LDAPv3 Directory Server Attributes Synchronized for Authentication

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Feb 9, 2018.
Version 22

RSA SecurID Access synchronizes six user attributes from your LDAPv3 directory server to the Cloud Authentication Service and uses these attributes to validate users for authentication. When you add an identity source by clicking Users > Identity Sources, you can enable synchronization for these attributes in either of two places:

  • If your deployment uses the SSO Agent in RSA SecurID Access, on the Additional Authentication page, you can select Synchronize user attributes for additional authentication to synchronize only the six attributes listed in the following table.
  • If your deployment uses a relying party, on the User Attributes page, you can select Use selected policy attributes with the Cloud Authentication Service. This checkbox enables synchronization of both the authentication attributes listed below and the policy attributes you select on that page to use for identifying the target user population in access policies.

When you add an identity source, you must also map each user attribute to its corresponding attribute in your LDAPv3 directory server.

The last four columns show example attribute names in each LDAP directory server.

RSA SecurID Access Attribute Name | Attribute Value | Oracle Directory Server | Apache Directory Server | OpenDJ | OpenLDAP
--- | --- | --- | --- | --- | ---
First Name | User's first name. | givenName | givenName | givenName | givenName
Last Name | User's last name. | sn | sn | sn | sn
Email Address | User's email address. Note: This attribute must be named mail and must be in the LDAP directory's inetOrgPerson objectClass. | mail | mail | mail | mail
SecurID Username | User's SecurID username. Typically, this is a short username, such as jdoe. If your deployment does not include RSA Authentication Manager, set this attribute to the same value as the Primary Unique Identifier. | | | |
Primary Unique Identifier | A unique identifying value (DN) for the user. | entryDN | entryDN | entryDN | entrydn
Secondary Unique Identifier | A unique and stable identifier for the user. The value of the Secondary Unique Identifier must not change, even if the user's name, email address, or DN changes over time. | nsUniqueId | entryUUID | entryUUID | nsUniqueId

Note:  SMS Tokencode Phone Number and Voice Tokencode Phone Number are also synchronized if you configure them when you add an identity source.
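As an added example (not RSA's own code), a Python pre-synchronization check that reads a constructed LDIF export and reports, for a chosen directory server type, which attributes from the table above an entry is missing or empty, so that entries without a stable Secondary Unique Identifier or the required inetOrgPerson objectClass are found before synchronization. The sample entries, function names and the default SecurID Username mapping are assumptions.

```python
LDAP_SERVERS = ("Oracle Directory Server", "Apache Directory Server", "OpenDJ", "OpenLDAP")
# RSA attribute -> example LDAP attribute per server, in LDAP_SERVERS order (from the table above)
ATTRIBUTE_TABLE = {
    "First Name": ("givenName",) * 4,
    "Last Name": ("sn",) * 4,
    "Email Address": ("mail",) * 4,
    "Primary Unique Identifier": ("entryDN", "entryDN", "entryDN", "entrydn"),
    "Secondary Unique Identifier": ("nsUniqueId", "entryUUID", "entryUUID", "nsUniqueId"),
}
def mapping_for(server, securid_username_attr=None):
    """RSA -> LDAP attribute map for one server type; SecurID Username is deployment-specific."""
    col = LDAP_SERVERS.index(server)
    mapping = {rsa: names[col] for rsa, names in ATTRIBUTE_TABLE.items()}
    # Without RSA Authentication Manager, SecurID Username equals the Primary Unique Identifier.
    mapping["SecurID Username"] = securid_username_attr or mapping["Primary Unique Identifier"]
    return mapping

def parse_ldif(text):
    """Minimal LDIF reader (no folding/base64); names lower-cased as LDAP attribute names are case-insensitive."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
        elif current:
            entries.append(current)
            current = {}
    return entries

def check_entry(entry, mapping):
    """List the problems that would stop this entry from syncing or matching reliably."""
    problems = [f"{rsa}: LDAP attribute {attr} is missing or empty"
                for rsa, attr in mapping.items() if not any(entry.get(attr.lower(), []))]
    # The table above requires the email attribute (mail) to live in objectClass inetOrgPerson.
    if "inetorgperson" not in {c.lower() for c in entry.get("objectclass", [])}:
        problems.append("Email Address: entry lacks objectClass inetOrgPerson")
    return problems
# Constructed export; operational attributes (entryDN, entryUUID) appear only if explicitly requested.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
givenName: Jane
sn: Doe
mail: jdoe@example.com
entryDN: uid=jdoe,ou=people,dc=example,dc=com
entryUUID: 3b5c2a4e-0000-4000-8000-000000000001

dn: uid=nouuid,ou=people,dc=example,dc=com
sn: Uuid
"""
```

Run `check_entry(entry, mapping_for("OpenDJ"))` over `parse_ldif(SAMPLE_LDIF)`: the first entry passes, while the second reports the missing attributes and the missing objectClass.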


