Symantec VIP MFA with Azure condition access creates duplicate users in VIP Manager



Article ID: 272480


Updated On:

Products

VIP Service

Issue/Introduction

During an MFA login through the Azure conditional access flow, a new user is created in VIP Manager whose VIP User ID is the userPrincipalName attribute value from Azure AD, even though the same person already exists in VIP Manager under a different User ID (for example, the sAMAccountName).

Cause

(Source: VIP Azure integration guide)

Azure AD and Office 365 require the Azure UserPrincipalName (UPN) attribute value as the username.

When Symantec VIP MFA is integrated:

  • A user accesses Microsoft Office 365, or any other Microsoft Azure AD client application.
  • Azure validates the first factor (user name and password) and, if successful, passes control to VIP through Conditional Access.
  • The VIP Conditional Access policy sends the UPN to the VIP Cloud for MFA.
  • If the UPN does not exist in VIP Manager as a VIP User ID, a new VIP User ID equal to the UPN is created (dynamic provisioning), and the user is redirected to VIP to register a VIP credential ID for MFA.
  • If the UPN does exist in VIP Manager as a VIP User ID, MFA is performed for that user.
  • If the same person already exists in VIP Manager under the sAMAccountName or another attribute as the VIP User ID, VIP has no way to tell that the two IDs belong to the same person, so a single user ends up with multiple User IDs and credential sets in VIP Manager.



Resolution

In VIP Manager > Policies > Azure, the User ID Attribute can be adjusted to match the existing User IDs in VIP Manager. When VIP receives the UPN as the username in an MFA request, it fetches the configured User ID Attribute for that user from Azure AD and uses that value as the VIP User ID.

For example, if the VIP Enterprise Gateway is sending 'samAccountName' as the VIP User Name Attribute...

...adjust the VIP Azure settings to send the Azure AD attribute that carries the same value. In many cases this is either mailNickname or onPremisesSamAccountName.

Alternatively, change the VIP User Name Attribute on your VIP Enterprise Gateway(s) to send the UserPrincipalName, so that both paths into the VIP tenant use the UPN as the VIP User ID.

Important: This change won't affect the end-user login experience or their login ID. Only the VIP User ID mapping between your VIP EG↔VIP tenant or the VIP Conditional Access for Azure↔VIP tenant is changing to ensure that each user has a single VIP User ID regardless of the application they are logging into.
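Before changing the User ID Attribute, it helps to know which choice actually lines up with the User IDs already in VIP Manager, and which users would still be dynamically provisioned as duplicates under the flow described in the Cause section. The script below is an added example written for this article, not Symantec code or a VIP API: it takes a constructed export of existing VIP User IDs and constructed Azure AD user objects, replays the mapping (UPN arrives in the MFA request, the configured attribute is fetched for that user and used as the VIP User ID), and reports, for each candidate attribute, which users match, which would be provisioned as duplicates, and which lack the attribute entirely. The attribute names are the Azure AD names the article refers to; the function names, sample data and the simple match rule are assumptions for illustration.

```python
"""
Added example (not from the Symantec article): simulate VIP's User ID
Attribute mapping against an export of existing VIP Manager User IDs to see
which Azure AD attribute avoids dynamically provisioned duplicate users.
"""

# Constructed VIP Manager user export. The VIP Enterprise Gateway in this
# scenario sends sAMAccountName as the VIP User Name Attribute, so these are
# the VIP User IDs that RADIUS/EG logins already use.
VIP_USER_IDS = {"jsmith", "agarcia", "bwong"}

# Constructed Azure AD user objects, reduced to the attributes that matter.
AZURE_USERS = [
    {"userPrincipalName": "john.smith@example.com",
     "mailNickname": "jsmith", "onPremisesSamAccountName": "jsmith"},
    {"userPrincipalName": "ana.garcia@example.com",
     "mailNickname": "agarcia", "onPremisesSamAccountName": "agarcia"},
    # Cloud-only account: no on-prem sAMAccountName, and a mailNickname that
    # does not match the VIP User ID. This is the edge case to watch for.
    {"userPrincipalName": "bwong@example.com",
     "mailNickname": "brian.wong", "onPremisesSamAccountName": None},
]

# Candidate values for VIP Manager > Policies > Azure > User ID Attribute.
CANDIDATES = ("userPrincipalName", "mailNickname", "onPremisesSamAccountName")


def provisioning_report(vip_user_ids, azure_users, user_id_attribute):
    """Classify every Azure AD user under one candidate User ID Attribute.

    matched   - resolved value already exists as a VIP User ID; MFA proceeds
    duplicate - value not in VIP Manager; dynamic provisioning would create a
                second VIP User ID (and credential set) for this person
    missing   - attribute is empty in Azure AD, so the mapping cannot be made

    Matching here is exact and case-sensitive (assumption); normalise the
    export first if your VIP tenant treats User IDs case-insensitively.
    """
    report = {"matched": [], "duplicate": [], "missing": []}
    for user in azure_users:
        # The MFA request carries the UPN; VIP then looks up the configured
        # attribute for that user and uses its value as the VIP User ID.
        value = user.get(user_id_attribute)
        if not value:
            report["missing"].append(user["userPrincipalName"])
        elif value in vip_user_ids:
            report["matched"].append(value)
        else:
            report["duplicate"].append(value)
    return report


def best_user_id_attribute(vip_user_ids, azure_users, candidates=CANDIDATES):
    """Pick the attribute that produces the fewest duplicates, breaking ties
    on the fewest users with an empty attribute."""
    def score(attr):
        r = provisioning_report(vip_user_ids, azure_users, attr)
        return (len(r["duplicate"]), len(r["missing"]))
    return min(candidates, key=score)


if __name__ == "__main__":
    for attr in CANDIDATES:
        r = provisioning_report(VIP_USER_IDS, AZURE_USERS, attr)
        print(f"{attr}: matched={r['matched']} "
              f"duplicate={r['duplicate']} missing={r['missing']}")
    print("recommended:", best_user_id_attribute(VIP_USER_IDS, AZURE_USERS))
```

With the constructed data, userPrincipalName provisions all three users as duplicates, mailNickname still duplicates the cloud-only account, and onPremisesSamAccountName matches both hybrid users but has no value for the cloud-only one. That last column is the point of the check: an attribute that matches your synced users is still not a complete fix if cloud-only accounts have it empty, so those users need either a populated attribute or a VIP User ID that matches the UPN before the Conditional Access policy is switched over.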