Migrate Entrust IdentityGuard users to IDaaS

You can bulk import Entrust Identity Enterprise user/group associations and authenticators. For users that already exist in Identity as a Service, only their authenticators are migrated.

Click here for the list of migrated authenticators

● KBA (Questions and Answers)

● Entrust Soft Tokens

● Supported Hardware Tokens (both assigned and unassigned)

● Passwords

Password history is not migrated as part of the Entrust Identity Enterprise password migration.

● Grid Cards (assigned and unassigned)

If the serial number already exists in Identity as a Service, the card will not be imported. See Manage grid cards for information on migrating Entrust IdentityGuard grid cards to Identity as a Service).

● Location History

● Expected Location List

● RBA Settings

See the Migration Guide: Entrust Identity Enterprise to Entrust Identity as a Service for more information on the token types supported for migration.

For Entrust Identity Enterprise (formerly Entrust IdentityGuard) users that do not already exist in Identity as a Service, the following occurs:

● If the user is assigned to a group other than the default group, the user's associated group is created.

● Entrust Identity Enterprise user aliases are mapped to the Identity as a Service aliases.

● An Identity as a Service user is created even if values for all of the mandatory attributes are not provided. An administrator may need to edit those users after the import to set missing value. See Edit, delete, unlock, and disable users. The following summarizes how user attributes are migrated:

– Attributes imported from Entrust Identity Enterprise for users that do not exist in Identity as a Service is as follows:

– The Entrust Identity Enterprise full name attribute is used to populate the Identity as a Service firstName and lastName attributes. If a name contains a space, everything before the first space in the full name is treated as the first name, and everything after the first space is treated as the last name.

– For email and phone values, the Entrust Identity Enterprise contact values are searched by name in the order specified until contact information with a value is found. If an Entrust Identity Enterprise contact is not found, then the rest of the contact information is searched until one that looks like an email address is found.

– For mobile and phone attributes, the Entrust Identity Enterprise contact information is searched in the following order until values are found:

Note: When performing Entrust Identity Enterprise migration, user specific overrides coming from Entrust Identity Enterprise will be imported for the user in Identity as a Service. The setting policy values will not be imported with the values in Entrust Identity Enterprise and will be based on Identity as a Service RBA setting policy values. By updating the global policy in Identity as a Service to match with Entrust Identity Enterprise policy values these values will be adjusted accordingly. See the Entrust Identity Enterprise to Entrust Identity as a Service Migration Guide for more information on migrating from Entrust Identity Enterprise to Identity as a Service.

Review the prerequisites before you begin

Confirm the following before completing a bulk Entrust Identity Enterprise Migration on an Identity as a Service account:

● Identity as a Service user accounts have already been created. The Entrust Identity Enterprise user names are mapped to the Identity as a Service user IDs. For example, a user with the ID user1 must be created in Identity as a Service before migrating authenticators previously assigned to an Entrust Identity Enterprise user with the user name user1. User accounts can be created on Identity as a Service in the following ways:

– If your organization uses Microsoft Active Directory, you can use the Identity as a Service AD Sync feature to create accounts and keep them synchronized with changes you make in Active Directory. See Manage directories for more information.

– By performing a bulk import (see Bulk import operations)

– Individually (see Add users)

Note: Before creating Entrust Identity Enterprise users in Identity as a Service, in Identity as a Service go to Settings > General and deselect Create Default Password. If you attempt to import an Entrust Identity Enterprise password authenticator for a user with an already assigned password, the password authenticator import will fail. Other authenticators, such as Entrust Soft Tokens, will still import successfully.

● If you want to import additional contact attributes from Entrust Identity Enterprise, create matching attributes in Identity as a Service (matching means the names should be the same). See Create and manage user attributes.

● The Entrust Identity Enterprise export file has been generated (see the Migration Guide: Entrust Identity Enterprise to Identity as a Service for more information). The file can be in DAT (.dat) format although other file types are supported for this operation.

● The export file password for Entrust Identity Enterprise is accessible. See the Migration Guide: Entrust Identity Enterprise to Entrust Identity as a Service for information on accessing the password.

How to migrate Entrust Identity Enterprise users to Identity as a Service

1. Click > Bulk Operations. The Bulk Operations page appears.

2. Click . The Add Bulk Operation page appears.

3. From the Actions drop-down list, select Import.

4. From the Operations drop-down list, select IdentityGuard Migration.

5. Enter the Password for Entrust Identity Enterprise export file. The password is generated automatically by Entrust Identity Enterprise during the export operation. The password can be viewed only by a master user logged in to the Master User Shell. See the Entrust Identity Enterprise Migration Guide for more information.

6. Click Include Group for Unassigned Authenticators. If selected, unassigned authenticators from an Entrust Identity Enterprise export file, unassigned grid and token authenticators are assigned to their groups in Identity as a Service.

7. Set the Maximum Number of Retries to set the number of bulk import attempts if it is not immediately successful. The default value is 5. This setting prevents an endless number of retry attempt if the operation fails.

8. Enter a unique Name that identifies the operation in the Bulk Operations List page.

9. Enter a Description so that other users can understand the purpose of the operation.

10. Click Initiate. The File to upload dialog box appears.

11. Click the checkered box and browse to select your bulk import file and click Open.

Note: Ensure that the data in your file meets the requirements for the import operation. See Bulk operations prerequisites. The file name you select must only include a file name and not a file path. File names that contain file paths are rejected.

12. Click Upload. The Start/Stop dialog box appears.

13. Click Start. When the upload completes, a Finished prompt appears.

14. Click Finished. You are returned to the Bulk Operations List page. Your bulk operation appears in the list. You can verify the status of the bulk operation.

15. To see a summary of the upload, click to view the details of the bulk operation, including any error information.

16. Click in the Refresh column to refresh the status of a bulk operation. This option appears only when a refresh is available.

Migrate Entrust Identity Enterprise users to IDaaS

Click here for the list of migrated authenticators

Review the prerequisites before you begin

How to migrate Entrust Identity Enterprise users to Identity as a Service