TrainingSupportCommunity

Manage user attributes

In order for Enterprise Application Access (EAA) applications to allow authentication by EAA as the SAML identity provider, the applications need information about the user. This information is known as user attribute declarations. User attributes are name-value pairs that include a title for the attribute and the user attribute code. The user attribute code identifies information that is used by both the EAA application or service provider (SP), and the native application's code to authenticate a user. The required user attributes vary and depend on the native application's requirements for authentication. While the EAA identity provider (IdP) fills in common attributes by default, you can specify custom attribute declarations. For example, you may want an application to use and attribute such as Employee Type validate and authorize a user.

To create user attributes, in the EAA Management Portal navigation menu, select System > Settings > User Attributes.

These user attributes appear in the Configure Directory menu of an EAA directory. User attributes are available for the Active Directory (AD) and Open LDAP directory type.

Map user attributes to Enterprise Application Access and your Active Directory (AD) or Open LDAP in EAA Management Portal from Identity > Directories. Click Configure Directory, and select Show additional Attributes > User attributes.

Next, Create user attributes in EAA, Map user attributes of the directory or Map custom LDAP user and group attributes to the EAA directory.

Create user attributes in EAA

Configure required user attribute declarations that will be passed as SAML attributes. User attribute declarations are needed if the application requires specific attributes in addition to the default Active Directory (AD) attributes. You need to declare the attributes first before mapping them to AD attributes.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select System > Settings.

  3. Select User Attributes > Add.

  4. Type a user attribute trait and code.

  5. Click Save & exit.
    User attributes appear as new fields in the User Attributes section of the Active Directory (AD).

Next, map the user attributes of the Active Directory (AD).

Map user attributes of the directory

Map the system level attributes to the EAA directory attributes. In your native directory, identify the custom groups and object classes, then configure them in EAA Management Portal.

Attribute mapping is configured under Identity > Directories > Settings. Enterprise Application Access provides default values but you can configure custom mappings.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Identity > Directories.

  3. On the directory card where you want to map user attributes click *Configure Directory, and select Show additional Attributes > User Attributes**.

  4. Enter user attributes code / value corresponding to the selected user attribute name. The fields contain some user attributes for selection. You can also enter custom attribute codes.

  5. Click Save Directory.

  6. Go back to the Directory card you just modified, and click Sync Directory.
    This pushes your changes to production and may take up to five minutes.

👍

Enterprise Application Access attempts to sync with a specified LDAP server every six hours. That cannot be modified but you can still perform a manual sync of the directory in the interim.

Next, configure EAA as the SAML identity provider.

Perform a manual directory sync in EAA

Enterprise Application Access (EAA) has an automatic directory synchronization time of six hours. Currently, this sync time is not adjustable, but you can perform a manual sync if necessary.

  1. Log in to EAA Management Portal.

  2. In the EAA Management Portal navigation menu, select Identity > Directories.

  3. On the directory card you want to modify, click Sync Directory.
    Directory sync initiated appears and manual synchronization starts. The time it takes to complete the sync process depends on the size and complexity of the directory.

Map custom LDAP user and group attributes to the EAA directory

In your native directory, identify the custom groups and object classes, then configure them in the EAA Management Portal.

When you use the EAA IdP between your LDAP environment and service provider for SAML and SaaS applications, you can map both the Enterprise Application Access default and custom attributes to the LDAP directory for both groups and users. This is also known as OpenLDAP custom schema support.

  1. Identify the custom group and custom object class for the user and group in your native LDAP directory server.

  2. Log in to EAA Management Portal.

  3. In the EAA Management Portal navigation menu, select Identity > Directories.

  4. On the directory card click Configure Directory, and select Show additional attributes > User attributes or Group attributes.

  5. For Group attributes do the following:

    1. In Group object classes, type the LDAP custom group name. For example, <YourCustomGroupName>.

    2. In Search filter, enter the group object class as objectClass=<YourCustomGroupName>).

  6. For User attributes do the following:

    1. In User object classes type the LDAP custom user name. For example, <YourCustomUserName>.

    2. In Search filter enter the group object class as (objectClass=<YourCustomUserName>).

  7. Go back to the Directory card you just modified, and click Sync Directory.

  8. To verify if the custom user or group changes are applied click Users or Groups.
    The directory's Users or Groups page appears.

Updated over 1 year ago