Manage login suffixes
This topic describes how to manage the login suffixes that identify user directories at login.
The login suffix is the part of the login name that follows the @ symbol. For example, if the login name is firstname.lastname@acme.com, the login suffix is acme.com. The login suffix identifies the directory service containing the user account when the user logs in to portals or enrolls a device. If the login suffix is not listed on this page, the user cannot be authenticated.
CyberArk Identity automatically creates a default login suffix for your organization based on the suffix of the work email account entered in the CyberArk sign-up form. If that login suffix is already in use, CyberArk Identity appends a one-digit or two-digit number to the end. For example, if the login suffix acme.com of the email address entered was already used by another organization, CyberArk Identity would create the login suffix
You can create additional login suffixes for CyberArk Cloud Directory accounts. You assign a login suffix to a new CyberArk Cloud Directory account when you create the account.
The following tabs have additional information specific to CyberArk Cloud Directory and Active Directory (AD):
For CyberArk Cloud Directory users, the customer ID in the URL can be an ID or a login suffix.
If you use a login suffix and the specified user name is a short name (without a login suffix), then the customer ID in the URL must be a login suffix. The login suffix should not resemble an ID.
The following table gives examples of using a short name (without a login suffix) to log in to CyberArk Identity.
| URL | User name to log in with a short name without a login suffix | Restrictions |
|---|---|---|
| | | You must have a user account email@example.com. |
| URL whose customer ID is the login suffix myorg | jane | You must have a user account jane@myorg. |
| URL whose customer ID is AAA0001 | jane | Even though AAA0001 is a valid login suffix, this login fails because the customer ID in the URL looks like an ID. For this login to succeed, the user name should include a login suffix (for example jane@AAA0001). |
If you are using an AD domain as an ID repository, CyberArk Identity adds the following login suffixes when the connector is installed:
- The login suffix in the installer account name. This enables the administrator to log in to the Identity Administration portal right after installing the connector.
  If the login suffix in the connector installer's account is already in use in CyberArk Identity, an error message is displayed and you cannot use that domain name as a login suffix. (This occurs rarely but can happen.) Contact support if this happens to your account.
- The domain name of the domain controller to which the host computer for the connector is joined.
  If that domain controller is part of a tree or forest, CyberArk Identity adds a login suffix for all other domains in the tree or forest it can locate.
If you have users with AD accounts in domains in a tree or forest that was not found, or users who log in with their Office 365 account, you must add those login suffixes before these users can log in to the Identity Administration portal or CyberArk Identity User Portal, or enroll a device.
You can also create an alias for an AD domain name. You would use an alias to simplify login for users with a long or complicated AD login suffix. See Create an alias for long AD domain names for more information. You cannot create an alias for CyberArk Cloud Directory login suffixes.
Create a login suffix
You can create as many login suffixes as you want for CyberArk Cloud Directory accounts. The login suffix can be composed of any of the UTF-8 alphanumeric characters, including the special characters + (plus), - (dash), _ (underscore), and . (period). You can optionally use the form label.label for your login suffixes; however, a login suffix can also be composed of a single label; for example,
Login suffixes must be unique in CyberArk Identity (not just within your CyberArk Identity account). If you enter a login suffix that is already in use, you get an error message.
You can select any login suffix when you create new CyberArk Identity accounts.
To create a login suffix:
- Log in to the Identity Administration portal and click Settings > Customization > Suffix > Add.
- Enter the suffix in the text box and click Save.
Delete a login suffix
You cannot delete a login suffix that has associated user accounts. The Identity Administration portal displays an error message if you try to delete a login suffix with associated user accounts. You need to remove all user accounts to delete a login suffix.
If you need to use an existing login suffix for another tenant, you need to rename it. For more information, see Modify a login suffix.
Modify a login suffix
When you rename a login suffix, the accounts associated with the original login suffix are automatically updated to the new one. Be sure to notify the users affected that they have a new login suffix. They will not be able to log in using the original suffix.
To modify a login suffix:
- Open Identity Administration portal and click Settings > Customization > Suffix.
- Right-click the login suffix and click Modify.
- Make your changes in the text box and click Save.
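The create, delete and modify rules above (allowed characters, service-wide uniqueness, no deletion while accounts are attached, and a rename that carries the associated accounts with it) are easy to get wrong when scripting tenant administration. The following in-memory model is an added illustration written for this page; it is not CyberArk code, the `SuffixRegistry` class and its method names are assumptions, and the tenant and account values are constructed sample data.

```python
"""In-memory model of the login-suffix lifecycle rules described on this page.
Added illustration only, not CyberArk code. Class and method names are
assumptions; behaviour follows the text: allowed characters, suffixes unique
across the whole service, no delete while accounts exist, rename cascades."""
import re
from dataclasses import dataclass, field

# One label may contain letters and digits of any script plus + - _ (\w is Unicode-aware in Python 3).
# Periods are allowed only as label separators in the optional label.label form.
_LABEL = re.compile(r"^[\w+\-]+$")


class SuffixError(ValueError):
    """Raised for the conditions the portal reports as an error message."""


def fails(fn, *args):
    """Return True when fn(*args) raises SuffixError; used by the demo and tests."""
    try:
        fn(*args)
    except SuffixError:
        return True
    return False


@dataclass
class SuffixRegistry:
    # Suffixes are unique service-wide, so one registry is shared by all tenants.
    suffixes: dict = field(default_factory=dict)  # suffix -> owning tenant
    accounts: dict = field(default_factory=dict)  # full login name -> tenant

    @staticmethod
    def validate(suffix):
        if not suffix:
            raise SuffixError("login suffix must not be empty")
        for label in suffix.split("."):
            if not _LABEL.match(label):
                raise SuffixError(f"invalid label {label!r} in suffix {suffix!r}")

    def create(self, tenant, suffix):
        self.validate(suffix)
        if suffix in self.suffixes:  # uniqueness is checked across every tenant
            raise SuffixError(f"login suffix {suffix!r} is already in use")
        self.suffixes[suffix] = tenant

    def add_account(self, short_name, suffix):
        if suffix not in self.suffixes:
            raise SuffixError(f"login suffix {suffix!r} is not registered")
        self.accounts[f"{short_name}@{suffix}"] = self.suffixes[suffix]

    def accounts_using(self, suffix):
        return sorted(n for n in self.accounts if n.rsplit("@", 1)[1] == suffix)

    def delete(self, suffix):
        users = self.accounts_using(suffix)
        if users:  # the portal refuses the delete while accounts are associated
            raise SuffixError(f"cannot delete {suffix!r}: {len(users)} associated account(s)")
        del self.suffixes[suffix]

    def rename(self, old, new):
        """Rename a suffix; every associated account moves to the new suffix."""
        self.validate(new)
        if old not in self.suffixes:
            raise SuffixError(f"unknown login suffix {old!r}")
        if new in self.suffixes:
            raise SuffixError(f"login suffix {new!r} is already in use")
        self.suffixes[new] = self.suffixes.pop(old)
        for name in self.accounts_using(old):
            short = name.rsplit("@", 1)[0]
            self.accounts[f"{short}@{new}"] = self.accounts.pop(name)
        return self.accounts_using(new)


def lifecycle_demo():
    """Walk through create, duplicate, delete-with-accounts and rename on constructed data."""
    reg = SuffixRegistry()
    reg.create("tenant-a", "acme.com")
    reg.add_account("jane", "acme.com")
    return {
        "duplicate_rejected": fails(reg.create, "tenant-b", "acme.com"),
        "delete_blocked": fails(reg.delete, "acme.com"),
        "renamed_accounts": reg.rename("acme.com", "acme-corp.com"),
        "old_name_gone": "jane@acme.com" not in reg.accounts,
        "bad_chars_rejected": fails(SuffixRegistry.validate, "bad suffix"),
    }


if __name__ == "__main__":
    print(lifecycle_demo())
```

The rename path is the one to test most carefully in any automation: after it, the old login name no longer resolves, which is exactly why the text tells you to notify affected users.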
Default to a CyberArk Cloud Directory login suffix
Users with administrator privileges can enable a default login suffix for CyberArk Cloud Directory users. This enables users to sign in to the Identity Administration portal or User Portal using just their user name without adding the login suffix.
To add a default CyberArk Cloud Directory login suffix:
- Open the Identity Administration portal and click Settings > Users > Directory Services.
- Click CyberArk Cloud Directory.
- In the Cloud Directory Service, select a default login suffix from the drop-down menu and click Save.
Once this is saved, users with that login suffix can sign in to the Identity Administration portal or User Portal without adding the login suffix.
Create an alias for long AD domain names
We recommend using the same login suffix that AD and federated users already use. For example, if users are using your organization's domain name to open their email account, it would help them remember their CyberArk Identity user name if you used the same login suffix. If you have a long or complex AD domain name, you can create a mapped login suffix for AD or federated accounts using the Advanced option. For example, if your login suffix is abc.bigcorp.com, you could define another login suffix, such as abc. Users can then log in to the User Portal using just
Suffix mapping is only for AD and federated users.
To map an AD or federated login suffix:
- Open the Identity Administration portal and click Settings > Customization > Suffix > Add.
- Enter the alias in the Login suffix text box.
- Expand Advanced.
- Clear the Keep Login Suffix and Mapped Suffix the same checkbox.
- Backspace over the login suffix in the text box below the checkbox, enter the AD domain name, and click Save.
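To show how the rules in this section and in the earlier CyberArk Cloud Directory tab fit together (a login name is routed by its suffix; a short name is resolved through the customer ID in the URL only when that ID is a login suffix that does not look like an ID; a default Cloud Directory suffix fills in a missing suffix; an alias maps to its real AD or federated suffix), here is a small resolver. It is an added example written for this page and not CyberArk code: the suffix table, the alias table and the login names are constructed sample data, the `resolve` and `add_alias` functions are assumptions, the regular expression for what "looks like an ID" is an assumption modelled on the AAA0001 example, and the precedence of the default suffix over the URL customer ID is an assumption.

```python
"""Resolver for the login-name routing rules described on this page.
Added illustration only, not CyberArk code. Data, function names, the
'looks like an ID' pattern and the default-suffix precedence are assumptions."""
import re

# Registered login suffixes and the directory each one identifies (constructed sample data).
SUFFIXES = {
    "acme.com": "cloud",        # CyberArk Cloud Directory
    "myorg": "cloud",
    "AAA0001": "cloud",
    "abc.bigcorp.com": "ad",    # Active Directory domain
}
# Alias -> real AD/federated suffix (the mapped suffix set under Advanced).
ALIASES = {"abc": "abc.bigcorp.com"}

# Assumption: a customer ID "looks like an ID" when it is three letters followed by four digits.
_ID_LIKE = re.compile(r"^[A-Za-z]{3}\d{4}$")


def looks_like_id(customer_id):
    return bool(_ID_LIKE.match(customer_id))


def add_alias(alias, target):
    """Register an alias; mapping is only available for AD and federated suffixes."""
    if SUFFIXES.get(target) == "cloud":
        raise ValueError("aliases cannot be created for CyberArk Cloud Directory suffixes")
    if target not in SUFFIXES:
        raise ValueError(f"mapped suffix {target!r} is not registered")
    ALIASES[alias] = target


def resolve(login_name, url_customer_id=None, default_suffix=None):
    """Return (directory, full login name) or raise LookupError explaining why login fails."""
    if "@" in login_name:
        short, suffix = login_name.rsplit("@", 1)
    else:
        short = login_name
        if default_suffix:  # assumption: an enabled default suffix is applied first
            suffix = default_suffix
        elif url_customer_id and looks_like_id(url_customer_id):
            raise LookupError(
                f"customer ID {url_customer_id!r} in the URL looks like an ID; "
                f"log in with a login suffix (for example {short}@{url_customer_id})")
        elif url_customer_id and (url_customer_id in SUFFIXES or url_customer_id in ALIASES):
            suffix = url_customer_id
        else:
            raise LookupError("short name given but the URL customer ID is not a login suffix")
    real = ALIASES.get(suffix, suffix)
    if real not in SUFFIXES:  # suffix not listed on the Suffix page: user cannot be authenticated
        raise LookupError(f"login suffix {suffix!r} is not listed; user cannot be authenticated")
    return SUFFIXES[real], f"{short}@{real}"


def outcome(login_name, url_customer_id=None, default_suffix=None):
    """Wrap resolve() so callers get either ('ok', directory, name) or ('fail', reason)."""
    try:
        directory, name = resolve(login_name, url_customer_id, default_suffix)
        return ("ok", directory, name)
    except LookupError as exc:
        return ("fail", str(exc))


if __name__ == "__main__":
    for args in [("jane@acme.com",), ("jane", "myorg"), ("jane", "AAA0001"),
                 ("jane@AAA0001",), ("jane@abc",), ("jane@nowhere.example",),
                 ("jane", None, "acme.com")]:
        print(args, "->", outcome(*args))
```

The third case reproduces the failing row of the table: the same user succeeds once the login name carries its suffix, which is the check to build into any self-service login form you put in front of these portals.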
Remove the login suffix for a tenant
You can request a tenant without a login suffix. Contact your CyberArk account representative for more information. A tenant without the login suffix has the following limitations:
- The Identity mobile app and CyberArk browser extension should include the tenant URLs since pod0 routing does not work without the login suffix.
- Inbound provisioning is not supported when the login suffix is removed for the tenant. For more information, see Inbound provisioning.