How do I know which Active Directory Attribute can be used for each IdP Datastore Profile Property?

    Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
    Deployment model:
  • Cloud
  • Hybrid
  • On Premises
    Version Affected: All

     

    Description:
    To read or write data from or to Active Directory (AD), each Profile Property in IdP must be mapped to an appropriate AD Attribute.

     

    Cause:
    If a Profile Property is mapped to an unsuitable AD Attribute, IdP will not operate as expected.

     

    Resolution:
    'Appropriate Attribute' means the attribute must match a set of requirements specified by SecureAuth for that specific Profile Property.
    Each AD Attribute has specific properties assigned to it, such as its LDAP Syntax and the size of data it can hold (to name two), so a Profile Property listed on the Data Tab cannot be mapped to just any AD Attribute.

    For example, you cannot use the same AD Attribute for the PIN Profile Property as for the OATH Token Profile Property. Likewise, an AD Attribute that works for OATH Tokens stored in Plain Binary format cannot be used for OATH Tokens stored in JSON or Encrypted JSON formats.
    This leads to the question: which AD Attributes can be used for each of the Profile Properties specified within the Data Tab?

    See the following link for the default recommended AD Attributes: https://docs.secureauth.com/2212/en/active-directory-attributes-mapping-to-profile-properties-reference.html


    Using the above information we can see which LDAP Syntax is required for each Profile Property.
    For example, the PIN Profile Property must be mapped to an AD Attribute that has an Attribute Syntax of 'Directory String', a Size (RangeUpper) of 1024 (to allow for the option of having larger/longer PINs), and holds only a single value.



    You could use another AD Attribute that has a Syntax of Directory String but does not match the Size (RangeUpper) property, but you would then be limited in how large/long the PIN value can be.
    For example, the 'c' AD Attribute could be used, but PIN values would be limited to 3 characters, which is not ideal or recommended.

     

    The OATH Tokens Profile Property, if stored in Plain Binary format, must be mapped to an AD Attribute that has an Attribute Syntax of 'Octet String'.

    If instead you want to store OATH Tokens in a JSON format (JSON or JSON Encrypted), the Profile Property requires an AD Attribute with an Attribute Syntax of 'Directory String'.


    A list of AD Attributes with a Syntax of Directory String can be seen here (a direct link to the relevant section of the page linked above):
    https://docs.secureauth.com/2212/en/active-directory-attributes-mapping-to-profile-properties-reference.html#directorystring-list-43


    What if an extended AD schema is in use and the Attribute Syntax is unknown, or if other AD Attributes with the Octet String Syntax are required?
    Using the PowerShell commands below you can find out which Syntax a specific AD Attribute uses, as well as list all the AD Attributes that use a specific Syntax. These commands can help you identify potential AD Attributes to map.


    Find out which Syntax, Length and Single/Multi-Value properties a specific AD Attribute has. The example below checks the otherLoginWorkstations AD Attribute; change $att to suit your needs.

    # Searches the optional attributes of the AD 'user' class for names containing $att
    # (the -like wildcard also matches partial names, so more than one row may be returned)
    $att="otherLoginWorkstations";
    ([DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()).FindClass("user").optionalProperties | Where {$_.Name -like "*$att*"} | Select Name, Syntax, IsSingleValued, RangeLower, RangeUpper;

     

    Find all AD Attributes using the Octet String Syntax (as an example); change $syn to suit your needs.

    # Lists optional attributes of the 'user' class whose Syntax value starts with $syn ('OctetString')
    $syn="Octet";
    ([DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()).FindClass("user").optionalProperties | Where {$_.Syntax -like "$syn*"} | FT Name, Syntax, IsSingleValued, RangeLower, RangeUpper;

     

    Find all AD Attributes using the Directory String Syntax; change $syn to suit your needs.

    # Same query for Directory String attributes (Syntax value 'DirectoryString')
    $syn="Directory";
    ([DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()).FindClass("user").optionalProperties | Where {$_.Syntax -like "$syn*"} | FT Name, Syntax, IsSingleValued, RangeLower, RangeUpper;
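    The following PowerShell function is added here as an example and is not part of the SecureAuth article or product. It combines the schema lookup above with the requirements stated for the PIN and OATH Token Profile Properties: it looks a candidate attribute up in the schema (FindProperty covers extended-schema attributes too) and reports whether its Syntax, RangeUpper and single-value flag satisfy that Profile Property. The requirement table, function name and parameter names are this example's own assumptions, based only on the values given above.

```powershell
# Added example (not SecureAuth's code): check whether a candidate AD attribute meets the
# Syntax / Size / single-value requirements this article gives for a Profile Property.
# Run on a domain-joined host with rights to read the schema. Requirement values are taken
# from the article; the table, function and parameter names are this example's own.
$Requirements = @{
    # Syntax = .NET ActiveDirectorySyntax name; MinSize/SingleValued = $null means not checked
    'PIN'               = @{ Syntax = 'DirectoryString'; MinSize = 1024;  SingleValued = $true }
    'OATHTokens-Binary' = @{ Syntax = 'OctetString';     MinSize = $null; SingleValued = $null }
    'OATHTokens-JSON'   = @{ Syntax = 'DirectoryString'; MinSize = $null; SingleValued = $null }
}

function Test-ProfilePropertyMapping {
    param(
        [Parameter(Mandatory)][string]$AttributeName,
        [Parameter(Mandatory)][ValidateSet('PIN','OATHTokens-Binary','OATHTokens-JSON')]
        [string]$ProfileProperty
    )
    $req    = $Requirements[$ProfileProperty]
    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    # FindProperty looks the attribute up by LDAP display name across the whole schema, so
    # extended-schema attributes are found as well; it throws if the name does not exist.
    $attr     = $schema.FindProperty($AttributeName)
    $problems = @()
    if ("$($attr.Syntax)" -ne $req.Syntax) {
        $problems += "Syntax is $($attr.Syntax) but $ProfileProperty needs $($req.Syntax)"
    }
    if ($req.MinSize -and $null -ne $attr.RangeUpper -and $attr.RangeUpper -lt $req.MinSize) {
        # e.g. 'c' is DirectoryString with RangeUpper 3: it works, but PINs would be capped
        # at 3 characters, so report it instead of silently passing the mapping.
        $problems += "RangeUpper is $($attr.RangeUpper), recommended size is $($req.MinSize)"
    }
    if ($null -ne $req.SingleValued -and $attr.IsSingleValued -ne $req.SingleValued) {
        $problems += "IsSingleValued is $($attr.IsSingleValued), expected $($req.SingleValued)"
    }
    [pscustomobject]@{
        Attribute       = $attr.Name
        ProfileProperty = $ProfileProperty
        Syntax          = "$($attr.Syntax)"
        RangeUpper      = $attr.RangeUpper
        IsSingleValued  = $attr.IsSingleValued
        Suitable        = ($problems.Count -eq 0)
        Problems        = ($problems -join '; ')
    }
}

# Example calls using attribute names mentioned in the article
Test-ProfilePropertyMapping -AttributeName 'c' -ProfileProperty 'PIN'
Test-ProfilePropertyMapping -AttributeName 'otherLoginWorkstations' -ProfileProperty 'OATHTokens-JSON'
```

    A result with Suitable = False and a non-empty Problems column tells you which of the article's requirements the attribute misses, so it can be ruled out before it is assigned on the Data Tab.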

     

    Special Considerations (optional, as needed):

    • Ensure any AD Attributes selected are not being used elsewhere within the organization before assigning them to an IdP Profile Property.
    • If an AD Attribute with the DirectoryString Syntax is not available, an AD Attribute with the UnicodeString Syntax can be used, as long as it meets the other requirements for the Profile Property.

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
