Manage login suffixes

This topic describes how to manage login suffixes in order to identify the directory service containing the user.

The login suffix is the part of the login name that follows the @ symbol. For example, if the login name is bob.jones@acme.com, the login suffix is “acme.com.” The login suffix identifies the directory service containing the user account when the user logs in to portals or enrolls a device. If the login suffix is not listed on this page, the user cannot be authenticated.

CyberArk Identity automatically creates a default login suffix for your organization based on the login suffix in the work email account entered in the CyberArk sign-up form. However, if that login suffix is already in use, CyberArk Identity appends a one- or two-digit number to the end. For example, if the email address entered had the login suffix acme.com but “acme.com” was already used by another organization, CyberArk Identity would create the login suffix acme.com.4.

You can create additional login suffixes for CyberArk Cloud Directory accounts. You assign a new CyberArk Identity account to a login suffix when you create the account.

The following sections have additional information specific to CyberArk Cloud Directory and Active Directory.

For CyberArk Cloud Directory users, the customer ID in the URL can be an ID or a login suffix.

However, if you use a login suffix and the specified user name is a short name (without a login suffix), then the customer ID in the URL must be a login suffix. The login suffix should not look like an ID.

The following table describes examples of using a short name (without a login suffix) to log in to CyberArk Identity.

| URL | User name used for logging in (a short name without a login suffix) | Restrictions |
| --- | --- | --- |
| https://companyXYZ/my?customerId=myorg.com | jane | You must have a user account jane@myorg.com. |
| https://companyxyz.idaptive.app/my?customerId=myorg | jane | You must have a user account jane@myorg. |
| https://companyxyz.idaptive.app/my?customerId=AAA0001 | jane | Even though AAA0001 is a valid login suffix, this login fails because the customer ID in the URL looks like an ID. For this login to succeed, the user name should have a login suffix (for example jane@AAA0001). |

If you are using an Active Directory domain as an ID repository, CyberArk Identity adds the following login suffixes when the connector is installed:

  • The login suffix in the installer account name. This allows the administrator to log in to the Admin Portal right after installing the connector.

    If the login suffix in the connector installer’s account is already in use in CyberArk Identity, an error message is displayed and you cannot use that domain name as a login suffix. (This occurs rarely but can happen.) Contact support if this happens to your account.

  • The domain name of the domain controller to which the host computer for the connector is joined.
  • If that domain controller is part of a tree or forest, CyberArk Identity adds a login suffix for all other domains in the tree or forest it can locate.

    If you have users with Active Directory accounts in domains in a tree or forest that was not found, or users who log in with their Office 365 account, you must add those login suffixes before these users can log in to the Admin Portal or the CyberArk Identity User Portal, and enroll a device.

    You can also create an alias for an Active Directory domain name. You would use an alias to simplify login for users with a long or complicated Active Directory login suffix. See Create an alias for long Active Directory domain names for the details. You cannot create an alias for CyberArk Cloud Directory login suffixes.

Create a login suffix

  • You can create as many login suffixes as you want for CyberArk Cloud Directory accounts. The login suffix can be composed of any of the UTF8 alphanumeric characters plus the symbols + (plus), - (dash), _ (underscore), and . (period). You can, but are not bound to, use the form label.label for your login suffixes; however, a login suffix can be composed of a single label—for example, ABCCorp.

  • Login suffixes must be unique in CyberArk Identity (not just within your CyberArk Identity account). If you enter a login suffix that is already in use, you get an error message.

  • You can select any login suffix when you create new CyberArk Identity accounts.

To create a login suffix

  1. Log in to the Admin Portal and click Settings > Customization > Suffix > Add.

  2. Enter the suffix in the text box and click Save.
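The character rule for new suffixes and the short-name login table above can be checked before you save a suffix. The following Python sketch is an added example, not CyberArk code. It assumes that “looks like an ID” means three letters followed by four digits (modelled on AAA0001), that suffix matching is exact, and that no default login suffix is set; `suffix_problems` and `resolve_login` are hypothetical names.

```python
import re

# Assumption: "looks like an ID" means three letters followed by four digits,
# modelled on the page's AAA0001 example; the product's real test is not documented here.
ID_LIKE = re.compile(r"[A-Za-z]{3}[0-9]{4}")
EXTRA_SYMBOLS = set("+-_.")  # symbols the page allows besides alphanumerics


def suffix_problems(suffix):
    """Return reasons to reject or reconsider a proposed login suffix."""
    problems = []
    if not suffix:
        return ["suffix is empty"]
    bad = sorted({c for c in suffix if not (c.isalnum() or c in EXTRA_SYMBOLS)})
    if bad:
        problems.append("disallowed characters: " + repr("".join(bad)))
    if ID_LIKE.fullmatch(suffix):
        problems.append("looks like a customer ID: short-name login will fail")
    return problems


def resolve_login(customer_id, user_name, suffixes):
    """Return the full login name that would be looked up, or None on failure.

    suffixes is the set of login suffixes registered for the tenant (constructed
    sample data below). Matching is exact; a default login suffix is not modelled.
    """
    if "@" in user_name:
        # Full login name: the suffix after the last @ selects the directory.
        suffix = user_name.rpartition("@")[2]
        return user_name if suffix in suffixes else None
    if ID_LIKE.fullmatch(customer_id):
        # Short name plus an ID-like customerId: treated as an ID, not a suffix.
        return None
    if customer_id in suffixes:
        return f"{user_name}@{customer_id}"
    return None


if __name__ == "__main__":
    registered = {"myorg.com", "myorg", "AAA0001"}  # constructed sample suffixes
    for cid, user in [("myorg.com", "jane"), ("myorg", "jane"),
                      ("AAA0001", "jane"), ("AAA0001", "jane@AAA0001")]:
        print(cid, user, "->", resolve_login(cid, user, registered))
    for s in ["ABCCorp", "acme.com.4", "AAA0001", "my org!"]:
        print(s, "->", suffix_problems(s) or "ok")
```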

Delete a login suffix

You cannot delete a login suffix that has associated user accounts. The Admin Portal displays an error message if you try to delete a login suffix that still has user accounts associated with it. To delete a login suffix, remove all of its user accounts.

If you need to use an existing login suffix for another tenant, you will need to rename it. See Modify a login suffix.

Modify a login suffix

You can rename a login suffix. If you do, the accounts associated with the original login suffix are automatically updated to the new one. Be sure to notify the users affected that they have a new login suffix. They will not be able to log in using the original suffix.

To modify a login suffix:

  1. Open Admin Portal and click Settings > Customization > Suffix.
  2. Right-click the login suffix and click Modify.
  3. Make your changes in the text box and click Save.

Set a CyberArk Cloud Directory login suffix as default

Users with administrator privileges can enable a default login suffix for CyberArk Cloud Directory users. This allows users to sign in to the Admin Portal or User Portal using just their user name without adding the login suffix.

To add a default CyberArk Cloud Directory login suffix

  1. Open the Admin Portal and click Settings > Users > Directory Services.
  2. Click CyberArk Cloud Directory.
  3. In the Cloud Directory Service, select a default login suffix from the drop-down menu.

  4. Click Save.

    Once saved, users with that login suffix can sign in to the Admin Portal or User Portal without adding the login suffix.

Create an alias for long Active Directory domain names

Best practice dictates that you use a login suffix for Active Directory users that is already in use. For example, if users are using your organization’s domain name to open their email account, it would help them remember their CyberArk Identity user name if you used the same login suffix. This is not a requirement, however. If you have a long or complex Active Directory domain name, you can create a mapped login suffix for Active Directory accounts using the Advanced option. For example, if your login suffix is abc.bigcorp.com, you could define another login suffix, such as “abc.” Users can then log in to the User Portal using just <username>@abc.

To map an Active Directory login suffix:

  1. Open the Admin Portal and click Settings > Customization > Suffix > Add.
  2. Enter the alias in the Login suffix text box.
  3. Expand Advanced.
  4. Reset the “Keep Login Suffix and Mapped Suffix the same” checkbox.
  5. Backspace over the login suffix in the text box below the checkbox and enter the Active Directory domain name.
  6. Click Save.