How to Use Login Suffixes

The login suffix is the part of the login name that follows the @ sign. For example, if the login name is bob.jones@acme.com, the login suffix is “acme.com.” The login suffix identifies the ID repository that contains the user account when the user logs in to the portals or registers a device. If the login suffix is not listed on the Suffix page in Admin Portal (Settings > General > Suffix), the user cannot be authenticated.

Privileged Access Service automatically creates a default login suffix for your organization from the login suffix of the work email address entered in the IBM Security sign-up form. If that login suffix is already in use, Privileged Access Service appends a one- or two-digit number to it. For example, if the email address entered when the Privileged Access Service account was created had the login suffix acme.com, but “acme.com” was already used by another organization, Privileged Access Service would create the login suffix acme.com.4.

You can create additional login suffixes for IBM Security Directory accounts. You assign a login suffix to a new Privileged Access Service account when you create the account.

IBM Security Directory Specific Information

For IBM Security Directory users, the customer ID in the URL can be an ID or a login suffix.

However, if you use a login suffix and the user name specified is a short name (without a login suffix), then the customer ID in the URL must be a login suffix, and that login suffix must not look like an ID.

The following are examples of using a short name (without login suffix) user name to log in to Privileged Access Service.

  • URL: https://companyXYZ/home?customerid=myorg.com
    User name without login suffix: jane
    Restrictions: You must have a user account jane@myorg.com.

  • URL: https://cloud.centrify.com/home?customerId=myorg
    User name without login suffix: jane
    Restrictions: You must have a user account jane@myorg.

  • URL: https://cloud.centrify.com/home?customerId=AAA0001
    User name without login suffix: jane
    Restrictions: Even though AAA0001 is a valid login suffix, this login fails because the customer ID in the URL looks like an ID. For this login to succeed, the user name must include a login suffix (for example, jane@AAA0001).

Active Directory Specific Information

If you are using an Active Directory domain as an ID repository, the Privileged Access Service adds the following login suffixes when the connector is installed:

  • The login suffix in the installer account name. This allows the administrator to log in to Admin Portal right after installing the connector.

    If the login suffix in the connector installer’s account is already in use in Privileged Access Service, an error message is displayed and you cannot use that domain name as a login suffix. (This occurs rarely, but it can happen.) Contact support if this happens to your account.

  • The domain name of the domain controller to which the host computer for the connector is joined.

  • If that domain controller is part of a tree or forest, the Privileged Access Service adds a login suffix for all other domains in the tree or forest it can locate.

    If you have users with Active Directory accounts in domains in a tree or forest that was not found, or users who log in with their Office 365 account, you must add those login suffixes before these users can log in to Admin Portal and register a device.

    You can also create an alias for an Active Directory domain name. You would use an alias to simplify login for users with a long or complicated Active Directory login suffix. See Creating an Alias for Long Active Directory Domain Names for further detail. You cannot create an alias for IBM Security Directory login suffixes.

Creating a Login Suffix

You can create as many login suffixes as you want for IBM Security Directory accounts. A login suffix can be composed of any UTF-8 alphanumeric characters plus the symbols + (plus), - (dash), _ (underscore), and . (period). You can, but are not required to, use the form label.label for your login suffixes; a login suffix can also be a single label, for example ABCCorp.

Login suffixes must be unique in Privileged Access Service (not just within your Privileged Access Service account). If you enter a login suffix that is already in use, you get an error message.

You can select any login suffix when you create new Privileged Access Service accounts.

To create a login suffix:

  1. Log in to Admin Portal and click Settings > General > Suffix > Add.

  2. Enter the suffix in the text box and click Save.

Deleting a Login Suffix

You cannot delete a login suffix that has any user accounts. Admin Portal displays an error message if you try to delete a login suffix that still has user accounts. To delete a login suffix, remove all of its user accounts.

If you need to use an existing login suffix for another tenant, you will need to rename it. See Modifying a Login Suffix.

Modifying a Login Suffix

You can rename a login suffix. If you do, the accounts associated with the original login suffix are automatically updated to the new one. Be sure to notify the users affected that they have a new login suffix. They will not be able to log in using the original suffix.

To modify a login suffix:

  1. Open Admin Portal and click Settings > General > Suffix.

  2. Right-click the login suffix and click Modify.

  3. Make your changes in the text box and click Save.

Creating an Alias for Long Active Directory Domain Names

Best practice dictates that you use a login suffix for Active Directory users that they are already using. For example, if they’re using your organization’s domain name to open their email account, it would help them remember their Privileged Access Service user name if you used the same login suffix.

However, this is not a requirement. For example, if you have a long or complex Active Directory domain name, you can create a mapped login suffix for Active Directory accounts using the Advanced option. For example, if your login suffix is abc.bigcorp.com, you could define another login suffix, such as “abc.”

To map an Active Directory login suffix:

  1. Open Admin Portal and click Settings > General > Suffix > Add.

  2. Enter the alias in the Login suffix text box.

  3. Expand Advanced.

  4. Clear the Keep Login Suffix and Mapped Suffix the same checkbox.

  5. Delete the login suffix shown in the text box below the checkbox and enter the Active Directory domain name in its place.

  6. Click Save.
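To make the login-suffix rules on this page concrete, here is an added Python model; it is example code, not Privileged Access Service code. It covers the short-name and customer ID rule from the table above, the allowed-character and uniqueness rules for creating a suffix, and the alias mapping described in this section. SuffixTable, its method names, the constructed sample data and the letters-then-digits heuristic for a value that “looks like an ID” are all assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Page rule: UTF-8 alphanumerics plus + - _ and . (\w covers Unicode letters, digits and _)
SUFFIX_RE = re.compile(r"^[\w+.\-]+$")
# Assumption (constructed heuristic): letters followed by digits, like the page's AAA0001, "looks like an ID"
ID_SHAPED_RE = re.compile(r"^[A-Za-z]+\d+$")

@dataclass
class SuffixTable:                                   # hypothetical model, not product code
    suffixes: set = field(default_factory=set)       # login suffixes in use (must be unique)
    aliases: dict = field(default_factory=dict)      # alias -> mapped AD domain (Advanced option)
    accounts: dict = field(default_factory=dict)     # suffix -> set of user names

    def add(self, suffix, mapped_to=None):
        if not SUFFIX_RE.match(suffix):
            raise ValueError(f"invalid characters in login suffix {suffix!r}")
        if suffix in self.suffixes or suffix in self.aliases:
            raise ValueError(f"login suffix {suffix!r} is already in use")
        if mapped_to is not None:                    # alias for a long Active Directory domain
            self.aliases[suffix] = mapped_to
        else:
            self.suffixes.add(suffix)
            self.accounts[suffix] = set()

    def add_account(self, user, suffix):
        self.accounts[suffix].add(user)              # KeyError if the suffix is not registered

    def resolve(self, user_name, customer_id=None):
        """Return (user, repository suffix) for a login attempt, or raise LookupError."""
        if "@" in user_name:                         # full login name: suffix is the part after @
            user, suffix = user_name.rsplit("@", 1)
        else:                                        # short name: suffix must come from customerId
            if customer_id is None or ID_SHAPED_RE.match(customer_id):
                raise LookupError("short name needs a customerId that is a login suffix, not an ID")
            user, suffix = user_name, customer_id
        suffix = self.aliases.get(suffix, suffix)    # alias -> real Active Directory domain
        if suffix not in self.suffixes or user not in self.accounts[suffix]:
            raise LookupError(f"no account {user}@{suffix} in a registered login suffix")
        return user, suffix

def sample_table():                                  # constructed data mirroring the page's examples
    t = SuffixTable()
    for s in ("myorg.com", "myorg", "AAA0001", "abc.bigcorp.com"):
        t.add(s)
    t.add("abc", mapped_to="abc.bigcorp.com")        # alias for the long AD domain
    for user, suffix in (("jane", "myorg.com"), ("jane", "myorg"), ("jane", "AAA0001"), ("bob", "abc.bigcorp.com")):
        t.add_account(user, suffix)
    return t
```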