SecurID® Discussions
JOHNMILLER2
Beginner

samAccountName,userPrincipalName and RADIUS

Hi,

I am trying to figure out an issue I’m having.

I have VPN authentication happening via RADIUS running on AM8 latest version. Users authenticate with their AD username.

I deployed an IDR and configured the o365 SAML SSO integration.

Both VPN and RADIUS were working. Users could connect to the VPN with both HW tokens and the Authenticate app OTP.

The only issue was that users were required to sign into the portal using the AD account. This was confusing since they were going to the Office 365 portal first and then being redirected to the IDR and it required the AD username not the UPN.

I changed the “User Tag (SSO Agent Only)” attribute in the IDR Identity source from “samAccountName” to “userPrincipalName”. This fixed the portal issue (it is now accepting UPN) but broke the VPN.

The error I get in the logs is “Unable to resolve user by login ID and/or alias, or authenticator not assigned to user”

What else do I need to change? I can’t find any documentation on this.

Thanks

1 Reply
JOHNMILLER2
Beginner

Since there was no RSA response to this I'll provide the answer I found in case it helps someone with the same issue.

The way to make this work is to add the same LDAP identity source a second time with a different name, so that one uses the samAccountName as the "User Tag" and the other uses userPrincipalName.

You can then update the o365 SAML integration's "User Identity" section under "Advanced Configuration" to send the right attributes, in this case "mail".
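The failure described in this thread, and the two-identity-source fix, come down to which directory attribute a presented login ID is matched against. The Python below is an added illustration written for this page; it is not RSA code, does not call any RSA or Microsoft API, and the directory records in it are constructed sample data. It models a login-ID lookup against identity sources with a configurable "User Tag" attribute (showing that a samAccountName login fails when the only source is tagged userPrincipalName, and succeeds once a second source tagged samAccountName exists), and adds a pre-flight check on the attribute the SAML integration will send ("mail"): accounts where that value is missing, duplicated, or different from the UPN are flagged, on the assumption that the tenant expects the asserted value to match the user's UPN. The source names, the case-insensitive matching, and the UPN-equality assumption are mine, not documented product behaviour.

```python
"""Model of login-ID resolution against identity sources with a configurable
"User Tag" attribute, plus a pre-flight check on the attribute a SAML
assertion will carry.  Added illustration for this thread; not RSA code, and
the records below are constructed, not real accounts."""

from collections import Counter

# Constructed sample AD records.  The third user deliberately has a mail value
# that differs from the UPN so the pre-flight check has something to flag.
DIRECTORY = [
    {"samAccountName": "jdoe",   "userPrincipalName": "jdoe@corp.example",   "mail": "jdoe@corp.example"},
    {"samAccountName": "asmith", "userPrincipalName": "asmith@corp.example", "mail": "asmith@corp.example"},
    {"samAccountName": "bjones", "userPrincipalName": "bjones@corp.example", "mail": "bob.jones@corp.example"},
]

# The message quoted in the original post, returned here when no source matches.
RESOLVE_ERROR = "Unable to resolve user by login ID and/or alias, or authenticator not assigned to user"

# Hypothetical identity-source configurations standing in for the IDR settings:
# (source name, attribute used as the User Tag).
ONE_SOURCE_UPN = [("AD-UPN", "userPrincipalName")]
TWO_SOURCES = [("AD-SAM", "samAccountName"), ("AD-UPN", "userPrincipalName")]


def resolve(login_id, sources, directory=DIRECTORY):
    """Return (source_name, record) for the first source whose User Tag
    attribute equals login_id, or (None, RESOLVE_ERROR) if none matches.

    Matching is case-insensitive (assumption: AD logins are case-insensitive).
    How the real product orders and searches sources is not documented here.
    """
    wanted = login_id.strip().lower()
    for name, tag in sources:
        for rec in directory:
            if rec.get(tag, "").lower() == wanted:
                return name, rec
    return None, RESOLVE_ERROR


def preflight(directory=DIRECTORY, asserted_attr="mail"):
    """Flag records where the attribute the SAML integration will send is
    missing, duplicated, or differs from userPrincipalName.

    Assumption: the relying party expects the asserted value to equal the
    user's UPN; adjust the comparison if your tenant keys on something else.
    Returns a list of (samAccountName, reason) tuples; empty means clean.
    """
    problems = []
    counts = Counter(rec.get(asserted_attr, "").lower() for rec in directory if rec.get(asserted_attr))
    for rec in directory:
        val = rec.get(asserted_attr, "")
        upn = rec.get("userPrincipalName", "")
        if not val:
            problems.append((rec["samAccountName"], f"no {asserted_attr}"))
        elif counts[val.lower()] > 1:
            problems.append((rec["samAccountName"], f"duplicate {asserted_attr}"))
        elif val.lower() != upn.lower():
            problems.append((rec["samAccountName"], f"{asserted_attr} differs from userPrincipalName"))
    return problems


if __name__ == "__main__":
    # RADIUS presents the short AD name; SSO presents the UPN.
    for login in ("jdoe", "jdoe@corp.example"):
        print(f"{login!r} with one UPN-tagged source:", resolve(login, ONE_SOURCE_UPN))
        print(f"{login!r} with both sources:        ", resolve(login, TWO_SOURCES))
    print("pre-flight problems:", preflight())
```

To run the pre-flight against a real directory, feed `preflight()` the output of an LDAP search (for example via `ldap3`) or of `Get-ADUser -Filter * -Properties mail,userPrincipalName` exported to JSON, requesting exactly the three attributes used above; the check itself does not change.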