RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Cloud
When adding an identity source to the RSA Cloud Authentication Service by following the RSA Community article "Add, Delete, and Test the Connection for an Identity Source in Cloud Access Service", you must specify a root (base DN) value and a user search filter value. Together, these define which user records will be synchronized from that identity source to the cloud.
- The root determines the node in the Identity Source tree which is the starting point from where users will be synchronized. For example, DC=company, DC=com.
- The user search filter specifies which user records within the root should be synchronized to the RSA Cloud Authentication Service. Only synchronized users can use configured authentication methods. An example user search filter is (&(objectCategory=person)(objectClass=user)).
It can sometimes be difficult to determine the optimal root and user search filter combination that retrieves the exact set of users who should be synchronized to the cloud.
Syntax mistakes can easily be made when designing complex search filters, causing unwanted users to be synchronized or some required users to be omitted.
Experimentation is sometimes required to ensure that the search filter is both syntactically correct and retrieves the correct set of users.
The root and user search filter fields of an identity source use the standard LDAP string representation of search filters.
RSA recommends using any suitable LDAP browser tool to develop and test base DN and user search filter values, instead of trying to synchronize and check in the RSA Cloud Administration Console itself.
The advantages of using an LDAP browser tool are:
- LDAP browsers more easily allow you to check the results of a search, compared to doing that from the RSA Cloud Administration Console.
- You can fix incorrect search filters and re-test quickly.
- User search filters specified for an identity source can use attributes that are not synchronized to the cloud. With an LDAP browser, you can review all the attributes on records retrieved, which is useful for checking why search results are not as expected. In the RSA Cloud Administration Console, you cannot view attributes that are not synchronized to the cloud.
- Some tools will also come with online help that explains base DN and search filter syntax.
- Define the correct base DN and user search filter values using an LDAP browser.
- Copy and paste them directly from the LDAP browser into the corresponding root and user search filter fields of the RSA Cloud Administration Console's Identity Source configuration.
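The following Python sketch is an added example, not RSA code or part of the original article: it checks a candidate root and user search filter offline, by parsing the filter and applying both values to a few constructed records. The names parse, matches, select and DIRECTORY are assumptions of this example; it supports only equality, presence and substring tests, rejects other comparison forms, and does not interpret escaped characters.

```python
import re

# Constructed, simplified sample records (real AD stores objectCategory as a DN).
DIRECTORY = {
    "CN=Alice,OU=Staff,DC=company,DC=com": {"objectClass": ["person", "user"], "objectCategory": ["person"]},
    "CN=WS01,OU=Computers,DC=company,DC=com": {"objectClass": ["person", "user", "computer"], "objectCategory": ["computer"]},
    "CN=Bob,OU=Staff,DC=other,DC=com": {"objectClass": ["person", "user"], "objectCategory": ["person"]},
}

def parse(text, i=0, top=True):
    """Parse an LDAP filter string into nested tuples; raise ValueError on bad syntax."""
    if text[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if text[i:i + 1] in ("&", "|", "!"):
        op, kids, i = text[i], [], i + 1
        while text[i:i + 1] == "(":
            kid, i = parse(text, i, top=False)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) > 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, kids)
    else:
        m = re.compile(r"([A-Za-z][\w;.-]*)=([^()]*)").match(text, i)
        if not m:
            raise ValueError(f"unsupported or malformed attribute test at offset {i}")
        node, i = ("=", m.group(1).lower(), m.group(2).lower()), m.end()
    if text[i:i + 1] != ")":
        raise ValueError(f"missing ')' at offset {i}")
    if top and i + 1 != len(text):
        raise ValueError(f"unexpected text at offset {i + 1}")
    return node if top else (node, i + 1)

def matches(node, entry):
    """Evaluate a parsed filter against one record, ignoring case."""
    if node[0] in ("&", "|"):
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    rx = ".*".join(re.escape(part) for part in node[2].split("*"))  # '*' is a wildcard
    values = [v for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    return any(re.fullmatch(rx, v.lower(), re.S) for v in values)

def select(root, filter_text, directory=DIRECTORY):
    """Return the DNs at or below root whose records match the filter."""
    norm = lambda dn: re.sub(r"\s*,\s*", ",", dn.strip()).lower()
    tree, base = parse(filter_text.strip()), norm(root)
    return [dn for dn, e in directory.items()
            if (norm(dn) == base or norm(dn).endswith("," + base)) and matches(tree, e)]
```

With the constructed records, (objectClass=user) alone also returns the computer account WS01, while the article's example filter returns only the person record under the root.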