Identity mappings provide an enhanced method of mapping users from a source directory to a target directory using custom search criteria. You can use identity mappings for user authorization and user validation.
Identity mapping provides two kinds of mappings: authentication-to-authorization mapping and authentication-to-validation mapping. Both are described later in this page.
Identity mappings enable custom search and let you control the order in which mapping rules are applied by using separate identity mapping entry objects. The Policy Server first attempts to locate the user with the mechanism defined in an identity mapping entry. If every entry fails, the user directory recorded in the session (the session directory) is used to locate the user. The session directory must be in the policy store for the Policy Server to fall back to it.
Note: For validation mapping, the authentication directory does not have to be in the local store.
The following table lists supported types of directory mapping, and the method available to map the authentication directory to the authorization or validation directory.
| Authentication Directory | Authorization/Validation Directory: LDAP | Authorization/Validation Directory: Relational Database |
|---|---|---|
| LDAP | Identical DN, Universal ID, Custom Search | Universal ID, Custom Search |
| AD | Identical DN, Universal ID, Custom Search | Universal ID, Custom Search |
| Relational Database | Universal ID, Custom Search | Identical DN, Universal ID, Custom Search |
An identity mapping can contain one or more entries. Each identity mapping entry defines a rule that specifies how to find the user in a target directory. The Policy Server searches the target directory with criteria derived from the session ticket information.
An identity mapping can contain more than one target user directory. You can add entries for different target user directories in the same identity mapping object. The identity mapping entries are processed as an ordered list of mappings.
The two types of identity mapping entries are:
- Authorization entry: Specifies the links to the source and target directories. If no target directory is linked, the authentication directory is used for authorization. You can select Identical DN or Universal ID, or specify custom search criteria.
- Validation entry: Specifies the source directory name as a text string and a link to the target directory. You can enter the name of the source directory or select the default value, SMSESSION User Directory, which denotes that the user directory recorded in the session ticket is used as the source for validation. If no target directory is linked, the authentication directory is used for validation. You can select Identical DN or Universal ID, or specify a custom search attribute.
You can map an authentication directory to an authorization directory or a validation directory using complex user search criteria. A user search criterion is a combination of attributes. The attribute can be from a source or target directory.
Typically, the user search criterion is user directory-specific. For example, an ODBC-based user search criterion can be different from an LDAP-based user search criterion.
To support user directories in different namespaces, define search criteria for each user directory. You can also define a User Directory Attribute Mapping for the target user directory; each user directory then defines its own search criterion for that attribute mapping. User Directory Attribute Mapping therefore lets you keep the search criteria directory-specific.
Configuring an authentication-authorization identity mapping is a two-step process: first configure the identity mapping object, then assign it to a realm.
To authenticate users against one directory and authorize them against another directory, configure an identity mapping.
Follow these steps:
When you add an identity mapping entry, select one of the following mapping methods:
- Identical DN: Maps the distinguished name (DN) of the user in the authentication directory to the same DN in the target (authorization) directory.
- Universal ID: Matches the Universal ID attribute value from the authentication directory with the Universal ID attribute value in the target directory.
- Custom search: Specifies the attributes from the target directory and the source directory. The source directory attribute can be a user-specified attribute or a CA SiteMinder® session attribute.
The identity mapping entry is added to the authorization identity mapping object.
The authorization identity mapping object is configured.
Assign an authorization identity mapping to a realm. The Policy Server uses the authorization mapping that is specified in the realm to authorize users.
Follow these steps:
The Realms page appears.
The authorization identity mapping is assigned to the selected realm.
Configuring an authentication and validation identity mapping is a two-step process:
Note: You can create validation mappings between directories in the same store, but the source directory does not have to be in the local store.
Configure an identity mapping to authenticate users against one directory and validate users against another directory.
Follow these steps:
If you select Custom search, specify the attributes from the Target Directory and Source Directory.
The Source Directory attribute can be a user-specified attribute or a CA SiteMinder® session attribute.
The identity mapping entry is added to the validation identity mapping object.
The validation identity mapping object is configured.
Assign a validation identity mapping to a realm. The Policy Server uses the validation directory mapping that is specified in the realm to validate users.
Follow these steps:
The validation identity mapping is assigned to the selected realm.
A single validation identity mapping can serve as the global default for validation mapping. Setting a global validation identity mapping saves time because you do not have to set one for every realm. A realm-level validation identity mapping, where one is assigned, overrides the global default.
Follow these steps:
The Select Global Validation Directory Mapping page appears.
The selected validation identity mapping object is set as the global default for validation mapping.
Copyright © 2015 CA Technologies.
All rights reserved.