|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Agent for Active Directory Federation Services (AD FS)
RSA Version/Condition: 1.0.1
|Cause||Since Microsoft AD FS owns the format of the username displayed (that is, <domain>\jon.smith), the Authentication Agent for AD FS needs to alter the AD FS behavior through a GPO. However, this GPO must be in place before the agent is registered with both AD FS and with Authentication Manager.|
The SecurIDAuthProvider(MicrosoftIdentityServer...).log for the AD FS agent will show the claim type, in this case windowsaccountname, when it should be UPN.
|Resolution||In this situation you will need to un-register the agent with AD FS, then re-register it after the GPO is in place.|
Be sure to close IE to clear the browser cache before testing again after this fix.
|Workaround||A workaround would be to use an alias for the samAccountName in Authentication Manager for the UPN user name.|
|Notes||Also, the display will not change; company\jon.smith will still show, but the Authentication Manager logs, including the Real Time Monitor Authentication Activity Monitor, will show the UPN email@example.com.|