Identity Sources for the Cloud Authentication Service

An identity source is a repository in the Cloud Authentication Service (CAS) that represents one primary LDAP directory server and its replicas. This topic describes:

To add an identity source, see Add, Delete, and Test the Connection for an Identity Source in the Cloud Authentication Service.

Supported Directory Servers

The Cloud Authentication Service supports Microsoft Active Directory and LDAPv3 directories. The LDAPv3 servers must support Simple Paged Search. Your LDAP server must support control type 1.2.840.113556.1.4.319. See your LDAP server documentation to verify this support before adding an LDAPv3 identity source.

Note: The identity router uses simple bind authentication for connections to LDAP directory servers.
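One way to verify the paged-search prerequisite before adding an LDAPv3 identity source is to read the server's rootDSE and confirm that the control OID appears in supportedControl. The following Python is an added example, not part of the SecurID documentation: it parses the LDIF that a query such as `ldapsearch -x -H ldaps://<directory-host> -s base -b "" supportedControl supportedLDAPVersion` returns (the host is a placeholder), and the two rootDSE dumps embedded in it are constructed, not captured from a real server.

```python
import base64

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # Simple Paged Results control (RFC 2696)

# Constructed sample rootDSE (not captured from a real server). The second
# supportedControl value is folded across two lines the way LDIF allows.
SAMPLE_ROOTDSE = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.2.840.113556.1.4.
 319
supportedLDAPVersion: 3
"""

# Constructed sample of a server that does not advertise paged results.
SAMPLE_ROOTDSE_NO_PAGING = """\
dn:
supportedControl: 2.16.840.1.113730.3.4.2
supportedLDAPVersion: 2
supportedLDAPVersion: 3
"""


def parse_ldif_entry(ldif_text):
    """Return {attribute (lower-case): [values]} for one LDIF entry.

    Unfolds RFC 2849 continuation lines (leading space), decodes '::' base64
    values, and skips comments and the optional version line.
    """
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def supports_paged_results(ldif_text):
    """True if the rootDSE advertises the Simple Paged Results control."""
    return PAGED_RESULTS_OID in parse_ldif_entry(ldif_text).get("supportedcontrol", [])


def supports_ldap_v3(ldif_text):
    """True if the rootDSE lists protocol version 3."""
    return "3" in parse_ldif_entry(ldif_text).get("supportedldapversion", [])


def check_rootdse(ldif_text):
    """Summarise the two prerequisites the documentation names."""
    return {
        "ldapv3": supports_ldap_v3(ldif_text),
        "paged_results": supports_paged_results(ldif_text),
    }


if __name__ == "__main__":
    for label, dump in (("sample", SAMPLE_ROOTDSE), ("no paging", SAMPLE_ROOTDSE_NO_PAGING)):
        print(label, check_rootdse(dump))
```

Feed the real rootDSE output into check_rootdse; a False under paged_results means the server will not satisfy the Cloud Authentication Service's search requirements regardless of how the identity source is configured.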

Synchronizing Identity Sources with the LDAP Directory Server

Synchronization is the process by which the Cloud Authentication Service copies the latest user information from the LDAP directory server to the Cloud Authentication Service identity source. The Cloud Authentication Service has read-only access to the LDAP directory server. The Cloud Authentication Service needs the latest information from the directory server about each user so the user can register authenticators and use them to access protected resources. Synchronization ensures that the latest user attributes are available to the Cloud Authentication Service for access policies and SMS Tokencode and Voice Tokencode authentication. User passwords are not synchronized.

During synchronization, SecurID searches for an available identity source server. At least one server must be reachable. If a server cannot be reached, the synchronization process terminates.

Synchronization Methods

The following synchronization methods are available:

Just-in-Time Synchronization

Each time the Cloud Authentication Service processes a user authentication, the identity source in the Cloud Authentication Service updates the user's identity source record with the latest information from the directory server. One user record is updated per authentication attempt. This is called just-in-time synchronization. Just-in-time synchronization produces the following results:

  • If the user is new, a record is added to the Cloud Authentication Service.

  • If the user already has a record in the Cloud Authentication Service, the record is overwritten. All attribute values that were modified in the LDAP directory server since the previous synchronization are updated in the cloud. Attribute values that did not originate in LDAP and exist only in the cloud are not overwritten. For example, these include user devices and authentication methods.

  • The Cloud Authentication Service automatically disables or re-enables the user depending on whether the user is expired, disabled, or out of scope (as described in Synchronization Scope) in the directory server.

Just-in-time synchronization does not occur when a user authenticates using only a password through the identity router application portal because the Cloud Authentication Service is not performing the authentication.

Manual Bulk Synchronization

Manual bulk synchronization is available when you need to update an entire identity source. For example, suppose you have users who have been disabled in the directory server or moved out of scope from the identity source, and their presence in the Cloud Authentication Service exceeds the license limit. You can use manual bulk synchronization to disable those users in the Cloud Authentication Service before they attempt to authenticate. Those users will eventually be deleted from the Cloud Authentication Service if they are marked for automatic bulk deletion as described in Mark a User for Automatic Bulk Deletion from the Cloud Authentication Service. In contrast, just-in-time synchronization updates users only when they attempt to authenticate.

Note: The Cloud Authentication Service synchronizes only a limited number of users during manual synchronization. Any users who exceed this limit are not synchronized.

For instructions on using bulk synchronization, see Manually (Bulk) Synchronize an Identity Source for the Cloud Authentication Service.

Single User Synchronization

A Super Admin or Help Desk Admin can synchronize a single user by clicking Synchronize on the User Management page for the user.

When you search for an unsynchronized user in the Cloud Administration Console, that user is automatically added to the Cloud Authentication Service when you click Include users not yet synchronized to the Cloud Authentication Service in your search. Only exact matches are found. For more information, see View User Information.

Periodic User Refresh

To keep Cloud Authentication Service user accounts current, a daily automatic User Accounts Refresh process selects up to 1000 users whose Cloud Authentication Service accounts have not been used during the preceding 30 days and queries the on-premises directory server (LDAP) for their current details.

Based on the directory server response, account details are updated for all refreshed user accounts. The system disables accounts that are expired on the directory server, that are out of scope, or that have been deleted from the directory server. Once disabled, these accounts lose access to the Cloud Authentication Service.

Synchronization and User Status in the Cloud Authentication Service

Synchronization may update the user status in the Cloud Authentication Service based on the status in the directory server. The relevant attributes are automatically mapped for Active Directory identity sources, but you can customize these mappings. Manual mapping is required for LDAPv3 identity sources. If you map only one attribute for an LDAPv3 identity source, that attribute provides the user status from the directory server. If you do not map any attributes for LDAPv3, the Cloud Authentication Service views the user as enabled in the directory server and the status in the Cloud Authentication Service is never overridden during synchronization. If you map both attributes for an LDAPv3 identity source, expect the following synchronization results for both LDAPv3 and Active Directory identity sources:

Each row gives the user status in the directory server, the user status in the Cloud Authentication Service, and the resulting user status after the next synchronization.

  • Directory server: Disabled or expired
    Cloud Authentication Service: No existing records
    Result after next synchronization: These users are not added to the Cloud Authentication Service.

  • Directory server: Disabled or expired
    Cloud Authentication Service: Enabled (from previous synchronization)
    Result after next synchronization: These users become disabled in the Cloud Authentication Service. You cannot manually re-enable them in the Cloud Authentication Service.

  • Directory server: Enabled, disabled, or expired
    Cloud Authentication Service: Manually disabled
    Result after next synchronization: These users remain disabled after synchronization even if they are enabled in the directory server.

  • Directory server: Re-enabled or no longer expired
    Cloud Authentication Service: Disabled through synchronization
    Result after next synchronization: These users automatically become re-enabled in the Cloud Authentication Service.

  • Directory server: Re-enabled or no longer expired
    Cloud Authentication Service: Disabled through synchronization, then Pending Deletion
    Result after next synchronization: These users automatically become re-enabled in the Cloud Authentication Service (no longer pending deletion).

  • Directory server: Missing (users who were deleted or are not in the scope defined for the identity source)
    Cloud Authentication Service: Enabled, disabled, or pending deletion
    Result after next synchronization: Users who were previously enabled are disabled in the Cloud Authentication Service. Users who were previously disabled or pending deletion (and disabled) remain in that state.
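The status rules above can be read as a reconciliation function over two snapshots: the in-scope directory entries and the current cloud records. The Python below is an added example, not SecurID's code; it encodes the rows of the table, and derives the directory status from the Active Directory attributes userAccountControl (bit 0x2, ACCOUNTDISABLE) and accountExpires (100 ns intervals since 1601, with 0 and 0x7FFFFFFFFFFFFFFF meaning never), which is general AD knowledge and an assumption about what the automatic mapping uses rather than something the documentation states. All user records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Active Directory attribute semantics (general AD knowledge, assumed to be
# what the automatic mapping uses; the documentation does not name them).
ACCOUNTDISABLE = 0x2                       # bit in userAccountControl
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)    # accountExpires sentinel values
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Cloud-side states used in the table above.
ENABLED = "enabled"
MANUALLY_DISABLED = "manually disabled"
SYNC_DISABLED = "disabled through synchronization"
PENDING_DELETION = "pending deletion"


def to_filetime(dt):
    """Aware datetime -> AD accountExpires (100 ns intervals since 1601)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def ad_status(entry, now):
    """Map an AD entry to 'enabled', 'disabled' or 'expired'."""
    if int(entry.get("userAccountControl", 0)) & ACCOUNTDISABLE:
        return "disabled"
    expires = int(entry.get("accountExpires", 0))
    if expires not in NEVER_EXPIRES:
        expiry = FILETIME_EPOCH + timedelta(microseconds=expires // 10)
        if expiry <= now:
            return "expired"
    return "enabled"


def reconcile(directory, cloud, now):
    """Return the cloud records after one synchronization pass.

    directory: {username: AD entry} for users inside the identity source's
    scope; anyone absent is 'missing' (deleted or out of scope).
    cloud: {username: current cloud state}.
    """
    result = dict(cloud)
    for user, entry in directory.items():
        status = ad_status(entry, now)
        current = cloud.get(user)
        if current is None:
            if status == "enabled":          # disabled/expired users are never added
                result[user] = ENABLED
        elif current == MANUALLY_DISABLED:
            pass                              # stays disabled whatever the directory says
        elif status in ("disabled", "expired"):
            result[user] = SYNC_DISABLED      # cannot be re-enabled by hand
        else:
            result[user] = ENABLED            # re-enabled; also clears pending deletion
    for user, current in cloud.items():
        if user not in directory and current == ENABLED:
            result[user] = SYNC_DISABLED      # missing users lose access
        # missing users already disabled or pending deletion keep that state
    return result


# Constructed snapshots illustrating every row of the table.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DIRECTORY = {
    "alice": {"userAccountControl": 512},                     # new, normal account
    "bob":   {"userAccountControl": 514},                     # 512 | ACCOUNTDISABLE
    "carol": {"userAccountControl": 512,
              "accountExpires": to_filetime(datetime(2023, 1, 1, tzinfo=timezone.utc))},
    "dave":  {"userAccountControl": 512},
    "erin":  {"userAccountControl": 512},
    "frank": {"userAccountControl": 514},                     # new but disabled
}
CLOUD = {
    "bob": ENABLED,              # disabled in AD since the last sync
    "carol": ENABLED,            # expired in AD
    "dave": MANUALLY_DISABLED,   # admin disabled in the cloud; enabled in AD
    "erin": PENDING_DELETION,    # re-enabled in AD
    "grace": ENABLED,            # deleted from AD or moved out of scope
    "heidi": PENDING_DELETION,   # missing and already pending deletion
}

if __name__ == "__main__":
    for user, state in sorted(reconcile(DIRECTORY, CLOUD, NOW).items()):
        print(f"{user:6} {state}")
```

The two loops correspond to the two halves of the table: present users are driven by the directory status (with a manual disable always winning), and absent users are only ever disabled, never re-enabled or added.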

Synchronization Scope

The User Search Filter field determines which users get synchronized. If you synchronize immediately after adding the identity source, as recommended, then all users within the User Search Filter scope are added to the Cloud Authentication Service.

Note: You can modify the User Search Filter to narrow the scope after the initial synchronization. Users who are no longer within scope are automatically disabled and cannot authenticate. They are deleted from the Cloud Authentication Service after the configured number of days, as described in Manage Users for the Cloud Authentication Service - Configure or Disable Automatic User Deletion - Bulk Maintenance.
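To see which users a narrowed User Search Filter would push out of scope before you change it, the filter can be evaluated against exported entries. The Python below is an added example, not SecurID's code: it implements a small subset of RFC 4515 search filters (AND, OR, NOT, equality and presence items; escape sequences and values containing ')' are not handled) and applies an initial and a narrowed filter to constructed entries. The product evaluates the filter on the LDAP server; this only shows the scope effect the section describes.

```python
def parse_filter(text):
    """Parse an RFC 4515 filter (subset: &, |, !, attr=value, attr=*)."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected trailing text: %r" % text[pos:])
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", child), i + 1
    # Simple item. Values containing ')' or RFC 4515 escapes are not handled.
    end = s.index(")", i)
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError("only equality and presence items are supported")
    return ("=", attr.strip().lower(), value), end + 1


def matches(node, entry):
    """True if entry ({attr (lower-case): [values]}) satisfies the filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)                                   # presence
    return any(v.lower() == value.lower() for v in values)   # case-insensitive equality


def in_scope(filter_text, entries):
    """Names of the entries the filter selects."""
    node = parse_filter(filter_text)
    return {name for name, entry in entries.items() if matches(node, entry)}


def dropped_from_scope(old_filter, new_filter, entries):
    """Users that were in scope and no longer are; the service disables them."""
    return in_scope(old_filter, entries) - in_scope(new_filter, entries)


# Constructed directory entries (attribute names lower-cased).
GROUPS_DN = "OU=Groups,DC=example,DC=com"
ENTRIES = {
    "alice": {"objectclass": ["user"], "memberof": ["CN=CAS-Users," + GROUPS_DN]},
    "bob": {"objectclass": ["user"], "memberof": ["CN=Contractors," + GROUPS_DN]},
    "svc-backup": {"objectclass": ["user"]},             # service account, no groups
    "printer1": {"objectclass": ["computer"]},
}
INITIAL_FILTER = "(objectClass=user)"
NARROWED_FILTER = "(&(objectClass=user)(memberOf=CN=CAS-Users," + GROUPS_DN + "))"

if __name__ == "__main__":
    print("in scope now:", sorted(in_scope(INITIAL_FILTER, ENTRIES)))
    print("in scope after:", sorted(in_scope(NARROWED_FILTER, ENTRIES)))
    print("will be disabled:", sorted(dropped_from_scope(INITIAL_FILTER, NARROWED_FILTER, ENTRIES)))
```

Running this over a real export before narrowing the filter gives the list of accounts that the next synchronization will disable, which is worth reviewing because those users cannot authenticate from that point on.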

User Attributes Synchronized

SecurID synchronizes a limited subset of user attributes from your directory server to identity sources and uses these attributes for different purposes, depending on which product components are included in your deployment.

  • Deployment components: IDR SSO Agent
    Synchronized attributes and usage: Identity source attributes are required to validate users for authentication and authenticator registration. For a list of synchronized attributes, see Directory Server Attributes Synchronized for Authentication. User passwords are not synchronized.

  • Deployment components: Relying parties, RADIUS clients, and MyPage
    Synchronized attributes and usage: SecurID synchronizes the same attributes as it does in an IDR SSO Agent deployment to obtain attributes for authentication and authenticator registration.

    In addition, you must configure a separate list of attributes to identify the target user population in access policies (not required if you use the policy All Authenticated Users). You select these attributes when you add an identity source, in the Policies column on the User Attributes page. Synchronization makes the selected user attributes available to access policies during authentication. If synchronization is disabled and access policies require LDAP attributes to select the target population, users cannot successfully authenticate. Without synchronization, only policies that allow all authenticated users allow successful authentication.

For more information on making identity source attributes available to access policies, see Access Policies.

Phone Number Synchronization for SMS and Voice Tokencodes

Users can use SMS Tokencode or Voice Tokencode if each method meets the following criteria:

  • SecurID has enabled the method for your company.
  • Users' required identity source information is synchronized with the Cloud Authentication Service (similar to other authentication methods).
  • Phone numbers for these methods are stored for the user in the Cloud Authentication Service. Phone numbers can be synchronized from the LDAP directory server or entered manually by the administrator.

You configure SMS Tokencode and Voice Tokencode separately. You are not required to make both methods available to users.

Phone Number Attributes

If you want phone numbers to be synchronized from the identity source, you must enter an LDAP attribute for the SMS and Voice phone numbers in the identity source configuration. If the phone number format for that attribute changes in the LDAP directory server, the format is also changed in the Cloud Authentication Service, but the actual phone number remains the same.

If you do not configure an attribute and SMS Tokencode or Voice Tokencode is required for authentication, you must manually enter phone numbers for users on the Users > Management page.

If the Cloud Authentication Service has multiple phone numbers for a user for either SMS Tokencode or Voice Tokencode, the first number in the list for each method is used as the default number for that method. You can use the Cloud Administration Console to select a different phone number to use for authentication.

Overwriting Phone Numbers During Synchronization

During synchronization, all user information is updated in the cloud identity source. The following information applies only to the users' assigned SMS Tokencode and Voice Tokencode phone numbers that are maintained on the Users > Management page.

If you configure a phone number attribute for SMS or Voice, users' assigned phone numbers are overwritten in the cloud identity source during synchronization when both of the following are true:

  • The phone number was not manually modified for the user on the Users > Management page in the Cloud Administration Console.

  • The phone number value has been changed on the LDAP directory server.

Users' assigned SMS and Voice phone numbers are not overwritten in the cloud identity source during synchronization if you manually entered or changed those phone numbers on the Users > Management page. For example:

  • You manually modify a synchronized phone number, including by changing the country code.

  • You manually enter the phone number when no LDAP phone number attribute is configured in SecurID. The phone number is not overwritten even if you add the LDAP attribute at a later date.

  • You manually delete an existing phone number (that was either manually entered or synchronized) and did not manually enter a new number, leaving the field value blank.

Note: The LDAP directory server determines the phone number format. If you modify the phone number format on the Users > Management page after synchronization, the next synchronization overwrites your changes. For example, if the LDAP directory server synchronizes the phone number +1 555-5555 and you change the format on the Users > Management page to +1 555.5555, the next synchronization will replace your change with +1 555-5555.
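The overwrite rules in this section, the bullets and the note together, are easiest to check as a single decision function. The Python below is an added example, not SecurID's code. It tells "the number was changed" (kept) apart from "only the format was changed" (overwritten on the next synchronization) by comparing the digit-only forms of the two values, which is an assumption about how the product distinguishes the two cases; the phone values are constructed.

```python
import re


def digits(value):
    """Digits only, e.g. '+1 555-5555' -> '15555555'; used to tell a changed
    number from a changed format."""
    return re.sub(r"\D", "", value or "")


def next_phone_value(ldap_prev, ldap_now, cloud_value):
    """Value the Users > Management page holds after the next synchronization.

    ldap_prev / ldap_now: the configured attribute's value at the previous
    and current synchronization; None means no attribute was configured.
    cloud_value: current page value; None = never set, '' = admin cleared it.
    Returns (new_value, reason).
    """
    if ldap_now is None:
        return cloud_value, "no LDAP attribute configured; page value kept"
    if cloud_value is None:
        return ldap_now, "first synchronization of this number"
    if cloud_value == "":
        return "", "manually deleted; stays blank"
    if ldap_prev is None:
        return cloud_value, "entered manually before the attribute existed; kept"
    if digits(cloud_value) != digits(ldap_prev):
        return cloud_value, "manually changed (for example the country code); kept"
    if cloud_value != ldap_prev:
        return ldap_now, "only the format was edited; LDAP format restored"
    if ldap_now != ldap_prev:
        return ldap_now, "LDAP value changed; overwritten"
    return cloud_value, "unchanged"


# Constructed cases mirroring the bullets and the note above.
CASES = [
    ("+1 555-5555", "+1 555-5555", "+1 555.5555"),   # format edited on the page
    ("+1 555-5555", "+1 555-5555", "+44 555-5555"),  # country code changed on the page
    ("+1 555-5555", "+1 555-6666", "+1 555-5555"),   # number changed in LDAP
    (None, "+1 555-5555", "+1 555-1234"),            # manual entry, attribute added later
    ("+1 555-5555", "+1 555-6666", ""),              # manually deleted
    (None, "+1 555-5555", None),                     # first synchronization
]

if __name__ == "__main__":
    for prev, now, page in CASES:
        print(prev, now, repr(page), "->", next_phone_value(prev, now, page))
```

The order of the checks matters: a cleared field and a pre-attribute manual entry must be recognised before the digit comparison, otherwise they would be treated as ordinary synchronized values and overwritten.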

Automatic Removal of Users Who Have Never Used Cloud Authentication Service

The Cloud Authentication Service runs an automatic clean-up process, which removes the data for users who have never used the Cloud Authentication Service. This includes identifying the users who have not used the Cloud Authentication Service for at least 30 days after their user records were initially created in the Cloud Authentication Service, disabling and marking them for deletion, and deleting their data. The Cloud Authentication Service automatically deletes all users who have been Pending Deletion (disabled and marked for deletion) for seven days. The deleted user records can be added back if the users need to use the Cloud Authentication Service.

Preventing Deleted, Disabled, and Expired Users from Authenticating

Just-in-time synchronization prevents deleted, disabled, and expired users from authenticating by automatically disabling those users during the authentication attempt. Disabled users cannot authenticate.

You can require users to provide directory server credentials prior to additional (step-up) authentication to further ensure that deleted, disabled, and expired users are blocked from accessing protected resources.

Rarely, a network issue or slow response from the directory server may prevent the synchronization from completing within the allowed time frame. In these cases, the Cloud Authentication Service refers to the most recent cached information it has about the user in order to continue the authentication process. The cached data will be updated with the next just-in-time synchronization and the user will be disabled and denied access during a subsequent authentication attempt.

Changing LDAP Passwords in an IDR SSO Agent Deployment

When you add an identity source to a deployment that uses the IDR SSO Agent, you can enable users to change their LDAP passwords using the application portal. To use this feature, the service account used to connect to the directory server must be delegated the "reset user password" task, and the identity source must be configured to use SSL/TLS connections.