Configure an Identity Manager Environment to Use Different Directories for Authentication and Authorization

An administrator may need to manage users whose profiles exist in a different user store from the one that is used for authenticating the administrator. In other words, when logging in to the Identity Manager Environment, the administrator must be authenticated using one directory and authorized to manage users in a second directory, as shown in the following illustration:

To configure an Identity Manager Environment to use different directories for authentication and authorization

  1. Log into one of the following interfaces:

    Note: For information on using these interfaces, see the documentation for the version of SiteMinder that you are using.

  2. Create two user directories.

    One directory references the authentication data (administrator profiles); the other directory references the authorization data (user profiles).

  3. In the Management Console, create an Identity Manager Environment.

    Select the authorization directory as the Identity Manager directory.

  4. In the interface for the version of SiteMinder that you are using, add the authentication directory to the domain for the Identity Manager Environment that you created in the previous step.

    The domain and the other objects that SiteMinder requires are created automatically when you create an Environment in a CA Identity Manager installation that is integrated with SiteMinder.

    The domain uses the following naming convention, where <Identity Manager-environment> stands for the name of the Identity Manager Environment:

    <Identity Manager-environment>Domain

  5. Make sure that the authentication directory appears first in the list of directories associated with the domain.
  6. Locate the <Identity Manager-environment>_ims_realm realm.
  7. Map the authorization directory to the authentication directory in the Advanced section of the realm definition.
  8. Locate the <Identity Manager-environment>response_ims response.
  9. Add a response attribute to that response with the following values:

    Field             Value
    Attribute         Web-Agent-HTTP-Header-Variable
    Attribute Kind    user attribute
    Variable Name     sm_userdn
    Attribute Name    SM_USERNAME

  10. Save the changes.

    CA Identity Manager will now use different directories for authentication and authorization.