Identity Sources for Cloud Access Service
An identity source in the RSA Cloud Access Service (CAS) is a repository that represents users. CAS supports the following types of identity sources:
LDAP Directory Server
Microsoft Active Directory (on-premise)
Local
SCIM-Managed
Entra ID / Azure Active Directory (SCIM): A limited form of a SCIM-managed identity source that only works with Entra ID.
RSA Authentication Manager Internal Database
For more information about each identity source type, see Unified Directory Identity Sources.
Note: Super Administrators can manage identity sources in the Cloud Administration Console. Help Desk Administrators can manage users.
Users can be provisioned into and managed within an identity source using various methods, depending on the identity source type. The following table outlines the available methods for creating, modifying, and deleting users based on the identity source type.
| Identity Source Type | Create User | Modify User | Delete User |
|---|---|---|---|
| LDAP | | | |
| Active Directory | | | |
| Local | | | |
| SCIM-Managed | | | |
| Entra ID (Azure AD) | | | |
| RSA Authentication Manager (AM) Internal Database | | | |
Use the Identity Sources page to view the identity sources in your deployment and to perform related tasks. You must be a Super Administrator for the Cloud Administration Console to manage identity sources.
| Action | Description |
|---|---|
| View identity sources. | Click Users > Identity Sources. |
| Add an identity source. | |
| Edit an identity source. | On the Identity Sources page, select Edit from the drop-down menu to the right of the identity source. |
| Synchronize an identity source. | |
| Disable an identity source. | To disable a Unified Directory identity source (for example, Local), see the "Disable a Unified Directory Identity Source" section on Unified Directory Identity Sources. |
| Delete an identity source. | See Delete an Identity Source. |
| Test the connection between an identity router and a directory server within an identity source. | See Test the Connection Between an Identity Router and a Directory Server. |
This topic describes:
Synchronizing Identity Sources with the LDAP Directory Server
Automatic Removal of Users Who Have Never Used the Cloud Access Service
Supported Directory Servers
CAS supports Microsoft Active Directory and LDAPv3 directories. The LDAPv3 servers must support Simple Paged Search. Your LDAP server must support control type 1.2.840.113556.1.4.319. See your LDAP server documentation to verify this support before adding an LDAPv3 identity source.
Note: The identity router uses simple bind authentication for connections to LDAP directory servers.
Synchronizing Identity Sources with the LDAP Directory Server
Synchronization is the process by which CAS copies the latest user information from the LDAP directory server to the CAS identity source. CAS has read-only access to the LDAP directory server. CAS needs the latest information from the directory server about each user so the user can register authenticators and use them to access protected resources. Synchronization ensures that the latest user attributes are available to CAS for access policies and SMS OTP and Voice OTP authentication. User passwords are not synchronized.
During synchronization, RSA searches for an available identity source server. At least one server must be reachable. If a server cannot be reached, the synchronization process terminates.
Synchronization Methods
The following synchronization methods are available:
Just-in-Time Synchronization
Each time CAS processes a user authentication, the identity source in CAS updates the user's identity source record with the latest information from the directory server. One user record is updated per authentication attempt. This is called just-in-time synchronization.
Just-in-time synchronization can occur once every five minutes per user. After a user’s record is updated, it cannot be updated again for the next five minutes. However, updates for other users can still occur at any time. If there is an issue and the data cannot be retrieved, CAS will attempt to update the user’s record during the next authentication attempt, without waiting for the five-minute interval.
Just-in-time synchronization produces the following results:
If the user is new, a record is added to CAS.
If the user already has a record in CAS, the record is overwritten. All attribute values that were modified in the LDAP directory server since the previous synchronization are updated in the cloud. Attribute values that did not originate in LDAP and exist only in the cloud are not overwritten. For example, these include user devices and authentication methods.
CAS automatically disables or re-enables the user depending on whether the user is expired, disabled, or out-of-scope (as described in Synchronization Scope) in the directory server.
Just-in-time synchronization does not occur when a user authenticates using only a password through the identity router application portal because CAS is not performing the authentication.
Manual Bulk Synchronization
Manual bulk synchronization is available when you need to update an entire identity source. For example, suppose you have users who have been disabled in the directory server or moved out of scope from the identity source, and their presence in CAS exceeds the license limit. You can use manual bulk synchronization to disable those users in CAS before they attempt to authenticate. Those users will eventually be deleted from CAS if they are marked for automatic bulk deletion as described in Mark a User for Automatic Bulk Deletion from Cloud Access Service. In contrast, just-in-time synchronization updates users only when they attempt to authenticate.
Note: CAS synchronizes only a limited number of users during manual synchronization. Any users who exceed this limit are not synchronized.
Manual bulk synchronization is being phased out. It can be used during initial setup to synchronize all users at once, but RSA recommends using automatic Just-in-Time (JIT) synchronization or synchronizing single users one at a time when needed.
For information on using bulk synchronization, see Manually (Bulk) Synchronize an Identity Source for Cloud Access Service.
Single User Synchronization
A Super Admin or Help Desk Admin can synchronize a single user by clicking Synchronize on the User Management page for the user.
When you search for an unsynchronized user in the Cloud Administration Console, that user is automatically added to CAS when you click Include users not yet synchronized to the Cloud Authentication Service in your search. Exact matches only. For more information, see View User Information.
Periodic User Refresh
To keep CAS user accounts current, a daily automatic User Accounts Refresh process will auto-select from the on-prem directory server (LDAP) up to 1000 of those users whose CAS accounts have not authenticated within a set number of days for further inspection.
Based on the directory server response, account details are updated for all refreshed user accounts. The system disables those accounts that are expired on the directory server, out of scope, or deleted. Once disabled, these accounts lose access to CAS.
You can configure the non-authenticating user status check interval from the Users > Bulk User Maintenance page by setting the number of days in the Update status of users who haven’t authenticated for field. You can adjust this setting to control how frequently the system reviews and updates the status of users who have not authenticated. The default value is 30 days, and the minimum allowed value is 7 days.
Synchronization and User Status in CAS
Synchronization may update the user status in CAS based on the status in the directory server. The relevant attributes are automatically mapped for Active Directory identity sources, but you can customize these mappings. Manual mapping is required for LDAPv3 identity sources. If you map only one attribute for an LDAPv3 identity source, that attribute provides the user status from the directory server. If you do not map any attributes for LDAPv3, CAS views the user as enabled in the directory server and the status in CAS is never overridden during synchronization. If you map both attributes for an LDAPv3 identity source, expect the following synchronization results for both LDAPv3 and Active Directory identity sources:
| User Status in Directory Server | User Status in CAS | User Status Result After Next Synchronization |
|---|---|---|
| Disabled or expired | No existing records | These users are not added to CAS. |
| Disabled or expired | Enabled (from previous synchronization) | These users become disabled in CAS. You cannot manually re-enable them in CAS. |
| Enabled, disabled, or expired | Manually disabled | These users remain disabled after synchronization even if they are enabled in the directory server. |
| Re-enabled or no longer expired | Disabled through synchronization | These users automatically become re-enabled in CAS. |
| Re-enabled or no longer expired | Disabled through synchronization, then Pending Deletion | These users automatically become re-enabled in CAS (no longer pending deletion). |
| Missing (users who were deleted or are not in scope defined for the identity source) | Enabled, disabled, pending deletion | Users who were previously enabled are disabled in CAS. Users who were previously disabled or pending deletion (and disabled) remain in that state. |
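The table above is a small state machine. The following is an added example, not RSA's code: it encodes each row as a rule so that the outcome for a given directory-server and CAS status pair can be checked; the status labels are this example's own, not product identifiers, and the "new user is added" case comes from the just-in-time synchronization results listed earlier.

```python
# Added example (not RSA's code): the synchronization rules from the
# "Synchronization and User Status in CAS" table as a function.

# Directory-server side (labels are this example's own)
DIR_DISABLED_OR_EXPIRED = "disabled_or_expired"
DIR_ENABLED = "enabled"            # also covers re-enabled / no longer expired
DIR_MISSING = "missing"            # deleted, or outside the User Search Filter scope

# CAS side
CAS_NONE = "no_record"
CAS_ENABLED = "enabled"
CAS_MANUALLY_DISABLED = "manually_disabled"
CAS_SYNC_DISABLED = "disabled_by_sync"
CAS_PENDING_DELETION = "pending_deletion"   # disabled by sync, then marked for deletion


def next_status(dir_status, cas_status):
    """Return the CAS status after the next synchronization."""
    if cas_status == CAS_MANUALLY_DISABLED:
        # Row 3: a manual disable is never undone by synchronization,
        # whatever the directory server says.
        return CAS_MANUALLY_DISABLED
    if dir_status == DIR_DISABLED_OR_EXPIRED:
        if cas_status == CAS_NONE:
            return CAS_NONE                 # Row 1: never added to CAS
        if cas_status == CAS_ENABLED:
            return CAS_SYNC_DISABLED        # Row 2: cannot be re-enabled by hand
        return cas_status                   # already disabled / pending: unchanged
    if dir_status == DIR_ENABLED:
        if cas_status in (CAS_SYNC_DISABLED, CAS_PENDING_DELETION):
            return CAS_ENABLED              # Rows 4-5: automatic re-enable
        return CAS_ENABLED                  # enabled stays enabled; new user is added
    if dir_status == DIR_MISSING:
        if cas_status == CAS_ENABLED:
            return CAS_SYNC_DISABLED        # Row 6: out of scope or deleted
        return cas_status                   # disabled / pending / no record: unchanged
    raise ValueError(f"unknown directory status: {dir_status!r}")


def can_authenticate(cas_status):
    """Only enabled CAS users can authenticate; every disabled state is blocked."""
    return cas_status == CAS_ENABLED


def replay(start, directory_observations):
    """Walk a user through a sequence of synchronizations and return the trail."""
    trail, status = [start], start
    for observed in directory_observations:
        status = next_status(observed, status)
        trail.append(status)
    return trail
```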
Synchronization Scope
The User Search Filter field determines which users get synchronized. If you synchronize immediately after adding the identity source, as recommended, then all users within the User Search Filter scope are added to CAS.
Note: You can modify the User Search Filter to narrow the scope after the initial synchronization. Over time, users who are no longer in scope will be automatically disabled and deleted from CAS. A user may become disabled when you initiate a Synchronize Now operation for them, when the Periodic User Refresh job runs and updates their status, or when the user attempts to authenticate. Once disabled, they are deleted from CAS after the configured number of days, as described in Manage Users for Cloud Access Service - Configure or Disable Automatic User Deletion - Bulk Maintenance.
If a user becomes out of scope of the identity source, the User Management page might still show them as active. However, they will not be able to authenticate. When they try to authenticate, a just-in-time synchronization will run for that user and change their status to disabled. Similarly, if you perform a single user synchronization on the out-of-scope user, their status will also be updated to disabled. If no action is taken, the "Periodic User Refresh" job will eventually update their status automatically.
User Attributes Synchronized
RSA synchronizes a limited subset of user attributes from your directory server to identity sources and uses these attributes for different purposes, depending on which product components are included in your deployment.
| Deployment Components | Synchronized Attributes and Usage |
|---|---|
| IDR SSO Agent | Identity source attributes are required to validate users for authentication and authenticator registration. For a list of synchronized attributes, see Directory Server Attributes Synchronized for Authentication. User passwords are not synchronized. |
| Relying parties, RADIUS clients, and My Page | RSA synchronizes the same attributes as it does in an IDR SSO Agent deployment to obtain attributes for authentication and authenticator registration. In addition, you must configure a separate list of attributes to identify the target user population in access policies (not required if you use the policy All Authenticated Users). You select these attributes when you add an identity source, in the Policies column on the User Attributes page. Synchronization makes the selected user attributes available to access policies during authentication. If synchronization is disabled and access policies require LDAP attributes to select the target population, users cannot successfully authenticate. Without synchronization, only policies that allow all authenticated users allow successful authentication. For more information on making identity source attributes available to access policies, see Access Policies. |
Phone Number Synchronization for SMS and Voice OTPs
Users can use SMS OTP or Voice OTP if each method meets the following criteria:
- RSA has enabled the method for your company.
- Users' required identity source information is synchronized with CAS (similar to other authentication methods).
- Phone numbers for these methods are stored for the user in CAS. Phone numbers can be synchronized from the LDAP directory server or entered manually by the administrator.
You configure SMS OTP and Voice OTP separately. You are not required to make both methods available to users.
Phone Number Attributes
If you want phone numbers to be synchronized from the identity source, you must enter an LDAP attribute for the SMS and Voice phone numbers in the identity source configuration. If the phone number format for that attribute changes in the LDAP directory server, the format is also changed in CAS, but the actual phone number remains the same.
If you do not configure an attribute and SMS OTP or Voice OTP is required for authentication, you must manually enter phone numbers for users on the Users > Management page.
If CAS has multiple phone numbers for a user for either SMS OTP or Voice OTP, the first number in the list for each method is used as the default number for that method. You can use the Cloud Administration Console to select a different phone number to use for authentication.
Overwriting Phone Numbers During Synchronization
During synchronization, all user information is updated in the cloud identity source. The following information applies only to the users' assigned SMS OTP and Voice OTP phone numbers that are maintained on the Users > Management page.
If you configure a phone number attribute for SMS or Voice, users' assigned phone numbers are overwritten in the cloud identity source during synchronization when both of the following are true:
The phone number was not manually modified for the user on the Users > Management page in the Cloud Administration Console.
The phone number value has been changed on the LDAP directory server.
Users' assigned SMS and Voice phone numbers are not overwritten in the cloud identity source during synchronization if you manually entered or changed those phone numbers on the Users > Management page. For example:
You manually modify a synchronized phone number, including by changing the country code.
You manually enter the phone number when no LDAP phone number attribute is configured in RSA. The phone number is not overwritten even if you add the LDAP attribute at a later date.
You manually delete an existing phone number (that was either manually-entered or synchronized) and did not manually enter a new number, leaving the field value blank.
Note: The LDAP directory server determines the phone number format. If you modify the phone number format on the Users > Management page after synchronization, the next synchronization overwrites your changes. For example, if the LDAP directory server synchronizes the phone number +1 555-5555 and you change the format on the Users > Management page to +1 555.5555, the next synchronization will replace your change with +1 555-5555.
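The overwrite rules above, including the note that a format-only edit is replaced while a manual change of the number itself is kept, can be modelled as follows. This is an added example, not RSA's code: the record fields and the digit-only comparison used to distinguish a "manual modification" from a format-only edit are this example's own assumptions, chosen so that each case described in the text comes out as stated.

```python
# Added example (not RSA's code): a model of how a user's SMS/Voice OTP phone
# number is, or is not, overwritten by synchronization.
import re


def digits(value):
    """Compare numbers by digits only: '+1 555-5555' and '+1 555.5555' are equal."""
    return re.sub(r"\D", "", value or "")


def new_record():
    # 'manual' marks a value the administrator maintains; sync never touches it.
    return {"value": "", "manual": False}


def admin_edit(record, new_value):
    """An administrator edits the number on the Users > Management page."""
    if new_value and digits(new_value) == digits(record["value"]):
        # Format-only change (assumption: same digits): it is still treated as
        # the synchronized value, so the next sync restores the directory format.
        record["value"] = new_value
    else:
        # Digits changed (e.g. country code), a number entered by hand, or the
        # field blanked out: from now on the value is administrator-maintained.
        record["value"] = new_value
        record["manual"] = True
    return record


def synchronize(record, ldap_value):
    """Apply the directory value; ldap_value is None when no attribute is configured."""
    if ldap_value is None or record["manual"]:
        return record
    if ldap_value != record["value"]:
        record["value"] = ldap_value
    return record


def walk_through():
    """The scenarios from the text, returned as {scenario: final value}."""
    fmt = synchronize(new_record(), "+1 555-5555")
    admin_edit(fmt, "+1 555.5555")              # format only
    synchronize(fmt, "+1 555-5555")

    cc = synchronize(new_record(), "+1 555-5555")
    admin_edit(cc, "+44 555-5555")              # country code changed by hand
    synchronize(cc, "+1 555-5556")

    late = admin_edit(new_record(), "+1 555-0100")  # entered with no attribute
    synchronize(late, "+1 555-0199")            # attribute configured later

    blank = synchronize(new_record(), "+1 555-5555")
    admin_edit(blank, "")                       # deleted, left blank
    synchronize(blank, "+1 555-5555")

    return {"format_only": fmt["value"], "country_code": cc["value"],
            "late_attribute": late["value"], "blanked": blank["value"]}
```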
Automatic Removal of Users Who Have Never Used the Cloud Access Service
CAS runs an automatic clean-up process, which removes the data for users who have never used CAS. This includes identifying the users who have not used CAS for at least 30 days after their user records were initially created in CAS, disabling and marking them for deletion, and deleting their data. CAS automatically deletes all users who have been Pending Deletion (disabled and marked for deletion) for seven days. The deleted user records can be added back if the users need to use CAS.
Preventing Deleted, Disabled, and Expired Users from Authenticating
Just-in-time synchronization prevents deleted, disabled, and expired users from authenticating by automatically disabling those users during the authentication attempt. Disabled users cannot authenticate.
You can require users to provide directory server credentials prior to additional (step-up) authentication to further ensure that deleted, disabled, and expired users are blocked from accessing protected resources.
Rarely, a network issue or slow response from the directory server may prevent the synchronization from completing within the allowed time frame. In these cases, CAS refers to the most recent cached information it has about the user in order to continue the authentication process. The cached data will be updated with the next just-in-time synchronization and the user will be disabled and denied access during a subsequent authentication attempt.
Changing LDAP Passwords in an IDR SSO Agent Deployment
When you add an identity source to a deployment that uses the IDR SSO Agent, you can enable users to change their LDAP passwords using the application portal. To use this feature, the service account used to connect to the directory server must be delegated the "reset user password" task, and the identity source must be configured to use SSL/TLS connections. In the Cloud Administration Console, you must select the Allow users to change password option for an identity source.
On the identity router (IDR) application portal, users can change their passwords if they log in using the application portal's login page. If users access the portal through Integrated Windows Authentication (IWA) or SAML IDP, the change password feature will not be supported.
Navigate to next topics:
Related Tasks
Add, Delete, and Test the Connection for an Identity Source in Cloud Access Service
Manually (Bulk) Synchronize an Identity Source for Cloud Access Service
Reference Materials
Directory Server Attributes Synchronized for Authentication
LDAPv3 Server Requirements to Enable Expired Password Handling in the Application Portal
Related Articles