
Skyhigh Security

Configure Custom Attributes Using Active Directory

Limited Availability: To access User Unification, contact Skyhigh Support.

 

Before configuring custom attributes using Active Directory, make sure the prerequisites are met. 

Active Directory

The Cloud Connector extracts and collects Active Directory (AD) data to support threat investigation and analysis of user activity across your organization. In the Cloud Connector, a user with attributes and identifiers is mapped to a primary key, the Global Unique Identifier (GUID). Skyhigh CASB ingests the AD data using this GUID as the primary key, which allows Skyhigh to track a user even when that user has distinct identities.

In the Cloud Connector, configure Custom Attributes to map a user with distinct identities to a single GUID.
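The mapping described above, sketched as an added example (not Skyhigh or Cloud Connector code): it decodes the raw AD `objectGUID`, indexes several identifiers under that GUID, and flags identifier values claimed by more than one GUID before a sync. The sample entries, the choice of identifier attributes and the case-insensitive comparison are assumptions.

```python
import uuid
from collections import defaultdict

# Constructed sample entries (not real data). objectGUID is the raw 16-byte
# value an LDAP search returns for an AD user.
ENTRIES = [
    {"objectGUID": bytes(range(16)), "sAMAccountName": "jdoe",
     "mail": "Jane.Doe@example.com", "userPrincipalName": "jdoe@corp.example.com"},
    {"objectGUID": bytes(range(16, 32)), "sAMAccountName": "svc-backup",
     "mail": "jane.doe@example.com",  # duplicate address, constructed on purpose
     "userPrincipalName": "svc-backup@corp.example.com"},
]
# Assumed identifier choice; the page allows up to four identifiers.
IDENTIFIER_ATTRS = ("sAMAccountName", "mail", "userPrincipalName")


def guid_text(raw: bytes) -> str:
    """Render objectGUID as text; AD stores the first three fields little-endian."""
    return str(uuid.UUID(bytes_le=raw))


def build_index(entries, attrs=IDENTIFIER_ATTRS):
    """Map each identifier value to one GUID and report values claimed by several."""
    index, conflicts = {}, defaultdict(set)
    for entry in entries:
        guid = guid_text(entry["objectGUID"])
        for attr in attrs:
            value = entry.get(attr)
            if not value:
                continue
            key = value.strip().lower()  # assumption: identifiers compare case-insensitively
            owner = index.setdefault(key, guid)
            if owner != guid:
                conflicts[key].update((owner, guid))
    return index, dict(conflicts)


def resolve(index, identity: str):
    """Return the GUID for an identity seen in activity logs, or None if unknown."""
    return index.get(identity.strip().lower())


INDEX, CONFLICTS = build_index(ENTRIES)

if __name__ == "__main__":
    for seen in ("JDOE", "jdoe@corp.example.com", "unknown@example.com"):
        print(seen, "->", resolve(INDEX, seen))
    print("ambiguous identifiers:", CONFLICTS)
```

An identifier that appears under two GUIDs would attribute one account's activity to another user, so resolve such conflicts in the directory before choosing that attribute as an identifier.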

Configure Custom Attributes using Active Directory

To configure Custom Attributes using Active Directory, perform the following steps:

  1. Go to Settings > Integrations > Directory Service.

  2. Turn on the Directory Service toggle button.  
  3. Click Add Source to add a data source.

    This screen appears only if you have already configured a Cloud Connector. To add another Cloud Connector, click Add Source.

  4. On the Data Source page, select Active Directory (AD).
  5. From the menu, select a Cloud Connector. The menu lists only Cloud Connectors of version 6.8.1 and above.

  6. If the selected connector is inactive, an Inactive Connector dialog appears. Activate your Cloud Connector, and then click OK.

  7. Fill in the AD server details, and then click Next:

    | Field | Description |
    | --- | --- |
    | Name | Enter the custom attribute configuration name. |
    | IP or Host | Enter the Active Directory IP address or hostname. |
    | Port | Enter the Active Directory port number. |
    | UserName | Enter the Active Directory username. |
    | Password | Enter the Active Directory password. |
    | Base DN | Enter the Active Directory Base. |
    | Filter | Enter the Active Directory filter regex. |
    | Enable AD SSL Settings | Select Yes to enable secure LDAP for AD. Select No to disable. Trust Store Path: enter the SSL settings path. Trust Store Password: enter the SSL settings password. |

  8. On the Evaluate Attributes page, review the default attributes list to make sure all the required attributes are available. If an attribute is missing, add it to the Default Attributes to be Synced field, and then click Update. If attribute values are not as expected, you can delete the entries from the Default Attributes to be Synced field, and then click Update.
  9. Click the column header to set up the virtual attribute value, and then enter:
    • Regex Match key.
    • Regex Replace key.
    • Check to extract the common name before applying the regular expression matches. If this checkbox is selected, the common name is extracted before the regular expression match is performed. If the input string is not a canonical name, the value is not modified.
  10. Click Save.
  11. Click Next.
  12. On the Custom Attributes page, fill in the required fields, and then click Check:
    If you have configured a Cloud Connector and added another Cloud Connector, the identifiers and custom attributes are auto-populated from the previous configuration.

    | Field | Description |
    | --- | --- |
    | Select Primary Key | Object GUID is the default primary key and cannot be changed for Active Directory. |
    | Define Identifiers | Select the identifiers for Shadow or Sanctioned services from the menu. Click Add more to configure additional identifiers. You can configure a maximum of four identifiers. |
    | User Default Display Name | Sets the display name that appears on the Users page. |
    | Configure User Details | Select additional attributes, and enter Custom Display Names. Click Add more to configure additional attributes. Click Select Product to select Shadow or Sanctioned services. NOTE: For Shadow services, you can add a maximum of 5 attributes, and for Sanctioned services, you can add a maximum of 25 attributes. |
    | Upload Frequency | Select the upload frequency in hours from the menu. The default value is set to 24 hours. |

  13. Review the configurations, and then click Sync.

You are redirected to the Directory Service page, which shows the following details:

  • Directory Service Status. Lists the configured sources and the details associated with each source, such as the Last Sync time stamp and the number of Ingested Users.
  • Source Details. Lists the User Attributes and Sync Logs of the selected source.

    For details about the Directory Service Status and Source Details tabs, see User Ingestion Details on Directory Service.
     
  • Actions.
    • Sync. Upload AD users to Skyhigh CASB.
    • Edit. Edit the selected directory service configuration.
    • Delete. Delete the selected directory service configuration.

After completing the configurations, the Cloud Connector starts ingesting the user attribute data.

NOTE: On the Custom Attributes page, when you change or remove the configured identifiers or custom attributes that are part of any User Group or Data Jurisdiction, an error message appears. Review the configuration before synchronizing the directory.
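A local preview of the virtual attribute step (Regex Match key, Regex Replace key, and the common-name checkbox), given as an added example and not Cloud Connector code. It assumes the input is in distinguished-name form, that the replace is applied to every match, and it uses Python's regex dialect; the page does not state which dialect or replacement syntax the product uses.

```python
import re


def split_dn(dn: str):
    """Split a distinguished name on commas that are not backslash-escaped."""
    parts, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])  # keep the escape pair together
            i += 2
            continue
        if ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return [p.strip() for p in parts]


def common_name(value: str):
    """Return the leading CN of a DN, or None when value is not a CN=... DN."""
    rdns = split_dn(value)
    if not all("=" in rdn for rdn in rdns):
        return None
    key, _, cn = rdns[0].partition("=")
    if key.strip().upper() != "CN":
        return None
    return re.sub(r"\\(.)", r"\1", cn.strip())  # drop backslash escapes (hex escapes not handled)


def virtual_attribute(value: str, match: str, replace: str, extract_cn: bool = False) -> str:
    """Preview a match/replace pair on one attribute value."""
    if extract_cn:
        cn = common_name(value)
        if cn is not None:  # input that is not a DN is left unmodified, as the page states
            value = cn
    return re.sub(match, replace, value)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real directory.
    manager = "CN=Doe\\, Jane,OU=Staff,DC=example,DC=com"
    print(virtual_attribute(manager, r"^(\w+), (\w+)$", r"\2 \1", extract_cn=True))
    print(virtual_attribute("jdoe@example.com", r"@.*$", "", extract_cn=True))
```

Running candidate patterns against exported sample values first shows whether a pattern silently leaves some values unchanged, which would otherwise surface as unexpected attribute values after the sync.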

 
