Symantec IGA

  • 1.  Enabling multi domain authentication

    Posted May 16, 2019 07:25 AM

    Good day

    I need assistance.

    I want to enable multi domain authentication in my environment.

    I'm told that CA Identity Governance has that in place.

    CA Support has provided me the below information, but it's very unclear:

    "We do support multidomain authentication, but a single server, so a trust relationship between the domains needs to be configured.

    Each user has to have an attribute for his full login name, i.e. Domain\login (e.g. ZElUPIO\sansh09). Different users can have multiple domains on that attribute."

    We have three domains in our environment and they already have a trusted relationship between them.

    But I'm still able to authenticate.

    Questions:

    - Is there a specific relationship that is required between the domains? (We currently have a bi-directional relationship.)

    - We can only point at one LDAP server (as CA support has advised); does it have to be the primary DC? (We are currently pointing to a secondary DC.)

    - Does anyone have a step-by-step guide on how to do this? If you can provide screenshots of what the config file should look like, please do.

    Regards

    Wesley

    #caidentitysuite14.2 #caidentityportal #identity_manager #identitygovernance



  • 2.  Re: Enabling multi domain authentication
    Best Answer

    Broadcom Employee
    Posted May 16, 2019 11:07 AM

    Hi Wesley,

    To answer your questions here:

    - Is there a specific relationship that is required between the domains? (We currently have a bi-directional relationship.)

    I think a bi-directional relationship is good.

    - We can only point at one LDAP server (as CA support has advised); does it have to be the primary DC? (We are currently pointing to a secondary DC.)

    No need to be the primary DC, as long as the second DC can authenticate your domains.

    - Does anyone have a step-by-step guide on how to do this? If you can provide screenshots of what the config file should look like, please do.

    You can try the following, under these properties:

    security.ldap.server

    security.manager.dn

    security.manager.password

    In each of those properties you have to add the domain name at the end of the property name. For example, you set a system property of security.ldap.server.Domain1 with a value of “someserver.domain1.com”.

    If you have a trust relationship, you can point security.ldap.server to your secondary DC host for all the domains. In your case, if you have 3 domains, you will need to have 3 sets of the properties above.


  • 3.  Re: Enabling multi domain authentication

    Posted May 16, 2019 01:05 PM

    Hi Yuan

    Thank you for your response.

    I have tried your above solution and it didn't work.

    Please see attached the screenshots of how I added the additional properties.

    Please advise.

    Regards

    Wesley



  • 4.  Re: Enabling multi domain authentication

    Broadcom Employee
    Posted May 20, 2019 09:30 AM

    Hi Wesley,

    I notice there is a set of properties that did not contain the domain name. You should add a domain name on them as well.

    Best regards,

    Frank



  • 5.  Re: Enabling multi domain authentication

    Posted May 22, 2019 05:53 AM

    Hi Frank

    Many thanks.

    Could you please provide me with an example of this configuration? Screenshots if you can.

    1. Screenshots of the config file (Role and Compliance Manager)

    "Each user has to have an attribute for his full login name, i.e. Domain\login (e.g. ZElUPIO\sansh09). Different users can have multiple domains on that attribute." This was a comment from CA support.

    2. Screenshots of the properties

    Maybe I'm missing something from your previous instructions.

    Regards

    Wesley



  • 6.  Re: Enabling multi domain authentication

    Broadcom Employee
    Posted May 24, 2019 04:58 AM

    Please make sure the below properties are added for your second domain (say “MyDomain”).


    security.default.authentication.domain=MyDomain
    security.ldap.server.MyDomain=<ADServer2>
    security.manager.dn.MyDomain=<AD-DN>
    security.manager.password.MyDomain=<DN Password>


    To add these properties, go to Administration > settings > Property settings and click on the “Add New” button at the bottom of the screen.
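A worked check for the per-domain property pattern described in replies 2 and 6 above, added here as an example that is not code from the thread or from CA/Broadcom: it parses a set of security.* properties, reports any domain (the default one included) whose set of three suffixed properties is incomplete, which is the gap Frank's reply points at, and resolves a Domain\login to the LDAP server it would use. The property names are the thread's; the hostnames, DNs and the resolution helper are constructed assumptions.

```python
# Added example, not code from the thread or the CA/Broadcom product: parse the
# per-domain security.* properties the replies describe and report any domain
# whose set is incomplete. Names are the thread's; hosts/DNs are constructed.
PER_DOMAIN_KEYS = ("security.ldap.server", "security.manager.dn",
                   "security.manager.password")
DEFAULT_DOMAIN_KEY = "security.default.authentication.domain"
# Constructed sample: three trusted domains on one secondary DC; Domain3
# deliberately lacks its manager password (the gap Frank's reply points at).
SAMPLE_PROPERTIES = """\
security.default.authentication.domain=Domain1
security.ldap.server.Domain1=dc02.corp.example
security.manager.dn.Domain1=CN=svc-iga,OU=Service,DC=domain1,DC=example
security.manager.password.Domain1=<password placeholder>
security.ldap.server.Domain2=dc02.corp.example
security.manager.dn.Domain2=CN=svc-iga,OU=Service,DC=domain2,DC=example
security.manager.password.Domain2=<password placeholder>
security.ldap.server.Domain3=dc02.corp.example
security.manager.dn.Domain3=CN=svc-iga,OU=Service,DC=domain3,DC=example
"""

def parse_properties(text):
    """key=value lines; split on the first '=' so DN values keep their own '='."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def domain_sets(props):
    """Group suffixed keys by domain: {'Domain1': {'security.ldap.server': ...}}."""
    sets = {}
    for key, value in props.items():
        for base in PER_DOMAIN_KEYS:
            if key.startswith(base + "."):
                sets.setdefault(key[len(base) + 1:], {})[base] = value
    return sets

def missing_properties(props):
    """{domain: [missing base keys]} for every incomplete domain, default included."""
    sets = domain_sets(props)
    domains = set(sets) | ({props.get(DEFAULT_DOMAIN_KEY)} - {None})
    gaps = {d: [k for k in PER_DOMAIN_KEYS if k not in sets.get(d, {})] for d in domains}
    return {d: g for d, g in sorted(gaps.items()) if g}

def resolve_login(props, login):
    """Map 'Domain\\user' (bare 'user' -> default domain) to its LDAP server, else None."""
    domain = login.split("\\", 1)[0] if "\\" in login else props.get(DEFAULT_DOMAIN_KEY)
    server = props.get("security.ldap.server." + domain) if domain else None
    return (domain, server) if server else None
```

Run missing_properties over your own exported property settings before testing logins; a domain listed in the result is the one whose set still lacks the domain suffix.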



  • 7.  Re: Enabling multi domain authentication

    Posted Aug 26, 2019 04:32 AM
    Does this solution work on CA Identity Manager User Console?