

Directory Mapping Overview

SiteMinder assumes that a user will be authenticated and authorized against the same user directory. Although this default behavior is sufficient in many cases, SiteMinder also provides the ability to authenticate users against one directory, and authorize users against a separate directory. This feature is called directory mapping. It is especially useful when authentication information is stored in a central directory, but authorization information is distributed in separate user directories that are associated with particular network applications.

Note: Impersonation is not supported by directory mapping. The impersonatee, the user being impersonated, must be uniquely present in the authentication directories associated with the domain or the impersonation fails.

Mapping from an authentication directory to an authorization directory is a three-step process.

  1. Set Up User Directory Connections

    Directory connections you want to specify as authentication or authorization directories in a mapping must be configured on the User Directory pane.

  2. Configure a Directory Mapping

    The Policy Server uses directory mappings to locate authenticated users in separate authorization directories.

  3. Assign a Directory Mapping to a Realm

    By associating a directory mapping with a specific realm, you can define the directory against which a user will be authorized for specific resources in a network.

    For example, in the following diagram, all of the users in a company are authenticated against a single central user directory, but the marketing organization has a separate user directory that contains authorization data for Marketing staff. Using the Policy Server, you can configure a directory mapping to the Marketing authorization user directory, then you can create a realm for the Marketing application that uses the authorization directory specified in the mapping. Whenever a user tries to access the Marketing application, the Policy Server authenticates the user against the central user directory, but authorizes the user against the Marketing user directory.

    Graphic showing a user being authenticated against the central user directory but authorized against the marketing user directory
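The following is an added illustration of the three-step flow described above, not SiteMinder code: a toy policy decision that authenticates against a central directory and then locates the user in a separate authorization directory through a mapping attribute. The directory contents, the `mail` mapping attribute, the role names and the "exactly one match" rule are assumptions made for the example.

```python
"""Toy model of directory mapping (added illustration, not product code).
Sample directories, attribute names and roles below are constructed."""
from dataclasses import dataclass
from hmac import compare_digest
from typing import Optional

# Constructed authentication directory: credentials for everyone in the company.
CENTRAL_AUTHN = {
    "alice": {"password": "s3cret", "mail": "alice@example.com", "roles": {"employee"}},
    "bob":   {"password": "hunter2", "mail": "bob@example.com", "roles": {"employee"}},
}
# Constructed authorization directory for one application (Marketing only).
MARKETING_AUTHZ = [
    {"mail": "alice@example.com", "roles": {"campaign-editor"}},
    {"mail": "bob@example.com",   "roles": {"viewer"}},
    {"mail": "bob@example.com",   "roles": {"admin"}},   # duplicate: ambiguous lookup
]

@dataclass
class Realm:
    name: str
    authn_dir: dict
    authz_dir: Optional[list] = None  # None: authorize against the authn directory
    map_attr: str = "mail"            # attribute used to locate the user (assumed)
    required_role: str = "employee"

def authenticate(realm: Realm, user: str, password: str) -> bool:
    """Credentials are always checked against the authentication directory."""
    entry = realm.authn_dir.get(user)
    return entry is not None and compare_digest(entry["password"], password)

def locate_authz_entry(realm: Realm, user: str) -> Optional[dict]:
    """With a mapping, find the authenticated user in the authorization directory.
    Zero or several matches on the mapping attribute yields None (no entitlement)."""
    if realm.authz_dir is None:
        return realm.authn_dir.get(user)
    key = realm.authn_dir[user][realm.map_attr]
    matches = [e for e in realm.authz_dir if e.get(realm.map_attr) == key]
    return matches[0] if len(matches) == 1 else None

def decide(realm: Realm, user: str, password: str) -> str:
    """Returns 'allow', 'deny-authn' or 'deny-authz' for a resource in the realm."""
    if not authenticate(realm, user, password):
        return "deny-authn"
    entry = locate_authz_entry(realm, user)
    if entry is None or realm.required_role not in entry.get("roles", set()):
        return "deny-authz"
    return "allow"

INTRANET = Realm("intranet", CENTRAL_AUTHN)  # default: same directory for both steps
MARKETING = Realm("marketing", CENTRAL_AUTHN, MARKETING_AUTHZ, required_role="campaign-editor")
```

Bob authenticates successfully but is denied in the Marketing realm because the mapping attribute matches two entries, so the authorization lookup cannot identify him uniquely.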

More information:

How to Configure a CA Directory User Directory Connection

Configure a Directory Mapping

Realms

Advanced Policy Components for Applications