Configuring search expressions for delegated authentication (AD/LDAP only)
If you configure a synchronous Active Directory or LDAP connector to use SAML or OIDC delegated authentication, Trust Protection Foundation must still query the external directory to locate the user matching the incoming authentication token.
By default, Trust Protection Foundation searches Active Directory using Ambiguous Name Resolution (ANR). If your identity provider passes a unique identifier (such as a User Principal Name or email address) that is not included in your directory's default ANR attributes, the login will fail and return an "ambiguous identity lookup" error.
To ensure the identity connector can successfully locate the user, you must customize the user search expression to explicitly include the attribute passed by your identity provider.
To customize the user lookup expression:
- Use Remote Desktop to connect to the Trust Protection Foundation server and open the CyberArk Configuration Console.
- Navigate to the Connectors node and select your Active Directory or LDAP identity connector.
- In the Actions panel, click Properties.
- Select the User Search (AD) or Search Resolution (LDAP) tab.
- Select Use Custom Expression.
- Modify the default expression to explicitly include the attribute used by your SAML/OIDC provider.
Active Directory example: if your IdP passes the UPN, change the default value

    (&(ANR=$search$*)(objectCategory=$userclass$))

to an expression that also searches userPrincipalName explicitly:

    (&(|(ANR=$search$)(userPrincipalName=$search$))(objectCategory=$userclass$))

- Click OK, and then open an elevated command prompt and reset IIS using the iisreset command.
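As an added illustration (not CyberArk's code), the toy filter evaluator below runs the default and the custom expression over a constructed in-memory directory to show why a UPN sent by the IdP matches nothing under ANR but resolves to exactly one user once userPrincipalName is in the filter. ANR is modelled as a prefix match over an assumed attribute set (the real evaluation happens on the domain controller); ANR_ATTRS, DIRECTORY and resolve_user are assumptions of this example.

```python
# Assumed ANR attribute set for this example; AD's real set comes from its schema.
ANR_ATTRS = ("displayName", "givenName", "sn", "sAMAccountName", "name")

DEFAULT_EXPR = "(&(ANR=$search$*)(objectCategory=$userclass$))"
CUSTOM_EXPR = "(&(|(ANR=$search$)(userPrincipalName=$search$))(objectCategory=$userclass$))"

# Constructed sample entries, not real directory data.
DIRECTORY = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe", "displayName": "Jane Doe",
     "name": "Jane Doe", "userPrincipalName": "jdoe@example.com", "objectCategory": "person"},
    {"sAMAccountName": "jdoe2", "givenName": "John", "sn": "Doe", "displayName": "John Doe",
     "name": "John Doe", "userPrincipalName": "jdoe2@example.com", "objectCategory": "person"},
]

def _split_top_level(s):
    """Split '(a)(b)(c)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts

def _matches(flt, entry):
    """Recursively evaluate one parenthesised filter against one entry."""
    body = flt[1:-1]                      # strip the outer parentheses
    if body[0] in "&|":
        results = [_matches(p, entry) for p in _split_top_level(body[1:])]
        return all(results) if body[0] == "&" else any(results)
    attr, pattern = body.split("=", 1)
    if attr.upper() == "ANR":
        # ANR: the value is compared as a prefix across several attributes.
        prefix = pattern.rstrip("*").lower()
        return any(entry.get(a, "").lower().startswith(prefix) for a in ANR_ATTRS)
    if pattern.endswith("*"):             # trailing wildcard, the only form used here
        return entry.get(attr, "").lower().startswith(pattern[:-1].lower())
    return entry.get(attr, "").lower() == pattern.lower()

def resolve_user(expression, search, userclass="person", entries=DIRECTORY):
    """Substitute the $search$/$userclass$ placeholders and return matching entries."""
    flt = expression.replace("$search$", search).replace("$userclass$", userclass)
    return [e for e in entries if _matches(flt, e)]

if __name__ == "__main__":
    for name, expr in (("default", DEFAULT_EXPR), ("custom", CUSTOM_EXPR)):
        print(name, len(resolve_user(expr, "jdoe@example.com")), "match(es) for the UPN")
```

The same evaluator also shows the other side of the problem: the default expression's trailing wildcard turns a short identifier such as "jdoe" into two matches, which is why an exact attribute match on the IdP's identifier is what makes the lookup unambiguous.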