RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Cloud
When adding an identity source to the RSA Cloud Authentication Service by following the RSA Community article "Add, Delete, and Test the Connection for an Identity Source in Cloud Access Service", you must specify a root (base DN) value and a user search filter value. Together they define which user records will be synchronized from that identity source to the cloud.
- The root determines the node in the Identity Source tree which is the starting point from where users will be synchronized. For example, DC=company, DC=com.
- The user search filter specifies which user records within the root should be synchronized to the RSA Cloud Authentication Service. Only synchronized users can use configured authentication methods. An example user search filter is (&(objectCategory=person)(objectClass=user)).
It can sometimes be difficult to determine the optimal root and user search filter combination that retrieves the exact set of users who should be synchronized to the cloud.
Syntax mistakes can easily be made when designing complex search filters, causing unwanted users to be synchronized or some required users to be omitted.
Experimentation is sometimes required to ensure that the search filter is both syntactically correct and retrieves the correct set of users.
The root and user search filter fields of an identity source use standard LDAP string representation of search filters.
RSA recommends using any suitable LDAP browser tool to develop and test base DN and user search filter values, instead of trying to synchronize and check in the RSA Cloud Administration Console itself.
The advantages of using an LDAP browser tool are:
- LDAP browsers more easily allow you to check the results of a search, compared to doing that from the RSA Cloud Administration Console.
- You can fix incorrect search filters and re-test quickly.
- User search filters specified for an identity source can use attributes that are not synchronized to the cloud. With an LDAP browser, you can review all the attributes on records retrieved, which is useful for checking why search results are not as expected. In the RSA Cloud Administration Console, you cannot view attributes that are not synchronized to the cloud.
- Some tools will also come with online help that explains base DN and search filter syntax.
- Define the correct base DN and user search filter values using an LDAP browser.
- Copy and paste them directly from the LDAP browser into the corresponding root and user search filter fields of the RSA Cloud Administration Console's Identity Source configuration.
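
The Python sketch below is an added example, not RSA code. It parses a subset of the LDAP filter string syntax (and, or, not, equality, presence and `*` substring matches; no escape sequences, ordering or extensible matches) and previews which records a filter would select, so a syntax mistake or an over-broad filter shows up before anything is synchronized. The function names and sample records are constructed for illustration; the computer record carries objectClass=user, as Active Directory computer objects do.

```python
import re

def parse(text):
    """Parse an LDAP filter string into nested tuples; raise ValueError on bad syntax."""
    node, pos = _node(text, 0)
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return node

def _node(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = _node(s, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, kids)
    else:
        end = s.find(")", i)  # -1 when the closing parenthesis is missing
        m = re.fullmatch(r"([A-Za-z][\w.;-]*)=([^()]*)", s[i:max(end, i)])
        if not m:
            raise ValueError(f"malformed comparison at offset {i}")
        node, i = ("=", m.group(1).lower(), m.group(2).lower()), end
    if s[i:i + 1] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against one record (lowercase attribute -> list of values)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    # '*' in the value is a wildcard; a lone '*' is a presence test
    pattern = ".*".join(re.escape(part) for part in node[2].split("*"))
    return any(re.fullmatch(pattern, v.lower()) for v in entry.get(node[1], []))

def preview(filter_text, entries):
    """Return the sorted names of the records the filter would select."""
    tree = parse(filter_text)
    return sorted(name for name, e in entries.items() if matches(tree, e))

SAMPLE = {  # constructed records, not taken from any real directory
    "alice": {"objectcategory": ["person"], "objectclass": ["user"], "mail": ["alice@example.com"]},
    "svc-backup": {"objectcategory": ["person"], "objectclass": ["user"]},
    "pc-0142": {"objectcategory": ["computer"], "objectclass": ["user", "computer"]},
}
```

Comparing `preview("(objectClass=user)", SAMPLE)` with the article's example filter shows the computer record dropping out once `(objectCategory=person)` is added. The final values should still be confirmed against the real directory with an LDAP browser.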