Active Directory - New and Classic Web Admin
Connection String
Create the LDAP Connection String to let SecureAuth IdP communicate with the data store.
Either enter the Source Domain and auto-generate the string, or click advanced mode and customize the content of the string.
Credentials
Select the option SecureAuth IdP will use to log on the connected data store.
Either enter the Service Account email address and Password for SecureAuth IdP to use, or provide account information from an integrated CyberArk Password Vault that stores this service account information.
Search Filter
Specify the type of search SecureAuth IdP will perform to find the end-user's account information in the data store.
Either select the Search Attribute and then auto-generate the Search Filter, or click advanced mode and customize the content of the search filter syntax.
 |
CONNECTION STRING
Domain – Enter the Source Domain directory and click Generate LDAP Connection String to auto-populate the Connection String field below.
Connection String – If the Connection String is not auto-generated, it must be manually entered in this field.
CREDENTIALS
Use CyberArk Vault for credentials – Select this option if a CyberArk Password Vault is connected to SecureAuth IdP.
Service Account / Password – If a CyberArk Password Vault is not used, then provide the Service Account Login and Password SecureAuth IdP will use to log on the data store.
SEARCH FILTER
Search Attribute – This field is auto-populated based on the Datastore Type selection. If you enter a different Search Attribute, then click Generate Search Filter to auto-populate the searchFilter field below.
NOTE: In the Classic Experience, the Search Attribute is used to encrypt user profile data. In the New Experience, Search Attribute is only used to build the Search Filter string.
searchFilter – The auto-populated Search Filter syntax can be customized.
 |
NOTE: The equivalent settings for Anonymous LookUp, Connection Mode, and Search Attribute appear under ADVANCED SETTINGS.
Advanced Settings
Specify the Encryption Attribute – a unique value from the data store – that SecureAuth IdP will use to encrypt user profile data. For example: sAMAccountName.
Specify the Validate User Type option SecureAuth IdP will use to get the username and password: Bind to let SecureAuth IdP make a direct call to the directory, or Search to let SecureAuth IdP search the data store.
Select the Connection Mode SecureAuth IdP will use to access the data store: Secure, SSL, or Standard.
If using a generic LDAP directory, you can Allow Anonymous Queries to let non-authenticated users access protected resources.
For cases when a user's account is locked, having Allow Advanced User Checks enabled lets SecureAuth IdP check the data store for more than just the username.
 |
ADVANCED SETTINGS
Search Attribute – This field, called the Encryption Attribute field in the New Experience, is used to encrypt user profile data.
|
ADVANCED SETTINGS
Advanced AD User Check – Set to True to let SecureAuth IdP Allow Advanced User Checks for usernames not found in the data store.
Validate User Type – Select either Bind or Search.
 |
ADVANCED SETTINGS
Anonymous LookUp – Allow Anonymous Queries if using a generic LDAP directory.
Connection Mode – Select: Secure, SSL, or Standard for the type of connection SecureAuth IdP will make to the data store.
 |
Map Data Store Properties
In the New Experience, there are some required and some recommended entries for mapping fields in Active Directory to data store properties:
Required: First Name, Last Name, Groups, Email 1 (Work).
Recommended: Phone 1 (Work), Phone 2 (Mobile).
 |
In the Classic Experience, there are no required fields specified for mapping to data store properties.
Not all Property Names in the Classic Experience appear in the New Experience:
Classic Experience
New Experience
Groups
Groups
First Name
First Name
Last Name
Last Name
Phone 1
Phone 1 (Work)
Phone 2
Phone 2 (Mobile)
Phone 3 / 4
Phone 3 / 4 (Alternate)
Email 1
Email 1 (Work)
Email 2
Email 2 (Personal)
Email 3 - 4
Email 3 - 4 (Alternate)
PIN
PIN
KB Questions
Knowledge Base Questions
KB Answers
Knowledge Base Answers
Aux ID 1 - 10
Aux ID 1 - 10
Cert Serial Number
Cert Reset Date
Certificate Count
Certificate Expiration
Mobile Reset Date
Mobile Count
iOS Devices
Ext. Sync Pwd Date
Google Sync Password Date
Hardware Token
Hardware Token
OATH Seed
*
One Time OATH List
One Time OATH List
Fingerprints
Device Profiles
Push Notifications
Push Notification Tokens
OATH Tokens
OATH Token
Access Histories
Access Histories
Behavior Biometrics
* While a field cannot be mapped to an OATH Seed property in version 9.3, an OATH Seed can still be used for enrolling a device, though the OATH Seed will be converted and saved as an OATH Token. See How to convert an OATH Seed to an OATH Token for information about the deprecation of OATH seeds in SecureAuth IdP.
 |
Save the configuration
Click Save.
The added data store appears on the User Data Stores list.
 |