RSA ID Plus Cloud Authentication Service access policy not working as expected for user immediately after attribute change
Originally Published: 2025-04-11
Article Number: 000073293
Applies To

RSA Product Set: ID Plus
RSA Product/Service Type: Cloud Authentication Service

Issue

A Cloud Authentication Service (CAS) access policy that relies on an identity source attribute is evaluated and applied with an unexpected outcome for a user who is synced to the CAS from an external identity source, such as Active Directory (AD), when that attribute has just been changed on the user's account in AD. After waiting 5 minutes from the time the attribute was changed, the access policy is evaluated and applied for the user with the expected outcome.


Example: A resource configured with the CAS uses an access policy whose rule set targets a set of users based on AD group membership via the "memberOf" attribute. If a user is added to or removed from the group in AD, they experience the wrong behavior when trying to access the resource (such as incorrectly being denied access, or unexpectedly being prompted or not prompted for MFA). However, if the user waits 5 minutes, they get the expected behavior when attempting to access the resource.

Cause

Just-in-Time (JIT) Sync has a rate limit of once per 5-minute interval.


This can create an issue in the following scenario:

A user performs an action with the CAS that triggers a JIT sync of their account, an attribute is then changed on their account in AD, and the user attempts to access a resource configured with the CAS within the same 5-minute interval as the initial JIT sync. If the access policy used by the resource relies on the attribute that was changed in AD during this interval, the access attempt can produce an unexpected outcome, because the user's account cannot be JIT synced again within the 5-minute interval, so the CAS still holds the old attribute value when it evaluates the access policy.

Resolution

The user can wait 5 minutes before trying to access the resource integrated with the CAS, or a manual sync of the user can be performed.
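The following Python simulation is an added illustration of the timing described in the Cause and Resolution sections; it is not RSA's code, and it models the CAS as a per-user attribute cache refreshed by a JIT sync that runs at most once per 300-second interval, with a manual sync assumed to bypass that limit.

```python
import copy
from dataclasses import dataclass, field

JIT_SYNC_INTERVAL = 300  # seconds: JIT Sync runs at most once per 5-minute interval


@dataclass
class SimulatedCas:
    """Toy model (an assumption, not RSA's implementation) of CAS-side user
    attributes refreshed from an identity source by a rate-limited JIT sync."""
    identity_source: dict                          # constructed AD stand-in: user -> attributes
    cas_cache: dict = field(default_factory=dict)  # attributes as last synced to the CAS
    last_jit_sync: dict = field(default_factory=dict)

    def jit_sync(self, user, now):
        """Refresh the cached attributes unless a JIT sync already ran within the interval."""
        last = self.last_jit_sync.get(user)
        if last is not None and now - last < JIT_SYNC_INTERVAL:
            return False  # rate-limited: the possibly stale cached attributes stay in use
        self.cas_cache[user] = copy.deepcopy(self.identity_source[user])
        self.last_jit_sync[user] = now
        return True

    def manual_sync(self, user, now):
        """Administrator-initiated sync; assumed here to bypass the JIT rate limit."""
        self.cas_cache[user] = copy.deepcopy(self.identity_source[user])
        self.last_jit_sync[user] = now

    def access(self, user, now, required_group):
        """Evaluate a memberOf-based access policy rule; True means the rule matches."""
        self.jit_sync(user, now)
        return required_group in self.cas_cache[user]["memberOf"]


def scenario(manual_sync=False):
    """Replay the article's sequence; return the policy outcome at t=120s and t=300s."""
    ad = {"alice": {"memberOf": ["CN=Staff"]}}  # constructed sample directory
    cas = SimulatedCas(identity_source=ad)
    cas.access("alice", now=0, required_group="CN=MFA-Exempt")  # t=0: JIT sync happens
    ad["alice"]["memberOf"].append("CN=MFA-Exempt")              # t=60: group changed in AD
    if manual_sync:
        cas.manual_sync("alice", now=90)                         # t=90: manual sync
    within_window = cas.access("alice", now=120, required_group="CN=MFA-Exempt")
    after_window = cas.access("alice", now=300, required_group="CN=MFA-Exempt")
    return within_window, after_window
```

Without a manual sync the rule still fails to match at t=120 because the cached attribute is stale, and matches at t=300 once the interval has elapsed; with a manual sync it matches in both cases.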