The Policy Server assumes that a user is authenticated and authorized against the same user directory. However, users can be authenticated against one directory, and authorized against a separate directory. This feature is called directory mapping.
You can map a central directory that stores authentication information with separate distributed user directories that store authorization information. The authorization directories are associated with particular network applications. The mappings locate authenticated users in separate authorization directories.
Note: Directory mapping does not support Impersonation. The user being impersonated must be uniquely present in the authentication directories that are associated with the domain, or the impersonation fails.
Mapping from an authentication directory to an authorization directory is a three-step process.
For example, all the users in the company are authenticated against one central user directory. The marketing organization is authorized against a separate user directory. You can configure a directory mapping between the authentication and the marketing authorization user directories then create a realm for the marketing application. The realm uses the authorization directory defined in the mapping. When a user tries to access the marketing application, the user is authenticated against the central user directory and authorized against the marketing user directory.
The following diagram shows this example.
Authorization Identity Mapping is a directory mapping that authenticates users against one directory and authorizes users against a separate directory.
Validation Identity Mapping is a directory mapping that authenticates users against one directory and validates users against a separate directory. You map an authentication user directory that is connected to one Policy Server to a validation user directory that is connected to a different Policy Server.
You can map authentication directories with authorization and validation directories using the following methods:
Identity mappings let you configure multiple target user directories and use custom search criteria. Identity mappings provide greater flexibility than the legacy directory mappings.
The legacy Auth/Az and AuthValidate directory mappings available in previous releases are still available in this release.
For legacy directory mappings, the user directory connections to the Policy Server must exist for the authentication directory and the authorization or validation directory. Identity mappings do not require existing user directory connections.
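The marketing example above, modelled as an added Python example that is not CA SiteMinder code: a user is authenticated against a central directory, then an Authorization Identity Mapping with a custom search criterion (match on the mail attribute) locates the same person in a separate marketing authorization directory, and the realm's policy is evaluated against that entry. The directories, DNs, attribute names and the `MARKETING_MAPPING`/`MARKETING_REALM` structures are constructed assumptions; the "exactly one match" rule reflects the uniqueness requirement stated in the note above.

```python
# Hypothetical model of an Authorization Identity Mapping; not product code.
import hashlib
import hmac

def pw_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample directories keyed by DN (not real data).
CENTRAL_AUTH_DIR = {
    "uid=jdoe,ou=people,dc=example,dc=com": {"mail": "jdoe@example.com", "pw": pw_hash("s3cret")},
    "uid=asmith,ou=people,dc=example,dc=com": {"mail": "asmith@example.com", "pw": pw_hash("hunter2")},
    "uid=bkim,ou=people,dc=example,dc=com": {"mail": "bkim@example.com", "pw": pw_hash("pass1")},
}
MARKETING_AZ_DIR = {
    "cn=Jane Doe,ou=marketing,dc=example,dc=com": {"mail": "jdoe@example.com", "role": "editor"},
    "cn=Bo Kim,ou=marketing,dc=example,dc=com": {"mail": "bkim@example.com", "role": "editor"},
    "cn=Bo Kim (old),ou=marketing,dc=example,dc=com": {"mail": "bkim@example.com", "role": "reader"},
}
# Mapping: locate the authenticated user in the target directory by matching mail.
MARKETING_MAPPING = {"source_attr": "mail", "target_attr": "mail", "target_dir": MARKETING_AZ_DIR}
MARKETING_REALM = {"mapping": MARKETING_MAPPING, "required_role": "editor"}

def authenticate(auth_dir, uid, password):
    """Authenticate against the central directory; return the entry or None."""
    entry = auth_dir.get(f"uid={uid},ou=people,dc=example,dc=com")
    if entry and hmac.compare_digest(entry["pw"], pw_hash(password)):
        return entry
    return None

def resolve_identity(auth_entry, mapping):
    """Apply the mapping's search criterion; require exactly one match."""
    wanted = auth_entry[mapping["source_attr"]]
    matches = [e for e in mapping["target_dir"].values() if e.get(mapping["target_attr"]) == wanted]
    if len(matches) != 1:
        raise LookupError("no match" if not matches else "ambiguous match")
    return matches[0]

def access(uid, password, realm):
    """Full flow: authenticate centrally, map to the authorization entry, check the realm."""
    auth_entry = authenticate(CENTRAL_AUTH_DIR, uid, password)
    if auth_entry is None:
        return "denied: authentication failed"
    try:
        az_entry = resolve_identity(auth_entry, realm["mapping"])
    except LookupError as err:
        return f"denied: {err}"
    if az_entry["role"] != realm["required_role"]:
        return "denied: not authorized"
    return "granted"
```

A user who authenticates centrally but has no entry (or more than one) in the authorization directory is denied before any policy check runs, which is the failure mode to look for when a mapping is misconfigured.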
Copyright © 2015 CA Technologies.
All rights reserved.