

Legacy Directory Mapping Methods

Legacy directory mapping methods map the authentication directory to an authorization or a validation directory using an Identical DN or a Universal ID.

The following are the two types of legacy directory mapping methods:

If an Auth/Az or AuthValidate mapping is configured, CA SiteMinder® first attempts to locate the user in the session user directory. It uses the specified mapping mechanism only if the user is not found in the session user directory.

How to Configure an Authentication and Authorization Directory Mapping

Configuring an Auth/Az directory mapping is a two-step process:

  1. Configure the Directory Mapping
  2. Assign an Authorization Directory to a Realm

Configure a Directory Mapping

You can configure a directory mapping to authenticate users against one directory and authorize users against another directory.

To configure a directory mapping

  1. Click Infrastructure, Directory.
  2. Click Auth/Az Mapping.

    The Auth/Az Mapping page appears.

  3. Click Create Directory Mapping.

    The Create Directory Mapping page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Select the authentication and authorization directories from the respective lists.
  5. Select the Identical DN or Universal ID.

    Important! The directory mapping is successful only if the Universal ID points to a single entry in the authorization directory.

  6. Click Submit.

    The Create Directory Mapping task is submitted for processing.

More information:

Universal IDs
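
A pre-check for the Universal ID requirement in step 5, as an added example that is not CA SiteMinder code: it scans an export of the authorization directory for Universal ID values that match more than one entry, and for entries that carry no Universal ID. The LDIF data is constructed, and employeeNumber as the Universal ID attribute is an assumption.

```python
from collections import defaultdict

# Constructed export of the authorization directory (simple LDIF: no folded
# lines, no base64 "::" values). "employeeNumber" is an assumed attribute name.
AUTHZ_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
employeeNumber: 1001

dn: uid=bob,ou=people,dc=example,dc=com
employeeNumber: 1002

dn: uid=bob.admin,ou=admins,dc=example,dc=com
employeeNumber: 1002

dn: uid=svc-batch,ou=services,dc=example,dc=com
"""

def parse_ldif(text):
    """Parse simple LDIF into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry[name.strip().lower()].append(value.strip())
        if "dn" in entry:
            entries.append(dict(entry))
    return entries

def index_by_id(entries, attr):
    """Map each Universal ID value (exact string match) to the DNs holding it."""
    index = defaultdict(list)
    for entry in entries:
        for value in entry.get(attr.lower(), []):
            index[value].append(entry["dn"][0])
    return dict(index)

def audit(entries, attr):
    """Return (ambiguous, missing): IDs on >1 entry, and DNs with no ID."""
    ambiguous = {v: d for v, d in index_by_id(entries, attr).items() if len(d) > 1}
    missing = [e["dn"][0] for e in entries if not e.get(attr.lower())]
    return ambiguous, missing

def resolve(universal_id, index):
    """Return the one matching DN, or None if the ID matches 0 or several."""
    dns = index.get(universal_id, [])
    return dns[0] if len(dns) == 1 else None
```

Calling audit(parse_ldif(AUTHZ_LDIF), "employeeNumber") returns the ambiguous IDs and the entries without an ID; both lists should be empty before the mapping is created.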

Assign an Authorization Directory to a Realm

You assign a directory mapping to a realm so the Policy Server may authenticate a user in one directory and authorize a user in another directory. The Policy Server uses the authorization directory specified in the realm to authorize users.

To assign a directory mapping to a realm

  1. Open the realm to which you want to assign a directory mapping.
  2. From the Directory Mapping list, select the user directory that the realm should use to authorize an authenticated user.

    The Default value indicates that there is no directory mapping; the authentication directory will be used as the authorization directory when a user attempts to access a resource in the realm. The list only contains user directories that have been configured as authorization directories in an existing directory mapping.

    Important! You can map only one authorization directory per realm.

  3. Click Submit.

    The Policy Server saves the directory mapping. Users that access the realm authenticate normally and authorize against the directory specified in the realm.

More information:

Configure a Realm

How to Configure an AuthValidate Directory Mapping

AuthValidate Directory Mapping is an extension of Authentication and Authorization Directory Mapping. Both types of directory mapping allow users to authenticate against one user directory and authorize against another user directory. In both cases, the directory mapping type can be further specified as Identical DN or Universal ID.

AuthValidate directory mapping extends Authentication and Authorization directory mapping in three ways:

Configure an AuthValidate Directory Mapping

You can configure an AuthValidate directory mapping to authenticate users against one directory and validate users against another directory.

Note: AuthValidate mappings are global.

To configure an AuthValidate Directory Mapping

  1. Click Infrastructure, Directory.
  2. Click AuthValidate Directory Mappings.

    The AuthValidate Directory Mappings page appears.

  3. Click Create AuthValidate Directory Mapping.

    The Create AuthValidate Directory Mapping page appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. In the Authentication Directory field, type the name of the directory that is used to authenticate users.
  5. Select the directory that is used to validate users from the Validation Directory list.
  6. Select a mapped DN from the available options.
  7. Click Submit.

    The AuthValidate Directory Mapping task is created.