Symantec VIP MFA with Azure condition access creates duplicate users in VIP Manager

Article ID: 272480

Products

VIP Service

Issue/Introduction

A new user is created in VIP Manager using the userPrincipalName attribute from Azure during an MFA login using the Azure conditional access flow.

Cause

(Source: VIP Azure integration guide)

The Azure UserPrincipalName (UPN) attribute value is the Azure AD username for the user accounts and is used by Azure AD to allow users to sign in.

When Symantec VIP MFA is integrated:

  • A user accesses Microsoft Office 365, or any other Microsoft Azure AD client application.
  • Azure validates the first factor (user name and password) and, if successful, passes control to VIP through Conditional Access.
  • The VIP Conditional Access policy sends the MFA request to the VIP Cloud using the Azure UPN as the VIP User ID.
  • If no VIP User ID matching that UPN exists, one is created (dynamic provisioning), and the user is then redirected to VIP to add a VIP credential ID for MFA login use.
  • If VIP successfully authenticates the user, VIP relays the successful authentication to Microsoft Azure AD.
  • Microsoft Azure AD grants the user access to the application, based on your access control policies.
  • The user successfully logs on.

If a user already exists in VIP Manager with a User ID that is (for example) their samAccountName, a single person now holds multiple usernames/credentials in VIP Manager.


Resolution

Adjust the VIP settings so that the same VIP User ID is sent for every VIP-protected application a user logs into.

For example, if the VIP Enterprise Gateway sends the AD LDAP attribute samAccountName as the VIP User Name Attribute, adjust the VIP Azure settings to send the matching Azure AD attribute as the VIP User ID. In many cases, this is either mailNickName or onPremiseSamAccountName.

Alternatively, change the VIP User Name Attribute on your VIP Enterprise Gateway(s) to send the UserPrincipalName.

Important: This change won't affect the end-user login experience or their login ID. Only the VIP User ID mapping between your VIP EG↔VIP tenant or the VIP Conditional Access for Azure↔VIP tenant is changing to ensure that each user has a single VIP User ID regardless of the application they are logging into.
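Before changing either mapping, it helps to know which users already hold two VIP User IDs and which users would get a second one on their next Azure login. The script below is an added example for that audit; it is not part of the article or of the VIP product. It works on two constructed CSV exports whose column names are assumed: a list of VIP Manager user IDs and a directory export carrying, per user, the attributes the Enterprise Gateway and the Azure conditional access flow can each send as the VIP User ID (`onPremisesSamAccountName` and `mailNickname` are the Microsoft Graph spellings of the attributes the article names).

```python
import csv
import io

# Constructed sample export of VIP Manager user IDs (assumed single "user_id" column).
# "jdoe" arrived via the VIP Enterprise Gateway (samAccountName); "jdoe@contoso.example"
# was dynamically provisioned by the Azure conditional access flow (userPrincipalName).
VIP_USER_IDS_CSV = """user_id
jdoe
jdoe@contoso.example
asmith
bjones@contoso.example
"""

# Constructed sample directory export listing, per user, the attributes that either
# the VIP Enterprise Gateway or VIP Conditional Access for Azure could send as the VIP User ID.
DIRECTORY_CSV = """samAccountName,userPrincipalName,mailNickname,onPremisesSamAccountName
jdoe,jdoe@contoso.example,jdoe,jdoe
asmith,asmith@contoso.example,asmith,asmith
bjones,bjones@contoso.example,bjones,bjones
"""


def load_directory(text):
    """Parse the directory export into a list of per-user attribute dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def load_vip_user_ids(text):
    """Parse the VIP Manager export into the set of VIP User IDs that already exist."""
    return {row["user_id"] for row in csv.DictReader(io.StringIO(text))}


def find_duplicate_identities(directory_rows, vip_user_ids, eg_attr, azure_attr):
    """Map samAccountName -> sorted VIP User IDs for every person who already holds more
    than one VIP User ID because the EG attribute and the Azure attribute resolve to
    different values that both exist in VIP Manager."""
    duplicates = {}
    for row in directory_rows:
        candidate_ids = {row[eg_attr], row[azure_attr]} & vip_user_ids
        if len(candidate_ids) > 1:
            duplicates[row["samAccountName"]] = sorted(candidate_ids)
    return duplicates


def mismatched_users(directory_rows, eg_attr, azure_attr):
    """List the samAccountNames whose two attributes differ: these users would be
    dynamically provisioned with a second VIP User ID on their next Azure login."""
    return sorted(row["samAccountName"] for row in directory_rows
                  if row[eg_attr] != row[azure_attr])


def mapping_is_consistent(directory_rows, eg_attr, azure_attr):
    """True when the chosen EG and Azure attributes yield the same VIP User ID for every user."""
    return not mismatched_users(directory_rows, eg_attr, azure_attr)


if __name__ == "__main__":
    rows = load_directory(DIRECTORY_CSV)
    vip_ids = load_vip_user_ids(VIP_USER_IDS_CSV)
    # State described in the article: EG sends samAccountName, Azure sends the UPN.
    print("already duplicated:", find_duplicate_identities(rows, vip_ids, "samAccountName", "userPrincipalName"))
    print("will be duplicated:", mismatched_users(rows, "samAccountName", "userPrincipalName"))
    # Candidate fix from the article: Azure sends onPremisesSamAccountName instead.
    print("consistent after fix:", mapping_is_consistent(rows, "samAccountName", "onPremisesSamAccountName"))
```

Run `mapping_is_consistent` with the attribute pair you intend to configure before touching either the Enterprise Gateway or the Azure settings; any user it reports as mismatched will still end up with two VIP User IDs after the change. The comparison is exact, so normalize case first if your directory stores the two attributes with different capitalization.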