Troubleshooting Cloud Authentication Service Identity Source Synchronization

When an identity source synchronization does not work properly, investigate the following areas to identify and resolve the problem.

Identity Router

Check the status of the identity router. At least one identity router must be connected to the Cloud Authentication Service.

LDAP Directory Server

Confirm the following:
  • The LDAP directory server is running.
  • The connection between the identity router and the LDAP directory server is functioning.
  • The credentials used to access the LDAP directory server are valid.
  • The port specified for the LDAP directory server is valid.

LDAP servers that are not patched against the Logjam attack may be unable to synchronize with the identity routers over an SSL/TLS connection. When the identity router fails to synchronize with an unpatched LDAP server, the following message appears in the identity router logs: "Ephemeral DH public key size is less than the required minimum".

To work around this problem, update the LDAP servers in your environment to use a 2048-bit Diffie-Hellman group and to disable support for export cipher suites.

Identity Source

Identity sources are configured in the Cloud Administration Console. Investigate the following areas:
  • If the identity source uses an SSL/TLS port, make sure the checkbox "Use SSL/TLS to connect to the identity source" is selected and the SSL/TLS certificate is valid. If necessary, re-import the certificate. If the port is a non-SSL/TLS port, the checkbox should not be selected.
  • Make sure the identity source uses a valid User Base DN and user search filter to select users from the correct subtrees.
  • If your identity source is configured with multiple directory servers, check that each server is properly configured and reachable.

Resolving Duplicate Users in Identity Sources

During identity source synchronization, a message might indicate that some users have duplicate Primary or Alternate Usernames. The duplicates may occur in one identity source or across multiple identity sources. These users can be synchronized, but they might not be able to complete authentication.

Note: Consider your particular environment to determine whether the message requires further action. For example, if your users are always required to sign in with their Alternate Username rather than with their Primary Username, duplication of the Primary Username might be irrelevant.

To resolve this issue, perform these steps:

  1. Generate a user report. In the Cloud Administration Console, click Users > Reports.

  2. Click Generate.

  3. Sort the report by the Username or Alternate Username column.

  4. Examine the report to determine which identity sources have conflicts.

  5. Update the identity source configuration accordingly. Possible actions might include:
    • Deleting an unnecessary identity source.

    • Narrowing the scope of an identity source to eliminate the duplication.

    • Changing the attribute mapping for Primary Username or Alternate Username, to ensure that the value is unique for each user.

User Records

User records might not synchronize with SecurID for the following reasons:
  • The user record coming from LDAP does not have an email address.
  • The user's email address in LDAP does not use valid syntax.
  • A user record coming from LDAP has the same email address as a user record already in SecurID, but SecurID cannot confirm that the records belong to the same user because they have different object identifiers (objectGUID). A mismatch condition can occur if the user record was deleted from LDAP and then recreated.
  • An administrator user record was manually created in SecurID and the user already has a record with the same email address in LDAP.
  • A user has a record in two different identity sources representing two different instances of the LDAP directory server. Both user records contain the same email address.
  • Multiple users in a single LDAP directory server instance have the same email address.
  • Two different LDAP directory servers containing the same users are configured as two different identity sources in SecurID, resulting in multiple user records with duplicate email addresses.
  • The record belongs to an object that is not a user object. If you want to prevent SecurID from attempting to synchronize records that do not belong to users, adjust the Object Class to exclude these records.
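The duplicate-username conflicts described under "Resolving Duplicate Users in Identity Sources" and the user-record conditions listed above can be checked before a synchronization is attempted. The following script is an added example, not part of this documentation or of the SecurID product: it runs the checks over a constructed set of LDAP records and reports, per objectGUID, which condition would block or conflict. The attribute names, the mapping of Primary and Alternate Username to LDAP attributes, and the set of emails already present in SecurID are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample data (not a real export). Each tuple is: (identity source, objectGUID,
# objectClass, mail, Primary Username, Alternate Username); attribute mapping is assumed.
LDAP_RECORDS = [
    ("corp", "guid-alice-2", "user", "alice@example.com", "alice", "alice@corp.example"),
    ("corp", "guid-bob", "user", "bob@example", "bob", "bob@corp.example"),
    ("corp", "guid-dave", "user", "", "dave", "dave@corp.example"),
    ("corp", "guid-printer", "computer", "", "printer01$", ""),
    ("lab", "guid-carol", "user", "carol@example.com", "carol", "carol@lab.example"),
    ("corp", "guid-carol2", "user", "Carol@Example.com", "alice", "carol2@corp.example"),
]
# Constructed: emails already in SecurID, mapped to the objectGUID they were synchronized with.
EXISTING_SECURID = {"alice@example.com": "guid-alice-1"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple syntax check

def check_records(records, existing=EXISTING_SECURID):
    """Return {objectGUID: [reasons]} for records likely to fail or conflict during sync."""
    problems = defaultdict(list)
    by_email = defaultdict(list)   # normalised email -> [(source, objectGUID)]
    by_name = defaultdict(list)    # (username kind, normalised value) -> [objectGUID]
    for source, guid, oclass, mail, primary, alternate in records:
        if oclass != "user":       # candidate for exclusion via the Object Class setting
            problems[guid].append("not a user object")
            continue
        mail = mail.strip().lower()
        if not mail:
            problems[guid].append("missing email")
        elif not EMAIL_RE.match(mail):
            problems[guid].append("invalid email syntax")
        else:
            by_email[mail].append((source, guid))
            if mail in existing and existing[mail] != guid:   # e.g. deleted and recreated in LDAP
                problems[guid].append("email matches existing SecurID user with different objectGUID")
        for kind, value in (("Primary Username", primary), ("Alternate Username", alternate)):
            if value:
                by_name[(kind, value.lower())].append(guid)
    for mail, hits in by_email.items():
        if len(hits) > 1:
            scope = "across identity sources" if len({s for s, _ in hits}) > 1 else "within one identity source"
            for _, guid in hits:
                problems[guid].append(f"duplicate email {scope}")
    for (kind, value), guids in by_name.items():
        if len(guids) > 1:
            for guid in guids:
                problems[guid].append(f"duplicate {kind} {value!r}")
    return dict(problems)
```

Records flagged "not a user object" are the ones an Object Class filter would exclude; the others map directly to the configuration actions listed above (narrowing the source scope or changing the username attribute mapping).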