Symantec VIP MFA with Microsoft Entra ID condition access creates duplicate users in VIP Manager
search cancel

Symantec VIP MFA with Microsoft Entra ID condition access creates duplicate users in VIP Manager

book

Article ID: 272480

calendar_today

Updated On:

Products

VIP Service

Issue/Introduction

A new user is created in VIP Manager using the userPrincipalName attribute from Microsoft Entra ID during an MFA login using the Entra ID conditional access flow.

Cause

(Source: VIP Entra ID integration guide)

The Entra ID UserPrincipalName (UPN) attribute value is required by Entra ID/O365 as the username.

When Symantec VIP MFA is integrated:

  • A user accesses Microsoft Office 365, or any other Microsoft Entra ID client application.
  • Entra (formerly known as Microsoft Azure) validates the 1st-factor (user name and password) and If successful, passes control to VIP through Conditional Access.
  • VIP Conditional Access policy sends the UPN to the VIP Cloud for MFA.
  • If the UPN does not exist in VIP Manager as the VIP User ID, a new VIP User ID is created as the UPN (dynamic provisioning), then the user is redirected to VIP to add a VIP credential ID for MFA login use. 
  • If the UPN does exist in VIP Manager as the VIP User ID, MFA is performed for the user.
  • If the same user exists in VIP Manager as the SamAccountName or another attribute as the VIP User ID, VIP has no way of distinguishing if they are the same user, so a condition now exists where a single user has multiple usernames\credentials in VIP Manager.



Resolution

In VIP Manager > Policies > Entra ID, the User ID Attribute can be adjusted to match the existing User ID in VIP Manager. When VIP receives the UPN as the username in an MFA request, the User ID Attribute for that user is fetched from Entra ID and uses this value as the VIP User ID.  

For example, if the VIP Enterprise Gateway is sending samAccountName as the VIP User Name Attribute, adjust the VIP Entra ID settings in VIP Manager to send the Entra ID attribute that matches. In many cases, this is either mailNickName or onPremiseSamAccountName.

VIP Enterprise Gateway User Store Configuration:



VIP Manager Entra ID Configuration:

Alternatively, change the VIP User Name Attribute on your VIP Enterprise Gateway(s) to send the UserPrincipalName

Important: This change won't affect the end-user login experience or their login ID. Only the VIP User ID mapping between your VIP EG↔VIP tenant or the VIP Conditional Access for Entra ID↔VIP tenant is changing to ensure that each user has a single VIP User ID regardless of the application they are logging into.

Powered by Wolken Software