Directory Server Attributes Synchronized for Authentication

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on May 18, 2018.
Version 25
You must enable synchronization for identity source attributes if you want users to authenticate through the Cloud Authentication Service. For details, see:

Active Directory Attributes Synchronized for Authentication

If you want Active Directory users to authenticate through the Cloud Authentication Service, you must enable synchronization for the following attributes. These attributes are automatically mapped to your Active Directory.

| Field Name in the Cloud Administration Console | Attribute Name in Active Directory | Usage |
|---|---|---|
| First Name | givenName | User's first name |
| Last Name | sn | User's last name |
| Email Address | mail | User's email address/User ID |
| SecurID Username | sAMAccountName | User ID for RADIUS and RSA SecurID authentication. |
| Primary Unique Identifier | distinguishedName | Used during device registration, LDAP password authentication (including primary authentication for relying parties and RADIUS), FIDO registration, and identity source synchronization. |
| Secondary Unique Identifier | objectGUID | Used to identify users during synchronization. |
| User Account Status | userAccountControl | Indicates whether a user is enabled or disabled in Active Directory. A disabled user cannot authenticate using the Cloud Authentication Service. |
| User Account Expiration | accountExpires | Indicates when the user's Active Directory account expires, if applicable. An expired user is disabled in the Cloud Authentication Service and cannot authenticate. |

Note:  If you are synchronizing from an Active Directory Global Catalog, RSA recommends that, in the directory server, you configure accountExpires to be replicated to the Active Directory Global Catalog. This ensures that user enablement status in the Cloud Authentication Service is synchronized with Active Directory.

Note:  SMS Tokencode Phone Number and Voice Tokencode Phone Number are also synchronized if you configure them when you add an identity source.

LDAPv3 Directory Server Attributes Synchronized for Authentication

If you want LDAPv3 users to authenticate through the Cloud Authentication Service, you must do the following when you add an identity source:

  • Map each of the following user attributes to its corresponding attribute in your LDAPv3 directory server.
  • Enable synchronization for these attributes.
The last four columns give the name of the recommended attribute in each LDAPv3 directory server.

| Cloud Authentication Service Attribute Name | Attribute Value | Oracle Directory Server | Apache Directory Server | OpenDJ | OpenLDAP |
|---|---|---|---|---|---|
| First Name | User's first name. | givenName | givenName | givenName | givenName |
| Last Name | User's last name. | sn | sn | sn | sn |
| Email Address | User's email address. Note: This attribute must be named mail and must be in the LDAP directory's inetOrgPerson objectClass. | mail | mail | mail | mail |
| SecurID Username | User's SecurID username. Typically, this is a short username, such as jdoe. If your deployment does not include RSA Authentication Manager, set this attribute to the same value as the Primary Unique Identifier. | uid | uid | uid | uid |
| Primary Unique Identifier | A unique identifying value (DN) for the user. | entryDN | entryDN | entryDN | entrydn |
| Secondary Unique Identifier | A unique and stable identifier for the user. The value of the Secondary Unique Identifier must not change, even if the user's name, email address, or DN changes over time. | nsUniqueId | entryUUID | entryUUID | nsUniqueId |
| User Account Status | Indicates whether a user is enabled or disabled in the directory server. A disabled user cannot authenticate using the Cloud Authentication Service. If you cannot use a recommended attribute, map to a similar boolean attribute. The Cloud Authentication Service treats the TRUE value as disabled status and the FALSE value as enabled status. | nsAccountLock | pwdAccountLockedTime | ds-pwp-account-disabled | pwdAccountLockedTime |
| User Account Expiration | Indicates when the user's directory server account expires, if applicable. An expired user is disabled in the Cloud Authentication Service and cannot authenticate. Also see User Account Expiration Attributes for LDAPv3 Directory Servers. | N/A | N/A | ds-pwp-account-expiration-time | N/A |

Note:  SMS Tokencode Phone Number and Voice Tokencode Phone Number are also synchronized if you configure them when you add an identity source.

User Account Expiration Attributes for LDAPv3 Directory Servers

If your directory server tracks expired user accounts through an LDAP attribute, you can map User Account Expiration to any attribute that accepts a value in LDAP GeneralizedTime type format, as described in https://tools.ietf.org/html/rfc4517#page-13. The time reflects the user's account end date. If detection is unsupported, leave this attribute blank. If you do not map this attribute or the value is blank, the Cloud Authentication Service assumes the account is not expired.
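As an added example (not part of the RSA documentation), the Python below encodes the enablement rules stated in the Active Directory table and the LDAPv3 sections above: the disabled bit in userAccountControl and the accountExpires timestamp for Active Directory, and the TRUE/FALSE account-status convention plus an RFC 4517 GeneralizedTime expiration value for LDAPv3. The function and constant names are assumptions; the reading of userAccountControl bit 0x0002 as "account disabled" and of accountExpires as 100-nanosecond intervals since 1601-01-01 (with 0 or 0x7FFFFFFFFFFFFFFF meaning "never expires") comes from the Microsoft attribute definitions, not from this page.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME epoch: accountExpires counts 100-nanosecond intervals since this instant.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_AD_NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}   # both values mean "account never expires"
_UF_ACCOUNTDISABLE = 0x0002                   # userAccountControl bit for a disabled account


def ad_account_expiry(account_expires):
    """Return accountExpires as an aware datetime, or None when the account never expires."""
    value = int(account_expires)
    if value in _AD_NEVER_EXPIRES:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=value // 10)


def ad_user_enabled(user_account_control, account_expires, now):
    """Active Directory rule from the page: the disabled bit or a past accountExpires blocks authentication."""
    if int(user_account_control) & _UF_ACCOUNTDISABLE:
        return False
    expiry = ad_account_expiry(account_expires)
    return expiry is None or expiry > now


def parse_generalized_time(value):
    """Parse RFC 4517 GeneralizedTime (YYYYMMDDHH[MM[SS]][.frac](Z|+hhmm|-hhmm)) into an aware datetime."""
    if value.endswith("Z"):
        body, offset = value[:-1], timedelta(0)
    else:
        sign = max(value.rfind("+"), value.rfind("-"))
        if sign < 0:
            raise ValueError("GeneralizedTime needs a time-zone designator: %r" % value)
        body, tz = value[:sign], value[sign:]
        offset = timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5] or 0))
        if tz[0] == "-":
            offset = -offset
    body = body.split(".")[0].split(",")[0]   # drop the optional fractional part
    if len(body) not in (10, 12, 14) or not body.isdigit():
        raise ValueError("malformed GeneralizedTime: %r" % value)
    naive = datetime.strptime(body.ljust(14, "0"), "%Y%m%d%H%M%S")  # pad missing MM/SS
    return naive.replace(tzinfo=timezone(offset))


def ldap_user_enabled(account_status, account_expiration, now):
    """LDAPv3 rule from the page: status TRUE means disabled; a blank or unmapped expiration means not expired."""
    if account_status is not None and str(account_status).strip().upper() == "TRUE":
        return False
    if not account_expiration:
        return True
    return parse_generalized_time(account_expiration) > now
```

Run it over the attribute values your identity source exports before enabling synchronization to confirm that users you expect to be enabled are not treated as disabled or expired.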

Where to Enable Attribute Synchronization

You enable attribute synchronization when you add an identity source on the Users > Identity Source wizard pages.

| If you want to do this... | You must select... |
|---|---|
| Allow users to use the Cloud Authentication Service | For SSO Agent deployments, synchronization is required if at least one application is protected by a policy that requires additional authentication. If only password authentication is used, you do not need to synchronize. Synchronization is also required if you configured the application portal or the Cloud Administration Console to require additional authentication. |
| Set up access policy rules to identify the target population based on user attributes, and your deployment uses RADIUS or relying parties | Use selected policy attributes with the Cloud Authentication Service on the User Attributes page, and also select which attributes you want to synchronize. Selecting this option automatically enables the Synchronize user attributes checkbox to synchronize the authentication attributes listed in the previous table. |

Note:  In SSO Agent deployments, access policies are evaluated on the identity router, so you do not need to select attributes on the User Attributes page for synchronization.
