

Identity Mappings

CA SiteMinder® Identity Mappings provide an enhanced method of mapping users from a Source Directory to a Target Directory using custom search criteria. You can use Identity Mappings for both user authorization and user validation.

Identity Mapping provides two kinds of mapping: authorization mapping and validation mapping.

Identity Mappings enable custom search and let you control the order of mapping rules using different identity mapping entry objects. CA SiteMinder® first attempts to locate the user using the mapping mechanism defined in an Identity Mapping. Only if that mapping fails does CA SiteMinder® default to the session user directory, and it does so only if the session directory is present in the policy store.

Note: For validation mapping, the authentication directory need not be available in the local store.

Supported Directories for Identity Mappings

The following table describes supported types of directory mapping, and the method that can be used to map the authentication directory to the authorization or validation directory.

Authentication Directory | Authorization/Validation Directory: LDAP    | Authorization/Validation Directory: Relational Database
-------------------------+---------------------------------------------+--------------------------------------------------------
LDAP                     | Identical DN, Universal ID, Custom Search   | Universal ID, Custom Search
AD                       | Identical DN, Universal ID, Custom Search   | Universal ID, Custom Search
Relational Database      | Universal ID, Custom Search                 | Identical DN, Universal ID, Custom Search

Identity Mapping Entry Types

An Identity Mapping can contain one or more identity mapping entries. An identity mapping entry defines a rule that specifies how to find a user in the target directory. The Policy Server uses search criterion based on the session ticket information to find the user in the target directory.

An identity mapping can contain more than one target user directory. You can add identity mapping entries for different target user directories in the same identity mapping object. The identity mapping entries are processed as an ordered list of mappings.

The following are the two types of identity mapping entries:

Authorization Identity Mapping Entry

Specifies the links to the source and target directories. If the links are not available, the Authentication Directory is used for authorization. You can select either an Identical DN, a Universal ID, or specify custom search criteria.

Validation Identity Mapping Entry

Specifies the source directory name as a text string and a link to the target directory. You can provide the name of the source directory or select the default value, SMSESSION User Directory. The default value denotes that the user directory within the session ticket is used for validation. If there is no link to the target directory, the Authentication Directory is used for validation. You can select an Identical DN, a Universal ID, or specify a custom search attribute.

Using Complex User Search Expressions

You can map an authentication directory to an authorization directory or a validation directory using complex user search criteria. A user search criterion combines attributes, each of which can come from the source directory or the target directory.

Typically, the user search criterion is user directory-specific. For example, an ODBC-based user search criterion can be different from an LDAP-based user search criterion.

To support user directories in different namespaces, define the search criteria for each user directory. You can also define a User Directory Attribute Mapping for the target user directory; each user directory must then define its own specific search criterion for that attribute mapping. User Directory Attribute Mapping therefore lets you define user directory-specific search criteria.
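As an added illustration (not SiteMinder code or its API), the following Python models the lookup order described above: entries are tried in order, each applying only a criterion the support table allows for its directory pair, and the session user directory is used only when no entry matches and that directory is present in the policy store. The directories, records and attribute names are constructed.

```python
# Constructed model of the identity-mapping lookup order described on this page.
# Illustrative only: not SiteMinder's implementation or API.
from dataclasses import dataclass

# Support matrix from the page's table: (auth dir type, target dir type) -> criteria.
SUPPORTED = {
    ("LDAP", "LDAP"): {"IdenticalDN", "UniversalID", "CustomSearch"},
    ("AD", "LDAP"): {"IdenticalDN", "UniversalID", "CustomSearch"},
    ("RDB", "LDAP"): {"UniversalID", "CustomSearch"},
    ("LDAP", "RDB"): {"UniversalID", "CustomSearch"},
    ("AD", "RDB"): {"UniversalID", "CustomSearch"},
    ("RDB", "RDB"): {"IdenticalDN", "UniversalID", "CustomSearch"},
}

@dataclass
class Directory:
    name: str
    kind: str      # "LDAP", "AD" or "RDB"
    users: list    # constructed records: dicts keyed by attribute name ("dn", "uid", ...)

@dataclass
class Entry:
    source: Directory
    target: Directory
    criterion: str          # "IdenticalDN", "UniversalID" or "CustomSearch"
    source_attr: str = ""   # CustomSearch: attribute of the session/source user
    target_attr: str = ""   # CustomSearch: attribute to match in the target directory

def find_in_target(entry, session_user):
    """Apply one mapping entry's rule; return the single matching target record or None."""
    if entry.criterion not in SUPPORTED[(entry.source.kind, entry.target.kind)]:
        raise ValueError(f"{entry.criterion} unsupported for {entry.source.kind}->{entry.target.kind}")
    if entry.criterion == "IdenticalDN":
        key, value = "dn", session_user["dn"]
    elif entry.criterion == "UniversalID":
        key, value = "uid", session_user["uid"]
    else:
        key, value = entry.target_attr, session_user.get(entry.source_attr)
    matches = [u for u in entry.target.users if u.get(key) == value]
    return matches[0] if len(matches) == 1 else None  # zero or ambiguous hits: no match

def resolve(entries, session_user, session_dir, policy_store_dirs):
    """Walk the ordered entries; fall back to the session directory only if the
    policy store contains it. Returns (directory name, record) or None."""
    for entry in entries:
        found = find_in_target(entry, session_user)
        if found is not None:
            return entry.target.name, found
    if session_dir.name in policy_store_dirs:
        return session_dir.name, session_user
    return None
```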

How to Configure an Authentication and Authorization Identity Mapping

Configuring an authentication-authorization identity mapping is a two-step process:

  1. Configure an authorization identity mapping
  2. Assign an authorization identity mapping to a realm

Configure an Authorization Identity Mapping

You can configure an identity mapping to authenticate users against one directory and authorize users against another directory. In addition to Identical DN and Universal ID, you can specify a custom search expression for the authorization identity mapping.

To configure an authorization identity mapping

  1. Click Infrastructure, Directory.
  2. Click Identity Mappings.

    The Identity Mappings page appears.

  3. Click Create Identity Mapping.

    The Create Directory Mapping page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Specify a name and description for the mapping.
  5. Select the mapping type as Authentication-Authorization.
  6. Click Create Entry.

    The Create Identity Mapping Entry page appears.

  7. Specify a name for the identity mapping entry.
  8. Select the source and target directories from the respective lists.
  9. Select a user search criterion from the following:
    Identical DN

    Maps the distinguished name (DN) of a user exactly from the authentication directory to the target directory.

    Universal ID

    Matches the value of the Universal ID attribute from the authentication directory with the value of the Universal ID field in the target directory to identify the user.

    Custom Search

    Specifies the attributes from the target directory and source directory. The source directory attribute can be a user-specified attribute or a SiteMinder session attribute.

  10. Click OK.

    The identity mapping entry is added to the authorization identity mapping object.

  11. Click Submit.

    The authorization identity mapping object is configured.

Assign an Authorization Identity Mapping to a Realm

You can assign an authorization identity mapping to a realm so that the Policy Server authenticates a user in one directory and authorizes a user in another directory. The Policy Server uses the authorization directory specified in the realm to authorize users.

To assign an authorization identity mapping to an existing Realm

  1. Click Policies, Domain, Realms.

    The Realms page appears.

  2. Select the realm that you want to modify.

    The View Realm page appears.

  3. Click Modify.

    The settings and controls become active.

  4. Select the identity mapping to use as the authorization directory from the Authorization Mapping list.
  5. Click Submit.

    The Authorization identity mapping is assigned to the selected realm.

More information:

Configure Advanced Policy Components for Applications

How to Configure an Authentication and Validation Identity Mapping

Configuring an authentication and validation identity mapping is a two-step process:

  1. Configure a validation identity mapping
  2. Assign a validation identity mapping to a realm

Note: You can create validation mappings for directories within the same store. The Source Directory need not be in the local store.

Configure a Validation Identity Mapping

You can configure an identity mapping to authenticate users against one directory and validate users against another directory. In addition to Identical DN and Universal ID, you can specify a custom search expression for the validation identity mapping.

To configure a validation identity mapping

  1. Click Infrastructure, Directory.
  2. Click Identity Mappings.

    The Identity Mappings page appears.

  3. Click Create Identity Mapping.

    The Create Directory Mapping page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Type the name and description.
  5. Select the mapping type as Authentication-Validation.
  6. Click Create Entry.

    The Create Identity Mapping Entry page appears.

  7. Type the name.
  8. Specify a Source Directory if the directory is not from within the session.
  9. Select the target directory.
  10. Select a user search criterion.

    If you select Custom search, specify the attributes from the Target Directory and Source Directory.

    The Source Directory attribute can either be a user-specified attribute or a SiteMinder session attribute.

  11. Click OK.

    The identity mapping entry is added to the validation identity mapping object.

  12. Click Submit.

    The validation identity mapping object is configured.

Assign a Validation Identity Mapping to a Realm

You can assign a validation identity mapping to a realm so that the Policy Server authenticates a user in one directory and validates the user in another directory. The Policy Server uses the validation directory specified in the realm to validate users.

To assign a validation identity mapping to an existing Realm

  1. Click Policies, Domain, Realms.

    The Realms page appears.

  2. Select the realm that you want to modify.

    The View Realm page appears.

  3. Click Modify.

    The settings and controls become active.

  4. Select the identity mapping to use as the validation directory from the Validation Mapping list.
  5. Click Submit.

    The validation identity mapping is assigned to the selected realm.

More information:

Configure Advanced Policy Components for Applications

Configure a Default Global Validation Directory Mapping

You can configure a single validation identity mapping to serve as the global default for validation mapping. Setting a global validation identity mapping saves you time by not having to set one for every realm. However, you can override the global validation identity mapping with a local mapping.

Follow these steps:

  1. Click Policies, Global.
  2. Click Select Global Validation Directory Mapping.

    The Select Global Validation Directory Mapping page appears.

  3. Select a validation identity mapping object from the corresponding list.
  4. Click Submit.

    The selected validation identity mapping object is set as the global default for validation mapping.