LDAP User Moves Between Multiple AuthPoint Groups

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

A user synced from an LDAP database cannot belong to more than one local AuthPoint group. If an LDAP user belongs to multiple group syncs, each time AuthPoint syncs with your LDAP database, the local AuthPoint group that the user belongs to might change.

For example, you configure two group syncs in AuthPoint:

Group Sync 1
- LDAP Groups to Sync: Sales
- AuthPoint Group to Add Users To: Group A
Group Sync 2
- LDAP Groups to Sync: Marketing
- AuthPoint Group to Add Users To: Group B

With this configuration, users that belong to both the Sales and Marketing LDAP groups will move between Group A and Group B each time AuthPoint syncs with your external identity provider. The AuthPoint group that the user belongs to depends on which group sync runs last.

Symptoms

When an LDAP user belongs to multiple group syncs, you might notice these symptoms:

One or more users change which group they belong to in AuthPoint
Users cannot authenticate to resources that their AuthPoint group has access to

Diagnostic Steps

Review all of the group syncs configured for your LDAP external identity.
Make sure each LDAP group does not belong to more than one group sync.

Possible Causes and Solutions

Possible Cause	Solution
The LDAP user belongs to multiple group syncs.	Make sure the user does not belong to more than one group sync. If you need to add LDAP users to multiple groups, we recommend that you enable the Create new synchronized groups toggle and use your Active Directory group structure to manage your users. To set up a new group sync and utilize synced groups from Active Directory: In WatchGuard Cloud, go to Configure > AuthPoint > Settings and disable Quarantine Clean Up, if it is enabled. This is a temporary change. Go to Configure > Directories and Domain Services > WatchGuard Cloud Directory and add a group that all synced users can belong to. You do not have to use this group for Zero Trust policies, this group is just meant to be a catch-all group for user synchronization. In our example, we name this group MFA Users. Make a note of your existing group sync configurations and Zero Trust policy configurations. Delete the group syncs that are in conflict. Add a new group sync that includes all of the necessary LDAP groups in a single group sync, and add them to the new group you created in Step 2. Make sure to enable the Create new synchronized groups toggle. Based on the example in the introduction, the new group sync settings would be: LDAP Groups to Sync: Sales and Marketing AuthPoint Group to Add Users To: MFA Users Create new synchronized groups: Enabled Manually start a synchronization for your external identity. After the synchronization, in our example the LDAP users should belong to three groups: Sales (LDAP group) Marketing (LDAP group) MFA Users (AuthPoint Group) Go to Configure > Zero Trust and add the new LDAP synced groups to your policies. This is not done automatically. If you have set up AuthPoint MFA for a Firebox, make sure you add the LDAP groups to the Firebox as the group names might have changed. In our example, we would update the Mobile VPN with SSL settings to change Group A to Sales and Group B to Marketing. Make sure authentication to all protected resources works as expected. If the setting to automatically remove quarantined users was previously enabled, go to Configure > AuthPoint > Settings and enable Quarantined User Cleanup.

Possible Cause

Solution

The LDAP user belongs to multiple group syncs.

Make sure the user does not belong to more than one group sync. If you need to add LDAP users to multiple groups, we recommend that you enable the Create new synchronized groups toggle and use your Active Directory group structure to manage your users.

To set up a new group sync and utilize synced groups from Active Directory:

In WatchGuard Cloud, go to Configure > AuthPoint > Settings and disable Quarantine Clean Up, if it is enabled. This is a temporary change.
Go to Configure > Directories and Domain Services > WatchGuard Cloud Directory and add a group that all synced users can belong to. You do not have to use this group for Zero Trust policies, this group is just meant to be a catch-all group for user synchronization. In our example, we name this group MFA Users.
Make a note of your existing group sync configurations and Zero Trust policy configurations.
Delete the group syncs that are in conflict.
Add a new group sync that includes all of the necessary LDAP groups in a single group sync, and add them to the new group you created in Step 2. Make sure to enable the Create new synchronized groups toggle.
Based on the example in the introduction, the new group sync settings would be:
- LDAP Groups to Sync: Sales and Marketing
- AuthPoint Group to Add Users To: MFA Users
- Create new synchronized groups: Enabled
Manually start a synchronization for your external identity. After the synchronization, in our example the LDAP users should belong to three groups:
- Sales (LDAP group)
- Marketing (LDAP group)
- MFA Users (AuthPoint Group)
Go to Configure > Zero Trust and add the new LDAP synced groups to your policies. This is not done automatically.
If you have set up AuthPoint MFA for a Firebox, make sure you add the LDAP groups to the Firebox as the group names might have changed. In our example, we would update the Mobile VPN with SSL settings to change Group A to Sales and Group B to Marketing.
Make sure authentication to all protected resources works as expected.
If the setting to automatically remove quarantined users was previously enabled, go to Configure > AuthPoint > Settings and enable Quarantined User Cleanup.

LDAP User Moves Between Multiple AuthPoint Groups

Symptoms

Diagnostic Steps

Possible Causes and Solutions

Related Topics