Reset Search



KB9428 - If users are unable to authenticate, verify that the Role Mapping is configured correctly.

« Go Back


Last Modified Date7/31/2015 10:26 PM
If users are unable to authenticate, it could be caused by an incorrect role mapping rule.  This article outlines how to verify that the role mapping rule is configured correctly.
Problem or Goal
Users are unable to login to the Pulse Connect Secure, could the issue be the role mapping?

There are several ways to configure the role mapping for users based on the type of authentication being used.  The types of authentication servers that can be used vary based on the licensing of the PCS. 

The possible types of authentication servers are:


For all the servers, except for the anonymous server, role mapping can be based on Username, Certificate Attribute, or Custom Expression.  With both an Active Directory server and an LDAP server you have the additional option to base a rule on Group Membership.  With both a Site Minder server and a RADIUS server you have the additional option to base a rule on a User Attribute.

To find out what type of authentication is being used and how the role mapping is configured, login to the IVE as an administrator and navigate to User Realms > <name of the realm being used> > General.


Under the Servers section is where the name of the Authentication server is defined.


To find out how the role mapping is configured, navigate to the Role Mapping tab at the top of the page.

role mapping

This will display the role mapping rules for the realm that has been selected.  Here are examples of what each type of rule would look like.  The examples are rules based on: Username, User Attribute, Group Membership, Certificate Attribute, and Custom Expression (in that order):


Once you have found out the type of authentication used and the way that the role mapping is set up, verify that the user(s) having the issue match conditions of the rule.  For example, if you have a rule based on group membership, make sure that the user(s) that are signing in are members of that group.  Or if the rule is based on Username, verify that the rule matches what the user(s) are entering for their username.  If the rule is based on a User Attribute, verify that the user account on the authentication server has the correct attribute.  This process may require that you work with the administrator of the authentication server to verify the settings of the user(s) on the server side.

Related Links
Attachment 1 
Created ByData Deployment



Was this article helpful?



Please tell us how we can make this article more useful.

Characters Remaining: 255