Skip to main content

Celonis Product Documentation

LDAP Sync Tool


The LDAP Sync tool can be used but it is not maintained and we don't offer support. It has been deprecated in favor of Just-In-Time Provisioning via SAML.

LDAP (Lightweight Directory Access Protocol) is an application protocol for querying and modifying items in directory service providers like Active Directory (AD), which supports a form of LDAP.

Active Directory is a directory services database, and LDAP is one of the protocols you can use to talk to it.

In LDAP, directory entries are arranged in a hierarchical tree-like structure.

For a comprehensive overview, refer to the Wikipedia articles about LDAP and Active Directory.

Tree-like structure of an LDAP directory entry
Synchronizing Active Directory members with your team in Celonis Execution Management System

Synchronization of AD with the Celonis EMS creates accounts in the Celonis EMS team and allows people to log in via SSO, or can facilitate provisioning accounts for a large number of users. Without an account on the team, a user will not be able to use SSO

The tool with which to accomplish this is documented here. A regular sync (e.g. via cron job installed on the customer side) will automatically sync new users that correspond to the LDAP search filter to the Celonis EMS user database and add them to the team. Users who are not part of the sync anymore (e.g. because they left the company or changed departments) will automatically be removed from the team. If an LDAP sync is set up after team members have already been invited to the team, the Celonis EMS will check if the email addresses of the newly synced users are already part of the team. If that is the case, the status of this user will change from “manually managed” to “managed by LDAP sync”.

Permission handling

The best way to assign permissions is to assign the permissions not to individual team members directly but to the groups they belong to. This way, a new-joiner on the customer side who is synced via LDAP for the first time to Celonis EMS will automatically inherit the right permission profile form the LDAP group into which he or she was synced.

Manually managed users and groups vs. LDAP managed users and groups

Users & groups who were synced via LDAP are also managed by the LDAP sync. The reason for this is that any manual changes performed by the Team Admin would be undone with the next LDAP sync: e.g. the team admin manually removes a member from a specific group in the team and the next LDAP sync would add this user to the same group again.

A team admin will still be able to manually invite team members (whose email addresses are currently not included in the LDAP sync load) and create groups. The manually created team members & groups can then be fully managed by the team admin.

How does Single Sign-On work in combination with LDAP?

In order to easily administrate users, groups, and permissions, it is highly recommended to set up an LDAP sync in combination with an SSO configuration.

This is an overview of the complete setup of SSO (SAML) and LDAP for a given Team:




Users and groups are synchronized to Celonis EMS user database via LDAP sync


LDAP-client.jar pulls from active directory users and groups that fit the search criteria defined in the yml file


LDAP-client.jar pushes these users & groups to Celonis EMS

User log in via SAML (SSO)


The user tries to log in to the Customers Celonis EMS Team; if SAML has been configured for the team:


Celonis EMS responds by generating a SAML request & redirecting the request to IdP


The browser redirects the user to an SSO URL with Identity Provider (IdP); IdP parses the SAML request


IdP authenticates the user (this could be via username and password or even a two-factor authentication; if the user is already authenticated with IdP and has an active IdP session, log in with IdP will be skipped) and generates a SAML response.


IdP returns the SAML response to the browser. IdP triggers redirect to callback URL of Celonis EMS Service provider and send SAML response for verification.


The browser executes the redirect that has been initiated and passes SAML response to Celonis EMS


Service Provider verifies on user database that user is part of the team (based on email address)


If verification is successful, the user will be logged in to the customer's Celonis EMS team and granted access to the resources for which he has the required permissions.