Here's a brief summary of our environment:
We have CA SSO r12.52sp2 setup on Win2012R2 servers
Authentication Store: Active Directory 2012R2 (ADS)
Authorization Store: SQL Sever 2012 SP3 (SQL)
Web Server: IIS 8.5
We use policy domain and legacy directory mapping to protect the web applications.
Users are authenticated by ADS and authorized by SQL. In addition, we created SM responses to send information about the user to the application. these information are stored in SQL.
We need to do likewise for SharePoint 2013 applications.
We setup CA SSO Agent for Sharepoint 12.52sp1cr4.
Similarly, we use policy domain and legacy directory mapping so that users are authenticated by ADS and authorized by SQL.
1. How do we convert those SM responses into identity claims that SharPoint consume?
2. How do add additional claims from authorization directory, i.e. user attributes NOT available the authentication directory?
Any other suggestions or workaround is much appreciated.
1.) The CA Single Sign-On (fka SiteMinder) Agent for SharePoint 2010/2013 does not utilize SiteMinder Responses to generate the Claims for a User. Attributes to generate the Claims for a User are defined in the SharePoint Connection Wizard mapping to attributes from the User's record in the LDAP or ODBC User Store. Additionally Virtual Attribute Mappings are defined in the directory connection to associate the directory attributes to the Claims configured using the 'Alias' attribute mapping type. This allows a SharePoint Agent Domain to include multiple User Directories of different types to be able to map the Attributes from the specific directory to the Claim to be returned in the Assertion. For example to return a "useridentifier" Claim, you could define Virtual Attribute Mappings for "useridentifier" to map to "sAMAccountName" in AD and "uid" in an iPlanet/Oracle User Directory. The Virtual Attribute mappings for each User Directory maps the specific attributes from that specific User Directory to the Claims to be returned.
2.) The CA Single Sign-On (fka SiteMinder) Agent for SharePoint 2010/2013 does not support Directory Mapping; the Authorization Directory must be the same Directory as the Authentication Directory.
I would suggest entering an Enhancement Request with CA Product Management via the Idea action in the Communities Site to request that Directory Mapping be considered for a future release of the CA Single Sign-On (fka SiteMinder) Agent for SharePoint 2010/2013.
The Enhancement Request Process has been modified such that customers are now to open their own requests via the CA Communities Site.
Following is a link to this announcement on the Support Portal;
This page provides you with the information on the new process and contains a QA section to explain how to open Enhancement Requests.
Following is the link to the Communities page;
Appreciate for the detailed technical illustration.
Maybe we should reconsider this requirement from a different perspective.
Thank you for the help.