Add, Delete, and Test the Connection for an Identity Source in Cloud Access Service
An identity source is a repository in the Cloud Access Service (CAS) that represents one primary LDAP directory server, its replicas, and Unified Directory.
To learn about how identity sources and synchronization work, see Identity Sources for Cloud Access Service.
This topic describes how to:
- Add an identity source
- Test the connection between an identity router and a directory server
- Delete an identity source
You must be a Super Admin for the Cloud Administration Console to perform these tasks.
Add an Identity Source
Use the Cloud Administration Console to add a connection to an Active Directory or LDAPv3 identity source for CAS. You can add up to 30 identity sources.
For information about other types of identity sources, see Unified Directory Identity Sources.
Before you begin
Complete the "Plan" section in your Quick Setup Guide.
Confirm that your LDAPv3 directory server supports the Simple Paged Results control, identified by controlType 1.2.
Obtain the administrator username and password for the directory server. For Active Directory, the administrator must have permissions that equal or exceed those given to the Domain Users group.
The username must be in the User Principal Name (UPN) format, such as joeuser@example.com. The account must be enabled to search from the specified directory search root. For Active Directory, the name must be unique in a forest of trees, and the user can be part of the Domain User group.
The password must not expire. If the password expires, no user will be able to authenticate to the application portal until the password is reset.
Understand how user attributes are used in access policies. For more information, see Access Policies.
Have the directory server SSL/TLS certificate. For more information, see Cloud Access Service Certificates.
Make sure your identity router software is up-to-date so you can take advantage of new features and avoid synchronization problems.
For IDR SSO Agent deployments, you can allow users to change their identity source passwords using the application portal:
The directory server must support read and write access from the identity router.
You must select Use SSL/TLS and Allow Users to Change Passwords in the following procedure.
Ensure that the directory server is configured to accept SSL/TLS connections.
For Active Directory identity sources, the administrator whose credentials are used in the Username and Password fields must be a member of the Domain Admins or Administrators group.
Note: Identity routers use TLS 1.2 or later encryption protocols to connect to identity sources.
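The prerequisites above can be checked before any console work starts. The following Python script is an added example, not part of this documentation and not an RSA tool: it lints a constructed identity source configuration against the constraints listed here. It checks that the administrator username is in UPN format, that the directory advertises the Simple Paged Results control in its root DSE supportedControl attribute (the control's standard OID is 1.2.840.113556.1.4.319), that the port matches the SSL/TLS choice (636 is the LDAPS default, 389 the plain default), that Allow Users to Change Passwords is only enabled together with Use SSL/TLS, and it builds a client TLS context that refuses anything below TLS 1.2. The config dict, its field names, the regular expression and the root DSE values are assumptions made for illustration; against a live server, the supportedControl values would come from a base-scope search of the root DSE (for example `ldapsearch -x -s base -b "" supportedControl`).

```python
import re
import ssl

# Standard OID of the LDAP Simple Paged Results control (RFC 2696).
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"

# UPN shape: local-part@domain with at least one dot, no whitespace
# (hypothetical check written for this example, not RSA's rule).
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed root DSE supportedControl values, as a server might advertise them.
ROOT_DSE_CONTROLS = [
    "1.2.840.113556.1.4.319",   # Simple Paged Results
    "2.16.840.1.113730.3.4.2",  # ManageDsaIT, included only for realism
]

# Constructed identity source settings mirroring the console fields.
GOOD_CONFIG = {
    "server": "dc01.example.com",
    "port": 636,
    "use_tls": True,
    "username": "joeuser@example.com",
    "allow_password_change": True,
}

BAD_CONFIG = {
    "server": "dc01.example.com",
    "port": 636,                     # LDAPS default port, but SSL/TLS not selected
    "use_tls": False,
    "username": "EXAMPLE\\joeuser",  # down-level logon name, not a UPN
    "allow_password_change": True,   # requires SSL/TLS
}


def is_upn(username):
    """True if the directory admin username is in UPN form (user@domain)."""
    return bool(UPN_RE.match(username))


def supports_paged_results(supported_controls):
    """True if the root DSE advertises the Simple Paged Results control."""
    return PAGED_RESULTS_OID in set(supported_controls)


def build_tls_context(ca_pem_path=None):
    """Client TLS context for LDAPS: verifies the server certificate against the
    directory CA certificate (system store if none given) and refuses anything
    below TLS 1.2, matching what the identity routers require."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def preflight(config, supported_controls):
    """Return a list of findings; an empty list means the config passes."""
    findings = []
    if not is_upn(config["username"]):
        findings.append("Username must be in UPN format, for example joeuser@example.com")
    if not supports_paged_results(supported_controls):
        findings.append(f"Directory does not advertise Simple Paged Results ({PAGED_RESULTS_OID})")
    port, use_tls = config["port"], config["use_tls"]
    if use_tls and port == 389:
        findings.append("Use SSL/TLS is selected but port 389 is the non-TLS default (LDAPS default is 636)")
    if not use_tls and port == 636:
        findings.append("Port 636 is the LDAPS default but Use SSL/TLS is not selected")
    if config.get("allow_password_change") and not use_tls:
        findings.append("Allow Users to Change Passwords requires Use SSL/TLS")
    return findings


if __name__ == "__main__":
    for name, cfg, controls in (("good", GOOD_CONFIG, ROOT_DSE_CONTROLS),
                                ("bad", BAD_CONFIG, [])):
        print(name, preflight(cfg, controls) or "OK")
```

Run the script as-is to see the good configuration pass and the bad one produce four findings; to use it against a real directory, replace the constructed dict with your Quick Setup Guide values and the control list with the server's actual root DSE output.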
Procedure
- In the Cloud Administration Console, click Users > Identity Sources.
- Click Add an Identity Source.
- Click Select next to the type of identity source you want to add.
- In the Identity Source Name field, enter a name for the identity source.
- (Optional) In the Description field, enter a description for the identity source.
- In the Root field, enter the Base DN for users. See your Quick Setup Guide for this value.
- In the User Tag field, do the following:
- For SSO service deployments using the Identity Router based application portal, specify an attribute to use as a sign-in name for the application portal. For example, this attribute can contain a username or a user email address.
- For a non-SSO service deployment, in which users will use Authenticate Tokencodes to access agent-protected resources using the Identity Router API, your LDAP attributes must match those in Authentication Manager. By default, Authentication Manager uses sAMAccountName for Active Directory, but UPN or email address attributes may also be used. The attribute mapping for CAS and AM should be configured in a similar manner. The User Tag does not affect RADIUS or relying party deployments.
In certain circumstances, you might need separate identity sources for SSO Agent and non-SSO Agent deployments. For example, this is the case if you use mail for SSO, you want to use Authenticate OTPs, and AM is sending sAMAccountName.
Note: For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.
- In the Object Class field, enter the object class of the user tag. For example, the default for Active Directory is user which synchronizes all users in the subtree. The default for LDAPv3 identity sources is inetOrgPerson.
- In the Reset Interval field, enter the minimum number of seconds before RSA attempts to reconnect to a directory server in the identity source that was previously unreachable.
The reset interval does not apply if all directory servers in an identity source are unreachable, or if the identity source has one directory server and it is unreachable. When no directory server is reachable, CAS tries to reconnect to the unavailable directory servers for every authentication attempt.
- (Optional) Select Follow Referrals to allow queries to the identity source to follow referrals across partitions or between domain controllers. Following referrals can increase the likelihood of finding a requested object. Not following referrals can increase security by limiting a query to a specific domain with known security measures.
- In the Directory Servers section, add each directory server in the identity source. Each directory server must contain identical values for the Root, User Tag, and Object Class attributes. For each directory server:
- Click Add.
- In the Server field, enter the fully qualified hostname or IP address for this directory server from your Quick Setup Guide.
- In the Port field, enter the port used for communication to the directory server. The default port for SSL/TLS-encrypted communication is 636. The default port for non-SSL/TLS communication is 389.
- In the Cluster field, select the cluster that contains the identity routers that send authentication requests to this directory server (to validate credentials) during authentication.
- In the Routing Interface field, Private is automatically selected, so that on-premises identity routers connect to the directory server using the management interface. This setting does not affect identity routers in the Amazon cloud.
- In the Username field, enter the username for the directory server administrator account that handles the connection to RSA. For LDAPv3 identity sources, include the bind DN details.
- In the Password field, enter the password for the directory server administrator account.
- In the Connection Timeout field, enter the number of seconds that the identity router will attempt to connect to the directory server before it times out.
- Click Save.
- (Optional) To test the connection to the directory server, click the connection test icon. If the connection is successful, the Connection Test dialog box displays a list of attributes read from the directory server.
- In the SSL/TLS Certificates section:
- If you are using SSL/TLS, select Use SSL/TLS encryption to connect to the directory servers.
- Click Add and select the LDAP server root certificate.
- Click Next Step.
- On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
- To view only attributes that are already selected to use in access policies, select Hide Unavailable Attributes.
The Synchronize the selected attributes with the Cloud Authentication Service checkbox enables or disables the synchronization of your organization's selected identity source attributes from the User Attributes table to the Cloud. This checkbox works as follows:
If selected: All attributes selected in the Apps and the Policies columns of the User Attributes table are synchronized with CAS. Selecting this option also automatically enables the Synchronize User Attributes option on the Synchronize User Attributes tab (see step 21 a).
If not selected: Only attributes with a grey checkbox in the Policies and Apps columns will be synchronized to CAS. The additional attributes that your organization has selected with a blue checkbox in the Apps and the Policies columns of the User Attributes table will not be synchronized to CAS and will instead have empty/null values for every user in the identity source.
Important Notes
Attributes with a grey checkbox in the Apps and Policies columns are selected by default and cannot be deselected. These attributes are required by CAS for user management and will always be synchronized, regardless of the Synchronize the selected attributes with the Cloud Authentication Service checkbox setting. However, they will remain unavailable for policy evaluation and application attributes unless the Synchronize the selected attributes with the Cloud Authentication Service checkbox is also checked.
If the Synchronize the selected attributes with the Cloud Authentication Service checkbox is not selected, none of the attributes will be available for CAS policies or applications, except for policies evaluated on the IDR. Although the Cloud Administration Console may allow you to select these attributes in policy and application settings, they will have empty/null values for all users at runtime.
For IDR SSO Agent authentications, access policies are evaluated on the Identity Router (IDR). If all selected attributes are used only in access policies specific to the IDR SSO Agent, you can leave the Synchronize the selected attributes with the Cloud Authentication Service checkbox cleared.
Attributes that are selected in the Policies column of the table will be available for the following:
Access Policy Rules: User Attributes
IDR SSO Agent Trusted Headers & HTTP Federation: Custom Headers
My Page My Applications SAML: User Identity and Statement Attributes
Relying Party SAML: User Identity and Statement Attributes
RADIUS RADIUS Profile: Return List Attributes
My Page Enrollment and Recovery Validation Code Settings: Source for Email Address
Important Notes
RSA recommends that you do not select the userParameters attribute unless your company requires it. Selecting this attribute occasionally prevents identity source synchronization.
If the Synchronize the selected attributes with the Cloud Authentication Service checkbox is not selected, the attributes you have selected in the Policies column (with a blue tick) can still be used for the above-listed items. However, since they are not synchronized, these attributes will contain empty/null values for all users in the identity source, which may cause issues with certain applications.
Attributes that are selected in the Apps column of the table will be available for the following:
IDR SSO Agent SAML: User Identity and Statement Attributes
Important Notes
RSA recommends that you do not select the userParameters attribute unless your company requires it. Selecting this attribute occasionally prevents identity source synchronization.
If the Synchronize the selected attributes with the Cloud Authentication Service checkbox is not selected, the attributes you have selected in the Apps column (marked with a blue checkbox) can still be used for the above-listed items. However, since they are not synchronized, these attributes will contain empty/null values for all users in the identity source, which may cause issues with certain applications.
(Optional) You can change an attribute's mapping. Before you do this, know the following:
If you change the default Target Attribute Type, make sure the new type is compatible with both the original attribute type and the value of the attribute in the directory.
If you change the default in the Target Attribute Name field to "mail" (for example, if you change Active Directory default “userPrincipalName” to “mail”), confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that users will be able to authenticate.
To change the mapping:
Click the icon in the Mapping column.
Edit the Target Attribute Name and Target Attribute Type fields and click Save.
- Click Next Step.
- (Optional) Configure user attributes to synchronize with CAS. These attributes are used to validate user authentication requests and register devices.
- Select Synchronize user attributes. This checkbox is selected by default if you selected Synchronize the selected policy attributes with the Cloud Authentication Service on the User Attributes page.
- Enter a User Search Filter, which is an LDAP filter that specifies which users within the identity source to synchronize. For example, the User Search Filter (&(objectClass=user)(memberOf=cn=qe,ou=engineering,dc=mycom,dc=local)) specifies that only users that are members of a specific group within the identity source will be synchronized and able to use configured authentication methods.
- For LDAPv3, specify a directory server attribute to map to each RSA user attribute for synchronization. These fields are automatically mapped for Active Directory identity sources, but you can edit them.
In the First Name field, enter the LDAP attribute used to identify a user's first name, for example, givenName.
In the Last Name field, enter the LDAP attribute used to identify a user's last name, for example, sn.
In the Email Address field, enter the LDAP attribute used to identify a user's email address, for example, "mail." If you use an attribute other than "mail," confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that the attribute can be synchronized to CAS.
In the Primary Username field, enter a primary user identifier for multifactor authentication through CAS, including SecurID, RADIUS, and third-party MFA clients. Typically, this is a short username, such as jdoe.
In the Primary Unique Identifier field, enter a unique identifying value (DN) for the user, for example, entryDN.
In the Secondary Unique Identifier field, enter a unique and stable identifier for the user, for example, entryUUID.
The User Account Status and User Account Expiration attributes are automatically mapped for Active Directory identity sources and therefore always synchronized to CAS. If you want to synchronize these attributes for LDAPv3 identity sources, you must manually map these attributes. For detailed information on mapping, see Directory Server Attributes Synchronized for Authentication.
The User Account Status attribute indicates whether a user is enabled or disabled in the directory server. Disabled users cannot authenticate using CAS or register devices.
The User Account Expiration attribute indicates when the user’s directory server account expires, if applicable.
Note: In the next two optional fields, SMS Tokencode Phone Number and Voice Tokencode Phone Number, to ensure that SMS and Voice tokencodes are correctly routed during transmission, the country code is required. RSA recommends using the E.123 international format, +<country_code> <national_number>. For example, +1 555 555 5555 is a U.S. phone number that includes the country code +1.
In the SMS Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's mobile phone number that can receive text messages for SMS Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use SMS Tokencode, you must manually enter a phone number for each user.
In the Voice Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's phone number for Voice Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use Voice Tokencode, you must manually enter a phone number for each user.
In the Alternate Username (Optional) field, enter an attribute that can be used as an additional user identifier. For example, you can use this attribute for the Active Directory userPrincipalName. This attribute cannot be used with SSO Agents.
Note: If an attribute you specify does not exist in the LDAP directory server, synchronization fails.
- Click Next Step.
- On the Password Settings page:
- Select Allow Users to Change Passwords to enable users to change their directory passwords using the application portal or My Page. This option can be enabled only if the Use SSL/TLS encryption to connect to the directory servers option is selected. When this option is enabled, users can do the following on both the identity router (IDR) application portal and My Page:
- Users who log in with an expired password can reset their password.
- Users who want to change their password after logging in can do so.
If you selected the Allow Users to Change Passwords option, in the Password Strength Criteria field enter the password policy requirements that are configured on your LDAP server. The configured requirements are displayed to users on the Change Password page. Keep the criteria concise and list each one on a separate line. For example:
Password must be at least 10 characters long.
Password must contain at least one uppercase letter.
Password must contain at least one lowercase letter.
Password must contain at least one special character.
Make sure not to repeat any of the last 3 passwords.
- Click Save and Finish.
- (Optional) Click Publish Changes to activate the settings immediately.
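The User Search Filter and attribute mapping steps above decide which users reach CAS and whether their synchronized values are usable. As an added example, not RSA's code and not part of this documentation, the following Python script dry-runs that step against a constructed directory export: it parses the User Search Filter quoted in the procedure with a small evaluator for the RFC 4515 filter subset it needs (AND, OR, NOT, equality and presence items), selects the entries the filter would synchronize, and then validates the mapped attributes of each selected user for the failure modes the procedure warns about: a mapped attribute that is missing or empty, an email value that is not in email format, and a phone attribute whose first value lacks the E.123 country code. The entries, the mapping dict, its role names and the regular expressions are assumptions made for illustration.

```python
import re

# Constructed directory export (not real data): attribute name -> list of values,
# the way LDAP returns multi-valued attributes. "dn" is kept as a plain string.
QE = "cn=qe,ou=engineering,dc=mycom,dc=local"
USERS = [
    {"dn": "cn=jdoe,ou=engineering,dc=mycom,dc=local",
     "objectClass": ["top", "person", "user"], "sAMAccountName": ["jdoe"],
     "givenName": ["Jane"], "sn": ["Doe"], "mail": ["jdoe@mycom.local"],
     "mobile": ["+1 555 555 5555", "555 0100"],   # first value is the one used
     "memberOf": [QE]},
    {"dn": "cn=rroe,ou=sales,dc=mycom,dc=local",   # valid user, but not in qe
     "objectClass": ["top", "person", "user"], "sAMAccountName": ["rroe"],
     "givenName": ["Rick"], "sn": ["Roe"], "mail": ["rroe@mycom.local"],
     "mobile": ["+1 555 555 0199"], "memberOf": ["cn=sales,ou=sales,dc=mycom,dc=local"]},
    {"dn": "cn=bsmith,ou=engineering,dc=mycom,dc=local",   # in qe; no mail, bad phone
     "objectClass": ["top", "person", "user"], "sAMAccountName": ["bsmith"],
     "givenName": ["Bo"], "sn": ["Smith"], "mobile": ["555 0100"], "memberOf": [QE]},
    {"dn": "cn=lab-contact,ou=engineering,dc=mycom,dc=local",   # in qe, not a user
     "objectClass": ["top", "contact"], "mail": ["lab@mycom.local"], "memberOf": [QE]},
]

# The User Search Filter from the procedure above.
USER_SEARCH_FILTER = "(&(objectClass=user)(memberOf=cn=qe,ou=engineering,dc=mycom,dc=local))"

# Assumed mapping of RSA user attribute role -> directory attribute (console fields).
MAPPING = {"first_name": "givenName", "last_name": "sn", "email": "mail",
           "primary_username": "sAMAccountName", "sms_phone": "mobile"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
E123_RE = re.compile(r"^\+\d{1,3}(?: \d+)+$")   # +<country_code> <national_number>


def parse_filter(text):
    """Parse the RFC 4515 subset (&..), (|..), (!..), (attr=value), (attr=*) into a
    nested tuple tree. A DN-valued equality keeps its own '=' characters in the value."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("NOT takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)
        attr, sep, value = text[pos:end].partition("=")   # split at the first '='
        if not sep or not attr:
            raise ValueError(f"bad item filter: {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def values(entry, attr):
    """Case-insensitive attribute lookup; always returns a list."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals) if isinstance(vals, list) else [vals]
    return []


def matches(tree, entry):
    """Evaluate a parsed filter against one entry (case-insensitive equality)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    vals = [v.lower() for v in values(entry, attr)]
    return bool(vals) if value == "*" else value.lower() in vals


def validate_entry(entry, mapping):
    """Problems that would surface at synchronization or sign-in time for one user."""
    problems = []
    for role, attr in mapping.items():
        vals = values(entry, attr)
        if not vals:
            problems.append(f"{attr} ({role}) is missing or empty")
            continue
        first = vals[0]   # multi-valued attribute: only the first value is used
        if role == "email" and not EMAIL_RE.match(first):
            problems.append(f"{attr} value {first!r} is not a valid email address")
        if role.endswith("_phone") and not E123_RE.match(first):
            problems.append(f"{attr} value {first!r} lacks the E.123 country code")
    return problems


def sync_dry_run(users, filter_text, mapping):
    """Map DN -> problem list for every entry the User Search Filter selects."""
    tree = parse_filter(filter_text)
    return {u["dn"]: validate_entry(u, mapping) for u in users if matches(tree, u)}


if __name__ == "__main__":
    for dn, problems in sync_dry_run(USERS, USER_SEARCH_FILTER, MAPPING).items():
        print(dn, "->", problems or "OK")
```

With the constructed data, only jdoe and bsmith are selected: rroe is outside the qe group and lab-contact is not of object class user. jdoe passes; bsmith is reported for the missing mail attribute and the mobile value without a country code, which are exactly the cases that would otherwise leave the synchronized email empty or misroute SMS tokencodes.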
Test the Connection Between an Identity Router and a Directory Server
Use the Cloud Administration Console to test the connection between the identity router and a directory server within an identity source. This option is applicable only for Active Directory and LDAP identity sources.
Procedure
- In the Cloud Administration Console, click Users > Identity Sources.
- In the Directory Servers section, click the connection test icon for the directory server that you want to test.
The Connection Test dialog box appears. If the connection is successful, the dialog box displays the attributes read from the directory server.
Delete an Identity Source
You can use the Cloud Administration Console to delete an identity source that is no longer needed. Expect the following behavior when you delete an identity source:
- After you confirm the deletion but do not publish, you can no longer edit the identity source or synchronize users. You can still use the Cloud Administration Console to find users in that identity source and the users can continue to authenticate.
- After you publish the changes, all users from the identity source are deleted from CAS and can no longer authenticate. The identity source configuration settings are deleted from CAS.
Procedure
- Sign into the Cloud Administration Console.
- Remove the identity source you will be deleting from all custom and system access policies.
Note: Skip the preconfigured policies. The identity source will be automatically removed from these policies when you delete the identity source.
- Click Access > Policies.
- For each custom policy, click Edit and go to the Identity Sources tab. If the identity source to be deleted is included in the policy, deselect the box next to it, then click Next Step and Save and Finish. Otherwise, click Cancel.
- If any configurations in your deployment for relying party, RADIUS profiles, or SAML IDR SSO Agent use attributes from the identity source being deleted, delete the attributes from those configurations.
- If the Device Registration Using Password Policy is enabled, click Edit to see if the identity source to be deleted is included in the policy. If it is included, deselect the box next to it, then click Next Step and Save and Finish. If the policy is disabled, the identity source will be automatically removed from the policy.
- (Optional) Perform these steps only if you are preserving an identity source that is either a duplicate or a subset of the identity source you are deleting. You can ensure that users are synchronized into the preserved identity source, and that no users are associated with the identity source being deleted.
- Synchronize the identity source you are keeping. Click Users > Identity Sources. Next to the name of the identity source, select Synchronization from the drop-down menu. On the Synchronization page, in the Identity Source Details section, click Synchronize Now.
- Run a user report to confirm that the identity source being preserved contains the expected user population, and the identity source being deleted contains no users. Click Users > Reports > Generate > Download CSV. You can sort by identity source in the CSV file.
- Click Users > Identity Sources.
- Find the name of the identity source you want to delete and select Delete from the drop-down menu.
- Click Delete to confirm the change.
Note: After confirming, you cannot reverse this action, even if you do not immediately publish.
- Click Publish Changes if you want to activate the settings immediately.