IBM Security Verify


IBM Security Verify Bridge for Directory Sync not working as expected

  • 1.  IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Thu August 11, 2022 02:32 PM
    I am finding the IBM Security Verify Bridge for Directory Sync is not working as expected. I am trying to use it to sync users from AD into Verify SaaS so that we can keep them, their groups, and account status in sync with changes made in AD.

    Based on my experience, users created by Bridge for Directory Sync are essentially useless. They exist in Verify, but there appears to be no way to associate them with an identity provider. And because of that, there is no way for an end-user to sign in as one of those synced users.

    As part of my troubleshooting, I tried purging all users and using Bridge for Directory Sync to re-sync those users this time under a realm linked to an identity provider. When I do that, the newly-created users are still unusable and don't appear to be linked to the identity provider, despite being uploaded to the same realm.

    Overall the Bridge for Directory Sync is not working as expected. I am able to get Bridge for Directory Sync to sync the users to Verify. But once that's done there doesn't appear to be a way to *use* those users. We can't authenticate. We can't associate them with an identity provider.

    Has anyone else experienced the same issue? Am I missing what Bridge for Directory Sync is meant to do?

    ------------------------------
    Timothy
    ------------------------------


  • 2.  RE: IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Fri August 12, 2022 09:09 AM

    Hi Timothy, the Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning, then using the agent for authentication will continue to rely on AD for the password. This is also fine, and it's one less place to audit for passwords.

    I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789 (you just need an IBMid to view)

    This might help clear up why and when to use this bridge. To quickly answer your question, it's really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using the Windows Login Agent for MFA into Windows and the Linux agent for Linux servers (I cover this also).

    If you would like to discuss this in person, we will be in Hollywood, Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

    Hopefully this helps.



    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IAM Modernization
    IBM Expert Labs
    US
    ------------------------------



  • 3.  RE: IBM Security Verify Bridge for Directory Sync not working as expected