After you add an Identity Source, the IDR connects to the AD or LDAP Server and parses all the available attributes. On the User Attributes page of the Identity Source, you will see a list of the discovered attributes:
You will also notice that next to each attribute there is a Mapping column with a pencil next to it. Upon clicking on that pencil you are able to change the Attribute Mapping:
There are a couple of use cases for changing the attribute mapping:
- With Multiple Identity Sources you can combine attribute names by setting their Target Attribute Name to be the same
- For example in AD you have sAMAccountName and in an LDAP server you might have uid
- Change the Target Attribute Type of a Discovered attribute (this is actually covered in SecurID Access: Change Attribute Mapping Type in Identity Sources)
- Let's say you wanted to treat a date as a string to use other policies operations
Let's check out the first scenario.
Combine Attributes Names
I have two Identity Sources, an LDAP server and an Active Directory server. In AD I use the sAMAccountName attribute for the User IDs, and in my LDAP server I use uid for User IDs. I have the same User ID in both Identity Sources:
And here are the regular and operational attributes for same user in the LDAP Server:
You will notice that the uid and sAMAaccountName attributes are the same. So I went ahead and added both as Identity Sources in my SecurID Access Environment:
Then on the LDAP Identity Source I searched for the uid attribute in the page:
Then I clicked on the Pencil under the Mapping column and set the Target Attribute Name to user_id:
Then if you go back to the User Attribute page, you can now search for the new name (user_id😞
Then I went to the AD Identity Source and did the same thing for the sAMAccountName attribute:
Now I can use that name under policies and it will show up a valid attribute that you can select. I created a simple policy saying that if user_id is equal to karim, allow access:
Don't forget to choose both of the Identity Sources when adding the policy:
Now if I can assign that policy to an application and if I authenticate with either of the Identity Sources, I will see the application.
Separate Attributes Names (No Attribute Mapping)
Let's use a similar scenario as above, I have an LDAP server and an AD server. A common attribute between those two servers is mail, you can't change the target name for more than one attribute with a unique name. For example I modified the mail attribute for both identity sources:
But if I try to use those new names only the second one shows up in the list:
If you are in a situation where you have multiple Identity Sources with same attributes and you want to create a policy that applies to only one, then just select the appropriate Identity Source when creating the policy:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.