Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Cloud Directory is my primary identity provider and my login page with provider options looks like this..

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Cloud Directory is my primary identity provider and my login page with provider options looks like this..

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Cloud Directory is my primary identity provider and my login page with provider options looks like this..

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Cloud Directory is my primary identity provider and my login page with provider options looks like this..

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Thank you for your feedback! I am in direct contact with ISVA/ISV SaaS product management. I will provide the feedback.

Also if you want to submit feedback directly....you can get to the link directly from the ISV tenant. For anyone else that reads this, you can submit as a private idea..just need an IBMid. What does this mean? Private idea, no one can see the idea except IBM, so you can add specific customer info. Public everyone can see and vote. Which is also good..more voting, more demand, higher chances your idea will be accepted and implemented.

Cloud Directory is my primary identity provider and my login page with provider options looks like this..

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps

Thank you for your feedback! I am in direct contact with ISVA/ISV SaaS product management. I will provide the feedback.

Also if you want to submit feedback directly....you can get to the link directly from the ISV tenant. For anyone else that reads this, you can submit as a private idea..just need an IBMid. What does this mean? Private idea, no one can see the idea except IBM, so you can add specific customer info. Public everyone can see and vote. Which is also good..more voting, more demand, higher chances your idea will be accepted and implemented.

Cloud Directory is my primary identity provider and my login page with provider options looks like this..

Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set the "userPrincipalName" for the "Username attribute" setting in the ISV agent

For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

For the account linking to work on the ISV AD Identity source,  I am using "userID"

The ISV Azure Federation Identity source I am using "preferred_username"

This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)

So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation You will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName

Hopefully this helps!

Hi Timothy, The Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password. Which is also fine and its one less place to audit for passwords.

I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

This might help clear up why and when to use this bridge. To quickly answer your question, its really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using Windows Login Agent for MFA into Windows and linux agent for linux servers (I cover this also).

If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

Hopefully this helps