Version Affected: All
Description:
To read/write data from/to Active Directory (AD), the Profile Property in IdP must be mapped to an appropriate AD Attribute.
Cause:
If a Profile Property is mapped to an unsuitable AD Attribute, IdP will stop operating as expected.
Resolution:
'Appropriate Attribute' means it must match a set of requirements specified by SecureAuth for that specific Profile Property.
Each AD Attribute has specific properties assigned to it, such as its LDAP Syntax and the size of data it can hold, so a Profile Property listed on the Data Tab cannot be mapped to just any AD Attribute.
For example, you cannot use the same AD Attribute for the PIN Profile Property as you can for the OATH Token Profile Property. Likewise, you cannot use the same AD Attribute for OATH Tokens stored in Plain Binary format as you can for OATH Tokens stored in JSON or Encrypted JSON format.
This leads to the question: 'Which AD Attributes can be used for each of the Profile Properties specified within the Data Tab?'
See the following link for the default recommended AD Attributes - https://docs.secureauth.com/2212/en/active-directory-attributes-mapping-to-profile-properties-reference.html
Using the above information we can see which LDAP Syntax is required for each Profile Property.
For example, the PIN Profile Property must be mapped to an AD Attribute which has an Attribute Syntax of 'Directory String', a Size of 1024 (to allow for the option of having larger/longer PINs) and holds only a single value.
You could use another AD Attribute which has a Syntax of Directory String but does not match the Size (RangeUpper) property, but you will then be limited in how large/long the PIN value can be.
For example, the 'c' AD Attribute could be used, but PIN values would be limited to 3 characters long, which is not ideal or recommended.
The OATH Tokens Profile Property, if stored in Plain Binary format, must be mapped to an AD Attribute which has an Attribute Syntax of 'Octet'.
If, however, you want to store OATH Tokens in a JSON format (JSON or JSON Encrypted), it requires an AD Attribute with an Attribute Syntax of 'Directory String'.
A list of AD Attributes with a Syntax of Directory String can be seen here (a direct link to the relevant section of the reference above):
https://docs.secureauth.com/2212/en/active-directory-attributes-mapping-to-profile-properties-reference.html#directorystring-list-43
What if an Extended AD Schema is in use and the Attribute Syntax is unknown, or if other AD Attributes with the Syntax of Octet are required?
Using the PowerShell commands below you can find out which Syntax a specific AD Attribute uses, as well as list all the AD Attributes using a specific Syntax. These commands can help you identify potential AD Attributes to map. Note that they inspect the optional attributes of the 'user' class only; an attribute that is not part of the user class will not appear in the output, and an attribute that is not a valid candidate for the user class should not be mapped anyway.
Find out which Syntax, Length and Single/Multi-Value properties a specific AD Attribute has. The example below checks the otherLoginWorkstations AD Attribute; change the value of $att to suit your needs.
$att="otherLoginWorkstations";
([DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()).FindClass("user").optionalProperties | Where {$_.Name -like "*$att*"} | Select Name, Syntax, IsSingleValued, RangeLower, RangeUpper;
Find all AD Attributes using the Octet String Syntax (as an example); change the value of $syn to suit your needs.
$syn="Octet";
([DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()).FindClass("user").optionalProperties | Where {$_.Syntax -like "$syn*"} | FT Name, Syntax, IsSingleValued, RangeLower, RangeUpper;
Find all AD Attributes using the Directory String Syntax; change the value of $syn to suit your needs.
$syn="Directory";
([DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()).FindClass("user").optionalProperties | Where {$_.Syntax -like "$syn*"} | FT Name, Syntax, IsSingleValued, RangeLower, RangeUpper;
Special Considerations (optional as needed):
- Ensure any AD Attributes selected are not being used elsewhere within the organization before assigning them to an IdP Profile Property.
- If a DirectoryString Syntax Attribute is not available, a UnicodeString Syntax Attribute can be used, as long as it meets the other requirements for the Profile Property.
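The following PowerShell function is an added example and is not part of this article or of the SecureAuth product. It ties the schema checks above to the special considerations in one place: it looks a candidate attribute up across the whole schema (so extended-schema and mandatory attributes are found too), compares its Syntax, IsSingleValued and RangeUpper against the requirements this article states for the PIN and OATH Token Profile Properties, and then checks whether any user object already has the attribute populated. The function name Test-IdPAttributeMapping, the Profile Property labels PIN, OATHTokenBinary and OATHTokenJSON, and the contents of the $Requirements table are assumptions made for this example; the table only encodes what the article says (PIN: Directory String, single value, size 1024; OATH Plain Binary: Octet; OATH JSON: Directory String), so consult the linked reference for the other Profile Properties.

```powershell
# Added example, not SecureAuth's own tooling. Run on a domain-joined host with rights to
# read the AD schema and to search the domain. Requirement table and names are assumptions
# for this example; only values stated in the article are encoded ($null = not stated).
$Requirements = @{
    'PIN'             = @{ Syntax = 'DirectoryString'; SingleValued = $true; MinRangeUpper = 1024 }
    'OATHTokenBinary' = @{ Syntax = 'OctetString';     SingleValued = $null; MinRangeUpper = $null }
    'OATHTokenJSON'   = @{ Syntax = 'DirectoryString'; SingleValued = $null; MinRangeUpper = $null }
}

function Test-IdPAttributeMapping {
    param(
        [Parameter(Mandatory)] [string] $AttributeName,
        [Parameter(Mandatory)] [ValidateSet('PIN', 'OATHTokenBinary', 'OATHTokenJSON')]
        [string] $ProfileProperty
    )
    $req    = $Requirements[$ProfileProperty]
    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()

    # FindProperty searches the entire schema by ldapDisplayName, so it also finds
    # attributes added by an extended schema and attributes that are mandatory on a class.
    try {
        $attr = $schema.FindProperty($AttributeName)
    } catch {
        return [pscustomobject]@{
            Attribute = $AttributeName; ProfileProperty = $ProfileProperty
            Result = 'NotFound'; Issues = @("no attribute named '$AttributeName' in the schema")
        }
    }

    $issues = @()
    if ($attr.Syntax.ToString() -ne $req.Syntax) {
        $issues += "Syntax is $($attr.Syntax), expected $($req.Syntax)"
    }
    if ($null -ne $req.SingleValued -and $attr.IsSingleValued -ne $req.SingleValued) {
        $issues += "IsSingleValued is $($attr.IsSingleValued), expected $($req.SingleValued)"
    }
    # RangeUpper is null when the schema imposes no size limit; a smaller limit does not
    # break the mapping but caps how long the stored value can be (e.g. 'c' allows 3).
    if ($null -ne $req.MinRangeUpper -and $null -ne $attr.RangeUpper -and $attr.RangeUpper -lt $req.MinRangeUpper) {
        $issues += "RangeUpper is $($attr.RangeUpper); values will be limited to that length (recommended at least $($req.MinRangeUpper))"
    }

    # Special consideration: is the attribute already populated on any user object?
    # DirectorySearcher without a SearchRoot searches the current domain's default naming context.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter    = "(&(objectClass=user)($($attr.Name)=*))"
    $searcher.SizeLimit = 1
    [void] $searcher.PropertiesToLoad.Add('distinguishedName')
    $inUse = $null -ne $searcher.FindOne()
    if ($inUse) {
        $issues += 'attribute is already populated on at least one user; confirm it is not used elsewhere before mapping it'
    }

    $result = if ($issues.Count -eq 0) { 'OK' } else { 'Check' }
    [pscustomobject]@{
        Attribute       = $attr.Name
        ProfileProperty = $ProfileProperty
        Syntax          = $attr.Syntax
        IsSingleValued  = $attr.IsSingleValued
        RangeUpper      = $attr.RangeUpper
        InUse           = $inUse
        Result          = $result
        Issues          = $issues
    }
}

# Usage: evaluate the candidates discussed in the article against the relevant Profile Property.
Test-IdPAttributeMapping -AttributeName 'c' -ProfileProperty 'PIN' | Format-List
Test-IdPAttributeMapping -AttributeName 'otherLoginWorkstations' -ProfileProperty 'OATHTokenJSON' | Format-List
```

A Result of 'Check' does not always mean the attribute is unusable: a RangeUpper below the recommended size, as the article explains for 'c', only limits the length of the stored value, whereas a Syntax mismatch or a populated attribute should rule the candidate out. The in-use check only sees values the querying account is permitted to read, so run it with an account that can read the attribute on all users.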
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.