Use the Cloud Administration Console to add a connection to an Active Directory or LDAPv3 identity source for the Cloud Authentication Service. You can add up to 30 identity sources.
Before you begin
Complete the "Plan" section in your Quick Setup Guide.
Confirm that your LDAPv3 directory server supports the Simple Paged Results control, identified by controlType 1.2.840.113522.214.171.1249. This step is not required for Active Directory servers.
Obtain the administrator username and password for the directory server. For Active Directory, the administrator must have permissions that equal or exceed those given to the Domain Users group. For LDAP, the administrator must have root privileges on the directory server.
The username must be in the User Principal Name (UPN) format, such as firstname.lastname@example.org. The account must be enabled to search from the specified directory search root. For Active Directory, the name must be unique in a forest of trees, and the user can be part of the Domain User group.
The password must not expire. If the password expires, no user will be able to authenticate to the application portal until the password is reset.
Understand how user attributes are used in access policies. For more information, see Access Policies.
Make sure your identity router software is up-to-date so you can take advantage of new features and avoid synchronization problems.
For SSO Agent deployments, you can allow users to change their identity source passwords using the application portal:
The directory server must support read and write access from the identity router.
You must select Use SSL/TLS and Allow Users to Change Passwords in the following procedure.
Ensure that the directory server is configured to accept SSL/TLS connections.
For Active Directory identity sources, the administrator whose credentials are used in the Username and Password fields must be a member of the Domain Admins or Administrators group.
In the Cloud Administration Console, click Users > Identity Sources.
Click Add an Identity Source.
Click Select next to the type of identity source you want to add.
In the Identity Source Name field, enter a name for the identity source.
(Optional) In the Description field, enter a description for the identity source.
In the Root field, enter the Base DN for users. See your Quick Setup Guide for this value.
In the User Tag field, do the following:
For SSO Agent deployments, specify the attribute to use as a sign-in name for the application portal. For example, you can enter an attribute that contains usernames, or an attribute that contains user email addresses. See your Quick Setup Guide for this value.
For non-SSO Agent deployments in which users will use Authenticate Tokencode to access agent-protected resources, your LDAP attributes must match those in Authentication Manager. By default, Authentication Manager uses sAMAccountName for Active Directory, but UPN or email address attributes may also be used. The attribute mapping for the Cloud Authentication Service and Authentication Manager should be configured in a similar manner. The User Tag does not affect RADIUS or relying party deployments.
In certain circumstances, you might need separate identity sources for SSO Agent and non-SSO Agent deployments. For example, this is the case if you use mail for SSO, you want to use Authenticate Tokencodes, and Authentication Manager is sending sAMAccountName.
Note:For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.
In the Object Class field, enter the object class of the user tag. For example, the default for Active Directory is user which synchronizes all users in the subtree. The default for LDAPv3 identity sources is inetOrgPerson.
In the Reset Interval field, enter the minimum number of seconds before RSA SecurID Access attempts to reconnect to a directory server in the identity source that was previously unreachable.
The reset interval does not apply if all directory servers in an identity source are unreachable, or if the identity source has one directory server and it is unreachable. When no directory server is reachable, the Cloud Authentication Service tries to reconnect to the unavailable directory servers for every authentication attempt.
(Optional) Select Follow Referrals to allow queries to the identity source to follow referrals across partitions or between domain controllers. Following referrals can increase the likelihood of finding a requested object. Not following referrals can increase security by limiting a query to a specific domain with known security measures.
In the Directory Servers section, add each directory server in the identity source. Each directory server must contain identical values for the Root, User Tag, and Object Class attributes. For each directory server:
In the Server field, enter the fully qualified hostname or IP address for this directory server from your Quick Setup Guide.
In the Port field, enter the port used for communication to the directory server. The default port for SSL/TLS-encrypted communication is 636. The default port for non-SSL/TLS communication is 389.
In the Cluster field, select the cluster that contains the identity routers that send authentication requests to this directory server (to validate credentials) during authentication.
In the Routing Interface field, Private is automatically selected, so that on-premises identity routers connect to the directory server using the management interface. This setting does not affect identity routers in the Amazon cloud.
In the Username field, enter the username for the directory server administrator account that handles the connection to RSA SecurID Access. For LDAPv3 identity sources, include the bind DN details.
In the Password field, enter the password for the directory server administrator account.
In the Connection Timeout field, enter the number of seconds that the identity router will attempt to connect to the directory server before it times out.
(Optional) To test the connection to the directory server, click the icon. If the connection is successful, the Connection Test dialog box displays a list of attributes read from the directory server.
In the SSL/TLS Certificates section:
If you are using SSL/TLS, select Use SSL/TLSencryption to connect to the directory servers.
(Optional) Select Allow users to change passwords to allow users to change their directory passwords using the application portal.
Click Add and select the LDAP server root certificate.
Click Next Step.
On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
To view only attributes that are already selected to use in access policies, select Hide Unavailable Attributes
The Synchronize the selected attributes in the Policies column with the Cloud Authentication Service checkbox is for deployments that use a configured relying party or RADIUS.
Access policies can use the attributes selected in the Policies column on this page for selecting the target population. These selected attributes and the authentication attributes are synchronized to the Cloud Authentication Service during scheduled or manual synchronizations. For a list of authentication attributes synchronized, see and Directory Server Attributes Synchronized for Authentication.
Attributes selected in the Policies column are not synchronized. Authentication attributes are synchronized only if you select Synchronize user attributes for additional authentication on t he Additional Authentication page in this wizard.
Note:If left unselected, you should avoid using LDAP attributes in access policies that use a relying party or RADIUS. Only policies that allow all authenticated users can allow users to successfully authenticate.
To use an attribute to configure access policies, select the checkbox in the Policies column. The attributes selected here are available on the Access Policies page.
Note:This box must be checked for an attribute to be sent in SAML assertions.
Note:RSA recommends that you do not select the userParameters attribute unless your company requires it. Selecting this attribute occasionally prevents identity source synchronization.
Select the checkbox in the Apps column to allow an attribute to be sent in HTTP headers when the Pass Headers option is enabled for an application. Selected attributes will be available when you configure SAML applications or relying parties.
(Optional) You can change an attribute's mapping. Before you do this, know the following:
If you change the default Target Attribute Type, make sure the new type is compatible with both the original attribute type and the value of the attribute in the directory.
If you change the default in the Target Attribute Name field to "mail" (for example, if you change Active Directory default “userPrincipalName” to “mail”), confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that users will be able to authenticate.
To change the mapping:
Click the icon in the Mapping column.
Edit the Target Attribute Name and Target Attribute Type fields and click Save.
Click Next Step.
(Optional) Configure user attributes to synchronize with the Cloud Authentication Service. These attributes are used to validate user authentication requests and register devices.
Select Synchronize user attributes. This checkbox is selected by default if you selected Synchronize the selected policy attributes with the Cloud Authentication Service on the User Attributes page.
Enter a User Search Filter, which is an LDAP filter that specifies which users within the identity source to synchronize. For example, the User Search Filter (&(objectClass=user)(memberOf=cn=qe,ou=engineering,dc=mycom,dc=local)) specifies that only users that are members of a specific group within the identity source will be synchronized and able to use configured authentication methods.
For LDAPv3, specify a directory server attribute to map to each RSA SecurID Access user attribute for synchronization. These fields are automatically mapped for Active Directory identity sources, but you can edit them.
In the First Name field, enter the LDAP attribute used to identify a user's first name, for example, givenName.
In the Last Name field, enter the LDAP attribute used to identify a user's last name, for example, sn.
In the Email Address field, enter the LDAP attribute used to identify a user's email address, for example, "mail." If you use an attribute other than "mail," confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that the attribute can be synchronized to the Cloud Authentication Service.
In the Primary Username field, enter a primary user identifier for multifactor authentication through the Cloud Authentication Service, including RSA SecurID, RADIUS, and third-party MFA clients. Typically, this is a short username, such as jdoe.
In the Primary Unique Identifier field, enter a unique identifying value (DN) for the user, for example, entryDN.
In the Secondary Unique Identifier field, enter unique and stable identifier for the user. For example, entryUUID.
The User Account Status and User Account Expiration attributes are automatically mapped for Active Directory identity sources and therefore always synchronized to the Cloud Authentication Service. If you want to synchronize these attributes for LDAPv3 identity sources, you must manually map these attributes. For detailed information on mapping, see Directory Server Attributes Synchronized for Authentication.
The User Account Status attribute indicates whether a user is enabled or disabled in the directory server. Disabled users cannot authenticate using the Cloud Authentication Service or register devices.
The User Account Expiration attribute indicates when the user’s directory server account expires, if applicable.
Note:In the next two optional fields, SMS Tokencode Phone Number and Voice Tokencode Phone Number, to ensure that SMS and Voice tokencodes are correctly routed during transmission, the country code is required. RSA recommends using the E.123 international format, +<country_code> <national_number>. For example, +1 555 555 5555 is a U.S. phone number that includes the country code +1.
In the SMS Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's mobile phone number that can receive text messages for SMS Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use SMS Tokencode, you must manually enter a phone number for each user.
In the Voice Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's phone number for Voice Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use Voice Tokencode, you must manually enter a phone number for each user.
In the Alternate Username (Optional) field, enter an attribute that can be used as an additional user identifier. For example, you can use this attribute for the Active Directory userPrincipalName. This attribute cannot be used with SSO Agents.
Note:If an attribute you specify does not exist in the LDAP directory server, synchronization fails.
Click Save and Finish.
(Optional) Click Publish Changes to activate the settings immediately.
Test the Connection Between an Identity Router and a Directory Server
Use the Cloud Administration Console to test the connection between the identity router and a directory server within an identity source.
In the Cloud Administration Console, click Users > Identity Sources.
In the Directory Servers section, click the icon for the directory server that you want to test. The Connection Test dialog box appears. If the connection is successful, the dialog box displays the attributes read from the directory server.
You can use the Cloud Administration Console to delete an identity source that is no longer needed. Expect the following behavior when you delete an identity source:
After you confirm the deletion but do not publish, you can no longer edit the identity source or synchronize users. You can still use the Cloud Administration Console to find users in that identity source and the users can continue to authenticate.
After you publish the changes, all users from the identity source are deleted from the Cloud Authentication Service and can no longer authenticate. The identity source configuration settings are deleted from the Cloud Authentication Service.
Sign into the Cloud Administration Console.
Remove the identity source you will be deleting from all custom and system access policies.
Note:Skip the preconfigured policies. The identity source will be automatically removed from these policies when you delete the identity source.
Click Access > Policies.
For each custom policy, click Edit and go to the Identity Sources tab. If the identity source to be deleted is included in the policy, deselect the box next to it, then click Next Step and Save and Finish. Otherwise, click Cancel.
If any configurations in your deployment for relying party, RADIUS profiles, or SAML SSO Agent use attributes from the identity source being deleted, delete the attributes from those configurations.
If the Device Registration Using Password Policy is enabled, click Edit to see if the identity source to be deleted is included in the policy. If it is included, deselect the box next to it, then click Next Step and Save and Finish. If the policy is disabled, the identity source will be automatically removed from the policy.
(Optional) Perform these steps only if you are preserving an identity source that is either a duplicate or a subset of the identity source you are deleting. You can ensure that users are synchronized into the preserved identity source, and that no users are associated with the identity source being deleted.
Disable scheduled synchronization for the identity source you want to delete. Click Users > Identity Sources. Next to the name of the identity source, select Synchronization from the drop-down menu. On the Synchronization page, in the Synchronization Schedule section, under Automatic Synchronization, select Off.
If just-in-time synchronization is enabled, disable it for all identity sources. Click My Account > Company Settings and select the Company Information tab. In the Just-in-Time Synchronization field, select Disabled.
Synchronize the identity source you are keeping. Click Users > Identity Sources. Next to the name of the identity source, select Synchronization from the drop-down menu. On the Synchronization page, in the Identity Source Details section, click Synchronize Now.
Run a user report to confirm that the identity source being preserved contains the expected user population, and the identity source being deleted contains no users. Click Users > Reports > Generate > Download CSV. You can sort by identity source in the CSV file.
Click Users > Identity Sources.
Find the name of the identity source you want to delete and select Delete from the drop-down menu.
Click Delete to confirm the change.
Note:After confirming, you cannot reverse this action, even if you do not immediately publish.
If necessary, re-enable just-in-time synchronization.
Click Publish Changes if you want to activate the settings immediately.