RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.7 SP1 or later
Environment:
- Authentication Manager deployment (at least one primary instance)
- Identity Sources x2
-- Active Directory (DC=securid,DC=local) - mapping users to Authentication Manager (AM). These mapped users have hardware and software tokens assigned.
-- Active Directory (DC=rsa,DC=local) - contains users using the same SamAccountName as those found in the older domain suffix (securid.local). These users can be searched via the Security Console but are not registered users (where user meta-data does not exist in the Authentication Manager database).
NOTE: mapped users from an identity source with a token assigned will generate user meta-data in the Authentication Manager database, making them registered users.
Requirement:
- Company has recently changed its Domain Suffix from 'securid.local' to 'rsa.local'. Mapped users with tokens assigned need to be migrated to the new domain suffix (rsa.local) in Authentication Manager.
Tasks for the migration process:
1. Perform an Authentication Manager backup to preserve the state of the data in the Authentication Manager before any changes are made. Backup procedure is found at URL https://community.securid.com/t5/securid-authentication-manager/create-a-backup-using-back-up-now/ta-p/630217.
2. Perform a manual cleanup of unresolvable users for the identity source (DC=securid,DC=local) using the procedure provided at URL https://community.rsa.com/s/article/Clean-Up-Unresolvable-Users-Manually-d13c75b9.
3. Create a Security Domain for the export of tokens and users using the procedure provided at URL https://community.securid.com/t5/securid-authentication-manager/add-a-security-domain/ta-p/629384.
4. Move the users to be migrated into the new Security Domain using the 'Move Users Between Security Domains' procedure at URL https://community.securid.com/t5/securid-authentication-manager/move-users-between-security-domains/ta-p/629419.
Example, select User IDs, choose Move to Security Domain from the drop-down menu and click Go:
..select -Export Tokens and Users for the Move to Security Domain and click Move button:
..selected users are moved to the new Security Domain (e.g. Export Tokens and Users):
5. Download an encryption key for the export of tokens and users using the procedure provided at URL https://community.securid.com/t5/securid-authentication-manager/export-users-with-tokens/ta-p/629963.
Example, click Download Now to download the encryption key file:
6. Export tokens and users using the procedure provided at URL https://community.securid.com/t5/securid-authentication-manager/export-users-with-tokens/ta-p/629963.
Example, choose the encryption key file, select Users with Tokens and click Next button:
..select -Export Tokens and Users for the Security Domain, select Export all users with tokens in domain and click Export button:
..click Download File to download the exported package file:
7. Update the user and group LDAP search filters so users and user groups are no longer mapped from the identity source (DC=securid,DC=local) to Authentication Manager.
By default, the user LDAP search filter is '(&(objectClass=User)(objectcategory=person))' and the user group LDAP search filter is '(objectClass=group)'.
An example of updating the default LDAP search filter so users and user groups are no longer mapped from Active Directory would be as follows:
user LDAP Search Filter : (&(objectClass=User)(objectcategory=person)(!(samAccountName=*)))
user group LDAP Search Filter: (&(objectClass=group)(!(cn=*)))
8. Perform a manual cleanup of unresolvable users for the identity source (DC=securid,DC=local) using the procedure provided at URL https://community.rsa.com/s/article/Clean-Up-Unresolvable-Users-Manually-d13c75b9.
NOTE: this is to remove any user meta-data from the Authentication Manager database and avoid any duplicate User ID issues.
..after clicking Next a list of unresolvable users is displayed:
..click the Clean Up Now button to complete the clean up. User meta-data will be removed from Authentication Manager.
9. Remove the identity source (DC=securid,DC=local) from Authentication Manager using the procedure provided at URL https://community.rsa.com/s/article/Remove-an-Identity-Source-59dce1e1.
Example, unlink the identity source before deleting the identity source:
..confirm you are deleting the identity source before clicking the Delete Identity Source button:
10. Import tokens with users from the exported package file using the procedure provided at URL https://community.securid.com/t5/securid-authentication-manager/import-users-with-tokens/ta-p/629961. This process will map the User IDs found in the exported package file against the User IDs mapped from the identity source (DC=rsa,DC=local) and associate the assigned tokens.
Example, choose the encryption package file and click Next button:
..select the Security Domain (by default, SystemDomain) and click the Next button:
..choose an option for the 'Maps to:' (e.g. 'Sales' for the new identity source) and click the Next button:
..check the pre-import summary and click Import button:
..import status:
11. Use the ‘Imported Users with Tokens Report’ report template to generate a report to review the Warnings reported during the import process. Reporting topics are available at URL https://community.securid.com/t5/securid-authentication-manager/reports/ta-p/629966.
Example of running the report:
..reports results - warning 'The imported token matches an unassigned token in the target deployment. The unassigned token was overwritten by the token in the export file.':
NOTE: the warnings in the report are expected as the tokens being imported still exist in the Authentication Manager database.
This migration process is similar for migrating Internal Database users to an identity source. The Internal Database User ID must match the identity source User ID for the mapped user. Users will need to be removed from the Internal Database before performing an import of tokens and users.
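The filter change in step 7 can be sanity-checked offline before the clean-up in step 8 removes user meta-data. The following Python sketch is an added example, not RSA code: it evaluates the default and updated filters from step 7 against constructed directory entries (the names and the simplified objectCategory values are assumptions) and shows that the updated filters select no users or groups. It models the filter logic only and does not query a directory.

```python
# Added example (not RSA code). Supports the filter subset used here: & | ! = and presence.
def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i, op = i + 1, f[i + 1:i + 2]
    if op and op in "&|!":
        i, kids = i + 1, []
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or f[i:i + 1] != ")":
            raise ValueError(f"malformed '{op}' filter near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError when the filter is unbalanced
    attr, sep, value = f[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"malformed comparison near offset {i}")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (lower-case attribute keys)."""
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    values = entry.get(node[1], [])
    if node[2] == "*":  # presence test, e.g. (samAccountName=*)
        return bool(values)
    return node[2].lower() in (v.lower() for v in values)

def selected(filter_text, entries):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]

ENTRIES = [  # constructed sample entries; objectCategory simplified to its short name
    {"cn": ["alice"], "samaccountname": ["alice"], "objectcategory": ["person"],
     "objectclass": ["top", "person", "organizationalPerson", "user"]},
    {"cn": ["VPN Users"], "samaccountname": ["vpnusers"],
     "objectcategory": ["group"], "objectclass": ["top", "group"]},
]
USER_DEFAULT = "(&(objectClass=User)(objectcategory=person))"
USER_UPDATED = "(&(objectClass=User)(objectcategory=person)(!(samAccountName=*)))"
GROUP_DEFAULT, GROUP_UPDATED = "(objectClass=group)", "(&(objectClass=group)(!(cn=*)))"
if __name__ == "__main__":
    for f in (USER_DEFAULT, USER_UPDATED, GROUP_DEFAULT, GROUP_UPDATED):
        print(f, "->", selected(f, ENTRIES))
```

An empty result for both updated filters is the expected outcome; a non-empty result would mean some entries remain mapped from the old identity source and would not be listed as unresolvable in step 8.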
- Both identity sources are configured in Authentication Manager via the Operations Console. The procedure to 'Add an Identity Source' is available at URL https://community.rsa.com/s/article/Add-an-Identity-Source-3e5cdccf. Identity Source topics are available at URL https://community.rsa.com/s/article/Identity-Sources-075d641c.
- Tokens are already assigned to the users mapped from the old domain suffix 'securid.local'. RSA SecurID Token topics are available at URL https://community.rsa.com/s/article/RSA-SecurID-Tokens-970b1126.
- Exports and Imports Tokens and Users Between Deployments topics are available from URL https://community.rsa.com/s/article/Exports-and-Imports-Tokens-and-Users-Between-Deployments-6ff73b52. The 'Exports and Imports Tokens and Users' feature is used to migrate the users from one domain suffix to another in Authentication Manager.