Introduction

Use this guide as a reference to appropriately map SecureAuth IdP Profile Properties to LDAP Attributes in the directory.

SecureAuth IdP integrates with on-premises directories to map user profiles: it validates and extracts profile information from the directory, without storing any of that data on the appliance, in order to authenticate end-users and assert their identity to resources.

The table below lists the LDAP Attribute requirements for each Profile Property and provides Active Directory-specific examples that can be used in configurations.

Prerequisites

1. Have an LDAP directory store

2. Create a service account for SecureAuth IdP with read access, and optionally write access to enable various features

In the table below, the Writable options marked True are not available if the service account has only read access

3. Grant permissions to the directory fields that are required to be writable (if providing write access to the service account)

4. Integrate an on-premises LDAP directory with SecureAuth IdP (see Data Tab Configuration for specific configuration steps)

SecureAuth IdP Profile Properties

This list includes all available Profile Properties; however, not every Property is required to be mapped

Only the Properties that are specifically utilized in the realm (for authentication and/or post-authentication) need to be mapped to an LDAP directory field

The AD Field listed in the table is an example of a valid directory field to use in the configuration, but any field that fulfills the requirements can be utilized

Each entry below lists, for one SecureAuth IdP Profile Property: Definition; LDAP Attribute Requirements (LDAP Syntax, Size (RangeUpper), Multi-valued, Format Support); Writable; AD-specific Field Example.

Groups
  Definition: Groups to which user belongs
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: False
  AD-specific Field Example: memberOf

First Name
  Definition: User's first name
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the First Name dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the First Name dropdown on the Self-service Configuration Page
  AD-specific Field Example: givenName

Last Name
  Definition: User's last name
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Last Name dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Last Name dropdown on the Self-service Configuration Page
  AD-specific Field Example: sn

Phone 1
  Definition: User's primary phone number, typically corporate number
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Phone 1 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Phone 1 dropdown on the Self-service Configuration Page
  AD-specific Field Example: telephoneNumber

Phone 2
  Definition: User's secondary phone number, typically mobile phone number
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Phone 2 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Phone 2 dropdown on the Self-service Configuration Page
  AD-specific Field Example: mobile

Phone 3
  Definition: User's additional phone number
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Phone 3 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Phone 3 dropdown on the Self-service Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

Phone 4
  Definition: User's additional phone number
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Phone 4 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Phone 4 dropdown on the Self-service Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

Email 1
  Definition: User's primary email address, typically corporate email
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Email 1 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Email 1 dropdown on the Self-service Configuration Page
  AD-specific Field Example: mail

Email 2
  Definition: User's secondary email address, typically personal email
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Email 2 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Email 2 dropdown on the Self-service Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

Email 3
  Definition: User's additional email address
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Email 3 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Email 3 dropdown on the Self-service Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

Email 4
  Definition: User's additional email address
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Email 4 dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Email 4 dropdown on the Self-service Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

PIN
  Definition: User's static Personal Identification Number
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): 1024
  Multi-valued: False
  Format Support: Plain Text or Standard Hash (based on selection in Registration Methods tab)
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the PIN dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the PIN dropdown on the Self-service Configuration Page
  AD-specific Field Example: otherLoginWorkstations

KB Questions
  Definition: User's knowledge-based questions, e.g. In what city did you grow up?
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): 32768 Recommended (dependent on number and length of KBQs)
  Multi-valued: False
  Format Support: Base64 Encoding or Encryption (based on selection in Registration Methods tab)
  Writable:
    True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the KBQ-KBA dropdown on the Self-service Configuration Page
  AD-specific Field Example: houseIdentifier

KB Answers
  Definition: User's answers to knowledge-based questions, e.g. Irvine
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): 4096 Recommended (dependent on number and length of KBAs)
  Multi-valued: False
  Format Support: Base64 Encoding or Encryption (based on selection in Registration Methods tab)
  Writable:
    True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the KBQ-KBA dropdown on the Self-service Configuration Page
  AD-specific Field Example: homePostalAddress

Aux ID 1 - 10
  Definition: Placeholder Properties that can be mapped to any LDAP attribute and extracted for authentication or asserted to a resource
  LDAP Attribute Requirements: Dependent on LDAP Attribute
  Writable:
    True for Account Management Page realm if Show Enabled is selected from the Aux 1 - 10 dropdown(s) on the Help Desk Configuration Page
    True for Self-service Account Update realm if Show Enabled is selected from the Aux 1 - 10 dropdown(s) on the Self-service Configuration Page
  AD-specific Field Example: Appropriate LDAP Attribute

Cert Serial Number
  Definition: Certificate that is generated by SecureAuth IdP and stored in user profile
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: True for all Certificate Enrollment realms
  AD-specific Field Example: See DirectoryString List below for options

Cert Reset Date
  Definition: Certificate revocation date; certificates delivered before this date are invalidated
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: True for Account Management realm if Show Enabled is selected from the Cert Rev Field on the Help Desk Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

Certificate Count
  Definition: Number of certificates in user's profile
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for all Certificate Enrollment realms
    True for Account Management Page realm if Show Enabled is selected from the Cert Count Field dropdown and / or if Show Enabled is selected from the Cert Rev Field on the Help Desk Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

Certificate Expiration
  Definition: Date on which user's certificate expires
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): 1024 Recommended
  Multi-valued: False
  Format Support: Plain Text
  Writable: True for all Certificate Enrollment realms in which Email Notification is Enabled in the Certificate / Token Properties section (Workflow tab)
  AD-specific Field Example: See DirectoryString List below for options

Mobile Reset Date
  Definition: Mobile cookie revocation date; cookies delivered before this date are invalidated
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

Mobile Count
  Definition: Number of mobile cookies in user's profile
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable:
    True for all realms in which Mobile Enrollment and Validation is selected from the Integration Mode dropdown on the Workflow tab
    True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page
  AD-specific Field Example: See DirectoryString List below for options

iOS Devices
  Definition: Unique ID of iOS devices stored for use in Fingerprinting
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: True
  AD-specific Field Example: See DirectoryString List below for options

Ext. Sync Pwd Date
  Definition: Date on which Google Apps and LDAP directory passwords synchronize
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: True for realms in which Google Apps Functions are enabled for the Sync Password feature, and in which the password synchronizes on a specific date rather than on every login
  AD-specific Field Example: See DirectoryString List below for options

Hardware Token
  Definition: Yubikey information used for 2-Factor Authentication
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: True for Yubikey Provisioning realm
  AD-specific Field Example: See DirectoryString List below for options

OATH Seed
  Definition: Seed used to generate OATH One-time Passwords (OTPs)
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): 4096 (or higher) Required
  Multi-valued: False
  Format Support: Advanced Encryption
  Writable: True for OATH Provisioning realm
  AD-specific Field Example: postalAddress

One Time OATH List
  Definition: List of valid OATH OTPs to increase security during offset duration
  LDAP Syntax: 2.5.5.12 (Directory String)
  Size (RangeUpper): N / A
  Multi-valued: False
  Format Support: Plain Text
  Writable: True for all realms in which OATH OTPs are Enabled for second factor (Registration Methods tab) and in which the One Time OATH List feature is enabled
  AD-specific Field Example: See DirectoryString List below for options

The Fingerprints, Push Notification Tokens, and Access Histories Properties have distinct LDAP attribute requirements based on the selected Format Support (Plain Binary vs. JSON)

Fingerprints
  Definition: Values created from unique characteristics of a user's desktop, browser, or mobile device
  Multi-valued: True
  Writable: True
  Plain Binary format:
    LDAP Syntax: 2.5.5.10 (Octet)
    Size (RangeUpper): 8 kB (or higher) per Fingerprint Record Required
      If the Total FP Max Count is set to -1 (no limit), then the size must be unlimited
      NOTE: The FP's access records max count data is also stored in the Fingerprints Property and increases the size
    AD-specific Field Example: audio
  JSON format:
    LDAP Syntax: 2.5.5.12 (Directory String)
    Size (RangeUpper): No Limit / Undefined
    AD-specific Field Example: accountNameHistory

Push Notification Tokens
  Definition: Registered devices to receive PUSH Notifications
  Size (RangeUpper): 4096 (or higher) Required
  Multi-valued: True
  Writable: True
  Plain Binary format:
    LDAP Syntax: 2.5.5.10 (Octet)
    AD-specific Field Example: jpegPhoto
  JSON format:
    LDAP Syntax: 2.5.5.12 (Directory String)
    AD-specific Field Example: altSecurityIdentities

Access Histories
  Definition: IP Address, geo-location, and last access time of user for Adaptive Authentication comparison
  Size (RangeUpper): 1024 (or higher) per Access History Record Required
    The Access History setting can be configured in the web.config file:
    <add key="AccessHistoryMaxCount" value="5" />
  Multi-valued: True
  Writable: True
  Plain Binary format:
    LDAP Syntax: 2.5.5.10 (Octet)
    AD-specific Field Example: photo
  JSON format:
    LDAP Syntax: 2.5.5.12 (Directory String)
    AD-specific Field Example: otherMailbox
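A candidate attribute should be checked against the syntax, size and multi-valued requirements above before a Profile Property is mapped to it. The following is an added example, not SecureAuth's own code: it encodes a subset of the table's requirements and tests them against constructed attributeSchema facts (attributeSyntax, rangeUpper, isSingleValued). It assumes "8 kB" means 8192 and that "Multi-valued: False" imposes no requirement; the schema snapshot is invented for illustration and must be replaced by values read from the forest's schema partition.

```python
# Added example (not SecureAuth's own code): check whether a candidate AD
# attribute satisfies the table's requirements before mapping a Profile
# Property to it. Schema facts mirror the attributeSchema object fields
# attributeSyntax, rangeUpper (None = no limit) and isSingleValued.

# Property -> (required attributeSyntax OID, minimum rangeUpper or None, must be multi-valued)
# Sizes come from the table; "8 kB" is read as 8192 (assumption).
REQUIREMENTS = {
    "PIN": ("2.5.5.12", 1024, False),
    "KB Questions": ("2.5.5.12", 32768, False),
    "OATH Seed": ("2.5.5.12", 4096, False),
    "Fingerprints (Plain Binary)": ("2.5.5.10", 8192, True),
    "Fingerprints (JSON)": ("2.5.5.12", None, True),
    "Push Notification Tokens (Plain Binary)": ("2.5.5.10", 4096, True),
    "Access Histories (Plain Binary)": ("2.5.5.10", 1024, True),
}

# Constructed schema snapshot for illustration only; real values must be read
# from the schema partition of the forest and differ between environments.
SCHEMA = {
    "postalAddress": {"attributeSyntax": "2.5.5.12", "rangeUpper": 4096, "isSingleValued": True},
    "otherLoginWorkstations": {"attributeSyntax": "2.5.5.12", "rangeUpper": 1024, "isSingleValued": False},
    "audio": {"attributeSyntax": "2.5.5.10", "rangeUpper": 32768, "isSingleValued": False},
    "jpegPhoto": {"attributeSyntax": "2.5.5.10", "rangeUpper": 102400, "isSingleValued": False},
    "info": {"attributeSyntax": "2.5.5.12", "rangeUpper": 1024, "isSingleValued": True},
}


def check_attribute(prop, schema, fp_max_count=None):
    """Return a list of problems; an empty list means the attribute qualifies.
    fp_max_count is the realm's Total FP Max Count (only relevant to Fingerprints)."""
    syntax, min_size, needs_multi = REQUIREMENTS[prop]
    problems = []
    if schema["attributeSyntax"] != syntax:
        problems.append(f"syntax {schema['attributeSyntax']} differs from required {syntax}")
    upper = schema.get("rangeUpper")
    if min_size is not None and upper is not None and upper < min_size:
        problems.append(f"rangeUpper {upper} is below the required {min_size}")
    if needs_multi and schema["isSingleValued"]:
        problems.append("attribute is single-valued but a multi-valued one is required")
    # Total FP Max Count = -1 (no limit) requires an attribute with no size limit.
    if prop.startswith("Fingerprints") and fp_max_count == -1 and upper is not None:
        problems.append("Total FP Max Count is -1 but rangeUpper is bounded")
    return problems


def find_candidates(prop, schema=SCHEMA, fp_max_count=None):
    """Names of attributes in the snapshot that meet every requirement for prop."""
    return sorted(n for n, s in schema.items() if not check_attribute(prop, s, fp_max_count))
```

Running `find_candidates("KB Questions")` against this snapshot returns nothing, which is the signal to pick a larger DirectoryString attribute (or raise rangeUpper in the schema) before mapping.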

DirectoryString List

These are Active Directory DirectoryString (2.5.5.12) attributes that can be used for the Profile Properties noted above; any other DirectoryString attribute that fulfills the remaining requirements can be used as well

  • extensionName
  • facsimileTelephoneNumber
  • info
  • ipPhone
  • otherFacsimileTelephoneNumber
  • otherHomePhone
  • otherIpPhone
  • otherLoginWorkstations
  • otherMobile
  • otherPager
  • otherTelephone
  • pager
  • postOfficeBox
  • street
  • streetAddress