Introduction

Use this guide as a reference for configuring an LDAP directory (Active Directory or another LDAP directory) so that it passes information through SecureAuth IdP successfully and securely.

SecureAuth IdP does not have its own directory and therefore stores no user information; instead, through Profile Property to LDAP attribute mapping, SecureAuth IdP safely abstracts user data from the integrated directory and asserts it to the target resource.

Included are the Service Account requirements for an LDAP directory integration, the Profile Property information, and example Active Directory Permission configurations.

SecureAuth IdP Service Account Requirements

Before installing the SecureAuth IdP appliance, set up a dedicated SecureAuth IdP Service Account with, at minimum, Read permissions on the directory attributes that hold the information SecureAuth IdP functions require:

  • A Service Account is required to enable an LDAP - SecureAuth IdP integration
  • SecureAuth recommends creating a new, unique account specifically for SecureAuth IdP processes
  • SecureAuth recommends delegating to the account only the minimum level of permissions it needs to function
    • At minimum, the Service Account requires Read permissions on the user accounts in the directory (or on the specific LDAP attributes used) in order to read basic account information and the data required for out-of-band registration (e-mail address, SMS / telephone numbers, KBQ / KBA, PIN, etc. for Multi-Factor Authentication)
    • The Service Account additionally requires Modify / Write permissions on the accounts / attributes used for Identity Management (IdM), data on-boarding, help desk administration, Device Recognition, certificate restrictions, password reset, and other functions that write to the directory
  • The properties of the account should follow the company's established security policies
  • As a best practice, set the account and its password to Never Expire so that an expired credential does not cause an unexpected authentication outage

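The following script is an added example of delegating the least-privilege permissions described above; it is not SecureAuth's own tooling and not part of this guide. It grants the Service Account Read on a set of attributes and Read + Write on another set, as object-specific ACEs inherited only by user objects under one OU, rather than granting broad rights on the whole domain. The account name CORP\svc-secureauth, the OU DN and the attribute lists in the usage comment are placeholders; the attributes are the AD-specific examples used in the Profile Property tables.

```powershell
# Added example (not SecureAuth's own tooling): attribute-level delegation for the
# SecureAuth IdP Service Account. Requires the RSAT ActiveDirectory module and an
# account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # Resolve an attribute or class lDAPDisplayName to its schemaIDGUID; object-specific
    # ACEs identify the attribute and the inheriting object class by these GUIDs.
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function New-AttributeAce {
    # Allow $Rights on exactly one attribute ($AttributeGuid), inherited by descendant
    # objects of one class ($InheritedObjectGuid) only: nothing is granted on the OU
    # itself, on other attributes, or on other object classes.
    param(
        [System.Security.Principal.NTAccount]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [guid]$AttributeGuid,
        [guid]$InheritedObjectGuid
    )
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $Identity,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AttributeGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $InheritedObjectGuid)
}

function Grant-SecureAuthAttributeAccess {
    param(
        [Parameter(Mandatory)][string]$ServiceAccount,   # e.g. 'CORP\svc-secureauth' (placeholder)
        [Parameter(Mandatory)][string]$TargetDN,         # OU holding the SecureAuth IdP users (placeholder)
        [string[]]$ReadAttributes  = @(),                # basic account / registration data: Read only
        [string[]]$WriteAttributes = @()                 # IdM, Device Recognition, KBQ/KBA, OATH: Read + Write
    )
    $identity  = [System.Security.Principal.NTAccount]$ServiceAccount
    $userClass = Get-SchemaGuid 'user'
    $acl       = Get-Acl -Path "AD:\$TargetDN"

    foreach ($attr in $ReadAttributes) {
        $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
        $acl.AddAccessRule((New-AttributeAce $identity $rights (Get-SchemaGuid $attr) $userClass))
    }
    foreach ($attr in $WriteAttributes) {
        # Write without Read is useless to the IdP, so the writable set gets both rights
        $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
        $acl.AddAccessRule((New-AttributeAce $identity $rights (Get-SchemaGuid $attr) $userClass))
    }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Usage (all values are placeholders):
# Grant-SecureAuthAttributeAccess -ServiceAccount 'CORP\svc-secureauth' `
#     -TargetDN 'OU=People,DC=corp,DC=example' `
#     -ReadAttributes  givenName, sn, mail, mobile, telephoneNumber, memberOf `
#     -WriteAttributes houseIdentifier, homePostalAddress, postalAddress, audio, photo
```

Because the ACEs are scoped to the user class with Descendents inheritance, the Service Account gains nothing on the OU object, on groups or computers under it, or on attributes outside the two lists; run Get-Acl on a user object afterwards to confirm the inherited entries arrived.
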
Privileged Users and Groups

For Active Directory instances: if accounts that are members of privileged groups (Domain Admins, Account Operators, etc.) are used with SecureAuth IdP, "permission denied" errors may occur when SecureAuth IdP updates attribute data (for example in Self-service Account Update, Device Recognition, or Password Reset).

The cause is that the SecureAuth IdP Service Account cannot write to those accounts' attributes: Active Directory automatically applies protective security settings to members of several privileged groups, which replace the permissions delegated on the containing OU (refer to Microsoft's Documentation for more information).

Workarounds

Option 1. Make the SecureAuth IdP Service Account a member of Domain Admins

This is not recommended for security reasons; however, it typically resolves the permission issues and removes the need to apply specific security permissions for the Service Account to the remaining objects in the domain.

Option 2. Keep the end-user accounts that need access to SecureAuth IdP services separate from privileged-group accounts (i.e. use a separate Domain Admins account for directory administration that is never used to access external services via SecureAuth IdP)

Option 3. Apply permissions to the AdminSDHolder object by following method 2 or method 3 in Microsoft's Documentation

SecureAuth accepts no liability for the results of following the guidance presented in Microsoft's Documentation

AdminSDHolder is a container object in Active Directory whose permissions serve as the master template applied to objects that are members of protected (privileged) groups, including:

  • Administrators
  • Domain Admins
  • Enterprise Admins
  • Schema Admins
  • Domain Controllers
  • Server Operators

SecureAuth does not recommend making modifications to the AdminSDHolder object and accepts no liability for such actions
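To find out in advance which accounts in the SecureAuth IdP user scope will hit the "permission denied" behaviour described above, and to verify that Option 2 (separation of privileged and end-user accounts) holds, the following added example lists protected users in an OU and checks the Service Account's own group memberships. It is not SecureAuth's tooling; the OU DN and the account name svc-secureauth in the usage comment are placeholders, and the protected-group list is the one given in this section.

```powershell
# Added example (not SecureAuth's own tooling): audit AdminSDHolder-protected users in
# the SecureAuth IdP scope and confirm the Service Account is not itself privileged.
Import-Module ActiveDirectory

# Groups named in this section as protected by AdminSDHolder
$ProtectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Domain Controllers', 'Server Operators', 'Account Operators'

function Find-ProtectedUsersInScope {
    # Members of protected groups are stamped adminCount=1 and their ACL is rewritten from
    # the AdminSDHolder template, so ACEs delegated on the OU never reach them and the
    # Service Account's writes (Self-service Account Update, Device Recognition, ...) fail.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADUser -SearchBase $SearchBase -LDAPFilter '(adminCount=1)' -Properties adminCount, memberOf |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                # Direct memberships only. adminCount stays 1 after an account leaves a protected
                # group, so an empty list here means the flag is stale and the object still needs
                # clean-up before delegated permissions apply to it again.
                DirectGroups   = @($_.memberOf | ForEach-Object { ($_ -split '(?<!\\),', 2)[0] -replace '^CN=' })
            }
        }
}

function Test-ServiceAccountPrivilege {
    # Option 1 above trades least privilege away; this reports whether that has happened.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $direct = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName | Select-Object -ExpandProperty Name)
    $hits   = @($direct | Where-Object { $ProtectedGroups -contains $_ })
    [pscustomobject]@{
        Account             = $SamAccountName
        PrivilegedGroups    = $hits
        MeetsLeastPrivilege = ($hits.Count -eq 0)
    }
}

# Usage (placeholders):
# Find-ProtectedUsersInScope -SearchBase 'OU=People,DC=corp,DC=example' | Format-Table -AutoSize
# Test-ServiceAccountPrivilege -SamAccountName 'svc-secureauth'
```

Any user returned by Find-ProtectedUsersInScope is a candidate for Option 2: give that person a separate, non-privileged account for SecureAuth IdP services. Test-ServiceAccountPrivilege only inspects direct memberships; nested membership in a protected group would still trigger protection and needs a recursive check.
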

LDAP Directory Attribute / SecureAuth IdP Profile Property Mapping

SecureAuth IdP integrates with an LDAP directory and then maps its Profile Properties to LDAP Attributes to create a relationship without requiring data storage on the appliance. Some Properties are auto-populated out-of-the-box with commonly used Active Directory attributes, but they can be changed to any directory field as long as the requirements are met.

Select the relevant SecureAuth IdP version (latest version: 9.0.2) to view a list of the Profile Properties, their purpose, the LDAP directory attribute requirements, the conditions under which they must be Writable (modifiable), and AD-specific attribute examples.

SecureAuth IdP Version 9.0.x

The AD Field listed in the table is an example of a valid directory field to use in the configuration, but any field that fulfills the requirements can be utilized

Writable column shorthand: "AM: X" stands for "True for the Account Management Page realm if Show Enabled is selected from the X dropdown on the Help Desk Configuration Page", and "SS: X" stands for "True for the Self-service Account Update realm if Show Enabled is selected from the X dropdown on the Self-service Configuration Page". Conditions that do not fit this pattern are written out in full.

| Profile Property | Definition | LDAP Syntax | Size (RangeUpper) | Multi-valued | Format Support | Writable | AD-specific Field Example |
|---|---|---|---|---|---|---|---|
| Groups | Groups to which the user belongs | 2.5.5.12 (Directory String) | N / A | False | Plain Text | False | memberOf |
| First Name | User's first name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: First Name; SS: First Name | givenName |
| Last Name | User's last name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Last Name; SS: Last Name | sn |
| Phone 1 | User's primary phone number, typically corporate number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 1; SS: Phone 1 | telephoneNumber |
| Phone 2 | User's secondary phone number, typically mobile number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 2; SS: Phone 2 | mobile |
| Phone 3 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 3; SS: Phone 3 | See DirectoryString List below for options |
| Phone 4 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 4; SS: Phone 4 | See DirectoryString List below for options |
| Email 1 | User's primary email address, typically corporate email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 1; SS: Email 1 | mail |
| Email 2 | User's secondary email address, typically personal email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 2; SS: Email 2 | See DirectoryString List below for options |
| Email 3 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 3; SS: Email 3 | See DirectoryString List below for options |
| Email 4 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 4; SS: Email 4 | See DirectoryString List below for options |
| PIN | User's static Personal Identification Number | 2.5.5.12 (Directory String) | 1024 | False | Plain Text or Standard Hash (based on selection in Registration Methods tab) | AM: PIN; SS: PIN | otherLoginWorkstations |
| KB Questions | User's knowledge-based questions, e.g. In what city did you grow up? | 2.5.5.12 (Directory String) | 32768 Recommended (dependent on number and length of KBQs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; SS: KBQ-KBA | houseIdentifier |
| KB Answers | User's answers to knowledge-based questions, e.g. Irvine | 2.5.5.12 (Directory String) | 4096 Recommended (dependent on number and length of KBAs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; SS: KBQ-KBA | homePostalAddress |
| Aux ID 1 - 10 | Placeholder Properties that can be mapped to any LDAP attribute and extracted for authentication or asserted to the resource | Dependent on LDAP attribute | Dependent on LDAP attribute | Dependent on LDAP attribute | Dependent on LDAP attribute | AM: Aux 1 - 10 dropdown(s); SS: Aux 1 - 10 dropdown(s) | Appropriate LDAP attribute |
| Cert Serial Number | Certificate that is generated by SecureAuth IdP and stored in the user profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms | See DirectoryString List below for options |
| Cert Reset Date | Certificate revocation date; certificates delivered before this date are invalidated | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management realm if Show Enabled is selected from the Cert Rev Field on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Count | Number of certificates in the user's profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms; True for Account Management Page realm if Show Enabled is selected from the Cert Count Field dropdown and / or from the Cert Rev Field on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Expiration | Date on which the user's certificate expires | 2.5.5.12 (Directory String) | 1024 Recommended | False | Plain Text | True for all Certificate Enrollment realms in which Email Notification is Enabled in the Certificate / Token Properties section (Workflow tab) | See DirectoryString List below for options |
| Mobile Reset Date | Mobile cookie revocation date; cookies delivered before this date are invalidated | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| Mobile Count | Number of mobile cookies in the user's profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all realms in which Mobile Enrollment and Validation is selected from the Integration Mode dropdown on the Workflow tab; True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| iOS Devices | Unique ID of iOS devices stored for use in Fingerprinting | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True | See DirectoryString List below for options |
| Ext. Sync Pwd Date | Date on which Google Apps and LDAP directory passwords synchronize | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for realms in which Google Apps Functions are enabled for the Sync Password feature and the password synchronizes on a specific date rather than on every login | See DirectoryString List below for options |
| Hardware Token | Yubikey information used for 2-Factor Authentication | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Yubikey Provisioning realm | See DirectoryString List below for options |
| OATH Seed | Seed used to generate OATH One-time Passwords (OTPs) | 2.5.5.12 (Directory String) | 4096 (or higher) Required | False | Advanced Encryption | True for OATH Provisioning realm | postalAddress |
| One Time OATH List | List of valid OATH OTPs to increase security during the offset duration | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all realms in which OATH OTPs are Enabled for second factor (Registration Methods tab) and the One Time OATH List feature is enabled | See DirectoryString List below for options |
| Fingerprints ** (Plain Binary) | Values created from unique characteristics of the user's desktop, browser, or mobile device | 2.5.5.10 (Octet) | 8 kB (or higher) per Fingerprint Record Required (see note 1) | True | Plain Binary | True | audio |
| Fingerprints ** (JSON) | Values created from unique characteristics of the user's desktop, browser, or mobile device | 2.5.5.12 (Directory String) | No Limit / Undefined | True | JSON | True | accountNameHistory |
| Push Notification Tokens ** (Plain Binary) | Registered devices to receive PUSH Notifications | 2.5.5.10 (Octet) | 4096 (or higher) Required | True | Plain Binary | True | jpegPhoto |
| Push Notification Tokens ** (JSON) | Registered devices to receive PUSH Notifications | 2.5.5.12 (Directory String) | 4096 (or higher) Required | True | JSON | True | altSecurityIdentities |
| OATH Tokens ** (Plain Binary) | Provisioned devices to utilize OATH Tokens for 2-Factor Authentication (contains OATH Seed) | 2.5.5.10 (Octet) | 4096 (or higher) Required | True | Plain Binary | True | registeredAddress |
| OATH Tokens ** (JSON) | Provisioned devices to utilize OATH Tokens for 2-Factor Authentication (contains OATH Seed) | 2.5.5.12 (Directory String) | 4096 (or higher) Required | True | JSON or JSON Encrypted | True | otherIpPhone |
| Access Histories ** (Plain Binary) | IP Address, geo-location, and last access time of the user for Adaptive Authentication comparison | 2.5.5.10 (Octet) | 1024 (or higher) per Access History Record Required (see note 2) | True | Plain Binary | True | photo |
| Access Histories ** (JSON) | IP Address, geo-location, and last access time of the user for Adaptive Authentication comparison | 2.5.5.12 (Directory String) | 1024 (or higher) per Access History Record Required (see note 2) | True | JSON | True | otherMailbox |
| Behavior Biometrics | Behavior Profile used in Behavioral Biometrics authentication (Authentication API) | 2.5.5.12 (Directory String) | No Limit / Undefined | False | Plain Text | True | comment |

** The Fingerprints, Push Notification Tokens, OATH Tokens, and Access Histories Properties have distinct LDAP attribute requirements based on the selected Format Support (Plain Binary vs. JSON), so each is listed once per format.

Note 1: If the Total FP Max Count is set to -1 (no limit), then the rangeUpper must be unlimited. The FP's access records max count data is also stored in the Fingerprints Property and increases the size.

Note 2: The Access History max count can be configured in the web.config file:
<add key="AccessHistoryMaxCount" value="5" />

SecureAuth IdP Version 8.2.x

The AD Field listed in the table is an example of a valid directory field to use in the configuration, but any field that fulfills the requirements can be utilized

Writable column shorthand: "AM: X" stands for "True for the Account Management Page realm if Show Enabled is selected from the X dropdown on the Help Desk Configuration Page", and "SS: X" stands for "True for the Self-service Account Update realm if Show Enabled is selected from the X dropdown on the Self-service Configuration Page". Conditions that do not fit this pattern are written out in full.

| Profile Property | Definition | LDAP Syntax | Size (RangeUpper) | Multi-valued | Format Support | Writable | AD-specific Field Example |
|---|---|---|---|---|---|---|---|
| Groups | Groups to which the user belongs | 2.5.5.12 (Directory String) | N / A | False | Plain Text | False | memberOf |
| First Name | User's first name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: First Name; SS: First Name | givenName |
| Last Name | User's last name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Last Name; SS: Last Name | sn |
| Phone 1 | User's primary phone number, typically corporate number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 1; SS: Phone 1 | telephoneNumber |
| Phone 2 | User's secondary phone number, typically mobile number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 2; SS: Phone 2 | mobile |
| Phone 3 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 3; SS: Phone 3 | See DirectoryString List below for options |
| Phone 4 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 4; SS: Phone 4 | See DirectoryString List below for options |
| Email 1 | User's primary email address, typically corporate email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 1; SS: Email 1 | mail |
| Email 2 | User's secondary email address, typically personal email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 2; SS: Email 2 | See DirectoryString List below for options |
| Email 3 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 3; SS: Email 3 | See DirectoryString List below for options |
| Email 4 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 4; SS: Email 4 | See DirectoryString List below for options |
| PIN | User's static Personal Identification Number | 2.5.5.12 (Directory String) | 1024 | False | Plain Text or Standard Hash (based on selection in Registration Methods tab) | AM: PIN; SS: PIN | otherLoginWorkstations |
| KB Questions | User's knowledge-based questions, e.g. In what city did you grow up? | 2.5.5.12 (Directory String) | 32768 Recommended (dependent on number and length of KBQs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; SS: KBQ-KBA | houseIdentifier |
| KB Answers | User's answers to knowledge-based questions, e.g. Irvine | 2.5.5.12 (Directory String) | 4096 Recommended (dependent on number and length of KBAs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; SS: KBQ-KBA | homePostalAddress |
| Aux ID 1 - 10 | Placeholder Properties that can be mapped to any LDAP attribute and extracted for authentication or asserted to the resource | Dependent on LDAP attribute | Dependent on LDAP attribute | Dependent on LDAP attribute | Dependent on LDAP attribute | AM: Aux 1 - 10 dropdown(s); SS: Aux 1 - 10 dropdown(s) | Appropriate LDAP attribute |
| Cert Serial Number | Certificate that is generated by SecureAuth IdP and stored in the user profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms | See DirectoryString List below for options |
| Cert Reset Date | Certificate revocation date; certificates delivered before this date are invalidated | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management realm if Show Enabled is selected from the Cert Rev Field on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Count | Number of certificates in the user's profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms; True for Account Management Page realm if Show Enabled is selected from the Cert Count Field dropdown and / or from the Cert Rev Field on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Expiration | Date on which the user's certificate expires | 2.5.5.12 (Directory String) | 1024 Recommended | False | Plain Text | True for all Certificate Enrollment realms in which Email Notification is Enabled in the Certificate / Token Properties section (Workflow tab) | See DirectoryString List below for options |
| Mobile Reset Date | Mobile cookie revocation date; cookies delivered before this date are invalidated | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| Mobile Count | Number of mobile cookies in the user's profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all realms in which Mobile Enrollment and Validation is selected from the Integration Mode dropdown on the Workflow tab; True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| iOS Devices | Unique ID of iOS devices stored for use in Fingerprinting | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True | See DirectoryString List below for options |
| Ext. Sync Pwd Date | Date on which Google Apps and LDAP directory passwords synchronize | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for realms in which Google Apps Functions are enabled for the Sync Password feature and the password synchronizes on a specific date rather than on every login | See DirectoryString List below for options |
| Hardware Token | Yubikey information used for 2-Factor Authentication | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Yubikey Provisioning realm | See DirectoryString List below for options |
| OATH Seed | Seed used to generate OATH One-time Passwords (OTPs) | 2.5.5.12 (Directory String) | 4096 (or higher) Required | False | Advanced Encryption | True for OATH Provisioning realm | postalAddress |
| One Time OATH List | List of valid OATH OTPs to increase security during the offset duration | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all realms in which OATH OTPs are Enabled for second factor (Registration Methods tab) and the One Time OATH List feature is enabled | See DirectoryString List below for options |
| Fingerprints ** (Plain Binary) | Values created from unique characteristics of the user's desktop, browser, or mobile device | 2.5.5.10 (Octet) | 8 kB (or higher) per Fingerprint Record Required (see note 1) | True | Plain Binary | True | audio |
| Fingerprints ** (JSON) | Values created from unique characteristics of the user's desktop, browser, or mobile device | 2.5.5.12 (Directory String) | No Limit / Undefined | True | JSON | True | accountNameHistory |
| Push Notification Tokens ** (Plain Binary) | Registered devices to receive PUSH Notifications | 2.5.5.10 (Octet) | 4096 (or higher) Required | True | Plain Binary | True | jpegPhoto |
| Push Notification Tokens ** (JSON) | Registered devices to receive PUSH Notifications | 2.5.5.12 (Directory String) | 4096 (or higher) Required | True | JSON | True | altSecurityIdentities |
| OATH Tokens ** (Plain Binary) | Provisioned devices to utilize OATH Tokens for 2-Factor Authentication (contains OATH Seed) | 2.5.5.10 (Octet) | 4096 (or higher) Required | True | Plain Binary | True | registeredAddress |
| OATH Tokens ** (JSON) | Provisioned devices to utilize OATH Tokens for 2-Factor Authentication (contains OATH Seed) | 2.5.5.12 (Directory String) | 4096 (or higher) Required | True | JSON or JSON Encrypted | True | otherIpPhone |
| Access Histories ** (Plain Binary) | IP Address, geo-location, and last access time of the user for Adaptive Authentication comparison | 2.5.5.10 (Octet) | 1024 (or higher) per Access History Record Required (see note 2) | True | Plain Binary | True | photo |
| Access Histories ** (JSON) | IP Address, geo-location, and last access time of the user for Adaptive Authentication comparison | 2.5.5.12 (Directory String) | 1024 (or higher) per Access History Record Required (see note 2) | True | JSON | True | otherMailbox |

** The Fingerprints, Push Notification Tokens, OATH Tokens, and Access Histories Properties have distinct LDAP attribute requirements based on the selected Format Support (Plain Binary vs. JSON), so each is listed once per format.

Note 1: If the Total FP Max Count is set to -1 (no limit), then the size must be unlimited. The FP's access records max count data is also stored in the Fingerprints Property and increases the size.

Note 2: The Access History max count can be configured in the web.config file:
<add key="AccessHistoryMaxCount" value="5" />
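The syntax, size and multi-valued requirements in the Profile Property tables (for 9.0.x above, 8.2.x here, and 8.1.x below) can be checked against the actual Active Directory schema before a mapping is entered in the Profile Properties. The following script is an added example and not SecureAuth's own tooling; the requirement list it carries is copied from the tables (with the tables' AD-specific example attributes) and is an assumption about which mappings you intend to use, so edit it to match your own choices.

```powershell
# Added example (not SecureAuth's own tooling): validate candidate Profile Property ->
# LDAP attribute mappings against the AD schema. Needs the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# Requirements copied from the mapping tables. Sizes are the minimums stated there
# (8 kB per Fingerprint record taken as 8192). rangeUpper counts characters for
# Directory String (2.5.5.12) attributes and bytes for Octet (2.5.5.10) attributes.
$Requirements = @(
    @{ Property = 'KB Questions';                    Attribute = 'houseIdentifier';   Syntax = '2.5.5.12'; MinRangeUpper = 32768; MultiValued = $false }
    @{ Property = 'KB Answers';                      Attribute = 'homePostalAddress'; Syntax = '2.5.5.12'; MinRangeUpper = 4096;  MultiValued = $false }
    @{ Property = 'OATH Seed';                       Attribute = 'postalAddress';     Syntax = '2.5.5.12'; MinRangeUpper = 4096;  MultiValued = $false }
    @{ Property = 'Fingerprints (Plain Binary)';     Attribute = 'audio';             Syntax = '2.5.5.10'; MinRangeUpper = 8192;  MultiValued = $true  }
    @{ Property = 'Access Histories (Plain Binary)'; Attribute = 'photo';             Syntax = '2.5.5.10'; MinRangeUpper = 1024;  MultiValued = $true  }
)

function Test-ProfileAttributeMapping {
    param([Parameter(Mandatory)][hashtable]$Requirement)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $schema = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$($Requirement.Attribute))" `
                           -Properties attributeSyntax, rangeUpper, isSingleValued
    $problems = @()
    if (-not $schema) {
        $problems += 'attribute not found in schema'
    } else {
        # attributeSyntax is stored as the OID string the tables quote (2.5.5.12, 2.5.5.10)
        if ($schema.attributeSyntax -ne $Requirement.Syntax) {
            $problems += "syntax is $($schema.attributeSyntax), table requires $($Requirement.Syntax)"
        }
        # A missing rangeUpper means the attribute length is unlimited, which satisfies any
        # minimum (and is what the Fingerprints row demands when Total FP Max Count is -1).
        if ($null -ne $schema.rangeUpper -and $schema.rangeUpper -lt $Requirement.MinRangeUpper) {
            $problems += "rangeUpper $($schema.rangeUpper) is below the required $($Requirement.MinRangeUpper)"
        }
        # Multi-valued in the table must match the schema: isSingleValued is its negation
        if ($schema.isSingleValued -eq $Requirement.MultiValued) {
            $problems += "isSingleValued=$($schema.isSingleValued) conflicts with Multi-valued=$($Requirement.MultiValued)"
        }
    }
    $result = if ($problems.Count -eq 0) { 'OK' } else { 'CHECK' }
    [pscustomobject]@{
        Property  = $Requirement.Property
        Attribute = $Requirement.Attribute
        Result    = $result
        Detail    = ($problems -join '; ')
    }
}

$Requirements | ForEach-Object { Test-ProfileAttributeMapping $_ } | Format-Table -AutoSize
```

A CHECK result does not necessarily mean the mapping will fail: a rangeUpper that is too small can be raised by a schema change, and a multi-valued attribute can still hold a single value. It does mean the attribute departs from what the table asks for, and it is better to learn that from the schema than from a failed registration later.
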

SecureAuth IdP Version 8.1.x

The AD Field listed in the table is an example of a valid directory field to use in the configuration, but any field that fulfills the requirements can be utilized

Writable column shorthand: "AM: X" stands for "True for the Account Management Page realm if Show Enabled is selected from the X dropdown on the Help Desk Configuration Page", and "SS: X" stands for "True for the Self-service Account Update realm if Show Enabled is selected from the X dropdown on the Self-service Configuration Page". Conditions that do not fit this pattern are written out in full.

| Profile Property | Definition | LDAP Syntax | Size (RangeUpper) | Multi-valued | Format Support | Writable | AD-specific Field Example |
|---|---|---|---|---|---|---|---|
| Groups | Groups to which the user belongs | 2.5.5.12 (Directory String) | N / A | False | Plain Text | False | memberOf |
| First Name | User's first name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: First Name; SS: First Name | givenName |
| Last Name | User's last name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Last Name; SS: Last Name | sn |
| Phone 1 | User's primary phone number, typically corporate number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 1; SS: Phone 1 | telephoneNumber |
| Phone 2 | User's secondary phone number, typically mobile number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 2; SS: Phone 2 | mobile |
| Phone 3 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 3; SS: Phone 3 | See DirectoryString List below for options |
| Phone 4 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Phone 4; SS: Phone 4 | See DirectoryString List below for options |
| Email 1 | User's primary email address, typically corporate email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 1; SS: Email 1 | mail |
| Email 2 | User's secondary email address, typically personal email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 2; SS: Email 2 | See DirectoryString List below for options |
| Email 3 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 3; SS: Email 3 | See DirectoryString List below for options |
| Email 4 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | AM: Email 4; SS: Email 4 | See DirectoryString List below for options |
| PIN | User's static Personal Identification Number | 2.5.5.12 (Directory String) | 1024 | False | Plain Text or Standard Hash (based on selection in Registration Methods tab) | AM: PIN; SS: PIN | otherLoginWorkstations |
| KB Questions | User's knowledge-based questions, e.g. In what city did you grow up? | 2.5.5.12 (Directory String) | 32768 Recommended (dependent on number and length of KBQs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; SS: KBQ-KBA | houseIdentifier |
| KB Answers | User's answers to knowledge-based questions, e.g. Irvine | 2.5.5.12 (Directory String) | 4096 Recommended (dependent on number and length of KBAs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; SS: KBQ-KBA | homePostalAddress |
| Aux ID 1 - 10 | Placeholder Properties that can be mapped to any LDAP attribute and extracted for authentication or asserted to the resource | Dependent on LDAP attribute | Dependent on LDAP attribute | Dependent on LDAP attribute | Dependent on LDAP attribute | AM: Aux 1 - 10 dropdown(s); SS: Aux 1 - 10 dropdown(s) | Appropriate LDAP attribute |
| Cert Serial Number | Certificate that is generated by SecureAuth IdP and stored in the user profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms | See DirectoryString List below for options |
| Cert Reset Date | Certificate revocation date; certificates delivered before this date are invalidated | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management realm if Show Enabled is selected from the Cert Rev Field on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Count | Number of certificates in the user's profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms; True for Account Management Page realm if Show Enabled is selected from the Cert Count Field dropdown and / or from the Cert Rev Field on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Expiration | Date on which the user's certificate expires | 2.5.5.12 (Directory String) | 1024 Recommended | False | Plain Text | True for all Certificate Enrollment realms in which Email Notification is Enabled in the Certificate / Token Properties section (Workflow tab) | See DirectoryString List below for options |
Mobile Reset DateMobile cookie revocation date – cookies delivered before this date are invalidated2.5.5.12 (Directory String)N / AFalsePlain TextTrue for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration PageSee DirectoryString List below for options
Mobile CountNumber of mobile cookies in user's profile

2.5.5.12 (Directory String)N / AFalsePlain Text

True for all realms in which Mobile Enrollment and Validation is selected from the Integration Mode dropdown on the Workflow tabSee DirectoryString List below for options
True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page
iOS DevicesUnique ID of iOS devices stored for use in Fingerprinting2.5.5.12 (Directory String)N / AFalsePlain TextTrueSee DirectoryString List below for options
Ext. Sync Pwd DateDate on which Google Apps and LDAP directory passwords synchronize2.5.5.12 (Directory String)N / AFalsePlain TextTrue for realms in which Google Apps Functions are enabled for the Sync Password feature, and in which the password synchronizes on a specific date rather than on every loginSee DirectoryString List below for options
Hardware TokenYubikey information used for 2-Factor Authentication2.5.5.12 (Directory String)N / AFalsePlain TextTrue for Yubikey Provisioning realmSee DirectoryString List below for options
OATH SeedSeed used to generate OATH One-time Passwords (OTPs)2.5.5.12 (Directory String)4096 (or higher) RequiredFalseAdvanced EncryptionTrue for OATH Provisioning realmpostalAddress
One Time OATH ListList of valid OATH OTPs to increase security during offset duration2.5.5.12 (Directory String)N / AFalsePlain TextTrue for all realms in which OATH OTPs are Enabled for second factor (Registration Methods tab) and in which the One Time OATH List feature is enabledSee DirectoryString List below for options

**The Fingerprints, Push Notification Tokens, OATH Tokens, and Access Histories Properties have distinct LDAP attribute requirements based on the selected Format Support (Plain Binary vs. JSON)**

**FingerprintsValues created from unique characteristics of user's desktop, browser, or mobile device2.5.5.10 (Octet)

8 kB (or higher) per Fingerprint Record Required

If the Total FP Max Count is set to -1 (no limit), then the size must be unlimited

NOTE: The FP's access records max count data is also stored in the Fingerprints Property and increases the size

TruePlain BinaryTrueaudio
2.5.5.12 (Directory String)No Limit / UndefinedJSONaccountNameHistory
**Push Notification TokensRegistered devices to receive PUSH Notifications2.5.5.10 (Octet)4096 (or higher) RequiredTruePlain BinaryTruejpegPhoto
2.5.5.12 (Directory String)JSONaltSecurityIdentities
**OATH TokensProvisioned devices to utilize OATH Tokens for 2-Factor Authentication (contains OATH Seed)2.5.5.10 (Octet)4096 (or higher) RequiredTruePlain BinaryTrueregisteredAddress
2.5.5.12 (Directory String)JSONotherIpPhone
JSON Encrypted
**Access HistoriesIP Address, geo-location, and last access time of user for Adaptive Authentication comparison2.5.5.10 (Octet)

1024 (or higher) per Access History Record Required

The Access History setting can be configured in the web.config file:
<add key="AccessHistoryMaxCount" value="5" />

TruePlain BinaryTruephoto
2.5.5.12 (Directory String)JSONotherMailbox

SecureAuth IdP Version 8.0.x

The AD Field listed in the table is an example of a valid directory field to use in the configuration, but any field that fulfills the requirements can be utilized

| Profile Property | Definition | LDAP Syntax | Size (RangeUpper) | Multi-valued | Format Support | Writable | AD-specific Field Example |
|---|---|---|---|---|---|---|---|
| Groups | Groups to which user belongs | 2.5.5.12 (Directory String) | N / A | False | Plain Text | False | memberOf |
| First Name | User's first name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the First Name dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the First Name dropdown on the Self-service Configuration Page | givenName |
| Last Name | User's last name | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Last Name dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Last Name dropdown on the Self-service Configuration Page | sn |
| Phone 1 | User's primary phone number, typically corporate number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Phone 1 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Phone 1 dropdown on the Self-service Configuration Page | telephoneNumber |
| Phone 2 | User's secondary phone number, typically mobile phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Phone 2 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Phone 2 dropdown on the Self-service Configuration Page | mobile |
| Phone 3 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Phone 3 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Phone 3 dropdown on the Self-service Configuration Page | See DirectoryString List below for options |
| Phone 4 | User's additional phone number | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Phone 4 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Phone 4 dropdown on the Self-service Configuration Page | See DirectoryString List below for options |
| Email 1 | User's primary email address, typically corporate email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Email 1 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Email 1 dropdown on the Self-service Configuration Page | mail |
| Email 2 | User's secondary email address, typically personal email | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Email 2 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Email 2 dropdown on the Self-service Configuration Page | See DirectoryString List below for options |
| Email 3 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Email 3 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Email 3 dropdown on the Self-service Configuration Page | See DirectoryString List below for options |
| Email 4 | User's additional email address | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Email 4 dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Email 4 dropdown on the Self-service Configuration Page | See DirectoryString List below for options |
| PIN | User's static Personal Identification Number | 2.5.5.12 (Directory String) | 1024 | False | Plain Text or Standard Hash (based on selection in Registration Methods tab) | True for Account Management Page realm if Show Enabled is selected from the PIN dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the PIN dropdown on the Self-service Configuration Page | otherLoginWorkstations |
| KB Questions | User's knowledge-based questions, e.g. In what city did you grow up? | 2.5.5.12 (Directory String) | 32768 Recommended (dependent on number and length of KBQs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the KBQ-KBA dropdown on the Self-service Configuration Page | houseIdentifier |
| KB Answers | User's answers to knowledge-based questions, e.g. Irvine | 2.5.5.12 (Directory String) | 4096 Recommended (dependent on number and length of KBAs) | False | Base64 Encoding or Encryption (based on selection in Registration Methods tab) | True for Account Management Page realm if Show is selected from the Clear KBQ-KBA CheckBox dropdown on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the KBQ-KBA dropdown on the Self-service Configuration Page | homePostalAddress |
| Aux ID 1 - 10 | Placeholder Properties that can be mapped to any LDAP attribute and extracted for authentication or asserted to resource | Dependent on LDAP Attribute | Dependent on LDAP Attribute | Dependent on LDAP Attribute | Dependent on LDAP Attribute | True for Account Management Page realm if Show Enabled is selected from the Aux 1 - 10 dropdown(s) on the Help Desk Configuration Page; True for Self-service Account Update realm if Show Enabled is selected from the Aux 1 - 10 dropdown(s) on the Self-service Configuration Page | Appropriate LDAP Attribute |
| Cert Serial Number | Certificate that is generated by SecureAuth IdP and stored in user profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms | See DirectoryString List below for options |
| Cert Reset Date | Certificate revocation date; certificates delivered before this date are invalidated | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show Enabled is selected from the Cert Rev Field dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Count | Number of certificates in user's profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all Certificate Enrollment realms; True for Account Management Page realm if Show Enabled is selected from the Cert Count Field dropdown and / or from the Cert Rev Field dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| Certificate Expiration | Date on which user's certificate expires | 2.5.5.12 (Directory String) | 1024 Recommended | False | Plain Text | True for all Certificate Enrollment realms in which Email Notification is Enabled in the Certificate / Token Properties section (Workflow tab) | See DirectoryString List below for options |
| Mobile Reset Date | Mobile cookie revocation date; cookies delivered before this date are invalidated | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| Mobile Count | Number of mobile cookies in user's profile | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all realms in which Mobile Enrollment and Validation is selected from the Integration Mode dropdown on the Workflow tab; True for Account Management Page realm if Show is selected from the Mobile Rev dropdown on the Help Desk Configuration Page | See DirectoryString List below for options |
| iOS Devices | Unique ID of iOS devices stored for use in Fingerprinting | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True | See DirectoryString List below for options |
| Ext. Sync Pwd Date | Date on which Google Apps and LDAP directory passwords synchronize | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for realms in which Google Apps Functions are enabled for the Sync Password feature, and in which the password synchronizes on a specific date rather than on every login | See DirectoryString List below for options |
| Hardware Token | Yubikey information used for 2-Factor Authentication | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for Yubikey Provisioning realm | See DirectoryString List below for options |
| OATH Seed | Seed used to generate OATH One-time Passwords (OTPs) | 2.5.5.12 (Directory String) | 4096 (or higher) Required | False | Advanced Encryption | True for OATH Provisioning realm | postalAddress |
| One Time OATH List | List of valid OATH OTPs to increase security during offset duration | 2.5.5.12 (Directory String) | N / A | False | Plain Text | True for all realms in which OATH OTPs are Enabled for second factor (Registration Methods tab) and in which the One Time OATH List feature is enabled | See DirectoryString List below for options |
| ** Fingerprints | Values created from unique characteristics of a user's desktop, browser, or mobile device | 2.5.5.10 (Octet) | 8 kB (or higher) per Fingerprint Record Required; if the Total FP Max Count is set to -1 (no limit), the size must be unlimited. NOTE: the FP's access records max count data is also stored in the Fingerprints Property and increases the size | True | Plain Binary | True | audio |
| ** Fingerprints | As above | 2.5.5.12 (Directory String) | No Limit / Undefined | True | JSON | True | accountNameHistory |
| ** Push Notification Tokens | Registered devices to receive PUSH Notifications | 2.5.5.10 (Octet) | 4096 (or higher) Required | True | Plain Binary | True | jpegPhoto |
| ** Push Notification Tokens | As above | 2.5.5.12 (Directory String) | 4096 (or higher) Required | True | JSON | True | altSecurityIdentities |
| ** Access Histories | IP Address, geo-location, and last access time of user for Adaptive Authentication comparison | 2.5.5.10 (Octet) | 1024 (or higher) per Access History Record Required; the number of records kept is configured in the web.config file: <add key="AccessHistoryMaxCount" value="5" /> | True | Plain Binary | True | photo |
| ** Access Histories | As above | 2.5.5.12 (Directory String) | 1024 (or higher) per Access History Record Required | True | JSON | True | otherMailbox |

** The Fingerprints, Push Notification Tokens, and Access Histories Properties have distinct LDAP attribute requirements based on the selected Format Support (Plain Binary vs. JSON); each is listed once per supported format.

DirectoryString List

These are Active Directory DirectoryString (2.5.5.12) options that can be used for the Profile Properties noted above, but any DirectoryString attribute that fulfills the other requirements can be utilized as well. Keep in mind that a repurposed attribute is still an ordinary user attribute: any principal granted Read on it (which, in a default Active Directory installation, includes Authenticated Users for many common user attributes) can read whatever SecureAuth IdP stores there. For properties that hold secrets (PIN, KB Answers, OATH Seed), select a hashed or encrypted Format Support rather than Plain Text or Base64 Encoding (Base64 is an encoding, not a protection), and review who can read the attributes chosen.

  • extensionName
  • facsimileTelephoneNumber
  • info
  • ipPhone
  • otherFacsimileTelephoneNumber
  • otherHomePhone
  • otherLoginWorkstations
  • otherMobile
  • otherPager
  • otherTelephone
  • pager
  • postOfficeBox
  • street
  • streetAddress
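
The following PowerShell is an added example, not part of the SecureAuth documentation, that checks candidate attributes in the AD schema against the LDAP Syntax, Size (RangeUpper) and Multi-valued columns of the tables above before a realm is pointed at them. The property-to-attribute mapping uses the AD-specific field examples and size figures from the 8.0.x table; treating 8 kB per Fingerprint record as 8192 bytes is an assumption. It requires the ActiveDirectory module (RSAT) and Read access to the schema partition, which any authenticated user has by default.

```powershell
# Added example, not part of the SecureAuth documentation: check that the AD attributes
# chosen for SecureAuth IdP Profile Properties satisfy the LDAP Syntax, Size (RangeUpper)
# and Multi-valued requirements listed in the tables above. Requires the ActiveDirectory
# module (RSAT) and Read access to the schema partition.
Import-Module ActiveDirectory

# Mapping uses the AD-specific field examples and size figures from the tables.
# MinRangeUpper = $null means the table lists N / A (no size requirement).
# 8 kB for a Fingerprint record is taken as 8192 bytes (an assumption).
$requirements = @(
    @{ Property = 'First Name';   Attribute = 'givenName';              Syntax = '2.5.5.12'; MinRangeUpper = $null;  MultiValued = $false }
    @{ Property = 'Email 1';      Attribute = 'mail';                   Syntax = '2.5.5.12'; MinRangeUpper = $null;  MultiValued = $false }
    @{ Property = 'PIN';          Attribute = 'otherLoginWorkstations'; Syntax = '2.5.5.12'; MinRangeUpper = 1024;   MultiValued = $false }
    @{ Property = 'KB Questions'; Attribute = 'houseIdentifier';        Syntax = '2.5.5.12'; MinRangeUpper = 32768;  MultiValued = $false }
    @{ Property = 'KB Answers';   Attribute = 'homePostalAddress';      Syntax = '2.5.5.12'; MinRangeUpper = 4096;   MultiValued = $false }
    @{ Property = 'OATH Seed';    Attribute = 'postalAddress';          Syntax = '2.5.5.12'; MinRangeUpper = 4096;   MultiValued = $false }
    @{ Property = 'Fingerprints (Plain Binary)';             Attribute = 'audio';     Syntax = '2.5.5.10'; MinRangeUpper = 8192; MultiValued = $true }
    @{ Property = 'Push Notification Tokens (Plain Binary)'; Attribute = 'jpegPhoto'; Syntax = '2.5.5.10'; MinRangeUpper = 4096; MultiValued = $true }
    @{ Property = 'Access Histories (Plain Binary)';         Attribute = 'photo';     Syntax = '2.5.5.10'; MinRangeUpper = 1024; MultiValued = $true }
)

$schemaNC = (Get-ADRootDSE).schemaNamingContext

foreach ($req in $requirements) {
    # attributeSchema objects live in the schema partition, keyed by lDAPDisplayName
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$($req.Attribute)))" `
        -Properties attributeSyntax, rangeUpper, isSingleValued

    if (-not $attr) {
        Write-Warning "$($req.Property): attribute $($req.Attribute) not found in the schema"
        continue
    }

    $problems = @()
    # attributeSyntax holds the OID string the tables quote (2.5.5.12 = Directory String, 2.5.5.10 = Octet)
    if ($attr.attributeSyntax -ne $req.Syntax) {
        $problems += "syntax is $($attr.attributeSyntax), table requires $($req.Syntax)"
    }
    # No rangeUpper in the schema means unlimited size, which satisfies any minimum
    # (and is what the Fingerprints row demands when Total FP Max Count is -1)
    if ($req.MinRangeUpper -and $attr.rangeUpper -and $attr.rangeUpper -lt $req.MinRangeUpper) {
        $problems += "rangeUpper is $($attr.rangeUpper), table requires $($req.MinRangeUpper) or higher"
    }
    # Multi-valued = True in the table means isSingleValued must be FALSE, and vice versa
    if ($attr.isSingleValued -eq $req.MultiValued) {
        $problems += "isSingleValued is $($attr.isSingleValued), table requires Multi-valued = $($req.MultiValued)"
    }

    if ($problems) {
        Write-Warning ("{0} -> {1}: {2}" -f $req.Property, $req.Attribute, ($problems -join '; '))
    } else {
        Write-Output ("{0} -> {1}: OK" -f $req.Property, $req.Attribute)
    }
}
```

Run it once against the forest before configuring realms; a warning means the attribute should be swapped for another from the DirectoryString List (or have its rangeUpper raised through a schema change) rather than discovered as truncated profile data later.
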
Example Service Account Permissions Configuration

The following are example Active Directory configurations of Service Account Permissions. SecureAuth is not responsible for Active Directory configurations and provides these for assistance, but cannot guarantee that they accurately reflect every customer's Active Directory environment. Refer to Microsoft's Documentation for more detailed information about AD Service Accounts.

SecureAuth provides two (2) methods for configuring Service Account Permissions:

  • Method 1: Configure permissions via the Delegation of Control Wizard
  • Method 2: Configure permissions manually on individual User Objects, the Organizational Unit, or Container

Configure Permissions via Delegation of Control Wizard

 

1. In the Active Directory Users and Computers console, right-click on the OU or Container that holds user accounts, and select Delegate Control

2. In the Delegation of Control Wizard window, click Next

3. Click Add

4. Enter the Service Account name, and click Check Names

5. Click OK if the Service Account is found (check spelling if account is not found)

6. Click Next

7. Select Create a custom task to delegate

8. Click Next

9. Select Only the following objects in the folder

10. Scroll down and select User objects

11. Click Next

12. Select Property-specific

13. Select the options associated with the attributes to use, paying close attention to Read vs. Write permissions (only the properties the tables mark Writable need Write)

14. Click Next, and then Finish to complete the process

 


View Attributes Defined under InetOrgPerson Objects

Some attributes may not be listed under User objects (e.g. Exchange Email Address / mail)

Follow steps 15 - 20 to view the attributes defined under the InetOrgPerson objects

In some cases, permissions set on the Exchange Email Address attribute may appear to have been applied; note, however, that mail is an AD attribute, not an Exchange attribute, and the Exchange Server populates its value automatically when Exchange is used in the domain

15. Repeat steps 1 - 8 and then continue with the following steps

16. Scroll down and select InetOrgPerson objects

17. Click Next

18. Select Property-specific

19. Select the options associated with the attributes to use, paying close attention to Read vs. Write permissions

20. Click Next, and then Finish to complete the process

To Change, Reset, and Unlock Accounts

The Delegation of Control Wizard's template (common task) options can be used to enable additional features, such as Change Password, Reset Password, Unlock Account, and others

To grant unlock-account rights, Allow Read and Write on lockoutTime (Lockout Time) and Read and Write on pwdLastSet (Password Last Set)

If Change / Reset Password rights are delegated to the SecureAuth Service Account, note the Network Communications required between SecureAuth IdP and the Domain Controllers, as documented for the Enterprise Site
 

Configure Permissions Manually

 

1. In the Active Directory Users and Computers console, right-click on the Individual User Object, Organizational Unit, or Container that holds the accounts to which permissions are being delegated

Set the permissions at the Container or Organizational Unit level so that they propagate to the user accounts it holds

2. Select Properties

3. In the Security tab, click Advanced

4. In the Permissions tab, click Add

 

5. Enter the Service Account name and click Check Names

The Permission Entry dialog for the selected object appears

 

6. In the Object tab, select Descendant User objects from the Apply onto dropdown

For Windows Server 2003, select User objects

7. In the Properties tab, select Descendant User objects from the Apply onto dropdown

For Windows Server 2003, select User objects

8. Click OK

9. Set the appropriate individual permissions

10. Click OK on the Advanced Security Settings window

11. Click OK on the Container Properties window
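
Both methods above end with the same set of access control entries on the OU. The PowerShell below is an added example, not part of the SecureAuth documentation, that produces that result in a reviewable, repeatable form: property-specific Read or Read+Write ACEs for the Service Account, inherited by descendant user objects only, plus the lockoutTime / pwdLastSet rights from the unlock-account note and, optionally, the Reset Password extended right. The OU distinguished name, the account name and the attribute lists are placeholders (the attributes are the AD-specific field examples from the tables); the user-class and Reset Password GUIDs are the fixed, well-known values, while attribute GUIDs are looked up in the schema. It requires the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.

```powershell
# Added example, not part of the SecureAuth documentation. Scripts the same outcome as the
# Delegation of Control Wizard / manual ACL steps above: property-specific ACEs for the
# service account on an OU, inherited by descendant user objects only, plus the
# lockoutTime / pwdLastSet rights for unlocking accounts and (optionally) the Reset
# Password extended right. The OU, account name and attribute lists are placeholders.
Import-Module ActiveDirectory

$ouDN           = 'OU=Users,OU=Corp,DC=example,DC=com'   # placeholder OU that holds the user accounts
$serviceAccount = 'EXAMPLE\svc-secureauth'               # placeholder SecureAuth IdP service account

# Read-only: attributes SecureAuth IdP only reads (Writable = False, or Help Desk / Self-service not enabled)
$readOnlyAttrs  = @('givenName', 'sn', 'mail', 'telephoneNumber', 'mobile', 'memberOf')
# Read+Write: attributes behind properties the tables mark Writable (AD-specific examples from the tables)
$readWriteAttrs = @('otherLoginWorkstations', 'houseIdentifier', 'homePostalAddress',
                    'postalAddress', 'audio', 'jpegPhoto', 'photo')
# Unlock-account rights: Read and Write on both lockoutTime and pwdLastSet
$unlockAttrs    = @('lockoutTime', 'pwdLastSet')
$grantResetPassword = $false   # set to $true only for realms that perform password reset

# Well-known, fixed GUIDs: the user object class and the "Reset Password" control access right.
# For inetOrgPerson objects (steps 15 - 20 above) repeat with [guid]'4828cc14-1437-45bc-9b07-ad6f015e5f28'.
$userClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve an attribute's schemaIDGUID from the schema instead of hard-coding it
function Get-SchemaIdGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$ldapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute '$ldapDisplayName' not found in the schema" }
    return [guid]$obj.schemaIDGUID
}

$sid = (New-Object System.Security.Principal.NTAccount($serviceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$acl = Get-Acl -Path "AD:\$ouDN"

function Add-PropertyAce([string]$attr, [System.DirectoryServices.ActiveDirectoryRights]$rights) {
    # objectType = the attribute, inheritedObjectType = user class, inheritance = descendants only:
    # the equivalent of "Descendant User objects" + "Property-specific" in the GUI
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaIdGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($ace)
}

foreach ($a in $readOnlyAttrs) {
    Add-PropertyAce $a ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
}
foreach ($a in ($readWriteAttrs + $unlockAttrs)) {
    Add-PropertyAce $a ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty')
}

if ($grantResetPassword) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow, $resetPasswordGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)))
}

# Review first; remove -WhatIf to write the ACL to the directory
Set-Acl -Path "AD:\$ouDN" -AclObject $acl -WhatIf

# Verification (after applying without -WhatIf): every ACE the OU carries for the service account
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

The verification output is the check to keep: each ACE should show ReadProperty or ReadProperty, WriteProperty with a specific ObjectType GUID and InheritedObjectType equal to the user class GUID. A GenericAll or an empty ObjectType on the Service Account means a broad grant crept in and the account holds far more than the minimum the Service Account Requirements call for.
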