Identity Sources for the Cloud Authentication Service

Document created by RSA Information Design and Development on Jul 13, 2016Last modified by Joyce Cohen on Sep 15, 2017
Version 23Show Document
  • View in full screen mode

  

An identity source is a repository in the Cloud Authentication Service that represents one primary LDAP directory server and its replicas.

Supported Directory Servers

The Cloud Authentication Service supports Microsoft Active Directory 2008 and 2012 and LDAPv3 directories. The LDAPv3 servers must support Simple Paged Search. Your LDAP server must support control type 1.2.840.113556.1.4.319. See your LDAP server documentation to verify this support before adding an LDAPv3 identity source.

LDAP Synchronization Process

The Cloud Authentication Service has read-only access to the LDAP directory server. To manage LDAP users within RSA SecurID Access, register user Authenticate devices and FIDO Tokens, and ensure that attributes are available for access policies and SMS Tokencode authentication, user records must be synchronized between the Cloud Authentication Service and LDAP. During synchronization, the following takes place: 

  • New user records are added to the Cloud Authentication Service.

  • Existing user records are overwritten on the Cloud Authentication Service. All attribute values that were modified in the LDAP directory server since the previous synchronization are updated on the Cloud Authentication Service. Attribute values that did not originate in LDAP and exist only in RSA SecurID Access are not overwritten. For example, these include user devices and authentication methods.

During synchronization, RSA SecurID Access searches for an available identity source server. At least one server must be reachable. If a server cannot be reached, the synchronization process terminates.

Users who are moved to a different OU in the LDAP directory server cannot use their LDAP directory passwords for device registration until after synchronization.

Note: The identity router uses simple bind authentication for connections to LDAP clients.  

Synchronization Scope

The User Search Filter field determines which users get synchronized. If you synchronize immediately after adding the identity source, as recommended, then all users within the User Search Filter scope are added to the Cloud Authentication Service.

Note:  You can modify the User Search Filter to narrow the scope after the initial synchronization. Users who are no longer within scope are not automatically removed from the Cloud Authentication Service the next time you synchronize. These users can still authenticate. You must manually delete these records from the Cloud Authentication Service to disable authentication.

User Attributes Synchronized

RSA SecurID Access synchronizes a limited subset of user attributes from your directory server to identity sources and uses these attributes for different purposes, depending on which product components are included in your deployment.

                   
Deployment ComponentsSynchronized Attributes and Usage
SSO AgentIdentity source attributes are required to validate users for authentication and device registration. For a list of synchronized attributes, see LDAPv3 Directory Server Attributes Synchronized for Authentication and Active Directory Attributes Synchronized for Authentication. User passwords are not synchronized.

Relying parties and RADIUS clients. No SSO Agent.

RSA SecurID Access synchronizes the same attributes as it does in an SSO Agent deployment to obtain attributes for authentication and device registration.

In addition, you must configure a separate list of attributes to identify the target user population in access policies (not required if you use the policy All Authenticated Users). You select these attributes when you add an identity source, in the Policies column on the User Attributes page. Synchronization makes the selected user attributes available to access policies during authentication. If synchronization is disabled and access policies require LDAP attributes to select the target population, users cannot successfully authenticate. Without synchronization, only policies that allow all authenticated users allow successful authentication.

 

LDAP Synchronization Methods

Three methods are available for synchronizing your LDAP directory servers with the Cloud Authentication Service:

  • Just-in-time
  • Manual
  • Scheduled

The following sections describe each method.

Just-in-Time Synchronization

Just-in-time synchronization ensures that the identity source in the Cloud Authentication Service is updated every time a user attempts to perform one of the following actions:

  • Register a device using the RSA SecurID Authenticate app.
  • Access a protected resource using additional authentication after the LDAP password is validated.

After just-in-time synchronization is enabled, you never need to add user records through manual or scheduled synchronization. You enable this feature on My Account > Company Settings>Company Information. Enablement affects all identity sources in the Cloud Authentication Service deployment.

Note:  For a variety of reasons, the Cloud Authentication Service might not always be able to obtain the most current information about a user from the LDAP directory server. For example, the identity source connection may be down, or the user may have been deleted from the LDAP diretory server, or the search filter may no longer include that user within its scope. In these cases, the Cloud Authentication Service uses the information that was synchronized most recently. Consequently, a user whose record has been deleted from LDAP directory can still authenticate. You must manually delete the user from the Cloud Authentication Service to prevent authentication.

Manual Synchronization

You can manually request immediate synchronization at any time for an identity source. This method is recommended after you add an identity source, to initially load users to the Cloud Authentication Service. For instructions, see Manually Synchronize an Identity Source for the Cloud Authentication Service.

Scheduled Synchronization

You can add a schedule to automatically synchronize an identity source on selected days, weeks, or months. This feature ensures that an identity source is updated automatically, on a regular basis, without human intervention. You can edit, enable, or disable the schedule as needed. You can configure a schedule separately for each identity source. For instructions, see Schedule Identity Source Synchronization for the Cloud Authentication Service

 
 

Phone Number Synchronization for SMS Tokencode

Users can use SMS Tokencodes if these criteria are met:

  • RSA has enabled this feature for your company.
  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).
  • A phone number is stored for the user in the Cloud Authentication Service. The phone number can be synchronized from the LDAP directory server or entered manually by the administrator.

If the Cloud Authentication Service has multiple phone numbers for a user, you must use the Cloud Administration Console to select the one to use for authentication.

SMS Phone Number Attribute

If you want phone numbers to be synchronized from the identity source, you must enter an LDAP attribute for the phone number in the identity source configuration. If the phone number format for that attribute changes in the LDAP directory server, the format is also changed in the Cloud Authentication Service, but the actual phone number remains the same.

Note:  Do not reformat synchronized phone numbers on the Users > Management page. Synchronized formats from your LDAP directory server always take precedence.

If you do not configure an attribute and SMS Tokencode is required for authentication, you must manually enter phone numbers for users.

Overwriting the SMS Phone Number During Synchronization

During synchronization, all user information is updated in the cloud identity source. The following information applies only to the users' assigned SMS Tokencode phone numbers that are maintained on the Users > Management page.

If you configure a phone number attribute, users' assigned SMS Tokencode phone numbers are overwritten in the cloud identity source during synchronization when both of the following are true:

  • The phone number was not manually modified for the user on the Users > Management page in the Cloud Administration Console.
  • The phone number value has been changed on the LDAP directory server.

Users' assigned SMS Tokencode phone numbers are not overwritten in the cloud identity source during synchronization if you manually entered or changed those phone numbers on the Users > Management page. For example:

  • You manually modify a synchronized phone number, including by changing the country code.
  • You manually enter the phone number when no LDAP phone number attribute is configured in RSA SecurID Access. The phone number is not overwritten even if you add the LDAP attribute at a later date.
  • You manually delete an existing phone number (that was either manually-entered or synchronized) and did not manually enter a new number, leaving the field value blank.

Deleting User Records

If user records are synchronized to the Cloud Authentication Service and then subsequently deleted from the LDAP directory server, those records are not automatically deleted from the Cloud Authentication Service. These users cannot register a device or authenticate. You must manually delete their records from the Cloud Authentication Service or delete the identity source that contains the users.

Changing LDAP Passwords

When you add an identity source to a deployment that uses the SSO Agent, you can enable users to change their LDAP passwords using the application portal. To use this feature, you must provide directory server administrative credentials that have read and write permissions, and the identity source must be configured to use SSL connections.

 

SSL Encryption for Identity Sources

RSA strongly recommends that you enable SSL encryption to secure communication between an identity source and the identity routers. 

Provide the Certificate Authority (CA) root certificate for each directory server's SSL certificate or the SSL certificate itself if it is self-signed. The Cloud Authentication Service supports the X509 certificate file format.

If you modify an SSL-enabled identity source, you must do the following:
  • If you switch between enabling or disabling SSL encryption, you must change the directory server port.
  • If you change to a different directory server, you must replace the existing SSL certificate.

 

 

 

 

 

You are here

Table of Contents > Identity Sources > Identity Sources for the Cloud Authentication Service

Attachments

    Outcomes