Identity Governance - CA Identity Governance AD Authentication


Article ID: 128478


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal


This document describe how to configure Identity Governance to authenticate with Active Directory


Identity Governance 12.x, 14.x


This document describes the steps to enable Active Directory Authentication

These steps are done using Client Tool and Identity Governance Portal


1)    We must import the Active Directory accounts to Eurekify.cfg file.

Currently we have only Default users 

2)    First, let’s connect and import Active Directory users

From Identity Governance Client Tool, menu > Import > Import from Active Directory 


1 – Type the Active Directory IP or hostname

2 – Type the DOMAIN\Account to connect t Active Directory

3 – Type the account’s password

4 – Click Set button

5 – Click Browse button and type the Configuration file name

6 – Click Browse button and type Users DB file name

7 – Click Browse button and type Resources DB file name

Click Next button


3)    In the next window, select the OUs where the accounts are located or the root to search in all containers 


Click Next


4)    In this window we will create a new Field which will be used to configure the DOMAIN\Account configuration in your Universe 

1 – Click + button to add a new field

2 – Select the new field

3 – Type LoginID in “Configuration’s Entity Field Name” field and click Set Field button

Click Next button


5)    In the next window, you can setup the Roles

Click Next


6)    In the next window setup the Resources

Click Next button


7)    In the new window you need to type the name of the XML file which has the configuration you just inform. Click Finish button.


8)    The next window will display the number of Users, Roles, and Resources imported 

9)    In the IG Client Tool, open the CFG file you saved at step #2

Check if all accounts were imported and make sure the column LoginID was created


10)    Let’s save the Master and Model to the Database for this configuration

1 – Menu > File > Save to Database

2 – Select New Configuration and type the Master name, click Next

3 – Repeat step #1 and #2 but now, type your configuration name _Model


11)    Now let’s create a new Universe using the Master / Model created above.

Home > Administration > Universes > Add New button


At this point make sure the Users Login Field was set to LoginID, the attribute created in the step #4

Click Save button


In the next window, click YES button

12)    Let’s run the Permissions and RACI

Home > Administration > Permissions and RACI

Select Update Permissions Configuration with Universe Users

In the list box, select your Universe, created in the step #11 and click Select button


13)    Now let’s configure your Domain, which will be added in front of all users, the Prefix

In the Users To Fix section, select PersonId and type your Domain + \ as displayed below


DO NOT FORGET to add the back slash

If you want you can view all user which will be fixed by click on View button.

After reviewing, click “Fix Selected Users” or “Fix All Users”

In the “New users” section, click View button and check all users in Person ID column has the Domain\UserName, after that, click “Add All Users” button


Run the Create RACI for your Universe


Run the Synchronize RACI

14)    Open Identity Governance Client Tool and open the Eurekify.cfg file, now all users were imported and the PersonID were updated with Prefix (Domain)


15)    With this configuration done we can enable AD Authentication, below the Properties you need to change to enable AD Authentication.


Set the following properties through the Identity Governance Portal under Administration=> Settings => Properties Settings:


• = false                                                                                                  

• = false

•    security.ldap.server = <domain name> (example: your_domain)

•    security.manager.dn = <AD bind account> (example: Administrator). DN is only needed if you have SSL enabled

•    security.manager.password = <AD bind account's password>

You MUST have a Login ID filed in the UDB with the domain name (example: domain\chrislee)

When logging in, the user MUST provide the Login ID (example: domain\chrislee)

• = rcm_domain

• = 60

• = (leave empty)

• = 360

• = false

• = sm_user

• = (leave blank)

• = 60

• = false

• = false

• = true


Note: For all properties above, change the Property Value and after that change the Type to Database Property as displayed below, and click Save button.


Now, Log out and Log in with your Active Directory user using Domain\User



1558689421831000128478_sktwi1f5rjvs16fxh.png get_app
1558689419857000128478_sktwi1f5rjvs16fxg.png get_app
1558689418039000128478_sktwi1f5rjvs16fxf.png get_app
1558689416287000128478_sktwi1f5rjvs16fxe.png get_app
1558689414443000128478_sktwi1f5rjvs16fxd.png get_app
1558689412378000128478_sktwi1f5rjvs16fxc.png get_app
1558689410588000128478_sktwi1f5rjvs16fxb.png get_app
1558689408718000128478_sktwi1f5rjvs16fxa.png get_app
1558689406978000128478_sktwi1f5rjvs16fx9.png get_app
1558689405240000128478_sktwi1f5rjvs16fx8.png get_app
1558689403456000128478_sktwi1f5rjvs16fx7.png get_app
1558689401506000128478_sktwi1f5rjvs16fx6.png get_app
1558689399626000128478_sktwi1f5rjvs16fx5.png get_app
1558689397977000128478_sktwi1f5rjvs16fx4.png get_app
1558689396223000128478_sktwi1f5rjvs16fx3.png get_app
1558689394397000128478_sktwi1f5rjvs16fx2.png get_app
1558689390437000128478_sktwi1f5rjvs16fx1.png get_app