Symantec Access Management

Expand all | Collapse all

Siteminder - Auth and Auz Directories

Jump to Best Answer
  • 1.  Siteminder - Auth and Auz Directories

    Posted 03-13-2018 10:00 AM

    Hi,

     

    I am trying to protect an application using siteminder. How can I use CA directory as authentication directory and AD as authorization directory? Any help would be highly appreciable.

     

    Regards-

    Yashpal



  • 2.  Re: Siteminder - Auth and Auz Directories

    Posted 03-13-2018 10:07 AM

    Hi Yashpal,

     

    The Directory Mapping: Auth/Az Mapping Dialog is where you create directory mappings that let you authenticate users against one directory and authorize users against another

     

    Refer : Directory Mapping--Auth/Az Mapping Dialog - CA Single Sign-On - 12.7 - CA Technologies Documentation 

     

    Regards,

    Leo Joseph.



  • 3.  Re: Siteminder - Auth and Auz Directories

    Posted 03-13-2018 10:58 AM

    Hi Leo,

     

    I have created directory mapping under Auth/Az mapping dialog where CA directory is for authentication and AD is for authorization and mapped DNs is Universal ID. Then, I have added this mapping under Realm in Local Authorization Directory Mapping, flushed cache and everything. When I trying to access the URL, I am able to login and access the page using the IDs present in CA directory but those IDs are not present in AD. I think I am missing something here. Can you please guide me with it?

     

    Regards-

    Yashpal



  • 4.  Re: Siteminder - Auth and Auz Directories

    Posted 03-13-2018 11:57 AM

    Yash yashpal607

     

    A typical directory mapping solution (using UniversalID) works as below. First refer the table below. User1 is present in UD-Auth, but not present in UD-Az. But we are mapping a common attribute between UD-Auth and UD-Az to map User1 from UD-Auth to UserA in UD-Az using UniqueID=1234. Thus the common factor between both uncommon user is UniqueID=1234.

     

    For Directory Mapping to work, you need to identify something that is common between both User Directories i.e. Authentication and Authorization. If there is nothing common, then you'll need to do through an exercise to modify one User Directory to contain a common attribute from the other User Directory, and then map users using the correct values.

     

     

    UD-Auth (UniversalID = UserID)

    UD-Az (UniversalID = UniqueID)

    Username

    UserID

    LoginName

    UniqueID

    User1

    1234

    UserA

    1234

     

     

    Consider CA Directory = UD-Auth and AD = UD-Az in above table.



  • 5.  Re: Siteminder - Auth and Auz Directories

    Posted 03-13-2018 04:08 PM

    Hi Hubert,

     

    I have created a custom attribute as sAMAccountName in the CA directory and added this to Universal ID in the authentication directory. And did the same for the authorization directory(AD) where I have added sAMAccountName as Universal ID. Now, when I try to login, I am able to login with the IDs present in auth directory but not in auz directory which should not happen. Any further suggestions please?

     

    Regards-

    Yashpal



  • 6.  Re: Siteminder - Auth and Auz Directories

    Posted 03-13-2018 06:13 PM

    Yash yashpal607

     

     

    ####################

    I have created a custom attribute as sAMAccountName in the CA directory and added this to Universal ID in the authentication directory. And did the same for the authorization directory(AD) where I have added sAMAccountName as Universal ID.

    ####################

     

    COMMENTS : This is correct. Hence you are able to login using an ID in CA Directory and Authorize successfully against AD. Could you confirm this is working ? 

     

     

     

    ####################

    I am able to login with the IDs present in auth directory but not in auz directory which should not happen.

    ####################

     

    COMMENTS : So you want to login using a Username in CA Directory and Authorize against AD. But at the sametime you want to use a Username in AD and Authorize against AD ? Could you list your use cases please (See below table).

     

     

    Use CasesYes / No
    1. CA Directory as Authentication Directory, AD as Authorization Directory?
    2. AD as Authentication Directory, AD as Authorization Directory?
    3. AD as Authentication Directory, CA Directory as Authorization Directory?
    4. CA Directory as Authentication Directory, CA Directory as Authorization Directory?

     

     

     

    Regards

    Hubert



  • 7.  Re: Siteminder - Auth and Auz Directories

    Posted 03-13-2018 06:33 PM

    Hubert, HubertDennis

     

    I am able to login using an ID in CA Directory but not sure if it's getting authorize successfully against AD. But what I am trying to work is, if an ID is present in both the directories ie. auth directory and auz directory, only then the user should be able to access the page. In my current scenario, an ID is present only in auth directory and not in the auz directory, but the user is able to access the page.

     

    Use CasesYes / No
    1. CA Directory as Authentication Directory, AD as Authorization DirectoryYes
    2. AD as Authentication Directory, AD as Authorization DirectoryNo
    3. AD as Authentication Directory, CA Directory as Authorization DirectoryNo
    4. CA Directory as Authentication Directory, CA Directory as Authorization DirectoryNo

     

    Regards-

    Yashpal



  • 8.  Re: Siteminder - Auth and Auz Directories
    Best Answer

    Posted 03-13-2018 10:38 PM

    Yash yashpal607

     

    ###################################################

    In my current scenario, an ID is present only in auth directory and not in the auz directory, but the user is able to access the page.

    ###################################################

     

    COMMENT : Check in Policy against which user directory you have added users. Here's how it should be configured.

    1. Add only AuthDir (CA Directory) object in Policy Domain level.
    2. Do not add AzDir (AD) object in Policy Domain level.
    3. At this point if you go to Policies, you'll only see AuthDir (CA Directory) within Policy.
    4. If you have added users OR ALL against AuthDir (CA Directory) in Policy, please remove that.
    5. There should be no users against CA Directory.
    6. Submit the changes to Policy Domain.
    7. At this stage I am assuming you have created the directory mapping but not added into realm.
    8. Now edit the Policy Domain.
    9. Go to Realm.
    10. From there in Directory Mapping select AzDir (AD).
    11. Now if you go to the Policy you'll see both User Directory i.e. AuthDir and AzDir.
    12. Select ALL or Select Users only under AzDir (AD).
    13. Save the changes to Policy Domain.
    14. At this point if you test, only Authorized users resulting from successful directory mapping would be able to access.

     

     

    ###################################################

    I am able to login using an ID in CA Directory but not sure if it's getting authorize successfully against AD.

    ###################################################

     

    COMMENT : Check the smaccess.log and smtracedefault.log.

     

     

    ###################################################

    What I am trying to work is, if an ID is present in both the directories ie. auth directory and auz directory, only then the user should be able to access the page.

    ###################################################

     

    COMMENT : Make configuration changes as suggested above. Test. Laid out your definition of "if an ID is present in both directories ie. auth directory and auz directory, only then the user should be able to access the page". So that we are on the same page of understanding. If needed and you still have doubts, please populate the below table with the actual OR sample user values in the table below which make you comfortable to understand.

     

    UD-Auth-CA Dir (UniversalID = sAMAccountName)

    UD-Az-AD (UniversalID = sAMAccountName)

    Username

    sAMAccountName

    cn

    sAMAccountName

    User1

    1234

    UserA

    1234



  • 9.  Re: Siteminder - Auth and Auz Directories

    Posted 03-14-2018 11:57 AM

    Hi Hubert,

     

    Thank you so much for the help. I am able to achieve what I was thinking. Your suggestions really worked for me.

     

    Regards-

    Yashpal



  • 10.  Re: Siteminder - Auth and Auz Directories

    Posted 03-03-2019 10:04 PM

    Hi Hubert,

     

    I have a requirement to allow set of users to auth/az against az directory and another set of users to be able to authenticate against auth dir and authorize against az dir. Please suggest if there is any method to achieve the below use case?

     

    Thanks

    Vijay

     

    1. CA Directory as Authentication Directory, AD as Authorization DirectoryYes
    2. AD as Authentication Directory, AD as Authorization DirectoryYes