SIEM management and auditing functions require every Web Console user to be associated with a Person record and Login field in the Client Console.
During a Single Sign-On (SSO) login, the SIEM identifies user associations by comparing the following fields:
|nameID||SAML assertion||Identity Provider (IdP)|
|Login||People tab in the Deployment Manager||Client Console|
If the SIEM cannot identify a Person record with a Login field that matches the nameID field from the Identity Provider (IdP), the SIEM creates a new Person record and associated User Login record with the following values:
|Person Record Field||Value|
|Name||First name and last name of the user provided in the IdP.|
|Login||Email address for the user provided in the IdP.|
Auto-provisioning will fail if the Name field in an existing Person record contains the same unique combination of first name and last name provided in the IdP. In this case, a SIEM administrator must modify the existing Person record by updating the Name field with a different combination of first name and last name. For subsequent SSO logins, this user will be associated with the auto-provisioned user.
SSO Auto-Provisioning and Client Console Accounts
SSO auto-provisioned users who did not previously exist in the Client Console may initially only log in to the Web Console via SSO because the SSO auto-provisioned user is assigned a random, complex, and unknowable password on first login. If these users want to use their SSO auto-provisioned account to log in without SSO, either to the Client Console or the Web Console, a SIEM administrator can execute the following procedure:
Before executing this procedure:
If you want the SSO auto-provisioned user's new password to be synched with Active Directory, you must first create this user login using either Active Directory Group-Based Authorization or manually creating a Person record tied to a Windows/AD account.
- Log in to the Client Console as a SIEM administrator.
- On the main toolbar, click Deployment Manager.
- Click the People tab.
- Right-click on the user's Person Record, and then click User Account Properties.
Before proceeding, make sure you understand the Enforce Password Policy setting and the implications of changing it.
Enforce Password Policy
The Enforce Password Policy settings are retrieved from Windows Local Security Policy. (You can view this policy with the Windows MMC Local Security Policy (secpol.msc) in the Password Policy folder.) The default setting for Minimum Password Age is 1 day. If the SIEM administrator resets a user password with this default setting, the user cannot change their own password for 1 day unless the SIEM administrator disables the Enforce Password Policy. When the SIEM administrator changes the Enforce Password Policy setting, the following warning message is triggered:You have chosen to change password policy enforcement. This will require you to reset the user password. If you wish to continue with this operation, click OK. Otherwise click Cancel.
The SIEM administrator can disable the Enforce Password Policy setting and immediately change the user's password. However, if the SIEM administrator later re-enables this setting, the warning message is triggered again and the password must be reset again.
If the SIEM administrator does not want to disable the Enforce Password Policy setting, there are two options:
1. After resetting the user's password, the user must wait 1 day to change it.
2. The SIEM administrator can set the Minimum Password Age to 0 days, and the user can change their password immediately. This option is not available to LR Cloud customers.
- In Account Options, set Enforce Password Policy based on your preferred option as outlined in the above note.
- After changing the user's password, give them their temporary password.
- The user must login to the Web Console via SSO using their normal SSO credentials.
- Upon successful login with SSO credentials, the user must then change their password to the temporary password provided by the SIEM administrator.
- In the User Options menu, click Settings, then click Change Password.
- Enter the temporary password in the Old Password field.
- Enter the desired new password in the New Password field.
This new password will be used to log in to the Client Console.
- Click Save.
The new password will not be synchronized with Active Directory and must be manually updated. If the user wants their password synchronized with Active Directory, you must first create this user login using either Active Directory Group-Based Authorization or manually creating a Person record tied to a Windows/AD account.