000012688 - How to create an External Identity Source to Active Directory in AM 7.1 or later

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.


Article Number: 000012688
Applies To: Authentication Manager 7.1 or later, AM 8.0, AM 8.1

A new concept in AM 7.1 is the external Identity Source, where RSA users "live" in an Active Directory domain (or other LDAP directory), while their tokens "live" in the RSA AM internal database. This is like a Real-Time LDAP Synchronization in the 6.1.2 world: if users are added or deleted in Active Directory, they are added or disabled in RSA in real time. However, if the network connection between RSA and Active Directory goes down (or the admin password is changed), no one can authenticate, because RSA AM can no longer "see" the users in AD.

You can also migrate your 6.1.2 users and their tokens into AM 7.1. If you would like to use an External Identity Source in 7.1, and your current 6.1.2 (Appliance 2.0) users originally came from Active Directory, you can migrate in that fashion. See KB a63122 or KB a63192.

Authentication Manager 7.1, AM 7.1 SP4, AM 8.0, AM 8.1
Issue: How to create an External Identity Source to Active Directory in AM 7.1 or later. How do I create an external Identity Source?
Error: Export Failed: There is an error with the user record. The identity source contains no value for the attribute set as the Unique Identifier for the user. Edit the user record in the directory to add a value.
This error indicates that you are not using objectGUID as the Unique Identifier in your external Identity Source but something else, such as exuid or employeeNumber, and that at least one record has a blank entry in that Unique Identifier field.

You create an External Identity Source in RSA from the Operations Console, https://<RSA_Server>:7072/operations-console/
Navigate to Deployment Configuration - Identity Sources - Add New (or Manage Existing if already created).
You'll need the Identity Source Name and URL. Typically you point to a Domain Controller. You will also need to configure an AD Administrator account and its Password, or RSA will not work. Configure:
URL: ldap://<FQDN of Domain Controller>          e.g. ldap://dc01.example.local
UserID: rsasync@example.local
    (needs full AD admin rights or it is not supported)
Password: can be entered by the AD Admin so that it stays unknown to the RSA Admin
Test Connection, at the bottom of this first tab (Connect), must succeed, or RSA will not be able to read the directory.
If the Test Connection is successful you can click Next, or go to the Map tab on an existing Identity Source.
Here you configure:
User Base DN: dc=example, dc=local
Group Base DN: <same>
UserID nearly always maps to sAMAccountName, e.g. GuilletJ. It could instead map to the UPN/email, e.g. jay.guillette@example.local, but users complain about having to type that.
Unique Identifier maps to objectGUID
1st name typically maps to givenName
MI maps to initials
Last name maps to sn
eMail maps to mail
Cert DN: (no mapping given)
Password maps to unicodePwd
Search Filter: use one of the following. Either restrict the scope to members of one group (here the group called RSACitrixAccess; note that memberOf holds the group's full distinguished name, so the CN alone will not match):
    (&(objectClass=User)(objectcategory=person)(memberOf=CN=RSACitrixAccess,<remainder of the group's DN>))
or take all users:
    (&(objectClass=User)(objectcategory=person))
Search all levels
Object Classes: user,organizationalPerson,person
User Group name maps to cn
Search Filter: (objectClass=group)
Search all levels
Object Classes: group, top
Membership Attribute: member
Enable use of Membership attributes
MemberOf Attribute: memberOf
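An offline pre-check for two of the problems described on this page, the "Export Failed" error caused by a blank Unique Identifier attribute and a malformed search filter, written as an added example (not code from RSA or from this article). The user records, GUIDs and the full DN of the RSACitrixAccess group are constructed sample values standing in for what a search under dc=example,dc=local would return.

```python
# Added example, not from the RSA article: offline pre-checks on the records an
# AD search would return, modelled on the attribute mappings above. All records,
# GUIDs and the group DN are constructed sample values.

# Assumed full DN of the RSACitrixAccess group; memberOf stores full DNs.
GROUP_DN = "CN=RSACitrixAccess,OU=Groups,DC=example,DC=local"

# Constructed records. SmithA has a blank employeeNumber, which is exactly the
# condition behind "Export Failed: ... no value for the attribute set as the
# Unique Identifier" when employeeNumber (not objectGUID) is the Unique Identifier.
SAMPLE_USERS = [
    {"sAMAccountName": "GuilletJ", "objectGUID": "0f1e2d3c-0000-4000-8000-000000000001",
     "employeeNumber": "1001", "memberOf": [GROUP_DN]},
    {"sAMAccountName": "SmithA", "objectGUID": "0f1e2d3c-0000-4000-8000-000000000002",
     "employeeNumber": "", "memberOf": []},
    {"sAMAccountName": "LeeK", "objectGUID": "0f1e2d3c-0000-4000-8000-000000000003",
     "employeeNumber": "1003", "memberOf": [GROUP_DN]},
]


def filter_is_balanced(ldap_filter):
    """Catch an unbalanced search filter such as '(&(objectClass=group)' before
    it is saved on the Map tab: every '(' must close and none may close early."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def in_scope(user, group_dn=None):
    """Apply the optional (memberOf=<full group DN>) clause of the user filter."""
    return group_dn is None or group_dn in user.get("memberOf", [])


def users_missing_unique_id(users, uid_attr, group_dn=None):
    """Return the sAMAccountName of every in-scope user whose Unique Identifier
    attribute is blank; any hit will make the export fail for that record."""
    return [u["sAMAccountName"] for u in users
            if in_scope(u, group_dn) and not u.get(uid_attr)]


if __name__ == "__main__":
    print(filter_is_balanced("(&(objectClass=group)"))               # False
    print(users_missing_unique_id(SAMPLE_USERS, "objectGUID"))       # []
    print(users_missing_unique_id(SAMPLE_USERS, "employeeNumber"))   # ['SmithA']
```

Running the same check with the group DN restricts it to the accounts the memberOf filter would actually import, so a blank value on an out-of-scope account is correctly ignored.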


This should be a good basis for a user to start.

Legacy Article ID: a63091