CA SiteMinder® Identity Mappings provide an enhanced method of mapping users from a Source Directory to a Target Directory using custom search criteria. You can use Identity Mappings for both user authorization and user validation.
Identity Mapping provides two methods of mapping: authorization mapping, which maps the authenticated user to a user in an authorization directory, and validation mapping, which maps the session user to a user in a validation directory.
Identity Mappings support custom search criteria and let you control the order in which mapping rules are evaluated through separate identity mapping entry objects. CA SiteMinder® first attempts to locate the user using the mapping entries defined in the Identity Mapping. Only if every mapping entry fails does CA SiteMinder® fall back to the session user directory, and it does so only if that directory is present in the policy store.
Note: For validation mapping, the authentication directory need not be available in the local store.
The following table lists the supported types of directory mapping and the methods that can map the authentication directory to the authorization or validation directory.

| Authentication Directory | Authorization/Validation Directory: LDAP | Authorization/Validation Directory: Relational Database |
|---|---|---|
| LDAP | Identical DN, Universal ID, Custom Search | Universal ID, Custom Search |
| AD | Identical DN, Universal ID, Custom Search | Universal ID, Custom Search |
| Relational Database | Universal ID, Custom Search | Identical DN, Universal ID, Custom Search |
An Identity Mapping can contain one or more identity mapping entries. An identity mapping entry defines a rule that specifies how to find a user in the target directory. The Policy Server builds the search criterion from the session ticket information and uses it to find the user in the target directory.
An identity mapping can reference more than one target user directory. You can add identity mapping entries for different target user directories to the same identity mapping object. The identity mapping entries are processed as an ordered list of mappings; the first entry that locates the user wins.
The following are the two types of identity mapping entries:
Authorization mapping entry: Specifies the links to the source and target directories. If the links are not available, the Authentication Directory is used for authorization. You can select Identical DN or Universal ID, or specify custom search criteria.
Validation mapping entry: Specifies the source directory name as a text string and a link to the target directory. You can provide the name of the source directory or select the default value, SMSESSION User Directory. The default value denotes that the user directory recorded in the session ticket is used for validation. If there is no link to the target directory, the Authentication Directory is used for validation. You can select Identical DN or Universal ID, or specify a custom search attribute.
You can map an authentication directory to an authorization directory or a validation directory using complex user search criteria. A user search criterion is a combination of attributes; each attribute can come from the source directory or the target directory.
Typically, a user search criterion is specific to the type of user directory. For example, an ODBC-based user search criterion is usually different from an LDAP-based one.
To support user directories in different namespaces, define the search criteria separately for each user directory. You can also define a User Directory Attribute Mapping for the target user directory; each user directory then defines its own search criterion for that attribute mapping, so the same mapping object resolves users correctly against directories with different attribute names.
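The following is an added example, written for this page and not SiteMinder code, that models how an ordered identity mapping resolves the session user: the three match methods described above (Identical DN, Universal ID and a custom search that pairs a target attribute with a source directory or session attribute), two target directories in one mapping, and the fall-back to the session directory only when that directory is in the policy store. All directory names, records, attribute names and the `MappingEntry` layout are constructed for the illustration. Two behaviours are the example's own design choices rather than documented product behaviour: a custom search that matches more than one target user fails closed instead of returning the first hit, and values placed into an LDAP filter are escaped per RFC 4515.

```python
"""Illustrative model of ordered identity-mapping resolution.

Written for this page as an example; it is not SiteMinder code.  Directory
names, contents, attribute names and the entry layout are all constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Record = Dict[str, str]
Directory = Dict[str, Record]  # key -> attributes; key is a DN (LDAP) or a row id (ODBC)

# Constructed sample stores.  "authz_ldap" holds jdoe under the same DN as the
# authentication LDAP, "authz_odbc" is keyed by row and contains a duplicated
# employee number so the ambiguous-match path can be exercised.
DIRECTORIES: Dict[str, Directory] = {
    "auth_ldap": {
        "uid=jdoe,ou=people,dc=example": {"uid": "jdoe", "employeeNumber": "10042"},
        "uid=asmith,ou=people,dc=example": {"uid": "asmith", "employeeNumber": "10077"},
        "uid=bwong,ou=people,dc=example": {"uid": "bwong", "employeeNumber": "10099"},
    },
    "authz_ldap": {
        "uid=jdoe,ou=people,dc=example": {"uid": "jdoe", "role": "admin"},
    },
    "authz_odbc": {
        "row:501": {"emp_no": "10077", "role": "finance"},
        "row:502": {"emp_no": "10099", "role": "hr"},
        "row:503": {"emp_no": "10099", "role": "hr-contractor"},
    },
}
# Universal ID attribute configured per directory (assumed names).
UNIVERSAL_ID_ATTR = {"auth_ldap": "uid", "authz_ldap": "uid", "authz_odbc": "emp_no"}


@dataclass
class MappingEntry:
    target_dir: str
    method: str            # "IDENTICAL_DN", "UNIVERSAL_ID" or "CUSTOM"
    target_attr: str = ""  # CUSTOM only
    source_attr: str = ""  # CUSTOM only; an "SM_*" name is read from the session ticket


class AmbiguousMatch(Exception):
    """More than one target user matched; this model fails closed instead of picking one."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value that is placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def custom_search_filter(entry: MappingEntry, value: str) -> str:
    """The LDAP filter a CUSTOM entry would send for the resolved source value."""
    return "(%s=%s)" % (entry.target_attr, escape_filter_value(value))


def match_entry(entry: MappingEntry, session: Dict[str, str]) -> List[str]:
    """Return the keys of every target user this entry matches for the session user."""
    target = DIRECTORIES[entry.target_dir]
    source = DIRECTORIES[session["user_directory"]].get(session["user_dn"], {})
    if entry.method == "IDENTICAL_DN":
        return [session["user_dn"]] if session["user_dn"] in target else []
    if entry.method == "UNIVERSAL_ID":
        tattr = UNIVERSAL_ID_ATTR[entry.target_dir]
        value = source.get(UNIVERSAL_ID_ATTR[session["user_directory"]])
    elif entry.source_attr.startswith("SM_"):
        tattr, value = entry.target_attr, session.get(entry.source_attr)
    else:
        tattr, value = entry.target_attr, source.get(entry.source_attr)
    if value is None:
        return []
    return [key for key, rec in target.items() if rec.get(tattr) == value]


def resolve(entries: List[MappingEntry], session: Dict[str, str],
            policy_store_dirs: Set[str]) -> Optional[Tuple[str, str]]:
    """Walk the entries in order; fall back to the session directory only if it is in the store."""
    for entry in entries:
        hits = match_entry(entry, session)
        if len(hits) > 1:
            raise AmbiguousMatch("%s via %s matched %d users" % (entry.target_dir, entry.method, len(hits)))
        if hits:
            return entry.target_dir, hits[0]
    if session["user_directory"] in policy_store_dirs:
        return session["user_directory"], session["user_dn"]
    return None


# Constructed mapping: try the authorization LDAP by identical DN first, then the
# relational store by employee number.
MAPPING = [
    MappingEntry("authz_ldap", "IDENTICAL_DN"),
    MappingEntry("authz_odbc", "CUSTOM", target_attr="emp_no", source_attr="employeeNumber"),
]


def session_for(dn: str) -> Dict[str, str]:
    """Minimal stand-in for the session ticket of a user authenticated against auth_ldap."""
    return {"user_dn": dn, "user_directory": "auth_ldap", "SM_USERLOGINNAME": dn.split(",")[0][4:]}


if __name__ == "__main__":
    for uid in ("jdoe", "asmith", "nobody"):
        print(uid, resolve(MAPPING, session_for("uid=%s,ou=people,dc=example" % uid), {"auth_ldap"}))
```

The order of entries matters: jdoe resolves through the first entry by identical DN and the relational store is never consulted, while asmith falls through to the custom search. The duplicated employee number for bwong shows why the attribute chosen for a custom search must be unique in the target directory; if it is not, the mapping either authorizes the wrong user or, as here, refuses to resolve at all.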
Configuring an authentication-authorization identity mapping is a two-step process:
1. Configure the authorization identity mapping object.
2. Assign the authorization identity mapping to a realm.
You can configure an identity mapping to authenticate users against one directory and authorize them against another. In addition to Identical DN and Universal ID, you can specify a custom search expression for the authorization identity mapping.
To configure an authorization identity mapping
The Identity Mappings page appears.
The Create Directory Mapping page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The Create Identity Mapping Entry page appears.
Identical DN: Maps the distinguished name (DN) of the user exactly from the authentication directory to the authorization directory.
Universal ID: Matches the value of the Universal ID attribute in the authentication directory against the value of the Universal ID attribute in the authorization directory to identify the user.
Custom search: Specifies an attribute from the target directory and an attribute from the source directory. The source directory attribute can be a user-specified attribute or a SiteMinder session attribute.
The identity mapping entry is added to the authorization identity mapping object.
The authorization identity mapping object is configured.
You can assign an authorization identity mapping to a realm so that the Policy Server authenticates a user against one directory and authorizes the same user against another. The Policy Server uses the authorization directory specified in the realm to authorize users.
To assign an authorization identity mapping to an existing Realm
The Realms page appears.
The View Realm page appears.
The settings and controls become active.
The Authorization identity mapping is assigned to the selected realm.
Configuring an authentication and validation identity mapping is a two-step process:
1. Configure the validation identity mapping object.
2. Assign the validation identity mapping to a realm.
Note: You can create validation mappings for directories within the same policy store; the Source Directory, however, need not be in the local store.
You can configure an identity mapping to authenticate users against one directory and validate them against another. In addition to Identical DN and Universal ID, you can specify a custom search expression for the validation identity mapping.
To configure a validation identity mapping
The Identity Mappings page appears.
The Create Directory Mapping page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The Create Identity Mapping Entry page appears.
If you select Custom search, specify the attributes from the Target Directory and Source Directory.
The Source Directory attribute can either be a user-specified attribute or a SiteMinder session attribute.
The identity mapping entry is added to the validation identity mapping object.
The validation identity mapping object is configured.
You can assign a validation identity mapping to a realm so that the Policy Server authenticates a user against one directory and validates the same user against another. The Policy Server uses the validation directory specified in the realm to validate users.
To assign a validation identity mapping to an existing Realm
The Realms page appears.
The View Realm page appears.
The settings and controls become active.
The validation identity mapping is assigned to the selected realm.
You can configure a single validation identity mapping to serve as the global default for validation mapping. A global validation identity mapping saves you from having to set one for every realm; a mapping assigned locally to a realm overrides the global one.
Follow these steps:
The Select Global Validation Directory Mapping page appears.
The selected validation identity mapping object is set as the global default for validation mapping.
Copyright © 2013 CA. All rights reserved.