Overview
When integrating Virtru with an on-premises Active Directory (AD), a mismatch between the User Principal Name (UPN) and the SMTP (email) address can create significant issues. These issues can affect directory synchronization, user activation, and SAML authentication, ultimately disrupting access to Virtru services.
Key Considerations
1. AD Sync Adjustment
For synchronization between on-prem AD and Virtru to work, the LDAP query must return each user's email address (the AD mail attribute) rather than the userPrincipalName. Some configurations select the UPN by default, so a user whose UPN differs from their SMTP address is presented to the Virtru Console under an identifier that is not their email address.
Potential Issues:
- Users may not be recognized correctly in the Virtru Console.
- License assignments may fail due to incorrect email mappings.
- Activation links may be sent to the UPN instead of the email address, preventing users from receiving them.
Recommended Action:
Ensure that your LDAP query returns the mail attribute (the user's SMTP address) rather than userPrincipalName. If UPN is the default, change the mapped attribute so that Virtru receives the address at which users actually read mail.
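Before adjusting the sync query, it helps to know which accounts are actually affected. The following PowerShell is an added example, not Virtru's own code or tooling: it lists on-prem AD users whose UPN differs from their mail attribute (or who have no mail value at all) and also shows the primary SMTP address from proxyAddresses, which is what the mail attribute normally should equal. It requires the ActiveDirectory RSAT module; the SearchBase default is an assumed placeholder that you replace with the OU or domain root that Virtru AD sync reads.

```powershell
# Added example (not Virtru's own code): list on-prem AD users whose UPN does not
# match their mail attribute, i.e. the accounts that will hit the UPN/SMTP mismatch.
# Requires the ActiveDirectory RSAT module. The SearchBase default is an assumed
# placeholder; point it at the OU (or domain root) that Virtru AD sync reads.
Import-Module ActiveDirectory

function Get-UpnMailMismatch {
    param(
        [string]$SearchBase = 'DC=example,DC=com'   # assumed placeholder
    )

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties mail, proxyAddresses |
    ForEach-Object {
        $user = $_
        # The primary SMTP address is the proxyAddresses entry with an upper-case "SMTP:" prefix;
        # -clike keeps the comparison case-sensitive so secondary "smtp:" aliases are skipped.
        $primarySmtp = @($user.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })[0] -replace '^SMTP:', ''

        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            UserPrincipalName = $user.UserPrincipalName
            Mail              = $user.mail
            PrimarySmtp       = $primarySmtp
            # -eq on strings is case-insensitive in PowerShell, which matches how AD treats addresses.
            UpnMatchesMail    = [bool]($user.mail -and ($user.UserPrincipalName -eq $user.mail))
            HasMail           = [bool]$user.mail
        }
    }
}

# Affected accounts: UPN differs from mail, or mail is empty so sync has nothing to map.
$affected = Get-UpnMailMismatch | Where-Object { -not $_.UpnMatchesMail }
$affected | Sort-Object UserPrincipalName | Format-Table -AutoSize

# Hand the list to whoever owns the directory or the sync query:
# $affected | Export-Csv -NoTypeInformation -Path .\upn_mail_mismatch.csv
```

Run it from a workstation with RSAT and read access to the OU. Rows where HasMail is false need a mail value set before any query change will help, because there is no address for the sync to pick up; rows where UpnMatchesMail is false are the users whose activation links would otherwise go to the UPN.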
2. SAML Considerations
When SAML authentication is enabled, the identity provider typically sends the UPN as the user identifier (the SAML NameID, shown as the Unique User Identifier in the provider's claims settings). If the UPN does not match the user's SMTP email address, Virtru identifies the user by the UPN and sends activation emails there, so users may never see their activation links.
Potential Issues:
- Users may not receive their activation emails.
- License activation may fail due to incorrect user identifiers.
- Users may experience authentication failures when logging in with their email.
Recommended Action:
Check which attribute your SAML provider sends as the user identifier. If it is the UPN and your UPNs differ from SMTP addresses, change the Unique User Identifier to the email address so that the identifier Virtru receives matches the address it can send mail to.
3. Possible Solutions
To prevent disruptions caused by a UPN/SMTP mismatch, consider the following solutions:
- Modify AD Sync Queries – Ensure LDAP queries return the mail attribute (email address) instead of userPrincipalName.
- Update SAML Provider Settings – If possible, configure your SAML provider to send the email address as the user identifier instead of the UPN.
In the identity provider's SAML Attributes & Claims section (the claims below are the defaults of a Microsoft Entra ID enterprise application), adjust the Unique User Identifier as follows:
| Attribute | Value |
|---|---|
| givenname | user.givenname |
| surname | user.surname |
| emailaddress | user.mail |
| name | user.userprincipalname |
| Unique User Identifier (default) | user.userprincipalname |
| Unique User Identifier (if UPN and SMTP do not match) | user.mail |
If the user's UPN and SMTP do not match, set the Unique User Identifier to user.mail instead of user.userprincipalname. This changes the identifier sent for every user of the application, so confirm first that the mail attribute is populated for everyone who signs in to Virtru; a user with an empty mail value has no usable identifier to send.
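After changing the claim, confirm what the identity provider actually sends rather than trusting the portal setting. The PowerShell below is an added example, not Virtru's or the identity provider's code: it decodes a captured SAMLResponse (for instance from a browser SAML-tracing extension), reads the NameID and the emailaddress and name claims, and reports whether the NameID is the email address. The embedded assertion is a constructed sample, unsigned and minimal, that shows the pre-change state where NameID still carries the UPN; the tenant URL and addresses in it are made up.

```powershell
# Added example (not Virtru's or the IdP's code): decode a captured SAMLResponse and
# check whether NameID (the Unique User Identifier) carries the mail address or the UPN.
function Test-SamlNameIdIsEmail {
    param(
        [Parameter(Mandatory)][string]$SamlResponseBase64
    )

    $xmlText = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($SamlResponseBase64))
    $xml = [xml]$xmlText

    # SAML 2.0 namespaces; the claim URIs are the default claim names used in the table above.
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $claimBase = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/'

    $nameIdNode = $xml.SelectSingleNode('//saml:Subject/saml:NameID', $ns)
    $emailNode  = $xml.SelectSingleNode("//saml:Attribute[@Name='${claimBase}emailaddress']/saml:AttributeValue", $ns)
    $upnNode    = $xml.SelectSingleNode("//saml:Attribute[@Name='${claimBase}name']/saml:AttributeValue", $ns)

    $nameId = $nameIdNode.InnerText
    $email  = $emailNode.InnerText

    [pscustomobject]@{
        NameID        = $nameId
        NameIDFormat  = $nameIdNode.GetAttribute('Format')
        EmailClaim    = $email
        UpnClaim      = $upnNode.InnerText
        # Case-insensitive string comparison; an empty email claim never counts as a match.
        NameIdIsEmail = [bool]($email -and ($nameId -eq $email))
    }
}

# Constructed sample (not a real capture): NameID still carries the UPN, so the check fails.
$sampleXml = @"
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.example.invalid/tenant/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@corp.example.local</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><saml:AttributeValue>jdoe@corp.example.local</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"@
$sampleB64 = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml))

$check = Test-SamlNameIdIsEmail -SamlResponseBase64 $sampleB64
$check | Format-List
if (-not $check.NameIdIsEmail) {
    Write-Warning "NameID '$($check.NameID)' is not the email claim '$($check.EmailClaim)'; Virtru will key this user on the UPN."
}
```

To use it on a real login, paste the base64 SAMLResponse form value into the function. After switching the Unique User Identifier to user.mail, NameID and the emailaddress claim should be the same value and NameIdIsEmail should be true; if NameID comes back empty for some users, their mail attribute is unpopulated.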
Conclusion
Ignoring a UPN/SMTP mismatch can lead to sync failures, authentication problems, and activation issues, potentially disrupting access to Virtru services. By adjusting your AD sync settings and SAML configuration, you can prevent these issues and ensure a seamless user experience.