

Configure a CA IdentityMinder Environment to Use Different Directories for Authentication and Authorization

An administrator may need to manage users whose profiles exist in a different user store from the one that is used for authenticating the administrator. In other words, when logging in to the CA IdentityMinder Environment, the administrator must be authenticated using one directory and authorized to manage users in a second directory, as shown in the following illustration:

[Illustration: an authentication directory connected to the Identity Manager Environment through an authorization directory]

Follow these steps:

  1. Log in to one of the following interfaces:

    Note: For information on using these interfaces, see the documentation for the version of SiteMinder that you are using.

  2. Create two user directories.

    One directory references the authentication data (administrator profiles); the other directory references the authorization data (user profiles).

  3. In the Management Console, create a CA IdentityMinder Environment.

    Select the authorization directory as the CA IdentityMinder directory.

  4. In the interface for the version of SiteMinder used, add the authentication directory to the domain for the CA IdentityMinder Environment that you created in the previous step.

    The domain and the other objects that SiteMinder requires are created automatically when you create an Environment, provided that SiteMinder is integrated with CA IdentityMinder.

    The domain uses the following naming convention:

    Identity Manager-environmentDomain

  5. Make sure that the authentication directory appears first in the list of directories that are associated with the domain.
  6. Locate the Identity Manager-environment_ims_realm.
  7. Map the authorization directory to the authentication directory in the Advanced section of the realm definition.
  8. Locate the Identity Manager-environmentresponse_ims response.
  9. Add a response attribute to the response with the following values:

     Field             Value
     Attribute         Web-Agent-HTTP-Header-Variable
     Attribute Kind    user attribute
     Variable Name     sm_userdn
     Attribute Name    SM_USERNAME

  10. Save the changes.

    CA IdentityMinder now uses different directories for authentication and authorization.