Layer7 Identity Management

How to use SM Dir Mapping with IDM


    Posted 01-29-2015 11:06 AM

    SM allows you to authenticate against one User Directory and authorize against another. This is an SM feature.

    To use it, one should create an Auth/Az directory mapping (defined in the SM WAM UI). The mapping needs to result in a one-to-one relationship between the object authenticated in the authentication user directory and the object in the authorization user directory, so that SM knows which object is being authorized. If it is a one-to-many mapping, SM will not know whom to authorize for the authentication attempt.


    How do you apply this to Identity Manager?


    SM associates a user directory with a domain (the domain includes protected realms, which are the URLs of the protected apps). That user directory in SM has an authentication filter. That filter includes an attribute that is evaluated at runtime and matched against the credentials to perform the authentication.


    When directories are created/imported/updated from /immanage as IDM directories (only when integration with SM is enabled), the SM directory associated with the IDM domain is the IDM directory. Further, the auth filter for that directory in SM is based on %USER_ID%. If the customer needs to authenticate on another attribute, they can edit that directory object in the SM WAM UI and use the physical name of the attribute they need. However, they need to remember to do that after any future import or update of that same directory, since that process restores %USER_ID% to the auth filter.


    If the SM auth directory is different from the IDM directory, they must create an Authentication-Authorization directory mapping in the SM WAM UI. There are two options: either matching DNs (rarely used), which requires the DNs of the two objects in both directories to be identical, or Universal IDs. Universal IDs means designating one attribute in the SM authentication directory and one attribute in the IDM authorization directory (which must be %USER_ID%!) and guaranteeing that the values of these attributes match and are unique, so that the mapping is deterministic.
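    The uniqueness and one-to-one requirements above are easy to verify before the mapping is switched on. The following is an added example (not CA/Layer7 code): it takes two directory exports as lists of attribute dicts and reports every condition that would make a Universal ID mapping non-deterministic or leave an authenticated user with no authorization object. The attribute names (`mail` on the auth side, `uid` as the physical attribute behind %USER_ID%) and the entries are constructed for illustration.

```python
"""Pre-flight check for a SiteMinder Auth/Az directory mapping based on Universal IDs.

Added example, not CA/Layer7 code. Assumes both directories have been exported
to lists of dicts (attribute -> value); the sample entries below are constructed.
"""
from collections import defaultdict

# Constructed sample: authentication directory keyed on 'mail', and the IDM
# authorization directory whose %USER_ID% is physically stored in 'uid'.
AUTH_DIR = [
    {"dn": "cn=alice,ou=people,dc=auth,dc=example", "mail": "alice@example.com"},
    {"dn": "cn=bob,ou=people,dc=auth,dc=example", "mail": "bob@example.com"},
    {"dn": "cn=bob2,ou=people,dc=auth,dc=example", "mail": "bob@example.com"},  # duplicate
    {"dn": "cn=carol,ou=people,dc=auth,dc=example", "mail": "carol@example.com"},
]
AUTHZ_DIR = [
    {"dn": "cn=alice,ou=users,dc=idm,dc=example", "uid": "alice@example.com"},
    {"dn": "cn=bob,ou=users,dc=idm,dc=example", "uid": "bob@example.com"},
    # carol has no IDM object: she can authenticate but SM cannot authorize her
]


def index_by(entries, attr):
    """Map each value of `attr` to the DNs carrying it (case-insensitive, like LDAP)."""
    idx = defaultdict(list)
    for e in entries:
        if attr in e:
            idx[e[attr].strip().lower()].append(e["dn"])
    return idx


def check_universal_id_mapping(auth_entries, authz_entries, auth_attr, authz_attr):
    """Return the problems that would make the SM mapping non-deterministic.

    A mapping is safe only when every value is unique on both sides and each
    auth value resolves to exactly one authz object; all lists empty == safe.
    """
    auth_idx = index_by(auth_entries, auth_attr)
    authz_idx = index_by(authz_entries, authz_attr)
    return {
        # same value on several auth objects: SM cannot tell which identity logged in
        "duplicate_auth_values": sorted(v for v, d in auth_idx.items() if len(d) > 1),
        # same %USER_ID% on several IDM objects: one-to-many, SM cannot pick one
        "duplicate_authz_values": sorted(v for v, d in authz_idx.items() if len(d) > 1),
        # authenticates fine but has no authz object: denied after a successful login
        "unmapped_auth_values": sorted(set(auth_idx) - set(authz_idx)),
        # auth objects lacking the mapping attribute entirely
        "auth_missing_attr": [e["dn"] for e in auth_entries if auth_attr not in e],
    }


if __name__ == "__main__":
    for k, v in check_universal_id_mapping(AUTH_DIR, AUTHZ_DIR, "mail", "uid").items():
        print(f"{k}: {v}")
```

Running it against the constructed data flags bob's duplicated mail value and carol's missing IDM object; the same check can be rerun after every directory re-import, since that is also when the %USER_ID% filter is restored.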





    Sagi Gabay,

    CA Technologies.