CA SiteMinder® assumes that a user will be authenticated and authorized against the same user directory. Although this default behavior is sufficient in many cases, CA SiteMinder® also provides the ability to authenticate users against one directory, and authorize users against a separate directory. This feature is called directory mapping. It is especially useful when authentication information is stored in a central directory, but authorization information is distributed in separate user directories that are associated with particular network applications.
Note: Impersonation is not supported by directory mapping. The impersonatee, the user being impersonated, must be uniquely present in the authentication directories associated with the domain or the impersonation fails.
Mapping from an authentication directory to an authorization directory is a three-step process.
Directory connections you want to specify as authentication or authorization directories in a mapping must be configured on the User Directory pane.
The Policy Server uses directory mappings to locate authenticated users in separate authorization directories.
By associating a directory mapping with a specific realm, you can define the directory against which a user will be authorized for specific resources in a network.
For example, in the following diagram, all of the users in a company are authenticated against a single central user directory, but the marketing organization has a separate user directory that contains authorization data for Marketing staff. Using the Policy Server, you can configure a directory mapping to the Marketing authorization user directory, then you can create a realm for the Marketing application that uses the authorization directory specified in the mapping. Whenever a user tries to access the Marketing application, the Policy Server authenticates the user against the central user directory, but authorizes the user against the Marketing user directory.
Authorization Identity Mapping is the process of configuring a directory mapping to authenticate users against one directory and authorize users against a separate directory.
Assigning the configured authorization identity mapping to a realm lets the Policy Server authenticate a user in one directory and authorize a user in a separate directory.
Validation Identity Mapping is the process of configuring a directory mapping to authenticate users against one directory and validate users against a separate directory.
With Validation Identity Mapping, you can map an authentication user directory that is connected to a Policy Server to a validation user directory that is connected to a different Policy Server.
The following methods for mapping authentication directories with authorization and validation directories are available:
Identity Mappings provide greater flexibility than the legacy directory mapping methods. Identity Mappings let you configure multiple target user directories and use custom search criteria.
The legacy Auth/Az and AuthValidate directory mapping methods available in previous releases are still available in this release. Existing mappings of these types continue to work in the same way.
Legacy Directory mapping requires that the user directory connections to the Policy Server must already exist for the authentication directory and the authorization or validation directory.
Identity mapping does not require that the user directory connections to the Policy Server must already exist for authentication directory and validation directory.
Copyright © 2013 CA.
All rights reserved.
|
|