Unified Directory Identity Sources
RSA Unified Directory is a user identity store for the RSA Cloud Access Service (CAS) that enables full Cloud-only deployments. Users and their passwords can be created and stored as "Local" in the Cloud without an external identity source. Additionally, the open-standard System for Cross-Domain Identity Management (SCIM) API can be used to provision users into CAS without requiring an on-premise or Cloud-based installation of any RSA software.
It is designed to be highly flexible and extensible, supporting various customer personas and their specific data sets. To support group-based application access, Unified Directory users can also be associated with local groups. RSA Unified Directory also allows you to manage identities directly within the system, providing a streamlined approach to workforce identity management.
RSA Unified Directory includes the following types of identity sources:
Local: User data is stored within CAS and can be added through various methods, including the Cloud Administration Console, importing a CSV file, or a one-time per user SCIM push.
SCIM Managed: User data is stored within CAS, while user management is conducted via an external identity source. This type can connect to any identity source that supports SCIM.
Azure Active Directory (SCIM): A special case of the SCIM Managed type that can be used only with Azure Active Directory (AD).
RSA Authentication Manager (AM) Internal Database: Enables CAS to leverage one AM server's internal database of users as an identity source. When user synchronization is configured in the AM Security Console, an identity source is automatically created in CAS and appears in the Cloud Administration Console.
The following table summarizes the distinction between these types:
| Identity Source Type | Password Storage & Authentication | Password Change/Reset | User Management |
|---|---|---|---|
| Local | | | |
| SCIM Managed | | | |
| Azure Active Directory (SCIM) with a password in Azure | | | |
| Azure Active Directory (SCIM) with a password in RSA Directory | | | |
| RSA Authentication Manager (AM) Internal Database | | | RSA AM Security Console |
Add a Local Identity Source
This section explains how to add a Local identity source. You can create users locally by directly entering them via the Cloud Administration Console, importing CSV files, or provisioning them from an external source through the SCIM API, if available with your ID Plus License. For more information, see User Provisioning Using SCIM API.
Note: Local identity sources are available for all ID Plus subscriptions. Utilizing SCIM provisioning in Local identity sources and adding SCIM Managed identity sources are available only for ID Plus E2 and E3 subscriptions.
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
Click Add an Identity Source.
Click Select next to Local identity source type.
In the Identity Source Name field, enter a name for the identity source.
(Optional) In the Description field, enter a description for the identity source.
The Enable User Provisioning from a SCIM Identity Source field is set to Yes by default.
- (Optional) In the External SCIM ID Source Admin URL field, enter the URL from which the administrator can manage the SCIM identity source.
- In the SCIM Service Provider Base URI field, click Copy URI to copy the URI to which the SCIM API client sends details. Paste this URI into the configuration settings of the SCIM identity source to connect it to a specific CAS tenant.
- For the SCIM Service API key field, click Generate Key to generate the Service API key used for SCIM API authentication. Then, copy this key and paste it into the configuration settings of the SCIM identity source to connect to a specific CAS tenant.
In the Network Zone field, select a network zone from the drop-down menu to manage trusted or restricted IP addresses for the SCIM connection. Network zones enable you to allow or restrict specific IPs for SCIM connectivity with CAS. For more information, see Manage Networks.
In the Password Type section, select one of the following options:
RSA Unified Directory to store a password in CAS that enables users to authenticate with their password directly against CAS via an authentication interface (for example, RSA or third-party applications, RADIUS, or web authentication).
By default, this option is selected. In the RSA Password field, select one of the following:
Required if the password attribute is mandatory when provisioning a user. If the password is not provided in a user provisioning request, user provisioning will fail.
Allowed if the password attribute is not mandatory when provisioning a user.
Then, in the Initial Password Creation Options section, enable at least one of the following options for creating passwords:
Entered by Admin to enable administrators to manually set initial user passwords.
Generated by CAS if you want CAS to generate a random initial password for users. Then, in the Send Initial Password Options section, select how passwords will be provided to users:
Email to send an initial password to the user's email address. This option can be used for users added through the "Add a User" option (Users > Management), CSV import, or SCIM API.
Display on Screen to Admin if you want CAS to generate a random password and display it to the administrator. The administrator can then copy the automatically generated password and send it to the user. This option only applies to users added to "Local" identity sources via the "Add a User" option (Users > Management) in the Cloud Administration Console. For more information, see the "Add a User in the Unified Directory" section on the Manage Users for the Cloud Access Service page.
Note: The Initial Password Creation Options apply only to Local identity sources.
No Password Available to CAS for authentication: users will not be able to store passwords associated with their Cloud-based identity source account. In this case, CAS does not store or validate users' passwords. Select this option when authentication does not require a password, or when password validation will be performed by an external Identity Provider (IdP) rather than CAS. For information about configuring an identity provider, see Adding Identity Providers.
Click Save.
Click Publish Changes to activate the identity source.
Import Users to a Local Identity Source
The Cloud Administration Console allows you to import users in the form of a comma-separated values (CSV) file to a Local identity source. When importing users, you need to download and use the sample CSV file for the specific identity source as a template.
Procedure
In the Cloud Administration Console, navigate to Users > Identity Sources or Users > Management.
If accessing through Users > Identity Sources:
- On the Identity Sources page, locate the desired local identity source.
- Select Import Users from the drop-down menu.
If accessing through Users > Management:
On the User Management page, click the Import Users button.
Choose the identity source where the users should be imported.
Click the Download CSV template button.
Add the users into the downloaded template and save it with a unique name.
In the User CSV File field, click Choose File, navigate to the CSV file, and then click Open.
Click Import.
CAS validates that a CSV file is formatted correctly and that all the attribute requirements are met during the import. If there are errors with any row, those rows will be skipped and valid rows will be imported. CAS will generate an error file that can be downloaded immediately after the import attempt is complete. This file contains all rows with errors and a column listing the specific error(s) for each row for the administrator to fix them.
Note: The error file is available only immediately after the import attempt. If the administrator leaves the page or reloads it without downloading the error file, the file will not be available again.
After correcting any errors, the administrator should delete the error column and attempt to upload the corrected file. This process can be repeated multiple times until either all errors are corrected or all users are successfully imported.
Add a SCIM Managed Identity Source
This section explains how to add a SCIM Managed identity source. You can provision users from an external source using SCIM APIs, and users can only be managed from that external source and not via the Cloud Administration Console.
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
Click Add an Identity Source.
Click Select next to the SCIM Managed identity source type.
In the Identity Source Name field, enter a name for the identity source.
(Optional) In the Description field, enter a description for the identity source.
The Enable User Provisioning from a SCIM Identity Source field is set to Yes by default.
- (Optional) In the External SCIM ID Source Admin URL field, enter the URL from which the administrator can manage the SCIM identity source.
- In the SCIM Service Provider Base URI field, click Copy URI to copy the URI to which the SCIM API client sends details. Paste this URI into the configuration settings of the SCIM identity source to connect it to a specific CAS tenant.
- For the SCIM Service API key field, click Generate Key to generate the Service API key used for SCIM API authentication. Then, copy this key and paste it into the configuration settings of the SCIM identity source to connect to a specific CAS tenant.
In the Network Zone field, select a network zone from the drop-down menu to manage trusted or restricted IP addresses for the SCIM connection. Network zones enable you to allow or restrict specific IPs for SCIM connectivity with CAS. For more information, see Manage Networks.
In the Password Type section, select one of the following options:
RSA Unified Directory to store a password in CAS that enables users to authenticate with their password directly against CAS via an authentication interface (for example, RSA or third-party applications, RADIUS, or web authentication). Selecting this option means that users will have a separate password from the one in the external identity source. This option can be selected under the following conditions:
The SCIM identity source supports provisioning passwords, and one will be sent to CAS.
The SCIM identity source supports provisioning passwords, but will not send one to CAS, yet creating a password in CAS is desired.
The SCIM identity source does not support provisioning passwords, but creating a password in CAS is desired.
In the RSA Password field, select one of the following:
Required if the password attribute is mandatory when provisioning a user. If the password is not provided in a user provisioning request, user provisioning will fail.
Allowed if the password attribute is not mandatory when provisioning a user.
Note: The Initial Password Creation Options apply only to Local identity sources.
No Password Available to CAS for authentication: this option is selected by default. Users will not be able to store passwords associated with their Cloud-based identity source account. In this case, CAS does not store or validate users' passwords. Select this option when authentication does not require a password, or when password validation will be performed by an external Identity Provider (IdP) rather than CAS. For information about configuring an identity provider, see Adding Identity Providers.
Click Save.
Click Publish Changes to activate the identity source.
Add an Azure Active Directory (SCIM) Identity Source
This section explains how to add a new Azure Active Directory identity source. You can provision users in a Microsoft Azure Active Directory (now known as Microsoft Entra ID) through the SCIM APIs based on the created identity source type and your subscription. For more information, see User Provisioning Using SCIM API.
Note: The ability to add Azure Active Directory (SCIM) is available for all ID Plus subscriptions. If a password exists for the user in Azure Active Directory, CAS users cannot authenticate using that password. Optionally, you can configure a separate password specifically for CAS authentication. Refer to step 7 below for instructions.
In the Cloud Administration Console, click Users > Identity Sources.
Click Add an Identity Source.
Click Select next to the Azure Active Directory (SCIM) identity source type.
In the Identity Source Name field, enter a name for the identity source.
(Optional) In the Description field, enter a description for the identity source.
The Enable User Provisioning from a SCIM Identity Source field is set to Yes by default.
- (Optional) In the External SCIM ID Source Admin URL field, enter the URL from which the administrator can manage the SCIM identity source (Azure Active Directory).
- In the SCIM Service Provider Base URI field, click Copy URI to copy the URI to which the SCIM API client (Azure Active Directory SCIM) sends details.
- For the SCIM Service API key field, click Generate Key to generate the Service API key used for SCIM API authentication.
In the Network Zone field, select a network zone from the drop-down menu to manage trusted or restricted IP addresses for the SCIM connection. Network zones enable you to allow or restrict specific IPs for SCIM connectivity with CAS. For more information, see Manage Networks.
In the Password Type section, select one of the following options:
RSA Unified Directory to store a password in CAS that enables users to authenticate with their password directly against CAS via an authentication interface (for example, RSA or third-party applications, RADIUS, or web authentication). Selecting this option means that users will have a separate password from the one in Azure AD. This option is selected by default.
In the RSA Password field, select one of the following:
Required if the password attribute is mandatory when provisioning a user. If the password is not provided in a user provisioning request, user provisioning will fail.
Allowed if the password attribute is not mandatory when provisioning a user.
Then, in the Initial Password Creation Options section, enable one of the following options to create passwords:
Entered by Admin if you want to enter passwords for users.
Generated by CAS if you want CAS to generate a random initial password for users. Then, in the Send Initial Password Options section, select how passwords will be provided to users:
Email if you want to send an initial password to the user's email address. This option can be used for users added through the "Add a User" option (Users > Management), CSV import, or SCIM API.
Display on Screen to Admin if you want the CAS to generate a random password. Then, you can copy the automatically generated password and send it to users. This option only applies to users added to local identity sources via the "Add a User" option (Users > Management) in the Cloud Administration Console. For more information, see the "Add a User in the Unified Directory" section on the Manage Users for the Cloud Access Service page.
Note: The initial password creation options apply only to local type identity sources.
No Password Available to CAS for authentication: if you select this option, users will not be able to store passwords associated with their Cloud-based identity source account. In this case, CAS does not store or validate users' passwords. For information about configuring an identity provider, see Adding Identity Providers.
Click Save.
Click Publish Changes to activate the identity source.
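The three SCIM-backed procedures above (Local with SCIM provisioning, SCIM Managed, and Azure Active Directory (SCIM)) all hand the external client the same two values: the SCIM Service Provider Base URI and the generated Service API key. The following added example, which is not RSA code and does not use any RSA-specific endpoint, shows what a standards-conformant SCIM 2.0 client does with them (RFC 7644 `POST /Users` with a bearer token) and emulates the RSA Password setting: with Required, a request that omits the password attribute is rejected before it is sent; with Allowed, it is accepted either way. The base URI, key and user details are placeholders constructed for the example.

```python
"""Build a SCIM 2.0 create-user request and apply the Required/Allowed password rule (added example)."""
import json
import urllib.request
from dataclasses import dataclass

SCIM_USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"


@dataclass
class ScimTarget:
    base_uri: str  # value copied with "Copy URI" in the console (placeholder here)
    api_key: str   # value produced by "Generate Key" in the console (placeholder here)


def build_create_user_request(target, user_name, given_name, family_name, email, password=None):
    """Return (method, url, headers, body) for a SCIM 2.0 'create user' call."""
    body = {
        "schemas": [SCIM_USER_SCHEMA],
        "userName": user_name,
        "name": {"givenName": given_name, "familyName": family_name},
        "emails": [{"value": email, "primary": True}],
        "active": True,
    }
    if password is not None:
        body["password"] = password  # only present if the client provisions passwords
    headers = {
        "Authorization": f"Bearer {target.api_key}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }
    return "POST", target.base_uri.rstrip("/") + "/Users", headers, body


def check_password_policy(body, rsa_password_setting):
    """Emulate the 'RSA Password' option: Required rejects a missing password, Allowed accepts either."""
    if rsa_password_setting not in ("Required", "Allowed"):
        raise ValueError(f"unknown RSA Password setting: {rsa_password_setting!r}")
    if rsa_password_setting == "Required" and not body.get("password"):
        return False, "password attribute missing but RSA Password is set to Required"
    return True, "ok"


def redact_for_log(headers):
    """Never write the Service API key to logs; keep only the scheme of the Authorization header."""
    safe = dict(headers)
    if "Authorization" in safe:
        safe["Authorization"] = safe["Authorization"].split(" ", 1)[0] + " [redacted]"
    return safe


def send_request(method, url, headers, body, timeout=10):
    """Send the request (not invoked in the offline demo). Returns (status, parsed JSON body)."""
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, json.loads(resp.read().decode("utf-8") or "null")


# Constructed placeholder target; the real values come from the console.
SAMPLE_TARGET = ScimTarget("https://TENANT-PLACEHOLDER.example/scim/v2/", "KEY-PLACEHOLDER")

if __name__ == "__main__":
    method, url, headers, body = build_create_user_request(
        SAMPLE_TARGET, "jdoe", "Jane", "Doe", "jdoe@example.com")
    print(method, url, redact_for_log(headers))
    print(json.dumps(body, indent=2))
    print("Required:", check_password_policy(body, "Required"))
    print("Allowed:", check_password_policy(body, "Allowed"))
```

The offline demo prints the request with the key redacted and shows the same user body failing under Required and passing under Allowed; `send_request` is what a real client would call once the Network Zone permits its source address.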
Edit an "RSA Authentication Manager Internal Database" Identity Source
CAS can use the users stored in a single AM server's internal database as an identity source. While users can only be managed within the AM database, passwords can be synchronized in both directions and managed either in AM or in CAS.
In the AM Security Console, when users are fully synchronized from the internal database to CAS, a new "RSA Authentication Manager Internal Database" identity source is created automatically in CAS. For more information, see the "User Synchronization" section in "Chapter 6: Deploying Cloud Authentication" of the Authentication Manager 8.7 SP2 Administrator's Guide. Only one identity source of this type can be configured per CAS tenant.
CAS allows users to change or reset their passwords, and their passwords are synchronized back to AM.
Before you begin
This feature requires a configured connection from AM to the RSA CAS and is not available if there is only a connection from the RSA CAS to AM or a legacy connection from AM to the identity routers. For more information, see the following:
Connect Authentication Manager to Cloud Access Service
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
Click Edit next to the "RSA Authentication Manager Internal Database" identity source.
The Identity Source Name is set by AM during the initial configuration to CAS for user synchronization. Once set, it cannot be changed from either location without deleting all users and their credentials from CAS.
(Optional) In the Description field, enter a description for the identity source.
In the Password Type section, select one of the following options:
RSA Authentication Manager Server (synced to CAS) to store a password in CAS that enables users to authenticate with their password directly against CAS via an authentication interface (for example, RSA or third-party applications, RADIUS, or web authentication). By default, this option is selected. In the RSA Password field, select one of the following:
Required if the password attribute is mandatory when provisioning a user. Users without a password in the AM Database will not be synced to CAS.
Allowed if the password attribute is not mandatory when provisioning a user. Users will be synced regardless of whether they have a password.
No Password if you want an identity provider to authenticate users. In this case, CAS does not validate users' passwords. For information about configuring an identity provider, see Adding Identity Providers.
Password Management Policy for Unified Directory Users
RSA Unified Directory complies with the latest NIST 800-63B guidelines, which recommend not rotating passwords unless a breach is suspected. Password rotation reduces security as users engage in poor security behaviors when passwords must be changed periodically.
A user's password is stored in the Unified Directory using a salted one-way hash.
Password length must be between 10 and 64 characters.
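The two technical statements in this section, salted one-way hashing and the 10 to 64 character length rule, are easy to get subtly wrong. The following added example, which is an illustration and not the Unified Directory's own implementation, enforces the length rule (counted in characters, so multi-byte passwords are not penalized), derives a per-user random salt, and verifies with a constant-time comparison using only the Python standard library. The iteration count and the encoded record format are this example's own choices.

```python
"""Length policy plus salted, iterated one-way password hashing (added example, not CAS code)."""
import hashlib
import hmac
import os

MIN_LENGTH, MAX_LENGTH = 10, 64          # the 10-64 character rule from the policy text
ALGORITHM = "pbkdf2_sha256"              # example choice; any salted slow hash would do
DEFAULT_ITERATIONS = 600_000             # example work factor, tune to the deployment


def check_password_length(password):
    """Return (ok, reason). Length is measured in characters, not UTF-8 bytes."""
    n = len(password)
    if n < MIN_LENGTH:
        return False, f"password must be at least {MIN_LENGTH} characters"
    if n > MAX_LENGTH:
        return False, f"password must be at most {MAX_LENGTH} characters"
    return True, "ok"


def hash_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Produce a self-describing record: alg$iterations$salt_hex$digest_hex."""
    ok, reason = check_password_length(password)
    if not ok:
        raise ValueError(reason)
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    alg, iterations, salt_hex, digest_hex = stored.split("$")
    if alg != ALGORITHM:
        raise ValueError(f"unsupported record type: {alg}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery")   # constructed sample password
    print(record)
    print(verify_password("correct horse battery", record))   # True
    print(verify_password("wrong horse battery", record))     # False
    print(check_password_length("short"))
```

Because the salt is part of the stored record, two users with the same password get different digests, and a leaked record cannot be cracked with a precomputed table; the verification path never decodes a password, which is what "one-way" means in practice.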
User Attributes
User Attributes within the identity source can be reviewed and applied in policies and application configurations based on the following criteria.
The attributes selected in the Policies column will be available for the following purposes:
Access Policy Rules: User Attributes
IDR SSO Agent Trusted Headers and HTTP Federation: Custom Headers
My Page > My Applications (SAML): User Identity and Statement Attributes
Relying Party (SAML): User Identity and Statement Attributes
RADIUS > RADIUS Profile: Return List Attributes
My Page > Enrollment and Recovery Validation Code Settings: Source for Email Address
The attributes selected in the Apps column will be available for the following purposes:
IDR SSO Agent (SAML): User Identity and Statement Attributes
Disable a Unified Directory Identity Source
When you disable a Unified Directory identity source, you cannot edit its existing users or add new ones, and existing users will not be able to authenticate or access My Page.
Procedure
In the Cloud Administration Console, click Users > Identity Sources.
Find the name of the Unified Directory identity source you want to disable and select Disable from the drop-down menu.
Click Disable in the dialog box that appears.
Click Publish Changes to activate the settings immediately.
To enable a Unified Directory identity source, find the name of the required identity source with status Disabled, and select Enable from the drop-down menu.
To delete an identity source, see the "Delete an Identity Source" section on the Add, Delete, and Test the Connection for an Identity Source in Cloud Access Service page.