Token External__ field. Click the purple __Create__ button to finish your External to Internal Translator.
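To make the domain-token translation concrete, the following Python snippet is an added illustration (not Xiid's own code) that models a Domain translator as a (Token Internal, Token External) pair, a Translator Group as a list of them, and applies the External to Internal mapping to a `user@domain` username. It also implements the reverse Internal to External mapping described later in this section, so a full round trip can be checked. The group contents, the case-insensitive domain match, the handling of a bare username with no domain, and the way an Internal to External lookup is disambiguated when one LDAP domain maps to several external domains are all assumptions made for the example; Xiid's actual matching rules are not described on this page.

```python
"""Domain-token translators, as an added illustration of the Translator Setup
section (not Xiid's code). Usernames have the form user@domain; a translator
swaps the domain token between its external and internal (LDAP) forms."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainTranslator:
    token_internal: str   # the LDAP domain, e.g. testdomain.local
    token_external: str   # the domain as the external application presents it


# Constructed sample groups mirroring the page's example values
# (testdomain.local as the LDAP domain, example.com as the email domain).
E2I_GROUP = [
    DomainTranslator("testdomain.local", "testdomain.local"),
    DomainTranslator("testdomain.local", "example.com"),
]
I2E_GROUP = [
    DomainTranslator("testdomain.local", "testdomain.local"),
    DomainTranslator("testdomain.local", "example.com"),
]


def _split(username: str) -> tuple[str, str | None]:
    """Split user@domain. A bare username (no '@') has no domain token, so the
    domain part is None (assumption: such names pass through untranslated)."""
    if "@" not in username:
        return username, None
    user, _, domain = username.rpartition("@")
    if not user or not domain or "@" in user:
        raise ValueError(f"malformed username: {username!r}")
    return user, domain


def external_to_internal(username: str, group=E2I_GROUP) -> str:
    """Apply the E2I group: replace a known external domain with its LDAP domain.
    Domains are compared case-insensitively (assumption); unknown domains are
    rejected rather than passed through, so a stray domain cannot reach LDAP."""
    user, domain = _split(username)
    if domain is None:
        return username
    for t in group:
        if domain.lower() == t.token_external.lower():
            return f"{user}@{t.token_internal}"
    raise LookupError(f"no External to Internal translator for domain {domain!r}")


def internal_to_external(username: str, external_domain: str | None = None,
                         group=I2E_GROUP) -> str:
    """Apply the I2E group: map an LDAP username back to an external form.
    When one LDAP domain maps to several external domains, the caller passes
    the external domain the user originally signed in with (assumption);
    otherwise the first matching translator in the group wins."""
    user, domain = _split(username)
    if domain is None:
        return username
    candidates = [t for t in group if t.token_internal.lower() == domain.lower()]
    if external_domain is not None:
        candidates = [t for t in candidates
                      if t.token_external.lower() == external_domain.lower()]
    if not candidates:
        raise LookupError(f"no Internal to External translator for {username!r}")
    return f"{user}@{candidates[0].token_external}"


def round_trip(external_username: str) -> str:
    """E2I followed by I2E should give back the username the user signed in with."""
    internal = external_to_internal(external_username)
    _, external_domain = _split(external_username)
    return internal_to_external(internal, external_domain)


if __name__ == "__main__":
    print(external_to_internal("example@example.com"))   # example@testdomain.local
    print(round_trip("example@example.com"))              # example@example.com
```

Running the module translates `example@example.com` to `example@testdomain.local` for the LDAP service and back again, which is the behaviour the two Translator Groups on this page are configured to produce.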
If you expect an email address to come in as a username, you can add an additional translator in this group and set the __Token Internal__ field to your domain (e.g. testdomain.local) and the __Token External__ field to your email domain (e.g. example.com). This converts the username example@example.com to example@testdomain.local for consumption by your LDAP service.

Next, we need to set up the Internal to External Translator, which defines how to convert your LDAP domain usernames back to your external usernames.

First, create another Translator Group by expanding the __Groups__ dropdown and selecting __Add New Translator Group__. In the Translator Group screen, give the group a friendly name that helps you associate the internal LDAP domains with your external domains. Select __Internal__ for the __Scope__. Click the purple __Create__ button to finish creating the Translator Group.

With our new Internal Translator Group selected, click the blue __Add New Translator__ button in the top left. In the Translator creation screen, select __Domain__ for the __Type__. Enter your LDAP domain for both the __Token Internal__ and __Token External__ fields. Click the purple __Create__ button to finish creating your Internal to External Translator.

Additionally, if you followed the optional step above to translate email addresses, create a second Internal to External Translator and enter your LDAP domain for the __Token Internal__ field and your email address domain for the __Token External__ field.

Now you have your translators configured to convert other domains and usernames to your LDAP usernames and back!

## Application Setup ##

Now that Xiid is fully integrated with LDAP, we can create an Xiid Application. The Xiid Application acts as an umbrella for all third-party applications that we want to integrate with Xiid’s Single Sign-On Portal.

Sign in to the Xiid Agent Management Portal and navigate to the __Applications__ tab.
Click the blue __Add New Applications__ button in the top left to get started.

Provide a friendly name that helps you associate the group of applications that will operate under this umbrella Xiid Application. Provide a Display Name that Xiid’s systems use to identify the Xiid Application; this Display Name is also shown to users in the Single Sign-On Portal.

You can choose between different tokenization algorithms for your applications. The JWT token is used by Xiid to anonymize credentials. Click the __Generate__ button on the right side of the JWT Secret to create a new secret used in generating the tokens. You may adjust the length of time for which the tokens generated for sign-in are valid. We recommend the default of 60 seconds.

Click the __Next__ button and select the Authenticator created in the Authenticator Setup section. Click __Next__ through the 2FA screen (we will skip 2FA for now).

On the Translators External to Internal screen, select the External to Internal (E2I) Group created in the section above. On the Translators Internal to External screen, select the Internal to External (I2E) Group created above.

Last, you may select a firewall to enhance network security between your collector and the Xiid Agent service. These firewalls allow you to whitelist, blacklist and safelist IP addresses that connect to the collector and are known to be safe, for example when you run a private subnet on your domain. Xiid also provides a default firewall for use. A firewall is not required to create an Xiid Application.

Click the green __Create Application__ button to finish.

![Xiid Applications Page and Example](images/applicationsgeneric.png)
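The JWT Secret and the 60-second validity window above are easiest to reason about with a small worked example. The Python block below is an added illustration, not Xiid's code, and makes no claim about the claims or algorithm Xiid's tokens actually carry: it mints an HS256-signed JWT using only the standard library, with an opaque subject in place of the credential, an `exp` claim 60 seconds after issue, and a verifier that rejects a bad signature, an unexpected `alg` header, and an expired token. The secret and subject values are constructed for the example; `generate_secret` plays the role of the __Generate__ button.

```python
"""Short-lived HS256 JWTs, as an added illustration of the JWT Secret and
token-validity settings (not Xiid's implementation). Standard library only."""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
import time

DEFAULT_LIFETIME_SECONDS = 60  # the default validity window recommended on the page


def generate_secret(nbytes: int = 32) -> bytes:
    """Fresh random HMAC key; 32 bytes gives a 256-bit key for HMAC-SHA256."""
    return secrets.token_bytes(nbytes)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def issue_token(secret: bytes, subject: str,
                lifetime: int = DEFAULT_LIFETIME_SECONDS,
                now: int | None = None) -> str:
    """Mint header.payload.signature. The subject is an opaque identifier, never
    the password, so the token carries no reusable credential (assumption about
    what 'anonymize credentials' means; Xiid's real claims are not shown here)."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": subject, "iat": now, "exp": now + lifetime}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(secret: bytes, token: str, now: int | None = None) -> dict:
    """Return the payload if the token is well formed, signed with `secret`, and
    not expired. The algorithm is pinned: a token claiming 'none' or any other
    alg is refused outright, and the signature is compared in constant time."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    # RFC 7519: the current time must be strictly before exp.
    if now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def forge_alg_none(token: str) -> str:
    """Rewrite a token's header to alg 'none' with an empty signature; used only
    to show that verify_token refuses it."""
    _, payload_b64, _ = token.split(".")
    return f"{_encode_json({'alg': 'none', 'typ': 'JWT'})}.{payload_b64}."


if __name__ == "__main__":
    key = generate_secret()
    tok = issue_token(key, "user-1234")
    print(verify_token(key, tok)["sub"])      # user-1234
```

With a 60-second window, a token captured from a sign-in is useless one minute later even if the secret is never rotated, which is why the short default is the right starting point; raising it widens the replay window for every application under this umbrella.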