Migrate Entrust Identity Enterprise users to IDaaS

You can bulk import Entrust Identity Enterprise user/group associations and authenticators. For users that already exist in Identity as a Service, only their authenticators are migrated.

List of supported Entrust Identity Enterprise authenticators

  • KBA (Questions and Answers)

  • Entrust Soft Tokens

  • Supported Hardware Tokens (both assigned and unassigned)

  • Passwords

    • Password history is not migrated as part of the Entrust Identity Enterprise password migration.
    • The system supports multiple passwords. During migration, only the passwords from Entrust Identity Enterprise that correspond to a password currently configured in IDaaS are imported.

    For example, if a user has multiple passwords in Entrust Identity Enterprise, such as ATM and Bank, the system imports only the password types configured in IDaaS at the time of migration. Any password type not configured in IDaaS does not migrate.

  • Grid Cards (assigned and unassigned)

    • If the grid card serial number already exists in Identity as a Service, the card is not imported. See Manage grid cards for information on migrating Entrust Identity Enterprise grid cards to Identity as a Service.
  • Location History

  • Expected Location List

  • RBA Settings

Important migration information

See the Migration Guide: Entrust Identity Enterprise to Entrust Identity as a Service for more information on the token types supported for migration.

For Entrust Identity Enterprise (formerly Entrust IdentityGuard) users that do not already exist in Identity as a Service, the following occurs:

  • The user is created.
  • If the user is assigned to a group other than the default group, the user's associated group is created.
  • The user's authenticators are migrated.
  • Entrust Identity Enterprise user aliases are mapped to the Identity as a Service aliases.
  • An Identity as a Service user is created even if values for all of the mandatory attributes are not provided. An administrator may need to edit those users after the import to set the missing values. See Edit, delete, unlock, and disable users. The following summarizes how user attributes are migrated:
    • Attributes are imported from Entrust Identity Enterprise for users that do not exist in Identity as a Service as follows:
    • The Entrust Identity Enterprise full name attribute is used to populate the Identity as a Service firstName and lastName attributes. If a name contains a space, everything before the first space in the full name is treated as the first name, and everything after the first space is treated as the last name.
    • For email and phone values, the Entrust Identity Enterprise contact values are searched by name in the order specified until contact information with a value is found. If an Entrust Identity Enterprise contact is not found, then the rest of the contact information is searched until one that looks like an email address is found.
    • For mobile and phone attributes, the Entrust Identity Enterprise contact information is searched in the following order until values are found:
      • Mobile phone
      • Phone
      • Work phone
      • Home phone
note

The migration imports only user‑specific override settings from Entrust Identity Enterprise. It does not import policy values. Identity as a Service uses its own Risk‑Based Authentication (RBA) policy values. After migration, update the global policy settings in Identity as a Service if you want them to match Entrust Identity Enterprise. See the Entrust Identity Enterprise to Entrust Identity as a Service Migration Guide for more information on migrating from Entrust Identity Enterprise to Identity as a Service.
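The following added example (not Entrust code, and not part of the original guide) previews how the name-splitting, phone search order, and password-type rules described above would apply to a user before migration, so that users likely to need a post-import edit can be identified in advance. The record layout, the function names, matching password types by name, and the handling of a full name without a space are assumptions; the sample users are constructed.

```python
# Added example: previews the documented migration rules on constructed records.
# The record layout is hypothetical; it is NOT the Entrust export file format.

# Search order for mobile/phone values, as listed in the guide.
PHONE_ORDER = ["Mobile phone", "Phone", "Work phone", "Home phone"]


def split_full_name(full_name):
    """Text before the first space -> firstName, text after it -> lastName."""
    first, _, last = full_name.strip().partition(" ")
    # Assumption: a full name without a space leaves lastName empty.
    return first, last.strip()


def first_phone(contacts):
    """Return the first non-empty contact value in the documented order."""
    for name in PHONE_ORDER:
        value = contacts.get(name, "").strip()
        if value:
            return value
    return ""


def preview(user, idaas_password_names):
    """Predict mapped attributes and which password types would migrate."""
    first, last = split_full_name(user["fullName"])
    passwords = user.get("passwords", [])
    mapped = {
        "userId": user["userName"],  # user name maps to the IDaaS user ID
        "firstName": first,
        "lastName": last,
        "phone": first_phone(user.get("contacts", {})),
        # Assumption: password types are matched by name.
        "passwords_migrated": [p for p in passwords if p in idaas_password_names],
        "passwords_skipped": [p for p in passwords if p not in idaas_password_names],
    }
    # Empty attributes are candidates for an administrator edit after import.
    mapped["empty_attributes"] = [
        k for k in ("firstName", "lastName", "phone") if not mapped[k]
    ]
    return mapped


# Constructed sample users (not real data).
SAMPLE_USERS = [
    {"userName": "user1", "fullName": "Mary Ann Smith",
     "contacts": {"Work phone": "555-0100", "Home phone": "555-0199"},
     "passwords": ["ATM", "Bank"]},
    {"userName": "user2", "fullName": "Cher", "contacts": {}, "passwords": ["Bank"]},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(preview(u, idaas_password_names={"Bank"}))
```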

Prerequisites

Confirm the following before completing a bulk Entrust Identity Enterprise Migration on an Identity as a Service account:

  • Identity as a Service user accounts have already been created.

    The Entrust Identity Enterprise user names are mapped to the Identity as a Service user IDs. For example, a user with the ID user1 must be created in Identity as a Service before migrating authenticators previously assigned to an Entrust Identity Enterprise user with the user name user1. User accounts can be created on Identity as a Service in the following ways:

    • If your organization uses Microsoft Active Directory, you can use the Identity as a Service AD Sync feature to create accounts and keep them synchronized with changes you make in Active Directory. See Manage directories for more information.

    • By performing a bulk import (see Bulk import operations)

    • Individually (see Add users)

      note

      Before you create Entrust Identity Enterprise users in Identity as a Service, go to Policies > Registration and clear Automatically create a password for users. If a user already has a password assigned, the system cannot import the Entrust Identity Enterprise password authenticator and the import fails. The system still imports other authenticators, such as Entrust Soft Tokens.

  • If you want to import additional contact attributes from Entrust Identity Enterprise, create matching attributes in Identity as a Service (matching means the names should be the same). See Create and manage user attributes.

  • The Entrust Identity Enterprise export file has been generated (see the Migration Guide: Entrust Identity Enterprise to Identity as a Service for more information). The file can be in DAT (.dat) format although other file types are supported for this operation.

  • The export file password for Entrust Identity Enterprise is accessible. See the Migration Guide: Entrust Identity Enterprise to Entrust Identity as a Service for information on accessing the password.

Migrate Entrust Identity Enterprise users to IDaaS

  1. Click > Bulk Operations. The Bulk Operations page appears.

  2. Click . The Add Bulk Operation page appears.

  3. From the Operations drop-down list, select Identity Enterprise Migration.

  4. From the Actions drop-down list, select Import.

  5. Enter the Password for Entrust Identity Enterprise export file. The password is generated automatically by Entrust Identity Enterprise during the export operation. The password can be viewed only by a master user logged in to the Master User Shell. See the Entrust Identity Enterprise Migration Guide for more information.

  6. Click Include Group for Unassigned Authenticators. If selected, unassigned grid and token authenticators from the Entrust Identity Enterprise export file are assigned to their groups in Identity as a Service.

  7. Set the Maximum Number of Retries to specify how many times the bulk import is attempted if it is not immediately successful. The default value is 5. This setting prevents an endless number of retry attempts if the operation fails.

  8. Enter a unique Name that identifies the operation in the Bulk Operations List page.

  9. Enter a Description so that other users can understand the purpose of the operation.

  10. Click Upload your CSV file and browse to select the bulk operations file.

    note

    Ensure that the data in your file meets the requirements for the import operation. See Bulk operations prerequisites. The file name you select must only include a file name and not a file path. File names that contain file paths are rejected.

  11. Click Initiate and Upload.

  12. A new dialog box appears displaying the Start option to initiate the bulk operation using the uploaded file.

  13. Click Start. You are returned to the Bulk Operations List page. Your bulk operation appears in the list. You can verify the status of the bulk operation.

  14. To see a summary of the upload, click to view the details of the bulk operation, including any error information.

  15. Click in the Refresh column to refresh the status of a bulk operation. This option appears only when a refresh is available.