SiteMinder assumes that a user will be authenticated and authorized against the same user directory. Although this default behavior is sufficient in many cases, SiteMinder also provides the ability to authenticate users against one directory, and authorize users against a separate directory. This feature is called directory mapping. It is especially useful when authentication information is stored in a central directory, but authorization information is distributed in separate user directories that are associated with particular network applications.
Note: Impersonation is not supported by directory mapping. The impersonatee, the user being impersonated, must be uniquely present in the authentication directories associated with the domain or the impersonation fails.
Mapping from an authentication directory to an authorization directory is a three-step process.
Directory connections you want to specify as authentication or authorization directories in a mapping must be configured on the User Directory pane.
The Policy Server uses directory mappings to locate authenticated users in separate authorization directories.
By associating a directory mapping with a specific realm, you can define the directory against which a user will be authorized for specific resources in a network.
For example, in the following diagram, all of the users in a company are authenticated against a single central user directory, but the marketing organization has a separate user directory that contains authorization data for Marketing staff. Using the Policy Server, you can configure a directory mapping to the Marketing authorization user directory, then you can create a realm for the Marketing application that uses the authorization directory specified in the mapping. Whenever a user tries to access the Marketing application, the Policy Server authenticates the user against the central user directory, but authorizes the user against the Marketing user directory.
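The flow described above (authenticate against the central directory, then locate the same user in the realm's mapped authorization directory) modelled as an added Python example; this is not CA's code or configuration, and the directory contents, realm class and decision strings are constructed for illustration, including the failure mode where an authenticated user has no entry in the authorization directory:

```python
import hmac

# Constructed sample directories; not real SiteMinder configuration or data.
CENTRAL_AUTHN = {  # central authentication directory (credentials only)
    "alice": {"password": "pw-alice"},
    "bob":   {"password": "pw-bob"},
    "carol": {"password": "pw-carol"},
}
MARKETING_AUTHZ = {  # Marketing authorization directory (entitlements only)
    "alice": {"groups": {"marketing-staff"}},
    "bob":   {"groups": {"contractors"}},
}

class Realm:
    """A set of protected resources. authz_dir is the mapped authorization
    directory; with no mapping it is the same directory as authn_dir
    (the default behaviour the text describes)."""
    def __init__(self, name, authn_dir, required_group, authz_dir=None):
        self.name = name
        self.authn_dir = authn_dir
        self.authz_dir = authn_dir if authz_dir is None else authz_dir
        self.required_group = required_group

def authenticate(realm, user, password):
    """Verify credentials against the realm's authentication directory."""
    entry = realm.authn_dir.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry["password"], password)

def authorize(realm, user):
    """Locate the already-authenticated user in the mapped authorization
    directory and check the entitlement. Returns a decision string."""
    entry = realm.authz_dir.get(user)
    if entry is None:
        # Authenticated centrally, but unknown where the entitlements live:
        # the mapping gives the Policy Server nothing to authorize against.
        return "deny-not-in-authz-directory"
    if realm.required_group not in entry.get("groups", set()):
        return "deny-not-entitled"
    return "allow"

def access(realm, user, password):
    """Policy Server flow: authenticate first, then authorize in the mapped directory."""
    if not authenticate(realm, user, password):
        return "deny-authentication-failed"
    return authorize(realm, user)

# Realm for the Marketing application with a directory mapping to MARKETING_AUTHZ.
MARKETING = Realm("marketing-app", CENTRAL_AUTHN, "marketing-staff", authz_dir=MARKETING_AUTHZ)
```

Note that carol authenticates successfully but is denied, because the mapped authorization directory has no entry for her; a realm without a mapping would evaluate her against the central directory instead.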
Copyright © 2012 CA.
All rights reserved.