Manage user attributes

In order for Enterprise Application Access (EAA) applications to allow authentication by EAA as the SAML identity provider, the applications need information about the user. This information is known as user attribute declarations. User attributes are name-value pairs that include a title for the attribute and the user attribute code. The user attribute code identifies information that is used by both the EAA application or service provider (SP), and the native application's code to authenticate a user. The required user attributes vary and depend on the native application's requirements for authentication. While the EAA identity provider (IdP) fills in common attributes by default, you can specify custom attribute declarations. For example, you may want an application to use and attribute such as Employee Type validate and authorize a user.

To create user attributes, in the Enterprise Center navigation menu, select Application Access > General Settings > Settings. Click User Attributes.

These user attributes appear in the Configure Directory menu of an EAA directory. User attributes are available for the Active Directory (AD) and Open LDAP directory type.

Map user attributes to Enterprise Application Access and your Active Directory (AD) or Open LDAP in Enterprise Center from Application Access > Identity & Users > Directories > Settings > User Attributes.

Next, Create user attributes in EAA, Map user attributes of the directory or Map custom LDAP user and group attributes to the EAA directory.

Create user attributes in EAA

Configure required user attribute declarations that will be passed as SAML attributes. User attribute declarations are needed if the application requires specific attributes in addition to the default Active Directory (AD) attributes. You need to declare the attributes first before mapping them to AD attributes.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > General Settings > Settings.

  3. Select User Attributes > Add Attribute.

  4. Type a user attribute name, type, and variable name.

  5. Click Save attribute changes.

  6. Click Save.
    User attributes appear as new fields in the User Attributes section of the Active Directory (AD).

Next, map the user attributes of the Active Directory (AD).

Map user attributes of the directory

Map the system level attributes to the EAA directory attributes. In your native directory, identify the custom groups and object classes, then configure them in Enterprise Center.

Attribute mapping is configured under Application Access > Identity & Users > Directories > Settings. Enterprise Application Access provides default values but you can configure custom mappings.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.

  3. Select the directory where you want to map user attributes to open it.

  4. In General > User Attributes enter the user attribute code / value corresponding to the select user attribute name. The fields contain some user attributes for selection. You can also enter custom attribute codes.

  5. Click Save.

  6. Click Sync Directory.
    This pushes your changes to production and may take up to five minutes.

πŸ‘

Enterprise Application Access attempts to sync with a specified LDAP server every six hours. That cannot be modified but you can still perform a manual sync of the directory in the interim.

Next, configure EAA as the SAML identity provider.

Perform a manual directory sync in EAA

Enterprise Application Access (EAA) has an automatic directory synchronization time of six hours. Currently, this sync time is not adjustable, but you can perform a manual sync if necessary.

  1. Log in to Enterprise Center.

  2. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.

  3. Select your directory to open it.

  4. Click Sync Directory.
    Directory sync initiated appears and manual synchronization starts. The time it takes to complete the sync process depends on the size and complexity of the directory.

Map custom LDAP user and group attributes to the EAA directory

In your native directory, identify the custom groups and object classes, then configure them in the Enterprise Center.

When you use the EAA IdP between your LDAP environment and service provider for SAML and SaaS applications, you can map both the Enterprise Application Access default and custom attributes to the LDAP directory for both groups and users. This is also known as OpenLDAP custom schema support.

  1. Identify the custom group and custom object class for the user and group in your native LDAP directory server.

  2. Log in to Enterprise Center.

  3. In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.

  4. Select your directory to open it.

  5. In Settings > Group attributes do the following:

    1. In Group object classes type the LDAP custom group name. For example, <YourCustomGroupName>.

    2. In Search filter enter the group object class as objectClass=<YourCustomGroupName>).

  6. In LDAP User attributes:

    1. In User object classes type the LDAP custom user name. For example, <YourCustomUserName>.

    2. In Search filter enter the group object class as (objectClass=<YourCustomUserName>).

  7. In the Enterprise Center navigation menu, select Application Access* > Identity & Users > Directories**.

  8. Select your directory to open it.

  9. Click Sync Directory.

  10. To verify if the custom user or group changes are applied click Users or Groups.
    The directory's Users or Groups page appears.


Did this page help you?