Add, Delete, and Test the Connection for an Identity Source in the Cloud Authentication Service

An identity source is a repository in the Cloud Authentication Service that represents one primary LDAP directory server and its replicas. RSA Unified Directory is a new user identity store for the Cloud Authentication Service that will enable full Cloud-only deployments in the future.

To learn about how identity sources and synchronization work, see Identity Sources for the Cloud Authentication Service.

This topic describes how to:

You must be a Super Admin for the Cloud Administration Console to perform these tasks.

Add an Identity Source

Use the Cloud Administration Console to add a connection to an Active Directory or LDAPv3 identity source for the Cloud Authentication Service, or to add a local identity source. You can add up to 30 identity sources. To add a local identity source, see Add a Local Identity Source.


Before you begin

  • Complete the "Plan" section in your Quick Setup Guide.

  • Confirm that your LDAPv3 directory server supports the Simple Paged Results control, identified by controlType 1.2.

  • Obtain the administrator username and password for the directory server. For Active Directory, the administrator must have permissions that equal or exceed those given to the Domain Users group.

    • The username must be in the User Principal Name (UPN) format, such as joeuser@example.com. The account must be enabled to search from the specified directory search root. For Active Directory, the name must be unique in a forest of trees, and the user can be a member of the Domain Users group.

    • The password must not expire. If the password expires, no user will be able to authenticate to the application portal until the password is reset.

  • Understand how user attributes are used in access policies. For more information, see Access Policies.

  • Have the directory server SSL/TLS certificate. For more information, see Cloud Authentication Service Certificates.

  • Make sure your identity router software is up-to-date so you can take advantage of new features and avoid synchronization problems.

  • For IDR SSO Agent deployments, you can allow users to change their identity source passwords using the application portal:
    • The directory server must support read and write access from the identity router.

    • You must select Use SSL/TLS and Allow Users to Change Passwords in the following procedure.

    • Ensure that the directory server is configured to accept SSL/TLS connections.

    • For Active Directory identity sources, the administrator whose credentials are used in the Username and Password fields must be a member of the Domain Admins or Administrators group.

    Note: Identity routers use TLS 1.2 or later encryption protocols to connect to identity sources.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Click Add an Identity Source.
  3. Click Select next to the type of identity source you want to add.
  4. In the Identity Source Name field, enter a name for the identity source.
  5. (Optional) In the Description field, enter a description for the identity source.
  6. In the Root field, enter the Base DN for users. See your Quick Setup Guide for this value.
  7. In the User Tag field, do the following:

    • For SSO service deployments using the Identity Router based application portal, specify an attribute to use as a sign-in name for the application portal. For example, this attribute can contain a username or a user email address.

    • For a non-SSO service deployment, in which users will use Authenticate Tokencodes to access agent-protected resources using the Identity Router API, your LDAP attributes must match those in Authentication Manager. By default, Authentication Manager uses sAMAccountName for Active Directory, but UPN or email address attributes may also be used. The attribute mapping for the Cloud Authentication Service and Authentication Manager should be configured in a similar manner. The User Tag does not affect RADIUS or relying party deployments.

    In certain circumstances, you might need separate identity sources for SSO Agent and non-SSO Agent deployments. For example, this is the case if you use mail for SSO, you want to use Authenticate OTPs, and Authentication Manager is sending sAMAccountName.

    Note: For RADIUS and relying party deployments, only two identity source attributes are supported as username credentials when prompting users for primary authentication. Active Directory supports sAMAccountName or mail. LDAP supports uid or mail. These attributes are not configurable.

  8. In the Object Class field, enter the object class of the user tag. For example, the default for Active Directory is user, which synchronizes all users in the subtree. The default for LDAPv3 identity sources is inetOrgPerson.
  9. In the Reset Interval field, enter the minimum number of seconds before SecurID attempts to reconnect to a directory server in the identity source that was previously unreachable.

    The reset interval does not apply if all directory servers in an identity source are unreachable, or if the identity source has one directory server and it is unreachable. When no directory server is reachable, the Cloud Authentication Service tries to reconnect to the unavailable directory servers for every authentication attempt.

  10. (Optional) Select Follow Referrals to allow queries to the identity source to follow referrals across partitions or between domain controllers. Following referrals can increase the likelihood of finding a requested object. Not following referrals can increase security by limiting a query to a specific domain with known security measures.
  11. In the Directory Servers section, add each directory server in the identity source. Each directory server must contain identical values for the Root, User Tag, and Object Class attributes. For each directory server:
    1. Click Add.
    2. In the Server field, enter the fully qualified hostname or IP address for this directory server from your Quick Setup Guide.
    3. In the Port field, enter the port used for communication to the directory server. The default port for SSL/TLS-encrypted communication is 636. The default port for non-SSL/TLS communication is 389.
    4. In the Cluster field, select the cluster that contains the identity routers that send authentication requests to this directory server (to validate credentials) during authentication.
    5. In the Routing Interface field, Private is automatically selected, so that on-premises identity routers connect to the directory server using the management interface. This setting does not affect identity routers in the Amazon cloud.
    6. In the Username field, enter the username for the directory server administrator account that handles the connection to SecurID. For LDAPv3 identity sources, include the bind DN details.
    7. In the Password field, enter the password for the directory server administrator account.
    8. In the Connection Timeout field, enter the number of seconds that the identity router will attempt to connect to the directory server before it times out.
    9. Click Save.
    10. (Optional) To test the connection to the directory server, click the connection test icon. If the connection is successful, the Connection Test dialog box displays a list of attributes read from the directory server.
  12. In the SSL/TLS Certificates section:
    1. If you are using SSL/TLS, select Use SSL/TLS encryption to connect to the directory servers.
    2. Click Add and select the LDAP server root certificate.
  13. Click Next Step.
  14. On the User Attributes page, click Refresh Attributes, and verify that a valid list of attributes appears.
  15. To view only attributes that are already selected to use in access policies, select Hide Unavailable Attributes.
  16. The Synchronize the selected attributes in the Policies column with the Cloud Authentication Service check box is for deployments that use a configured relying party or RADIUS. The check box has the following effect:

    • Selected: Access policies can use the attributes selected in the Policies column on this page for selecting the target population. These selected attributes and the authentication attributes are synchronized to the Cloud Authentication Service during just-in-time or manual synchronizations. For a list of the authentication attributes synchronized, see Directory Server Attributes Synchronized for Authentication.

    • Unselected: Attributes selected in the Policies column are not synchronized. Authentication attributes are synchronized only if you select Synchronize user attributes for additional authentication on the Additional Authentication page in this wizard.

    Note: If left unselected, you should avoid using LDAP attributes in access policies that use a relying party or RADIUS. Only policies that allow all authenticated users can allow users to successfully authenticate.

  17. To use an attribute to configure access policies, select the check box in the Policies column. The attributes selected here are available on the Access Policies page.

    Note: This check box must be selected for an attribute to be sent in SAML assertions. Only the attributes selected in the Policies column are available for selection in the SAML Service Provider section of a SAML application's Connection Profile.

    Note: SecurID recommends that you do not select the userParameters attribute unless your company requires it. Selecting this attribute occasionally prevents identity source synchronization.

  18. Select the check box in the Apps column to allow an attribute to be sent in HTTP headers when the Pass Headers option is enabled for an application. Selected attributes will be available when you configure SAML applications or relying parties.
  19. (Optional) You can change an attribute's mapping. Before you do this, know the following:

    • If you change the default Target Attribute Type, make sure the new type is compatible with both the original attribute type and the value of the attribute in the directory.

    • If you change the default in the Target Attribute Name field to "mail" (for example, if you change Active Directory default “userPrincipalName” to “mail”), confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that users will be able to authenticate.

    To change the mapping:

    1. Click the icon in the Mapping column.

    2. Edit the Target Attribute Name and Target Attribute Type fields and click Save.

  20. Click Next Step.
  21. (Optional) Configure user attributes to synchronize with the Cloud Authentication Service. These attributes are used to validate user authentication requests and register devices.
    1. Select Synchronize user attributes. This checkbox is selected by default if you selected Synchronize the selected policy attributes with the Cloud Authentication Service on the User Attributes page.
    2. Enter a User Search Filter, which is an LDAP filter that specifies which users within the identity source to synchronize. For example, the User Search Filter (&(objectClass=user)(memberOf=cn=qe,ou=engineering,dc=mycom,dc=local)) specifies that only users that are members of a specific group within the identity source will be synchronized and able to use configured authentication methods.
    3. For LDAPv3, specify a directory server attribute to map to each SecurID user attribute for synchronization. These fields are automatically mapped for Active Directory identity sources, but you can edit them.
      • In the First Name field, enter the LDAP attribute used to identify a user's first name, for example, givenName.

      • In the Last Name field, enter the LDAP attribute used to identify a user's last name, for example, sn.

      • In the Email Address field, enter the LDAP attribute used to identify a user's email address, for example, "mail." If you use an attribute other than "mail," confirm that the user's LDAP or Active Directory attribute is not empty, and that it uses valid email format. This ensures that the attribute can be synchronized to the Cloud Authentication Service.

      • In the Primary Username field, enter a primary user identifier for multifactor authentication through the Cloud Authentication Service, including SecurID, RADIUS, and third-party MFA clients. Typically, this is a short username, such as jdoe.

      • In the Primary Unique Identifier field, enter a unique identifying value (DN) for the user, for example, entryDN.

      • In the Secondary Unique Identifier field, enter a unique and stable identifier for the user, for example, entryUUID.

      • The User Account Status and User Account Expiration attributes are automatically mapped for Active Directory identity sources and therefore always synchronized to the Cloud Authentication Service. If you want to synchronize these attributes for LDAPv3 identity sources, you must manually map these attributes. For detailed information on mapping, see Directory Server Attributes Synchronized for Authentication.

        The User Account Status attribute indicates whether a user is enabled or disabled in the directory server. Disabled users cannot authenticate using the Cloud Authentication Service or register devices.

        The User Account Expiration attribute indicates when the user’s directory server account expires, if applicable.

        Note: In the next two optional fields, SMS Tokencode Phone Number and Voice Tokencode Phone Number, to ensure that SMS and Voice tokencodes are correctly routed during transmission, the country code is required. SecurID recommends using the E.123 international format, +<country_code> <national_number>. For example, +1 555 555 5555 is a U.S. phone number that includes the country code +1.

      • In the SMS Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's mobile phone number that can receive text messages for SMS Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use SMS Tokencode, you must manually enter a phone number for each user.

      • In the Voice Tokencode Phone Number (Optional) field, enter the LDAP attribute used to identify a user's phone number for Voice Tokencode. If the attribute has multiple values, the first value is used for authentication. You can override the attribute value by manually entering a different number for a user using the Cloud Administration Console (Users > Management). If left blank and users are required to use Voice Tokencode, you must manually enter a phone number for each user.

      • In the Alternate Username (Optional) field, enter an attribute that can be used as an additional user identifier. For example, you can use this attribute for the Active Directory userPrincipalName. This attribute cannot be used with SSO Agents.

    Note: If an attribute you specify does not exist in the LDAP directory server, synchronization fails.

  22. Click Next Step.
  23. On the Password Settings page:
    1. Select Allow Users to Change Passwords to enable users to change their directory passwords using the application portal or My Page. This option can be enabled only if the Use SSL/TLS encryption to connect to the directory servers option is selected. By enabling this option, users will be able to do the following on both the identity router (IDR) application portal and My Page:

      • Users who log in with an expired password will be able to reset their password.

      • Users who want to change their password after logging in will also be able to change their password.

    2. If you selected the Allow Users to Change Passwords option, enter the password policy requirements that are configured in the LDAP server in the Password Strength Criteria field. The configured password requirements are displayed on the Change Password page for users. Keep each criterion short and precise, and enter each criterion on its own line. You can refer to the following sample:

    Password must be at least 10 characters long.

    Password must contain at least one uppercase letter.

    Password must contain at least one lowercase letter.

    Password must contain at least one special character.

    Make sure not to repeat any of the last 3 passwords.

  24. Click Save and Finish.
  25. (Optional) Click Publish Changes to activate the settings immediately.
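The User Search Filter entered in step 21 decides which directory users are synchronized, so it is worth dry-running it before saving. The following added example (not RSA code) builds the filter shown on the page with RFC 4515 escaping and evaluates it against constructed sample entries; the group DNs, account names and the entry layout are assumptions made up for the example.

```python
"""Dry-run a User Search Filter of the form used in step 21.

Added example, not RSA code. Builds the filter with RFC 4515 escaping and
evaluates it against constructed sample entries, so you can see which users
would be synchronized and catch a malformed filter before it is saved.
"""
import re

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def user_search_filter(object_class: str, group_dn: str) -> str:
    """Filter that synchronizes only members of group_dn (the shape shown on the page)."""
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"(memberOf={escape_filter_value(group_dn)}))")

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _parse(s: str, i: int):
    """Parse one parenthesised component starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":                      # and / or / not over nested components
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = _parse(s, i)
            children.append(node)
        if s[i] != ")" or not children:
            raise ValueError(f"unbalanced component at offset {i}")
        return (op, children), i + 1
    end = s.index(")", i)                  # equality component: attr=value
    attr, sep, val = s[i:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"bad equality component at offset {i}")
    return ("=", attr.lower(), _unescape(val).lower()), end + 1

def parse_filter(s: str):
    try:
        node, i = _parse(s, 0)
    except IndexError:
        raise ValueError("filter ends before all components are closed") from None
    if i != len(s):
        raise ValueError("text after the final closing parenthesis")
    return node

def is_valid_filter(s: str) -> bool:
    try:
        parse_filter(s)
        return True
    except ValueError:
        return False

def _matches(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry {attr: [values]}, case-insensitively."""
    if node[0] == "=":
        return node[2] in [v.lower() for v in entry.get(node[1], [])]
    op, children = node
    if op == "&":
        return all(_matches(c, entry) for c in children)
    if op == "|":
        return any(_matches(c, entry) for c in children)
    return not _matches(children[0], entry)  # "!"

def users_to_sync(filter_str: str, entries: list) -> list:
    """Return the sAMAccountName of every entry the filter would synchronize."""
    node = parse_filter(filter_str)
    normalized = [{k.lower(): v for k, v in e.items()} for e in entries]
    return [e["samaccountname"][0] for e in normalized if _matches(node, e)]

# Constructed sample directory entries (not taken from any real directory).
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["jdoe"], "objectClass": ["top", "person", "user"],
     "memberOf": ["CN=qe,OU=engineering,DC=mycom,DC=local"]},
    {"sAMAccountName": ["asmith"], "objectClass": ["top", "person", "user"],
     "memberOf": ["CN=sales,OU=business,DC=mycom,DC=local"]},
    {"sAMAccountName": ["bjones"], "objectClass": ["top", "person", "user"],
     "memberOf": ["CN=qe (contractors),OU=engineering,DC=mycom,DC=local"]},
]
```

A group name containing parentheses, as in the third sample entry, only works when the DN is escaped; pasted raw it produces an unbalanced filter, which is why the page notes that synchronization fails when the filter does not resolve.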

Add a Local Identity Source

Use the Cloud Administration Console to add a local identity source. For local identity sources, you can enable or disable user provisioning through the SCIM API. User provisioning using the SCIM API is only available for ID Plus E2 and E3 subscriptions.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.

  2. Click Add an Identity Source.

  3. Click Select next to Local type.

  4. In the Identity Source Name field, enter a name for the identity source.

  5. (Optional) In the Description field, enter a description for the identity source.

  6. For Enable User Provisioning from a SCIM Identity Source, select Yes if you want to allow user provisioning through the SCIM API.

    1. (Optional) In the External SCIM ID Source Admin URL field, enter the URL from which the SCIM API client sends details.
    2. In the SCIM Service Provider Base URI field, click Copy URI to copy the URI to which the SCIM API client sends details.
    3. For the SCIM Service API key field, click Generate Key to generate the Service API key used for SCIM API authentication.
  7. Click Save.

  8. Click Publish Changes to activate the identity source.

Import Users to a Local Identity Source

The Cloud Administration Console allows you to import users in the form of a CSV file to local identity sources. When importing users, you can download and view a sample CSV file to use as a template.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. Find the name of the local identity source you want and select Import Users from the drop-down menu.
  3. In the User CSV File field, click Choose File, navigate to the CSV file, and then click Open.
  4. Click Import.

Note: Click the Download CSV Template button if you want to download a sample users import file.

The Cloud Authentication Service validates that the CSV file is formatted correctly and that all the attribute requirements are met.

Test the Connection Between an Identity Router and a Directory Server

Use the Cloud Administration Console to test the connection between the identity router and a directory server within an identity source. This option is applicable only for Active Directory and LDAP identity sources.

Procedure

  1. In the Cloud Administration Console, click Users > Identity Sources.
  2. In the Directory Servers section, click the connection test icon for the directory server that you want to test.
    The Connection Test dialog box appears. If the connection is successful, the dialog box displays the attributes read from the directory server.

Delete an Identity Source

You can use the Cloud Administration Console to delete an identity source that is no longer needed. Expect the following behavior when you delete an identity source:

  • After you confirm the deletion but do not publish, you can no longer edit the identity source or synchronize users. You can still use the Cloud Administration Console to find users in that identity source and the users can continue to authenticate.
  • After you publish the changes, all users from the identity source are deleted from the Cloud Authentication Service and can no longer authenticate. The identity source configuration settings are deleted from the Cloud Authentication Service.

Procedure

  1. Sign in to the Cloud Administration Console.
  2. Remove the identity source you will be deleting from all custom and system access policies.

    Note: Skip the preconfigured policies. The identity source will be automatically removed from these policies when you delete the identity source.

    1. Click Access > Policies.

    2. For each custom policy, click Edit and go to the Identity Sources tab. If the identity source to be deleted is included in the policy, deselect the box next to it, then click Next Step and Save and Finish. Otherwise, click Cancel.

    3. If any configurations in your deployment for relying party, RADIUS profiles, or SAML IDR SSO Agent use attributes from the identity source being deleted, delete the attributes from those configurations.

    4. If the Device Registration Using Password Policy is enabled, click Edit to see if the identity source to be deleted is included in the policy. If it is included, deselect the box next to it, then click Next Step and Save and Finish. If the policy is disabled, the identity source will be automatically removed from the policy.

  3. (Optional) Perform these steps only if you are preserving an identity source that is either a duplicate or a subset of the identity source you are deleting. You can ensure that users are synchronized into the preserved identity source, and that no users are associated with the identity source being deleted.
    1. Synchronize the identity source you are keeping. Click Users > Identity Sources. Next to the name of the identity source, select Synchronization from the drop-down menu. On the Synchronization page, in the Identity Source Details section, click Synchronize Now.
    2. Run a user report to confirm that the identity source being preserved contains the expected user population, and the identity source being deleted contains no users. Click Users > Reports > Generate > Download CSV. You can sort by identity source in the CSV file.
  4. Click Users > Identity Sources.
  5. Find the name of the identity source you want to delete and select Delete from the drop-down menu.
  6. Click Delete to confirm the change.

    Note: After confirming, you cannot reverse this action, even if you do not immediately publish.

  7. Click Publish Changes if you want to activate the settings immediately.