Directory Server Attributes for Authentication
The identity source attributes configured on the Synchronize User Attributes tab are always synchronized with Cloud Access Service (CAS).
To configure identity source attributes, see Add an Identity Source.
Active Directory Attributes for Authentication
When you add an Active Directory identity source, the attributes in the following table are mapped to their corresponding attributes in Active Directory. The table shows the default mapping, but you can customize the mapping.
| Field Name in the Cloud Administration Console | Attribute Name in Active Directory | Usage |
|---|---|---|
| First Name | givenName | User's first name |
| Last Name | sn | User's last name |
| Email Address | User's email address/User ID | |
Primary Username | sAMAccountName | Primary user identifier for multifactor authentication through CAS, including SecurID, RADIUS, and third-party MFA clients. Typically, this is a short username, such as jdoe. |
| Primary Unique Identifier | distinguishedName | Used during device registration, LDAP password authentication (including primary authentication for relying parties and RADIUS), FIDO registration, and identity source synchronization. |
| Secondary Unique Identifier | objectGUID | Used to identify users during synchronization. |
| User Account Status | userAccountControl | Indicates whether a user is enabled or disabled in Active Directory. A disabled user cannot authenticate using CAS. |
| User Account Expiration | accountExpires | Indicates when the user’s Active Directory account expires, if applicable. An expired user is disabled in the CAS and cannot authenticate. Note: If you are synchronizing from an Active Directory Global Catalog, RSA recommends that, in the directory server, you configure accountExpires to be replicated to the Active Directory Global Catalog. This ensures that user enablement status in CAS is synchronized with Active Directory. |
LDAPv3 Directory Server Attributes for Authentication
If you want LDAPv3 users to authenticate through CAS, you must map each of the following user attributes to its corresponding attribute in your LDAPv3 directory server when you add an identity source.
| CAS Attribute Name | Attribute Value | Name of Recommended Attribute in LDAPv3 Directory Server | |||
|---|---|---|---|---|---|
| Oracle Directory Server | Apache Directory Server | OpenDJ | OpenLDAP | ||
| First Name | User's first name. | givenName | givenName | givenName | givenName |
| Last Name | User's last name. | sn | sn | sn | sn |
| Email Address | User's email address. Note: This attribute must be named mail and must be in the LDAP directory's inetOrgPerson objectClass. | ||||
SecurID Username Primary Username | Primary user identifier for multifactor authentication through the Cloud Access Service, including SecurID, RADIUS, and third-party MFA clients. Typically, this is a short username, such as jdoe. | uid | uid | uid | uid |
| Primary Unique Identifier | A unique identifying value (DN) for the user. | entryDN | entryDN | entryDN | entrydn |
| Secondary Unique Identifier | A unique and stable identifier for the user. The value of the Secondary Unique Identifier must not change, even if the user's name, email address, or DN changes over time. | nsUniqueId | entryUUID | entryUUID | nsUniqueId |
| User Account Status | Indicates whether a user is enabled or disabled in the directory server. A disabled user cannot authenticate using CAS. If you cannot use a recommended attribute, map to a similar boolean attribute. CAS treats the TRUE value as disabled status and FALSE value as enabled status. | nsAccountLock | pwdAccountLockedTime | ds-pwp-account-disabled | pwdAccountLockedTime |
| User Account Expiration | Indicates when the user’s directory server account expires, if applicable. An expired user is disabled in CAS and cannot authenticate. Also see User Account Expiration Attributes for LDAPv3 Directory Servers. | N/A | N/A | ds-pwp-account-expiration-time attribute. | N/A |
Optional Attributes
The following attributes are synchronized if you configure them when you add an identity source. This applies to both Active Directory and LDAPv3 directory servers. These attributes are intended only for specific environments.
| Attribute | Usage |
|---|---|
| SMS Tokencode Phone Number | LDAP attribute used to identify a user's mobile phone number that can receive text messages for SMS OTP. SMS Tokencode is a six-digit code that CAS sends to the user's phone in an SMS message when the user attempts to access an application. |
| Voice Tokencode Phone Number | LDAP attribute used to identify a user's phone number for Voice OTP. Voice Tokencode is a six-digit code that CAS provides by calling the user's phone when the user attempts to access an application. |
| Alternate Username | An attribute that can be used as an additional user identifier. For example, you can use this attribute for the Active Directory userPrincipalName. This attribute can be used with all applications protected by CAS except those in IDR SSO Agent deployments. This feature is useful for relying party deployments that need to provide multiple ways for users to specify their usernames. If configured, users can provide either primary or alternate username and be correctly identified. |
| Manager | An attribute that is used as a distinguished name of the user's manager. |
User Account Expiration Attributes for LDAPv3 Directory Servers
If your directory server tracks expired user accounts through an LDAP attribute, you can map User Account Expiration to any attribute that accepts a value in LDAP GeneralizedTime type format, as described in https://tools.ietf.org/html/rfc4517#page-13. The time reflects the user's account end date. If detection is unsupported, leave this attribute blank. If you do not map this attribute or the value is blank, CAS assumes the account is not expired.
Related Articles
Manage User Profile and Notifications Number of Views Enable or Disable RADIUS User Attributes Number of Views View the Identity Sources in Your Deployment Number of Views View Identity Sources Linked to the System Number of Views Manage User Groups Number of Views
Trending Articles
RSA Authentication Manager Upgrade Process How to Update the Root (Server) and Client Certificates in RSA Identity Governance & Lifecycle RSA Authenticator 6.2.2 for Windows Administrator Guide RSA SecurID software token .sdtid file fails to import into RSA SecurID Software Token 5.0 for Windows RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide
