RSA Product Set: SecurID Access
RSA Product/Service Type: Cloud Authentication Service
Duplicates on the Identity Source synchronization page lists user accounts in the identity source that could not be synchronized to the Cloud, because there were already users synchronized to the Cloud that have the same email address.
Synchronization failures due to Duplicate Email Address happen when there is an attempt to synchronize a user account to the Cloud. The error indicates the user has the same email address as another user (with a different object identifier) that is already in the Cloud.
Some examples of how this can happen are described in section "User Records" in the Online Help page Troubleshooting Cloud Authentication Service Identity Source Synchronization
. The issue can also occur when a user is moved from one OU to another, such as when a person moves to a new department in the organization. If the entry under the old OU is still present in the Cloud, the location under the new OU will be considered by the Cloud to be a duplicate.
Bear in mind, that If your deployment contains user records that have been deleted from the directory server, or are no longer in scope for synchronization, you must manually delete these users from the Cloud Authentication Service. For more information see Identity Sources for the Cloud Authentication Service.
Identify the duplicates
Search your directory servers within the scope defined by the RSA Identity Source Root and User Search Filter,
for the users listed in the Duplicate Email Address
report on the RSA Cloud Administration Console Synchronization
page. For each of those users:
- Look up the email address of the user in the identity source
- Search the identity source to find the other user objects(s) within the scope with the same email address.
- If there is now only one user object within the scope with the email address, check for reasons why another instance of the user may have been removed. For example, if the user was deleted from another OU and then added to the current OU with the same email address as before.
Remove the duplicates from the identity source
Some examples of ways to remove duplicates from the identity source are:
- Delete unwanted user objects from the directory server(s), leaving only one instance of the user.
- If all user objects that currently have the same email address must be synchronized to the Cloud, you will need to change the email address(es) on the user objects in the directory servers, such that each user object has a unique email address.
- From the RSA Cloud Administration Console, change the Root and/or User Search Filter of the RSA Identity Source configuration to ensure that only one of the user objects are synchronized. You must be careful to ensure all other required user objects will still be synchronized with the Cloud.
Remove the duplicates from the RSA Cloud Authentication Service
Delete the unwanted user(s) from the RSA Cloud Administration Console, then synchronize the RSA Identity Source. If the identity source cleanup above was done completely and correctly, only unique user entries will be synchronized and no Duplicate Email Addresses will be displayed.
Options for deleting users from the RSA Cloud Authentication Service are described in the online help on page Manage Users for the Cloud Authentication Service