Identity Sources for the Cloud Authentication Service

An identity source is a repository in the Cloud Authentication Service that represents one primary LDAP directory server and its replicas. This topic describes:

  • Supported Directory Servers

  • Synchronization Process

  • Synchronization and User Status in the Cloud Authentication Service

  • Synchronization Scope

  • User Attributes Synchronized

  • Synchronization Methods

  • Phone Number Synchronization for SMS and Voice Tokencodes

  • Using Just-in-Time Synchronization to Prevent Expired or Disabled Users from Authenticating

  • Deleting Users from the Directory Server

  • Changing LDAP Passwords in an SSO Agent Deployment

To add an identity source, see Add, Delete, and Test the Connection for an Identity Source in the Cloud Authentication Service.

​Supported Directory Servers

The Cloud Authentication Service supports Microsoft Active Directory and LDAPv3 directories. The LDAPv3 servers must support Simple Paged Search. Your LDAP server must support control type 1.2.840.113556.1.4.319. See your LDAP server documentation to verify this support before adding an LDAPv3 identity source.

​Synchronization Process

The Cloud Authentication Service has read-only access to the LDAP directory server. To manage LDAP users within RSA SecurID Access, register user authenticators, and ensure that attributes are available for access policies and SMS Tokencode and Voice Tokencode authentication, user records must be synchronized between the Cloud Authentication Service and the directory server.

Identity source synchronization produces the following results:

  • New user records are added to the cloud.

  • Existing user records are overwritten in the cloud. All attribute values that were modified in the LDAP directory server since the previous synchronization are updated in the cloud. Attribute values that did not originate in LDAP and exist only in the cloud are not overwritten. For example, these include user devices and authentication methods.

  • The Cloud Authentication Service automatically disables or re-enables users depending on whether they are expired, disabled, or missing in the directory server. For details, see Synchronization and User Status in the Cloud Authentication Service.

During synchronization, RSA SecurID Access searches for an available identity source server. At least one server must be reachable. If a server cannot be reached, the synchronization process terminates.

Users who are moved to a different organizational unit (OU) in the LDAP directory server cannot use their LDAP directory passwords for authenticator registration until after synchronization. You can enable just-in-time synchronization to avoid this issue.

Note:  The identity router uses simple bind authentication for connections to LDAP directory servers.

​Synchronization and User Status in the Cloud Authentication Service

Synchronization may update the user status in the Cloud Authentication Service based on the status in the directory server. The relevant attributes are automatically mapped for Active Directory identity sources, but you can customize these mappings. Manual mapping is required for LDAPv3 identity sources. If you map only one attribute for an LDAPv3 identity source, that attribute provides the user status from the directory server. If you do not map any attributes for LDAPv3, the Cloud Authentication Service views the user as enabled in the directory server and the status in the Cloud Authentication Service is never overridden during synchronization. If you map both attributes for an LDAPv3 identity source, expect the following synchronization results for both LDAPv3 and Active Directory identity sources:

| User Status in Directory Server | User Status in Cloud Authentication Service | User Status Result After Next Synchronization |
|---|---|---|
| Disabled or expired | No existing records | These users are not added to the Cloud Authentication Service. |
| Disabled or expired | Enabled (from previous synchronization) | These users become disabled in the Cloud Authentication Service. You cannot manually re-enable them in the Cloud Authentication Service. |
| Enabled, disabled, or expired | Manually disabled | These users remain disabled after synchronization even if they are enabled in the directory server. |
| Re-enabled or no longer expired | Disabled through synchronization | These users automatically become re-enabled in the Cloud Authentication Service. |
| Re-enabled or no longer expired | Disabled through synchronization, then Pending Deletion | These users automatically become re-enabled in the Cloud Authentication Service (no longer pending deletion). |
| Missing (users who were deleted or are not in scope defined for the identity source) | Enabled, disabled, pending deletion | Users who were previously enabled are disabled in the Cloud Authentication Service. Users who were previously disabled or pending deletion (and disabled) remain in that state. |

​Synchronization Scope

The User Search Filter field determines which users get synchronized. If you synchronize immediately after adding the identity source, as recommended, then all users within the User Search Filter scope are added to the Cloud Authentication Service.

Note:  You can modify the User Search Filter to narrow the scope after the initial synchronization. Users who are no longer within scope are automatically disabled and cannot authenticate. They are deleted from the Cloud Authentication Service after the configured number of days, as described in Manage Users for the Cloud Authentication Service - Configure or Disable Automatic User Deletion - B....

​User Attributes Synchronized

RSA SecurID Access synchronizes a limited subset of user attributes from your directory server to identity sources and uses these attributes for different purposes, depending on which product components are included in your deployment.

| Deployment Components | Synchronized Attributes and Usage |
|---|---|
| SSO Agent | Identity source attributes are required to validate users for authentication and authenticator registration. For a list of synchronized attributes, see Directory Server Attributes Synchronized for Authentication. User passwords are not synchronized. |
| Relying parties, RADIUS clients, and MyPage | RSA SecurID Access synchronizes the same attributes as it does in an SSO Agent deployment to obtain attributes for authentication and authenticator registration. In addition, you must configure a separate list of attributes to identify the target user population in access policies (not required if you use the policy All Authenticated Users). You select these attributes when you add an identity source, in the Policies column on the User Attributes page. Synchronization makes the selected user attributes available to access policies during authentication. If synchronization is disabled and access policies require LDAP attributes to select the target population, users cannot successfully authenticate. Without synchronization, only policies that allow all authenticated users allow successful authentication. |

For more information on making identity source attributes available to access policies, see Access Policies.

​Synchronization Methods

The following methods are available for synchronizing your LDAP directory servers with the Cloud Authentication Service:

  • Just-in-Time Synchronization

  • Manual Synchronization

  • Scheduled Synchronization

  • Single-User Synchronization

The following sections describe each method.

Note:  The Cloud Authentication Service synchronizes a limited number of users during manual and scheduled synchronization operations. Any users who exceed this limit are not synchronized. Therefore, RSA recommends that you enable just-in-time synchronization to ensure that the Cloud Authentication Service is always up-to-date and every user who needs to be added to the identity source gets added. See Configure Company Information and Certificates for enablement instructions.

​ Just-in-Time Synchronization

Just-in-time synchronization ensures that the identity source in the Cloud Authentication Service is updated every time a user attempts to perform one of the following actions:

  • Register a device using the RSA SecurID Authenticate app.

  • Access a protected resource using additional authentication after the LDAP password is validated.

  • Sign in to My Page.

Just-in-time synchronization is the preferred and most convenient method for synchronizing users to the Cloud Authentication Service because it ensures that the Cloud Authentication Service always stays current with the directory server. When this feature is enabled, you never need to add user records through manual or scheduled synchronization. Enablement affects all identity sources in the Cloud Authentication Service deployment.

Note:  For a variety of reasons, the Cloud Authentication Service might not always be able to obtain the most current information about a user from the LDAP directory server. For example, the identity source connection may be down, the user may have been deleted from the LDAP directory server, or the search filter may no longer include that user within its scope. In these cases, the Cloud Authentication Service uses the information that was synchronized most recently. Consequently, a user whose record has been deleted from the LDAP directory can still authenticate. You must manually delete the user from the Cloud Authentication Service to prevent authentication.

​Manual Synchronization

You can manually request immediate synchronization at any time for an identity source. For instructions, see Manually Synchronize an Identity Source.

​Scheduled Synchronization

You can add a schedule to automatically synchronize an identity source on selected days, weeks, or months. This feature ensures that an identity source is updated automatically, on a regular basis, without human intervention. You can edit, enable, or disable the schedule as needed. You can configure a schedule separately for each identity source. For instructions, see Schedule Identity Source Synchronization.

​Single-User Synchronization

A Super Admin or Help Desk Admin can synchronize a single user by clicking Synchronize on the User Management page for the user.

When you search for an unsynchronized user in the Cloud Administration Console, that user is automatically added to the Cloud Authentication Service. For instructions, see View User Information.

​Phone Number Synchronization for SMS and Voice Tokencodes

Users can use SMS Tokencode or Voice Tokencode if each method meets the following criteria:

  • RSA has enabled the method for your company.
  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).
  • Phone numbers for these methods are stored for the user in the Cloud Authentication Service. Phone numbers can be synchronized from the LDAP directory server or entered manually by the administrator.

You configure SMS Tokencode and Voice Tokencode separately. You are not required to make both methods available to users.

Phone Number Attributes

If you want phone numbers to be synchronized from the identity source, you must enter an LDAP attribute for the SMS and Voice phone numbers in the identity source configuration. If the phone number format for that attribute changes in the LDAP directory server, the format is also changed in the Cloud Authentication Service, but the actual phone number remains the same.

If you do not configure an attribute and SMS Tokencode or Voice Tokencode is required for authentication, you must manually enter phone numbers for users on the Users > Management page.

If the Cloud Authentication Service has multiple phone numbers for a user for either SMS Tokencode or Voice Tokencode, the first number in the list for each method is used as the default number for that method. You can use the Cloud Administration Console to select a different phone number to use for authentication.

Overwriting Phone Numbers During Synchronization

During synchronization, all user information is updated in the cloud identity source. The following information applies only to the users' assigned SMS Tokencode and Voice Tokencode phone numbers that are maintained on the Users > Management page.

If you configure a phone number attribute for SMS or Voice, users' assigned phone numbers are overwritten in the cloud identity source during synchronization when both of the following are true:

  • The phone number was not manually modified for the user on the Users > Management page in the Cloud Administration Console.

  • The phone number value has been changed on the LDAP directory server.

Users' assigned SMS and Voice phone numbers are not overwritten in the cloud identity source during synchronization if you manually entered or changed those phone numbers on the Users > Management page. For example:

  • You manually modify a synchronized phone number, including by changing the country code.

  • You manually enter the phone number when no LDAP phone number attribute is configured in RSA SecurID Access. The phone number is not overwritten even if you add the LDAP attribute at a later date.

  • You manually delete an existing phone number (that was either manually-entered or synchronized) and did not manually enter a new number, leaving the field value blank.

Note:  The LDAP directory server determines the phone number format. If you modify the phone number format on the Users > Management page after synchronization, the next synchronization overwrites your changes. For example, if the LDAP directory server synchronizes the phone number +1 555-5555 and you change the format on the Users > Management page to +1 555.5555, the next synchronization will replace your change with +1 555-5555.

​Using Just-in-Time Synchronization to Prevent Expired or Disabled Users from Authenticating

RSA SecurID Access evaluates the user's account expiration date and enabled/disabled status in the Cloud Authentication Service only during synchronization. As a result, a user with an expired or disabled account in the LDAP directory server can successfully authenticate to the Cloud Authentication Service if the Cloud Authentication Service is not handling primary authentication and the identity source was not synchronized after the account expired or became disabled.

For example, suppose a user's account expires on February 10, 2018, the account is scheduled to be synchronized on February 13, 2018, and primary authentication is not required to access the resource. The expired user can access the resource on February 11 and 12 before the synchronization takes place. The Cloud Authentication Service only knows the user is expired after the user is synchronized.

Just-in-time synchronization prevents unauthorized access under these circumstances because when the expired or disabled user tries to authenticate, the account is synchronized and the user automatically becomes disabled in the Cloud Authentication Service.

Note:  If the identity router does not respond to the authentication request within five seconds, the user's account in the Cloud Authentication Service is not updated in time and the expired or disabled user is granted access. However, for subsequent authentications, the user's account will be correctly updated in the Cloud Authentication Service and the user will be denied access.

​Deleting Users from the Directory Server

User records that are synchronized to the Cloud Authentication Service and then subsequently deleted from the directory server are not automatically deleted from the Cloud Authentication Service. These users cannot register an authenticator or use the directory server password to authenticate. Until these users are disabled in the Cloud Authentication Service, they can still use authentication methods that do not require an LDAP password, for example, SMS tokencode. After you manually delete these users' records from the Cloud Authentication Service or delete the identity source containing these users, the users will no longer be able to access resources through the Cloud Authentication Service using any method.
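The exposure described in the two sections above (expired, disabled, or deleted directory users who can still authenticate until the next synchronization) can be audited after the fact by comparing a directory export with authentication events. The following is an added example, not RSA code: it assumes Active Directory semantics for userAccountControl and accountExpires, and the event records, field names, and user names are constructed for illustration and are not the Cloud Authentication Service's log format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Active Directory conventions (assumed identity source type):
# userAccountControl bit 0x2 is ACCOUNTDISABLE; accountExpires counts 100-ns
# ticks since 1601-01-01 UTC, and 0 or 2**63-1 both mean "never expires".
UAC_ACCOUNTDISABLE = 0x0002
AD_NEVER = (0, 0x7FFFFFFFFFFFFFFF)
AD_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> Optional[datetime]:
    """Convert a raw accountExpires value; None means the account never expires."""
    if ticks in AD_NEVER:
        return None
    return AD_EPOCH + timedelta(microseconds=ticks // 10)


def to_filetime(dt: datetime) -> int:
    """Inverse conversion, used here only to build the sample data."""
    return (dt - AD_EPOCH) // timedelta(microseconds=1) * 10


@dataclass(frozen=True)
class DirEntry:            # one row of a directory export (hypothetical shape)
    user_account_control: int
    account_expires: int


@dataclass(frozen=True)
class AuthEvent:           # one authentication record (hypothetical shape)
    when: datetime
    user: str
    method: str
    success: bool


def directory_block_reason(entry: Optional[DirEntry], at: datetime) -> Optional[str]:
    """Why the directory would have refused this user at time `at`, if at all."""
    if entry is None:
        return "missing from directory (deleted or out of search-filter scope)"
    if entry.user_account_control & UAC_ACCOUNTDISABLE:
        # The export does not say when the account was disabled, so this is a
        # candidate for review rather than proof of access after disablement.
        return "disabled in directory"
    expiry = filetime_to_datetime(entry.account_expires)
    if expiry is not None and at >= expiry:
        return "expired in directory"
    return None


def stale_authentications(directory, events):
    """Return successful authentications by users the directory no longer allows."""
    findings = []
    for ev in sorted(events, key=lambda e: e.when):
        if not ev.success:
            continue
        reason = directory_block_reason(directory.get(ev.user.lower()), ev.when)
        if reason:
            findings.append((ev.user, ev.when.isoformat(), ev.method, reason))
    return findings


def _utc(y, m, d, hh=0):
    return datetime(y, m, d, hh, tzinfo=timezone.utc)


# Constructed sample data. "bob" mirrors the page's example: the account expires
# on February 10, 2018 and the scheduled synchronization runs on February 13.
SAMPLE_DIRECTORY = {
    "alice": DirEntry(0x200, 0),                               # enabled
    "bob": DirEntry(0x200, to_filetime(_utc(2018, 2, 10))),    # expired Feb 10
    "carol": DirEntry(0x202, 0x7FFFFFFFFFFFFFFF),              # disabled
    # "dave" was deleted from the directory and is absent from the export
}
SAMPLE_EVENTS = [
    AuthEvent(_utc(2018, 2, 9, 9), "bob", "SMS Tokencode", True),    # before expiry
    AuthEvent(_utc(2018, 2, 11, 9), "bob", "SMS Tokencode", True),   # in the window
    AuthEvent(_utc(2018, 2, 12, 9), "bob", "SMS Tokencode", True),   # in the window
    AuthEvent(_utc(2018, 2, 13, 9), "bob", "SMS Tokencode", False),  # after sync
    AuthEvent(_utc(2018, 2, 12, 10), "alice", "SMS Tokencode", True),
    AuthEvent(_utc(2018, 2, 12, 11), "dave", "SMS Tokencode", True),
    AuthEvent(_utc(2018, 2, 12, 12), "Carol", "Voice Tokencode", True),
]

if __name__ == "__main__":
    for finding in stale_authentications(SAMPLE_DIRECTORY, SAMPLE_EVENTS):
        print(finding)
```

Findings for disabled or missing users are review candidates, because the export alone does not record when the status changed in the directory.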

​Changing LDAP Passwords in an SSO Agent Deployment

When you add an identity source to a deployment that uses the SSO Agent, you can enable users to change their LDAP passwords using the application portal. To use this feature, you must provide directory server administrative credentials that have read and write permissions, and the identity source must be configured to use SSL/TLS connections.

 

 

 

© 2021 RSA Security LLC or its affiliates.
All rights reserved.