Policy membership is the part of a SiteMinder policy that specifies which users the policy applies to. SiteMinder policies are stored in domains, and as a result, you use filters to apply SiteMinder policy membership to any or all users stored in the user directories bound to the domain. The type of filter you define determines how the Policy Server evaluates SiteMinder policy membership.
Note: For more information about adding users to a SiteMinder policy, see the Policy Server Configuration Guide.
The following filters are listed in order, starting with the one that has the smallest effect on performance:
When SiteMinder authenticates a user, the Policy Server issues a session ticket. The session ticket identifies the user directory in which the user is stored. The Policy Server only has to compare the session ticket with the directory bound to the SiteMinder policy to determine that the policy applies to the user.
Note: For more information about user sessions, see the Policy Server Configuration Guide.
The organization or organizational unit, which contains the DN of the authenticated user, is stored in the session ticket. The Policy Server has to compare the session ticket information with the SiteMinder policy membership filter to determine if the policy applies to the user.
The Policy Server must search each user group and all subgroups in the directory to determine if the SiteMinder policy applies to the user.
Important! Directories with deep group hierarchies can have a significant effect on the time it takes the Policy Server to evaluate policy membership.
Note: You can enable the User Authorization cache to reduce the number of requests the Policy Server makes to user directories to resolve policy membership.
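The following added example is a simplified model, not SiteMinder code, that counts the directory requests each filter type described above would need and shows the effect of caching a resolved membership. The class and function names, the ticket fields, the cache keyed on user DN and group, and the sample directory are all assumptions constructed for illustration.

```python
# Simplified model, not SiteMinder code: counts directory requests per filter type.
from collections import namedtuple

Ticket = namedtuple("Ticket", "directory dn")  # constructed session ticket fields

class Directory:
    """Constructed in-memory stand-in for a user directory; counts requests."""
    def __init__(self, name, members, subgroups):
        self.name, self.members, self.subgroups = name, members, subgroups
        self.requests = 0

    def group_info(self, group):
        self.requests += 1  # one directory request per group examined
        return self.members.get(group, set()), self.subgroups.get(group, [])

def in_directory(ticket, directory):
    # Directory filter: compare the ticket with the bound directory, no lookup.
    return ticket.directory == directory.name

def in_org(ticket, directory, org_dn):
    # Organization/OU filter: decided from ticket data alone (assumed DN suffix match).
    return in_directory(ticket, directory) and ticket.dn.lower().endswith("," + org_dn.lower())

def in_group(ticket, directory, group, cache=None):
    # Group filter: walk the group and its subgroups until the user is found.
    key = (ticket.dn, group)
    if cache is not None and key in cache:
        return cache[key]  # cached answer: no directory requests at all
    stack, seen, found = [group], set(), False
    while stack and not found:
        g = stack.pop()
        if g in seen:  # guard against cyclic group nesting
            continue
        seen.add(g)
        direct, children = directory.group_info(g)
        found = ticket.dn in direct
        stack.extend(children)
    if cache is not None:
        cache[key] = found
    return found

def build_sample(depth=6):
    # Constructed chain g0 -> g1 -> ...; the user is a member of the deepest group.
    dn = "uid=alice,ou=eng,o=example"
    subs = {f"g{i}": [f"g{i + 1}"] for i in range(depth - 1)}
    d = Directory("corp", {f"g{depth - 1}": {dn}}, subs)
    return d, Ticket("corp", dn)
```

In this model the directory and organization checks make no directory requests, the group check makes one request per nesting level, and a repeated group check with a populated cache makes none.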
Copyright © 2010 CA. All rights reserved.