Use the Cloud Administration Console to add a connection to an Active Directory or LDAPv3 identity source for the Cloud Authentication Service.
Before you begin
- You must be a Super Admin in the Cloud Administration Console.
- Understand how synchronization works for identity sources. See Identity Sources for the Cloud Authentication Service
- Complete the Planning Checklist in the RSA SecurID Access Cloud Authentication Service Planning Guide.
- Confirm that your LDAPv3 directory server supports Simple Paged Search for control type 1.2.840.113522.214.171.1249.
Obtain the administrator username and password for the directory server. For Active Directory, the administrator must have permissions that equal or exceed those given to the Domain Users group. For LDAP, the administrator must have root privileges on the directory server.
The username must be in the User Principal Name (UPN) format, such as email@example.com. The account must be enabled to search from the directory search root specified above. For Active Directory, the name must be unique in a forest of trees, and the user can be part of the Domain User group.
The password must not expire. If the password expires, no user will be able to authenticate to the application portal until the password is reset.
- Understand how user attributes are used in access policies. For more information, see Access Policies.
Have the Certificate Authority (CA) root certificate for the directory server's SSL certificate or the SSL certificate itself if it is self-signed. The Cloud Authentication Service supports the X509 certificate file format.
If relying parties or RADIUS clients are configured, make sure your identity router software is up-to-date. If your identity router is not updated to the latest version, you might not be able to synchronize the identity source with the Cloud Authentication Service.
- For SSO Agent deployments, you can allow users to change their identity source passwords using the application portal:
- The directory server must support read and write access from the identity router.
- You must select Use SSL and Allow Users to Change Passwords in the following procedure.
- Ensure that the directory server is configured to accept SSL connections.
- For Active Directory identity sources, the administrator whose credentials are used in the Username and Password fields must be a member of the Domain Admins or Administrators group.
- In the Cloud Administration Console, click Users > Identity Sources.
- Click Add an Identity Source.
- Click Add next to the type of identity source you want to add.
- In the Identity Source Name field, enter a name for the identity source.
- (Optional) In the Description field, enter a description for the identity source.
- In the Root field, enter the Base DN for users. See the Planning Checklist for this value.
(Required for SSO Agent deployments only.) In the User Tag field, enter the directory attribute with which you want users to sign in to the application portal. For example, you can enter an attribute that contains usernames, or an attribute that contains user email addresses. See the Planning Checklist for this value.
- In the Object Class field, enter the object class of the user tag. For example, the default for Active Directory is user which synchronizes all users in the subtree. The default for LDAPv3 identity sources is inetOrgPerson.
- In the Reset Interval field, enter the minimum number of seconds before RSA SecurID Access attempts to reconnect to a directory server in the identity source that was previously unreachable.
- (Optional) Select Follow Referrals to allow queries to the identity source to follow referrals across partitions or between domain controllers. Following referrals can increase the likelihood of finding a requested object. Not following referrals can increase security by limiting a query to a specific domain with known security measures.
- In the Directory Servers section, add each directory server in the identity source. Each directory server must contain identical values for the Root, User Tag, and Object Class attributes. For each directory server:
- Click Add.
- In the Server field, enter the fully qualified hostname or IP address for this directory server from the Active Directory Server(s) section of the RSA SecurID Access Solution Architecture Workbook.
- In the Port field, enter the port used for communication to the directory server. The default port for SSL-encrypted communication is 636. The default port for non-SSL communication is 389.
- In the Cluster field, select the cluster that contains the identity routers that send authentication requests to this directory server (to validate credentials) during authentication.
- In the Routing Interface field, select Private to have the identity router connect to the directory server using the management interface or Public to have the identity router connect to the directory server using the proxy interface.
- In the Username field, enter the username for the directory server administrator account that handles the connection to RSA SecurID Access. For LDAPv3 identity sources, include the bind DN details.
- In the Password field, enter the password for the directory server administrator account.
- In the Connection Timeout field, enter the number of seconds that the identity router will attempt to connect to the directory server before it times out.
- Click Save.
- (Optional) To test the connection to the directory server, click the icon. If the connection is successful, the Connection Test dialog box displays a list of attributes read from the directory server.
- In the SSL Certificates section:
- If you are using SSL, select Use SSL encryption to connect to the directory servers.
- (Optional) Select Allow Users to Change Passwords to allow users to change their directory passwords using the application portal.
- Click Add and select the SSL certificate.
- Click Next Step.
- On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
The Use selected policy attributes with the Cloud Authentication Service checkbox is for deployments that use a configured relying party or RADIUS.
Checkbox Value Result Selected
Access policies can use the attributes selected in the Policies column on this page for selecting the target population. These selected attributes and the authentication attributes are synchronized to the Cloud Authentication Service during scheduled or manual synchronizations. For a list of authentication attributes synchronized, see LDAPv3 Directory Server Attributes Synchronized for Authentication and Active Directory Attributes Synchronized for Authentication.
Attributes selected in the Policies column are not synchronized. Authentication attributes are synchronized only if you select Synchronize user attributes for additional authentication on the Additional Authentication page in this wizard.
Note: If left unselected, you should avoid using LDAP attributes in access policies that use a relying party or RADIUS. Only policies that allow all authenticated users can allow users to successfully authenticate.
- To view only attributes that are selected to use in access policies, select Hide Unavailable Attributes.
- To use an attribute to configure access policies, select the checkbox in the Policies column. The attributes selected here are available on the Access Policies page.
- Select the checkbox in the Apps column to allow an attribute to be sent in HTTP headers when the Pass Headers option is enabled for an application.
- (Optional) To change an attribute's mapping:
- Click the icon in the Mapping column.
Edit the Target Attribute Name and Target Attribute Type fields, and click Save.
Note: If you change the default in the Target Attribute Name field to "mail" (for example, if you change Active Directory default “userPrincipalName” to “mail”), confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that users will be able to authenticate.
- Click Next Step.
- (Optional) To allow users from this identity source to use additional authentication:
- Select Synchronize user attributes for additional authentication. This checkbox is selected by default if you selected Use selected policy attributes with the Cloud Authentication Service on the User Attributes page.
- Enter a User Search Filter, which is an LDAP filter that specifies which users within the identity source to synchronize. For example, the User Search Filter (&(objectClass=user)(memberOf=cn=qe,ou=engineering,dc=mycom,dc=local)) specifies that only users that are members of a specific group within the identity source will be synchronized and able to use configured authentication methods.
- (LDAP identity sources only) Specify an LDAP directory server attribute to map to each RSA SecurID Access user attribute for synchronization. These fields are read-only for Active Directory identity sources. To map the LDAP user attributes for synchronization:
- In the First Name field, enter the LDAP attribute used to identify a user's first name, for example, givenName.
- In the Last Name field, enter the LDAP attribute used to identify a user's last name, for example, sn.
- In the Email Address field, enter the LDAP attribute used to identify a user's email address, for example, "mail." If you use an attribute other than "mail," confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that the attribute can be synchronized to the Cloud Authentication Service.
- In the SecurID Username field, enter the attribute used to identify a user's SecurID username, for example, uid. If your deployment does not include RSA Authentication Manager, set this attribute to the same value as the Primary Unique Identifier.
- In the Primary Unique Identifier field, enter a unique identifying value (DN) for the user, for example, entryDN.
In the Secondary Unique Identifier field, enter unique and stable identifier for the user. For example, entryUUID.
Note: To ensure that SMS and Voice tokencodes are correctly routed during
transmission, the country code is required. RSA recommends using the E.123
international format, +<country_code> <national_number>. For example, +1 555 555
5555 is a U.S. phone number that includes the country code +1.
In the SMS Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's mobile phone number that can receive text messages for SMS Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use SMS Tokencode, you must manually enter a phone number for each user.
- In the Voice Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's phone number for Voice Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use Voice Tokencode, you must manually enter a phone number for each user.
Note: If an attribute you specify does not exist in the LDAP directory server, synchronization fails.
- Click Save and Finish.
- (Optional) Click Publish Changes to activate the settings immediately.
Table of Contents > Identity Sources > Add an Identity Source for the Cloud Authentication Service