8.4 KeyShield Attribute Alias Support

Filr lets administrators provision users from different LDAP sources, such as eDirectory and Active Directory. It also allows for flexibility in specifying which LDAP attribute will be imported as the Filr username.

In addition to Filr, organizations have email applications, RADIUS clients, and so on, that use different LDAP attributes for their usernames.

KeyShield 6 includes support for Attribute Aliases. These let KeyShield match username validation requests from each application with the LDAP attribute that the application uses for its usernames.

8.4.1 A Filr Example

  1. Jane Smith logs in through KeyShield’s SSO service using jsmith (her UID in LDAP) as her Username.

  2. Jane then launches Filr.

    Unfortunately, the Filr administrator who configured the LDAP import, specified CN as the LDAP username attribute and JaneSmith was impoted as Jane’s Filr username.

  3. When Filr tries to authenticate Jane Smith, KeyShield doesn’t find her as an authenticated user and the attempt fails.

    Jane is then prompted to log in to Filr.

  4. To fix the mismatch of LDAP attributes, Jane’s KeyShield administrator adds x-filr = cn as an Attribute Alias in Keyshield.

  5. Jane’s Filr administrator adds x-filr as the Username Attribute Alias in Filr.

  6. The next time Jane launches Filr after signing in through KeyShield’ SSO service, KeyShield verifies to Filr that JaneSmith is authenticated and no additional login is required.

8.4.2 Configuring Attribute Alias Support

  1. In Keyshield, specify the appropriate Attribute Alias for each Authentication Connector.

    For example, if your Filr deployment uses the CN attribute as the username for an eDirectory server that is defined as an Authentication Connector in KeyShield, then in the Attribute Alias field in the connector configuration, you would specify

    x-filr = cn

    This means that for this Authentication Connector, when authentication verification requests arrive with the Attribute Alias x-filr, KeyShield needs to request a match in the CN attributes in the targeted eDirectory Authentication Connector.

  2. By default, the Filr 2.0 KeyShield SSO Configuration dialog, the Username Attribute Alias is set to x-filr.

    We strongly recommend that you not change this value. However, if you do, be sure that the name is changed in each KeyShield Authentication Connector configuration as well.

  3. Continue with Configuring Two-Factor Authentication.