Active Directory attributes mapping to profile properties reference

Use this guide as a reference to map the Active Directory (AD) attributes to the SecureAuth® Identity Platform (formerly SecureAuth IdP) profile properties.

You can integrate an Active Directory with the Identity Platform to assert or manage user identity information for access to your resources. Mapping attributes allow you to determine how a user is uniquely identified in the source (for example, 'givenName' in Active Directory) and map to the profile property (for example, 'First Name') in the Identity Platform.

The mapping table details the Active Directory attribute requirements for each profile property. The table includes examples of specific Active Directory fields which can be used in configurations.

Note

The attribute mappings described here are specific to Active Directory integrations. Some attribute mapping adjustments might be required for other data store types, like LDAP.

Prerequisites

Access to an Active Directory data store
Service account with read access, and optional write access to enable various features. In the table below, the True Writable options are not be available if the service account only has read access.
Grant permissions to the directory fields that are required to be writable (if providing write access to the service account)
Active Directory integration with Identity Platform

Identity Platform profile properties

The following table lists all available profile properties; however it does not require that every property be mapped.

Any property that is specifically used in the realm for authentication and post-authentication must be mapped to an Active Directory field, using its attributes.

The AD field attribute column in the table provides an example of a valid directory field to use in the configuration; however, you can use any field that fulfills the requirements.

Profile property	Definition	Active Directory attribute requirements	AD field attribute
First Name	First name of user	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when First Name is set to Show Enabled True – in Self-service Account Update realm configuration, when First Name is set to Show Enabled	givenName
Last Name	Last name of user	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Last Name is set to Show Enabled True – in Self-service Account Update realm configuration, when Last Name is set to Show Enabled	sn
Groups	Groups to which a user belongs	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable False	memberOf
Phone 1 (Work)	Primary phone number associated with user; typically a work number	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Phone 1 is set to Show Enabled True – in Self-service Account Update realm configuration, when Phone 1 is set to Show Enabled	telephoneNumber
Phone 2 (Mobile)	Secondary phone number associated with user; typically a mobile number	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Phone 2 is set to Show Enabled True – in Self-service Account Update realm configuration, when Phone 2 is set to Show Enabled	mobile
Phone 3 (Alternate)	Alternate phone number associated with user	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Phone 3 is set to Show Enabled True – in Self-service Account Update realm configuration, when Phone 3 is set to Show Enabled	See DirectoryString list below for options
Phone 4 (Alternate)	Alternate phone number associated with user	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Phone 3 is set to Show Enabled True – in Self-service Account Update realm configuration, when Phone 3 is set to Show Enabled	See DirectoryString list below for options
Email 1 (Work)	Primary email address associated with user; typically a work email	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Email 1 is set to Show Enabled True – in Self-service Account Update realm configuration, when Email 1 is set to Show Enabled	mail
Email 2 (Personal)	Secondary email address associated with user; typically a personal email	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Email 2 is set to Show Enabled True – in Self-service Account Update realm configuration, when Email 2 is set to Show Enabled	See DirectoryString list below for options
Email 3 (Alternate)	Alternate email address associated with user	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Email 3 is set to Show Enabled True – in Self-service Account Update realm configuration, when Email 3 is set to Show Enabled	See DirectoryString list below for options
Email 4 (Alternate)	Alternate email address associated with user	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Email 4 is set to Show Enabled True – in Self-service Account Update realm configuration, when Email 4 is set to Show Enabled	See DirectoryString list below for options
Aux ID 1 to Aux ID 10	Placeholder properties that can be mapped to any LDAP attribute and extracted for authentication or asserted to resource	LDAP Syntax Depends on LDAP attribute Format Support Depends on LDAP attribute Writable True – in Account Management (Help Desk) realm configuration, when Aux ID # is set to Show Enabled True – in Self-service Account Update realm configuration, when Aux ID # is set to Show Enabled	Appropriate LDAP Attribute
PIN	Static personal identification number (PIN) associated with the user account	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 1024 Multi-valued False Format Support – Plain text (based on selection in Multi-Factors Methods tab) Writable is True – in Account Management (Help Desk) realm configuration, when PIN is set to Show Enabled Format Support – standard hash (based on selection in Multi-Factors Methods tab) Writable is True – in Self-service Account Update realm configuration, when PIN is set to Show Enabled	otherLoginWorkstations
Knowledge-based questions (KBQ)	Knowledge-based questions for the user; for example, what city did you grow up?	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 32768 recommended; dependent on number and length of KBQs Multi-valued False Format Support – Base64 encoding (based on selection in Multi-Factors Methods tab) Writable is True – in Account Management (Help Desk) realm configuration, when Clear KBQ-KBA CheckBox is set to Show Format Support – Encryption (based on selection in Multi-Factors Methods tab) Writable is True – in Self-service Account Update realm configuration, when KBQ-KBA is set to Show Enabled	houseIdentifier
Knowledge-based answers (KBA)	Knowledge-based answers from the user; for example, Irvine	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 4096 recommended; dependent on number and length of KBAs Multi-valued False Format Support – Base64 encoding (based on selection in Multi-Factors Methods tab) Writable is True – in Account Management (Help Desk) realm configuration, when Clear KBQ-KBA CheckBox is set to Show Format Support – Encryption (based on selection in Multi-Factors Methods tab) Writable is True – in Self-service Account Update realm configuration, when KBQ-KBA is set to Show Enabled	homePostalAddress
Cert Serial Number	Certificate generated by SecureAuth IdP and stored in user profile	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – for all Certificate Enrollment realms	See DirectoryString list below for options
Cert Reset Date	Certificate revocation date – certificates delivered before this date are invalidated	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Cert Rev Field is set to Show Enabled	See DirectoryString list below for options
Certificate Count	Number of certificates in user profile	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – for all Certificate Enrollment realms True – in Account Management (Help Desk) realm configuration, when Cert Count Field is set to Show Enabled True – in Account Management (Help Desk) realm configuration, when Cert Rev Field is set to Show Enabled	See DirectoryString list below for options
Certificate Expiration	Date on which certificate expires for the user	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 1024 recommended Multi-valued False Format Support Plain text Writable True – for all Certificate Enrollment realms (Workflow tab > Certificate / Token Properties section), in which Email Notification is set to Enabled	See DirectoryString list below for options
Cookie Revocation Keys	Indicate whether to revoke cookies	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True	See DirectoryString list below for options
Mobile Reset Date	Mobile cookie revocation date – cookies delivered before this date are invalidated	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – in Account Management (Help Desk) realm configuration, when Mobile Rev is set to Show	See DirectoryString list below for options
Mobile Count	Number of mobile cookies in the profile associated with the user	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True – for all realms (Workflow tab > Device Recognition Method section) in which Integration Method is set to Mobile Enrollment and Validation. True – in Account Management (Help Desk) realm configuration, when Mobile Rev is set to Show	See DirectoryString list below for options
iOS Devices	Unique ID of iOS devices stored for use in Fingerprinting	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True	See DirectoryString list below for options
Ext. Sync Pwd Date	Date on which Google Apps and LDAP directory passwords synchronize	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True for realms in which the Sync Password feature has Google Apps Functions enabled, and in which the password synchronizes on a specific date rather then on every login.	See DirectoryString list below for options
Hardware Token	YubiKey information used for multi-factor authentication (MFA)	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True for YubiKey provisioning realm	See DirectoryString list below for options
OATH Seed	Seed used to generate OATH One-time Passwords (OTPs)	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 4096 (or higher) required Multi-valued False Format Support Advanced encryption Writable True for OATH provisioning realm	postalAddress
One Time OATH List	List of valid OATH OTPs to increase security during offset duration	LDAP Syntax 2.5.5.12 (Directory String) Multi-valued False Format Support Plain text Writable True for all realms (Multi-Factor Methods tab) in which OATH OTPs are set to Enabled for second factor, and realms in which the One Time OATH List feature is enabled	See DirectoryString list below for options
Behavior Biometrics	Behavior profile used in behavioral biometrics authentication (Authentication API)	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) No limit / undefined Multi-valued False Format Support Plain text Writable True	comment

Note

** The following table contains distinct Active Directory attribute requirements based on the selected Format Support (plain binary vs JSON)

Profile property	Definition	Active Directory attribute requirement	AD field attribute
Fingerprints ** (Plain binary)	Values created from unique characteristics of desktop, browser, or mobile device associated with the user	LDAP Syntax 2.5.5.10 (Octet) Size (RangeUpper) 8 kB (or higher) per Fingerprint record requiredIf the Total FP Max Count is set to -1 (no limit), then the upperRange must be unlimited NOTE: Fingerprint access records max count data is also stored in the Fingerprints Property and increases the size Multi-valued True Format Support Plain binary Writable True	audio
Fingerprints ** (JSON)	Values created from unique characteristics of desktop, browser, or mobile device associated with the user	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) No limit / undefined Multi-valued True Format Support JSON Writable True	accountNameHistory
Push Notification Tokens ** (Plain binary)	Devices registered to receive push notifications	LDAP Syntax 2.5.5.10 (Octet) Size (RangeUpper) 4096 (or higher) required Multi-valued True Format Support Plain binary Writable True	jpegPhoto
Push Notification Tokens ** (JSON)	Devices registered to receive push notifications	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 4096 (or higher) required Multi-valued True Format Support JSON Writable True	altSecurityIdentities
OATH Tokens ** (Plain binary)	Devices provisioned to use OATH Tokens for second factor authentication (contains OATH Seed)	LDAP Syntax 2.5.5.10 (Octet) Size (RangeUpper) 4096 (or higher) required Multi-valued True Format Support Plain binary Writable True	registeredAddress
OATH Tokens ** (JSON and JSON Encrypted)	Devices provisioned to use OATH Tokens for second factor authentication (contains OATH Seed)	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 4096 (or higher) required Multi-valued True Format Support JSON, JSON encrypted Writable True	otherIpPhone
Access Histories ** (Plain binary)	IP Address, geo-location, and last access time of user for adaptive authentication comparison	LDAP Syntax 2.5.5.10 (Octet) Size (RangeUpper) 4096 (or higher) required Multi-valued True Format Support Plain binary Writable True	photo
Access Histories ** (JSON)	IP Address, geo-location, and last access time of user for adaptive authentication comparison	LDAP Syntax 2.5.5.12 (Directory String) Size (RangeUpper) 4096 (or higher) required Multi-valued True Format Support JSON, JSON encrypted Writable True	otherMailbox

Note

When running SecureAuth IdP v9.2 with non-Microsoft AD servers, be sure to verify the attribute syntax for registeredAddress (Octet) since a different syntax is often specified in Open LDAP and other LDAP implementations.

DirectoryString list

The following list contains AD DirectoryString (2.5.5.12) options that can be used for the profile properties noted in the above tables. However, any DirectoryString attribute that fulfills other requirements can be used as well.

extensionName
facsimileTelephoneNumber
info
ipPhone
otherFacsimileTelephoneNumber
otherHomePhone
otherLoginWorkstations
otherMobile
otherPager
otherTelephone
pager
postOfficeBox
street
streetAddress

Common Active Directory attribute mappings to profile properties

The following tables contain common mappings to which you can copy and paste.

Profile property	Definition	Multi-valued	Format Support	Writeable	AD attribute field	Active Directory attribute options
Access Histories	IP Address, geo-location, and last access time of user for adaptive authentication comparison	True	Plain binary or JSON	True	photo	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
OATH Tokens	Devices provisioned to use OATH Tokens for second factor authentication (contains OATH Seed)	True	Plain binary or JSON	True	registeredAddress	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Push Notification Tokens	Devices registered to receive push notifications	True	Plain binary or JSON	True	jpegPhoto	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Fingerprints	Values created from unique characteristics of desktop, browser, or mobile device associated with the user	True	Plain binary or JSON	True	audio	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
OATH Seed	Seed used to generate OATH One-time Passwords (OTPs)	False	Advanced encryption	True for OATH provisioning realm	postalAddress (JSON)	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Aux ID 2	User's ported phone numbers	Depends on LDAP attribute	Plain text	True – in Account Management (Help Desk) realm configuration, when Aux ID # is set to Show Enabled True – in Self-service Account Update realm configuration, when Aux ID # is set to Show Enabled	carlicense (JSON)	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Email 1 (Work)	Primary email address associated with user; typically a work email	False	Plain text	True – in Account Management (Help Desk) realm configuration, when Email 1 is set to Show Enabled True – in Self-service Account Update realm configuration, when Email 1 is set to Show Enabled	mail (JSON)	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Email 2 (Personal)	Secondary email address associated with user; typically a personal email	False	Plain text	True – in Account Management (Help Desk) realm configuration, when Email 2 is set to Show Enabled True – in Self-service Account Update realm configuration, when Email 2 is set to Show Enabled	otherMailbox (JSON)	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Phone 1 (Work)	Primary phone number associated with user; typically a work number	False	Plain text	True – in Account Management (Help Desk) realm configuration, when Phone 1 is set to Show Enabled True – in Self-service Account Update realm configuration, when Phone 1 is set to Show Enabled	telephoneNumber (JSON)	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Phone 2 (Mobile)	Secondary phone number associated with user; typically a mobile number	False	Plain text	True – in Account Management (Help Desk) realm configuration, when Phone 2 is set to Show Enabled True – in Self-service Account Update realm configuration, when Phone 2 is set to Show Enabled	mobile	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager
Phone 3 (Alternate)	Alternate phone number associated with user	False	Plain text	True – in Account Management (Help Desk) realm configuration, when Phone 3 is set to Show Enabled True – in Self-service Account Update realm configuration, when Phone 3 is set to Show Enabled	houseidentifier (JSON)	extensionName facsimileTelephoneNumber info ipPhone otherFacsimileTelephoneNumber otherHomePhone otherLoginWorkstations otherMobile otherPager

In this section:

Active Directory attributes mapping to profile properties reference

Note

Prerequisites

Identity Platform profile properties

Note

Note

DirectoryString list

Common Active Directory attribute mappings to profile properties

Search results