000038760 - Determine the correct root (base DN) and user search filter when configuring an identity source for the RSA SecurID Access Cloud Authentication Service

Document created by RSA Customer Support Employee on May 18, 2020
Version 1

Article Content

Article Number
000038760
Applies To
RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Cloud
Issue
When adding an identity source to the RSA Cloud Authentication Service, you must specify a root (base DN) value and a user search filter value to define which user records will be synchronized from that identity source to the cloud.
  • The root determines the node in the Identity Source tree which is the starting point from where users will be synchronized.  For example, DC=company, DC=com.
  • The user search filter specifies which user records within the root should be synchronized to the RSA Cloud Authentication Service.  Only synchronized users can use configured authentication methods.  An example user search filter is (&(objectCategory=person)(objectClass=user)).
It can sometimes be difficult to determine the optimal root and user search filter combination that retrieves the exact set of users who should be synchronized to the cloud.  Syntax mistakes can easily be made when designing complex search filters, causing unwanted users to be synchronized or some required users to be omitted.  Experimentation is sometimes required to ensure that the search filter is both syntactically correct and retrieves the correct set of users.

Tasks
The root and user search filter fields of an identity source use the standard LDAP string representation of search filters.  RSA recommends using any suitable LDAP browser tool to develop and test base DN and user search filter values, instead of trying to synchronize and check in the RSA Cloud Administration Console itself.  The advantages of using an LDAP browser tool are:
  • LDAP browsers more easily allow you to check the results of a search, compared to doing that from the RSA Cloud Administration Console.
  • You can fix incorrect search filters and re-test quickly.
  • User search filters specified for an identity source can use attributes that are not synchronized to the cloud.  With an LDAP browser, you can review all the attributes on records retrieved, which is useful for checking why search results are not as expected.   In the RSA Cloud Administration Console, you cannot view attributes that are not synchronized to the cloud.
  • Some tools will also come with online help that explains base DN and search filter syntax.
Resolution
  1. Define the correct base DN and user search filter values using an LDAP browser.
  2. Copy and paste them directly from the LDAP browser into the corresponding root and user search filter fields of the RSA Cloud Administration Console's Identity Source configuration.
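
An offline sanity check for a candidate root and user search filter, added here as an example; it is not RSA code and does not replace testing against the real directory with an LDAP browser. It parses a subset of the LDAP filter syntax and lists which entries under the root would be selected. The sample entries and the names parse, matches and search are assumptions made for illustration.

```python
import re
# Constructed sample entries (not real data); in Active Directory, computer
# accounts also carry objectClass=user. Filter subset: & | ! equality presence.
ENTRIES = [
    {"dn": "CN=Alice,OU=Staff,DC=company,DC=com",
     "objectCategory": ["person"], "objectClass": ["top", "user"]},
    {"dn": "CN=PC01,OU=Machines,DC=company,DC=com",
     "objectCategory": ["computer"], "objectClass": ["top", "user", "computer"]},
    {"dn": "CN=Bob,OU=Staff,DC=other,DC=com",
     "objectCategory": ["person"], "objectClass": ["top", "user"]},
]
COMPARISON = re.compile(r"([A-Za-z][\w.;-]*)=([^()]*)")

def parse(f, i=0):
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, kids)
    else:
        m = COMPARISON.match(f, i)
        if not m or ("*" in m.group(2) and m.group(2) != "*"):
            raise ValueError(f"unsupported or malformed comparison at position {i}")
        node, i = ("=", m.group(1).lower(), m.group(2).lower()), m.end()
    if i >= len(f) or f[i] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] == "=":
        vals = {v.lower() for k, vs in entry.items()
                if k != "dn" and k.lower() == node[1] for v in vs}
        return bool(vals) if node[2] == "*" else node[2] in vals
    results = [matches(kid, entry) for kid in node[1]]
    return {"&": all, "|": any}.get(node[0], lambda r: not r[0])(results)

def search(base_dn, flt, entries=ENTRIES):
    rdns = lambda dn: [p.strip().lower() for p in dn.split(",")]  # no escaped commas
    tree, end = parse(flt.strip())
    if end != len(flt.strip()):
        raise ValueError("trailing characters after filter")
    base = rdns(base_dn)  # subtree scope: entry DN must end with the root's RDNs
    return [e["dn"] for e in entries
            if rdns(e["dn"])[-len(base):] == base and matches(tree, e)]
```

Calling search("DC=company, DC=com", "(objectClass=user)") also returns the PC01 computer account, while the article's example filter returns only Alice; a filter with a missing closing parenthesis raises ValueError instead of silently matching.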
