Troubleshooting Federated Group Mapping

Issue: Platform group sync overwrites Secret Server groups every four hours

  • The Secret Server users are stripped of their group memberships.

  • The administrator might receive the error message "No internal user found for mapping the external user."

Customers affected: Secret Server customers who opted in to the Delinea Platform, with federated directory users on the platform and the following set up and working properly:

  • Active Directory Synchronization

  • The Delinea Connector

  • Group Mapping

Resolution:

  1. From the Platform interface, remove all federated users from the platform.

    a. Click Access from the left navigation menu, then click Users.

    b. Select the box next to a user from a federated directory.

    c. Click Delete at the top right of the page.

    d. Repeat steps b and c until all federated users are deleted.

  2. Ensure that your federation providers have their user mapping option set to "Required" with the option "Create local user if unable to map" enabled.

    a. Click Settings from the left navigation menu, then click Federation providers.

    b. Click the name of a federation provider.

    c. On the Settings tab, scroll down to User Mappings.

    d. Next to Map federated user to existing directory user, select Required from the drop-down menu.

    e. Select Create local user if unable to map.

    f. Click Save.

  3. From the Secret Server interface, reset user mappings.

    a. Click Settings from the left navigation menu, then click Platform groups sync.

    b. On the Groups tab, click Reset user mappings.

The next time those federated users log on to the platform, they should experience no more group issues.