Welcome to the Topicus KeyHub best practice guide.

Topicus KeyHub handles the authentication and authorisation of users. This best practice guide gives examples of how to link applications to Topicus KeyHub.

Layout of this guide

This guide contains example configurations of Topicus KeyHub and linked applications. Every chapter describes the configuration used in both KeyHub and the linked application. This guide does not provide a comprehensive list of all options. For those, please read our manual.

This guide explains how to set up a link between Topicus KeyHub and an Active Directory. This AD can then be used for dynamic and static account provisioning.

1.1. Configuration details

In this example we used the configuration below. You should replace this with the details for your configuration.

A guide on how to prepare your AD can be found here: prepare AD

You need a group in KeyHub to connect to your application. See how to create a group here
  • Name: Linked AD

  • Technical administration group: KeyHub Administrators

  • Primary Host: linked-ad.keyhub.test

  • Trusted Certificate: Click on download to get the server certificate.

  • Bind DN: CN=KeyHub, CN=Users, DC=keyhub, DC=test

  • Bind password: the password for user KeyHub

  • Base DN: CN=KeyHub, DC=KeyHub, DC=test

  • Group DN: OU=Groups

  • User DN: OU=Users

Detailed info per item can be found in the manual (chapter 14.2)

1.1.1. Step 1


  • Click Add


1.1.2. Step 2

  • Choose Type: Active Directory

  • Click NEXT


1.1.3. Step 3

  • Fill in the details listed above, or your own

  • Click TEST

  • Click SAVE


1.1.4. Step 4

To provision users to a group on the Active Directory you need to link it to a group in KeyHub.

  • Click your newly linked AD

  • Click Groups

  • Click ADD

  • Select the group you want to use

  • Select the group on the AD you want to use or select Create a new group

  • Click SAVE


1.1.5. Step 5

  • Done. Your linked Active Directory is ready for use

Because the group is provisioned dynamically by default, it will appear on your dashboard, where you can activate the group. If you want the group to be always 'on', you need to provision it statically. You can find how here

2. Configure client authentication for Active Directory

Client authentication is the most secure way of setting up a connection to the directory. This guide is split into 5 parts for setting up client authentication for Active Directory.

2.1. Prepare a client certificate

2.1.1. Step 1

  • Log in to the Active Directory with the user "keyhub" (see Prepare AD)

  • Open Microsoft Management Console (mmc.exe)


2.1.2. Step 2

  • Open File → Add/Remove Snap-in


2.1.3. Step 3

  • Select Certificates

  • Click Add

  • Click OK


2.1.4. Step 4

  • Select My user account

  • Click Finish

  • Click OK


2.1.5. Step 5

  • Right click Personal (from Console root → Certificates - Current User)

  • Select All tasks → Request New Certificate


2.1.6. Step 6

  • Click Next


2.1.7. Step 7

  • Select User

  • Expand details

  • Click Properties


2.1.8. Step 8

  • Select Subject tab

  • Fill in cn=keyhub in the Full DN Value box

  • Click Add

  • Click OK


2.1.9. Step 9

  • Click Enroll


2.1.10. Step 10

  • Done. Your client certificate is created
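
To confirm the result of steps 1 to 9 before exporting, the following PowerShell check looks in the current user's Personal store for a certificate with the common name keyhub and reports whether it has a private key, is inside its validity period and carries the Client Authentication EKU. It is an added example, not part of the KeyHub guide or product; the function name Test-ClientCertificate is hypothetical, and the common name and store path are assumptions taken from step 8 and step 5.

```powershell
# Added example, not part of the KeyHub guide. Run it as the account that
# enrolled the certificate (the "keyhub" user in this guide).
function Test-ClientCertificate {                     # hypothetical helper name
    param(
        [string]$CommonName = 'keyhub',               # CN entered in step 8
        [string]$StorePath  = 'Cert:\CurrentUser\My'  # Personal store, current user
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'              # Client Authentication EKU
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $ekuType  = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    $now      = Get-Date

    $found = @(Get-ChildItem -Path $StorePath |
        Where-Object { $_.GetNameInfo($nameType, $false) -eq $CommonName })
    if ($found.Count -eq 0) {
        Write-Warning "No certificate with CN=$CommonName found in $StorePath"
        return
    }

    foreach ($cert in $found) {
        # Collect the EKU OIDs; a certificate without an EKU extension yields none.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is $ekuType } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })

        $inValidity = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        $clientAuth = $ekuOids -contains $clientAuthOid

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            InValidity    = $inValidity
            ClientAuthEku = $clientAuth
            # Verify() builds the chain with the default policy, revocation included.
            ChainVerifies = $cert.Verify()
            ChecksPassed  = $cert.HasPrivateKey -and $inValidity -and $clientAuth
        }
    }
}

Test-ClientCertificate | Format-List
```

More than one row in the output means several certificates share the same common name; note the thumbprint of the one you intend to export.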

2.2. Export the client certificate and key

From the management console with the user certificate snap-in (see steps 1 through 4 here)

2.2.1. Step 1

  • Right click the certificate you want to export

  • Select All tasks

  • Select Export


2.2.2. Step 2

  • Click Next


2.2.3. Step 3

  • Select Yes…​

  • Click Next