Unified Directory

RSA Unified Directory is a new user identity store for the Cloud Authentication Service that will enable full Cloud-only deployments in the future. RSA Unified Directory has the ability to create and store local users and their passwords using the open standard System for Cross-domain Identity Management (SCIM) API. Administrators can manage local users from the Cloud Administration Console or My Page self-service portal. Users can manage themselves using the My Page self-service portal. Local user passwords are validated completely within the Cloud Authentication Service.

Add a Unified Directory Identity Source

Disable Unified Directory Identity Sources

Add a Unified Directory Identity Source

In the Unified Directory, you can add the following types of identity sources:

  • Local identity source

  • Azure Active Directory (SCIM) identity source

  • SCIM Managed identity source

You can create users locally or provision them from an external source or an Azure Active Directory through the SCIM APIs based on the created identity source type and your subscription. For more information, see User Provisioning Using SCIM API.

The ability to add Local and Azure Active Directory (SCIM) identity sources is available for all ID Plus subscriptions (from E1 to E3). However, using SCIM provisioning in Local identity sources and adding SCIM Managed identity sources are available for ID Plus E2 and E3 subscriptions.


  1. In the Cloud Administration Console, click Users > Identity Sources.

  2. Click Add an Identity Source.

  3. Click Select next to the required identity source type.

  4. In the Identity Source Name field, enter a name for the identity source.

  5. (Optional) In the Description field, enter a description for the identity source.

  6. If you want to Enable User Provisioning from a SCIM Identity Source, select Yes.

    1. (Optional) In the External SCIM ID Source Admin URL field, enter the URL from which the SCIM API client sends details.
    2. In the SCIM Service Provider Base URI field, click Copy URI to copy the URI to which the SCIM API client sends details.
    3. For the SCIM Service API key field, click Generate Key to generate the Service API key used for SCIM API authentication.
  7. In the Password Type section, select one of the following options:

    1. RSA Unified Directory option if you want users to use their passwords for authentication in any sign-in page, and the Cloud Authentication Service stores and validates their passwords. By default, this option is selected. Select if the RSA Password is Required or Allowed. Then, in the Initial Password Creation Options section, enable one of the following options to create passwords:

      • Entered by Admin if you want to enter passwords for users.

      • Generated by CAS if you want the Cloud Authentication Service to generate a random initial password for users. Then, in the Send Initial Password Options section, select how passwords will be provided to users:

        • Email if you want to send an initial password to the user's email address. This option can be used for users added through the "Add a User" option (Users > Management), CSV import, or SCIM API.

        • Display on Screen to Admin if you want the Cloud Authentication Service to generate a random password. Then, you can copy the automatically generated password and send it to users. This option only applies to users added to local identity sources via the "Add a User" option (Users > Management) in the Cloud Administration Console. For more information, see Add a User in the Unified Directory.

      Note: The initial password creation options apply only to local type identity sources.

    2. No Password Available to CAS for authentication if you want an identity provider to authenticate users. In this case, the Cloud Authentication Service does not store or validate users' passwords. For information about configuring an identity provider, see Adding Identity Provider.

  8. Click Save

  9. Click Publish Changes to activate the identity source.

Password Management Policy for Unified Directory Users

RSA Unified Directory complies with the latest NIST 800-63B guidelines, which recommend not rotating passwords unless a breach is suspected. Password rotation reduces security as users engage in poor security behaviors when passwords must be changed periodically.

A user's password is stored in the Unified Directory using a salted one-way hash.

Disable Unified Directory Identity Sources

When you disable an identity source in the Unified Directory, you cannot edit its existing users or add new ones, and existing users will not be able to authenticate or access My Page.


  1. In the Cloud Administration Console, click Users > Identity Sources.

  2. Find the name of the Unified Directory identity source you want and select Disable from the drop-down menu.
  3. Click Disable in the dialog box that appears.

  4. Click Publish Changes to activate the settings immediately.

To enable a Unified Directory identity source, find the name of the required identity source with status Disabled, and select Enable from the drop-down menu.
To delete an identity source, see Delete an Identity Source.