Security

This section describes the security controls that Connect to AD uses to protect customer data.

Connect to AD communicates with only 2 services to perform its functions:

  1. [source-object]
  2. [target-system]
Employee data is exclusively stored locally. The only required services are the UKG APIs and [target-system].
[Image: UKG to Active Directory Security]
[Image: UKG to Entra Security]

 

UKG

All communications to the UKG API are encrypted and authenticated using . The transmission channel that is used to transmit data is secured via Transport Layer Security (TLS).

Connect to AD requires a valid UKG service account to establish a connection with the UKG API. The [source-object] is encrypted using RFC 2898 and securely stored within the configuration file.

For more information on setting up a valid connection to the UKG API, click

 
 

Entra ID

All communications to Entra ID are authenticated using a valid Entra ID application (with a client secret) that can read, insert, and update user records in Entra. Entra ID uses TLS to secure the transmission channel used to transmit data.
 

Active Directory

All communications to Active Directory are authenticated using a valid Windows account that can read, insert and update user records in Active Directory. The permissions may be modified based on your configurations. The security level of the transmission channel that is used to transmit data to Active Directory is determined by your AD configuration (with or without SSL/TLS).
 
Connect to AD supports both LDAP and LDAPS.

For more information on using LDAPS with Active Directory, you can reference:

For more information on setting up a valid connection to Active Directory, click here.
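
Because the channel to Active Directory is only as secure as your AD configuration, it is worth confirming that a domain controller offers LDAPS with a certificate the agent host trusts before relying on it. The PowerShell below is an added example, not part of Connect to AD or its documentation; the host name `dc01.corp.example` and the function name `Test-LdapsEndpoint` are assumptions.

```powershell
# Added example: verify that a domain controller accepts LDAPS (TLS on 636)
# and presents a certificate that this machine trusts for that host name.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$Server,  # FQDN of the domain controller
        [int]$Port = 636                        # standard LDAPS port
    )

    $result = [ordered]@{
        Server = $Server; Port = $Port; Reachable = $false; TlsOk = $false
        Protocol = $null; Subject = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
        $result.Reachable = $true

        # No custom validation callback: the handshake fails unless the chain
        # is trusted by this machine and the certificate matches $Server.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($Server)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $result.TlsOk    = $true
            $result.Protocol = $ssl.SslProtocol
            $result.Subject  = $cert.Subject
            $result.NotAfter = $cert.NotAfter   # renew before this date
        } finally {
            $ssl.Dispose()
        }
    } catch {
        # Covers refused connections, untrusted chains and name mismatches.
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# 'dc01.corp.example' is a placeholder; use your domain controller's FQDN.
$check = Test-LdapsEndpoint -Server 'dc01.corp.example'
$check | Format-List
if (-not $check.TlsOk) {
    Write-Warning "LDAPS not verified on $($check.Server):$($check.Port). Plain LDAP would send directory traffic without TLS."
}
```

Run it from the machine that hosts the agent, since trust is evaluated against that machine's certificate store.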

 

Encryption

All connection details managed by the Connect to AD agent are encrypted at rest using industry-standard encryption protocols. Sensitive credentials and configuration data are securely stored (in the local config.db file) using strong encryption algorithms. This ensures that connection information remains confidential and tamper-proof throughout the deployment's lifecycle.

For more information on the encryption algorithms we use, please reference:

 

IP Whitelisting

If you choose to implement IP Whitelisting, please include your UKG API host (https://service?.ultipro.com) in the allowed list of IP addresses as that is the only external service required by Connect to AD.
