Configure SiteMinder Policies to Support User Mapping (Optional)

To support an environment in which SiteMinder is responsible for user authentication but SiteMinder and WebSphere are not configured to authenticate/authorize users against the same user store, create user mapping policies consisting of the following policy objects:

You can also use global rules and responses.

Note: The following procedure provides an overview of the steps for creating the required policy objects with appropriate parameter settings. For detailed procedural information, see the Policy Server Configuration Guide.

To create a user mapping policy

  1. Open the SiteMinder Administrative UI.
  2. For each configured SiteMinder TAI and SiteMinder Login Module policy realm, configure a rule with the OnAuthAccept authentication event action.
  3. Configure a user mapping response with the following properties:
    Domain

    The domain you created for the SiteMinder Agent for IBM WebSphere

    Name

    User mapping response.

    Description

    A description for the response.

  4. Add a response attribute with the following properties to the user mapping response:
    Attribute

    HTTP Header Variable

    Variable Name

    _SM_MAPPED_USER

    Variable Value

    Any text that is a static attribute, DN attribute, or an active response that resolves to a user present in the WebSphere user store.

    Note: If you are upgrading from an earlier SiteMinder TAI implementation, change the Variable Name used in your user mapping response from _SM_WAS_ID to _SM_MAPPED_USER. The _SM_WAS_ID variable is deprecated at this release.

  5. Configure an authentication policy containing all configured user mapping (OnAuthAccept) rules, associate the user mapping response with each user mapping rule, and add users to the policy.

More information:

Identity and User Mapping