IBM Security Verify


IBM Security Verify Bridge for Directory Sync not working as expected

  • 1.  IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Thu August 11, 2022 02:32 PM
    I am finding the IBM Security Verify Bridge for Directory Sync is not working as expected. I am trying to use it to sync users from AD into Verify SaaS so that we can keep them, their groups, and account status in sync with changes made in AD.

    Based on my experience, users created by Bridge for Directory Sync are essentially useless. They exist in Verify, but there appears to be no way to associate them with an identity provider. And because of that, there is no way for an end-user to sign in as one of those synced users.

    As part of my troubleshooting, I tried purging all users and using Bridge for Directory Sync to re-sync those users this time under a realm linked to an identity provider. When I do that, the newly-created users are still unusable and don't appear to be linked to the identity provider, despite being uploaded to the same realm.

    Overall the Bridge for Directory Sync is not working as expected. I am able to get Bridge for Directory Sync to sync the users to Verify. But once that's done there doesn't appear to be a way to *use* those users. We can't authenticate. We can't associate them with an identity provider.

    Has anyone else experienced the same issue? Am I missing what Bridge for Directory Sync is meant to do?

    ------------------------------
    Timothy
    ------------------------------


  • 2.  RE: IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Fri August 12, 2022 09:09 AM

    Hi Timothy, the Bridge for Directory Sync for Active Directory does NOT sync passwords. The best method of implementation for the bridge would be to also deploy the Active Directory Identity Agent. This will enable learning of the AD password upon authentication if you enable this feature. If you do not enable password learning then using the agent for authentication will continue to rely on AD for the password, which is also fine, and it's one less place to audit for passwords.

    I did a presentation on this during the Virtual Master Skills University this year. Link is here: https://www.securitylearningacademy.com/course/view.php?id=6789  (just need IBMid to view)

    This might help clear up why and when to use this bridge. To quickly answer your question, it's really meant to sync the users/groups/attributes from AD to ISV SaaS and keep these in sync for many scenarios, like using the Windows Login Agent for MFA into Windows and the Linux agent for Linux servers (I cover this also).

    If you would like to discuss this in person, we will be in Hollywood Florida at the Master Skills University. More info here: https://www.ibm.com/training/events/msu2022

    Hopefully this helps



    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IAM Modernization
    IBM Expert Labs
    US
    ------------------------------



  • 3.  RE: IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Mon August 15, 2022 11:34 AM
    Hi @Robert Graham,

    I think I could have done a better job of describing my problem... I am not trying to sync passwords, just identities.

    To explain what I am trying to set up, I am using Bridge for Directory Sync to copy identities into Verify SaaS. Authentication is being handled by Bridge [for Authentication].

    My problem was that the identities synced to Verify SaaS by the Bridge for Directory Sync were useless because the default configuration puts them in a realm not linked to any identity providers. I then tried purging the users from Verify SaaS and edited the default sync configuration, setting Bridge for Directory Sync to instead provision users into the realm associated with Bridge for Authentication identity source. But even then I was still having problems: a) If JITP was disabled, users were still not able to authenticate because Verify SaaS acted as though the users did not exist in Verify SaaS. Or, b) if JITP was enabled, users could authenticate, but a duplicate user was being created in Verify SaaS.

    The problem turned out to be Identity Linking. What was happening is the Cloud Directory was my default identity provider, and the other identity providers had Identity Linking enabled. If I disable Identity Linking and JITP on the Bridge for Authentication identity provider, users are able to authenticate, and no duplicate users are being created. As far as the users (and their properties) are concerned, those were correctly being kept in sync by Bridge for Directory Sync.

    Problem solved! Well, almost...

    I am now running into a different problem - I have two identity providers. They are i) Bridge for Authentication and ii) ADFS. If users are working on-premise they are likely authenticating with ADFS. If they're working remotely, they are likely authenticating with Bridge for Authentication. As such, the same users exist in both identity providers. I am trying to figure out a way to utilise Identity Linking so that each synced user is represented once in Verify SaaS. That user's group membership and identity should be managed/synced by Bridge for Directory Sync.

    Any advice would be greatly appreciated.

    ------------------------------
    Timothy
    ------------------------------



  • 4.  RE: IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Mon August 15, 2022 12:51 PM

    Hi Timothy, thanks for the clarity. So this is completely possible, the key to the Identity linking, is the identity attribute that is set for the linking to occur.

    I have this very similar setup working in my own ISV tenant currently. For the AD agent I have set "userPrincipalName" for the "Username attribute" setting in the ISV agent.

    For my Azure AD Federation (where I enabled federation services just like on-prem) I am also using UPN.

    For the account linking to work on the ISV AD Identity source, I am using "userID".

    For the ISV Azure Federation Identity source I am using "preferred_username".

    This did take a bit of trial and error to make sure in my scenario I have matched what is needed for the account linking to occur. A big help is to take a test user in each directory and login to ISV using both directories, in private browsers and use this url to view the credentials. https://yourtenant/ivcreds. Compare what attribute you want to use for the linking.

    Below you can see the linked identities. For validation of the linking, my "external ID" is the same as my on-prem immutable id which is shown in the Azure AD screenshot above. (I have AD sync to Azure and AD sync to ISV)


    So in my scenario I have provided a single username login method for both AD and Azure ADFS (rgraham@fqdn). Since you are not using Azure AD Federation, you will most likely not use UPN but rather userID or whatever you have mapped to sAMAccountName.


    Hopefully this helps!



    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IAM Modernization
    IBM Expert Labs
    US
    ------------------------------



  • 5.  RE: IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Mon August 15, 2022 01:03 PM
    Thanks, Robert. What do you have set as your Primary Identity provider?

    ------------------------------
    Timothy
    ------------------------------



  • 6.  RE: IBM Security Verify Bridge for Directory Sync not working as expected

    Posted Mon August 15, 2022 01:37 PM

    Cloud Directory is my primary identity provider and my login page with provider options looks like this..



    ------------------------------
    Robert Graham
    Cloud Security Consultant
    IAM Modernization
    IBM Expert Labs
    US
    ------------------------------



  • 7.  RE: IBM Security Verify Bridge for Directory Sync not working as expected
    Best Answer

    Posted Tue August 16, 2022 12:04 PM
    So I ended up doing something slightly different. I am making preparations to come to the IBM Security Master Class in September. Hopefully, you and I will have a chance to talk if you want further details.

    In summary, when I tried to make the Bridge for Directory Sync create/manage users in the Cloud Directory realm, I got the following message:

    CSIAI0252E The user name john.doe@mydomain.local@cloudIdentityRealm is invalid. The realm portion of a federated user name (userName@realm) cannot be "cloudIdentityRealm".

    So I ended up changing the Primary Identity provider to ADFS. Then I configured Identity Linking on the Bridge [for Authentication] identity source, disabling JITP on both ADFS and the Bridge [for Authentication] identity source.

    The net effect is that via the Bridge for Directory Sync users were being configured/managed in the ADFS realm, and if the same user attempted to sign in using the Bridge [for Authentication] identity source, their identity within that realm was automatically provisioned as well and at the same time linked to the ADFS realm (which meant they inherited the privileges associated with the ADFS-related identity).

    The setup is only a few hours old, but so far, it seems to be working as needed for my use case.

    ------------------------------
    Timothy
    ------------------------------
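The following is an added example, not code from the thread or from IBM Security Verify, and it makes no calls to the Verify SaaS API. It is a small constructed model of the behaviour the posts above describe: Bridge for Directory Sync provisioning users into one realm, the "userName@realm" rule behind the CSIAI0252E message in the best answer, and what a sign-in through a second identity source (Bridge for Authentication) does depending on whether Identity Linking and JITP are enabled. The realm names, the source names and the `userID` linking attribute are assumptions chosen to mirror the thread; the outcomes replay the three configurations Timothy reported: linking enabled and JITP off (linked identity that inherits the primary identity's groups), JITP on without linking (a second, unlinked account), and both off (sign-in rejected as if the user did not exist).

```python
"""Constructed model of the identity-linking behaviour discussed in this thread.

This is NOT IBM Security Verify code and makes no API calls; the realm and
identity-source names are assumptions. It models users provisioned into a
realm by directory sync, the "userName@realm" rule quoted in the thread's
CSIAI0252E message, and a sign-in through a second identity source under
different Identity Linking / JITP settings.
"""
from dataclasses import dataclass, field
from typing import Optional

CLOUD_REALM = "cloudIdentityRealm"  # realm name quoted in the thread's error message


@dataclass
class User:
    user_name: str                   # federated name, "userID@realm"
    realm: str
    attributes: dict
    groups: list = field(default_factory=list)
    linked_to: Optional[str] = None  # federated name of the primary-realm identity, if linked


@dataclass
class IdentitySource:
    name: str
    realm: str
    linking_attribute: str  # claim compared against the primary identity ("userID" in the thread)
    identity_linking: bool
    jitp: bool


class RealmError(ValueError):
    pass


def federated_user_name(user_id: str, realm: str) -> str:
    """Build 'userName@realm'; the realm portion may not be the cloud directory realm."""
    if realm == CLOUD_REALM:
        raise RealmError(f'realm portion of "{user_id}@{realm}" cannot be "{CLOUD_REALM}"')
    return f"{user_id}@{realm}"


class Tenant:
    def __init__(self, primary_realm: str, primary_linking_attribute: str = "userID"):
        self.primary_realm = primary_realm
        self.primary_linking_attribute = primary_linking_attribute
        self.users: dict[str, User] = {}

    def directory_sync(self, realm: str, records: list[dict]) -> int:
        """Create or refresh one user per directory record in `realm` (the Directory Sync role)."""
        for rec in records:
            fname = federated_user_name(rec["userID"], realm)
            user = self.users.setdefault(fname, User(fname, realm, {}))
            user.attributes.update({k: v for k, v in rec.items() if k != "groups"})
            user.groups = list(rec.get("groups", []))
        return len(records)

    def _find_primary_match(self, value) -> Optional[User]:
        if value is None:
            return None
        for u in self.users.values():
            if u.realm == self.primary_realm and u.attributes.get(self.primary_linking_attribute) == value:
                return u
        return None

    def authenticate(self, source: IdentitySource, claims: dict) -> tuple[str, Optional[User]]:
        """Sign in via `source`. Outcomes: 'existing', 'linked', 'jitp_created', 'rejected'."""
        fname = federated_user_name(claims["userID"], source.realm)
        if fname in self.users:
            return "existing", self.users[fname]
        if source.identity_linking:
            primary = self._find_primary_match(claims.get(source.linking_attribute))
            if primary is not None:
                # Provision the identity in the source's realm and link it to the
                # primary-realm identity, inheriting that identity's group privileges.
                user = User(fname, source.realm, dict(claims), list(primary.groups), primary.user_name)
                self.users[fname] = user
                return "linked", user
        if source.jitp:
            # No link possible: JITP creates a second, unlinked account (the duplicate in post 3).
            user = User(fname, source.realm, dict(claims))
            self.users[fname] = user
            return "jitp_created", user
        # Neither linked nor provisioned: the tenant behaves as if the user does not exist.
        return "rejected", None


def demo() -> dict:
    """Replay the thread's three configurations against one synced AD user (constructed data)."""
    ad_records = [{"userID": "jdoe", "mail": "john.doe@mydomain.local", "groups": ["vpn-users"]}]
    results = {}
    for label, linking, jitp in (("linking", True, False), ("jitp_only", False, True), ("neither", False, False)):
        tenant = Tenant(primary_realm="adfsRealm")
        tenant.directory_sync("adfsRealm", ad_records)
        source = IdentitySource("Bridge for Authentication", "bridgeRealm", "userID", linking, jitp)
        outcome, user = tenant.authenticate(source, {"userID": "jdoe", "mail": "john.doe@mydomain.local"})
        results[label] = (outcome, len(tenant.users), user.groups if user else None)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running `demo()` shows why the attribute chosen for linking matters: the `linked` outcome only occurs when the claim named by the source's linking attribute equals the value stored on the primary-realm identity, which is the comparison Robert suggests checking against `/ivcreds` for a test user signed in through each provider.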