Symantec Access Management

Hi,

I am trying to protect an application using siteminder. How can I use CA directory as authentication directory and AD as authorization directory? Any help would be highly appreciable.

Regards-

Yashpal

Hi Yashpal,

The Directory Mapping: Auth/Az Mapping Dialog is where you create directory mappings that let you authenticate users against one directory and authorize users against another

Refer : Directory Mapping--Auth/Az Mapping Dialog - CA Single Sign-On - 12.7 - CA Technologies Documentation 

Regards,

Leo Joseph.

Hi Leo,

I have created directory mapping under Auth/Az mapping dialog where CA directory is for authentication and AD is for authorization and mapped DNs is Universal ID. Then, I have added this mapping under Realm in Local Authorization Directory Mapping, flushed cache and everything. When I trying to access the URL, I am able to login and access the page using the IDs present in CA directory but those IDs are not present in AD. I think I am missing something here. Can you please guide me with it?

Regards-

Yashpal

Yash yashpal607

A typical directory mapping solution (using UniversalID) works as below. First refer the table below. User1 is present in UD-Auth, but not present in UD-Az. But we are mapping a common attribute between UD-Auth and UD-Az to map User1 from UD-Auth to UserA in UD-Az using UniqueID=1234. Thus the common factor between both uncommon user is UniqueID=1234.

For Directory Mapping to work, you need to identify something that is common between both User Directories i.e. Authentication and Authorization. If there is nothing common, then you'll need to do through an exercise to modify one User Directory to contain a common attribute from the other User Directory, and then map users using the correct values.

Consider CA Directory = UD-Auth and AD = UD-Az in above table.

Hi Hubert,

I have created a custom attribute as sAMAccountName in the CA directory and added this to Universal ID in the authentication directory. And did the same for the authorization directory(AD) where I have added sAMAccountName as Universal ID. Now, when I try to login, I am able to login with the IDs present in auth directory but not in auz directory which should not happen. Any further suggestions please?

Regards-

Yashpal

Yash yashpal607

####################

I have created a custom attribute as sAMAccountName in the CA directory and added this to Universal ID in the authentication directory. And did the same for the authorization directory(AD) where I have added sAMAccountName as Universal ID.

####################

COMMENTS : This is correct. Hence you are able to login using an ID in CA Directory and Authorize successfully against AD. Could you confirm this is working ? 

####################

I am able to login with the IDs present in auth directory but not in auz directory which should not happen.

####################

COMMENTS : So you want to login using a Username in CA Directory and Authorize against AD. But at the sametime you want to use a Username in AD and Authorize against AD ? Could you list your use cases please (See below table).

Regards

Hubert

Hubert, HubertDennis

I am able to login using an ID in CA Directory but not sure if it's getting authorize successfully against AD. But what I am trying to work is, if an ID is present in both the directories ie. auth directory and auz directory, only then the user should be able to access the page. In my current scenario, an ID is present only in auth directory and not in the auz directory, but the user is able to access the page.

Regards-

Yashpal

Yash yashpal607

###################################################

In my current scenario, an ID is present only in auth directory and not in the auz directory, but the user is able to access the page.

###################################################

COMMENT : Check in Policy against which user directory you have added users. Here's how it should be configured.

1. Add only AuthDir (CA Directory) object in Policy Domain level.
2. Do not add AzDir (AD) object in Policy Domain level.
3. At this point if you go to Policies, you'll only see AuthDir (CA Directory) within Policy.
4. If you have added users OR ALL against AuthDir (CA Directory) in Policy, please remove that.
5. There should be no users against CA Directory.
6. Submit the changes to Policy Domain.
7. At this stage I am assuming you have created the directory mapping but not added into realm.
8. Now edit the Policy Domain.
9. Go to Realm.
10. From there in Directory Mapping select AzDir (AD).
11. Now if you go to the Policy you'll see both User Directory i.e. AuthDir and AzDir.
12. Select ALL or Select Users only under AzDir (AD).
13. Save the changes to Policy Domain.
14. At this point if you test, only Authorized users resulting from successful directory mapping would be able to access.

###################################################

I am able to login using an ID in CA Directory but not sure if it's getting authorize successfully against AD.

###################################################

COMMENT : Check the smaccess.log and smtracedefault.log.

###################################################

What I am trying to work is, if an ID is present in both the directories ie. auth directory and auz directory, only then the user should be able to access the page.

###################################################

COMMENT : Make configuration changes as suggested above. Test. Laid out your definition of "if an ID is present in both directories ie. auth directory and auz directory, only then the user should be able to access the page". So that we are on the same page of understanding. If needed and you still have doubts, please populate the below table with the actual OR sample user values in the table below which make you comfortable to understand.

Hi Hubert,

Thank you so much for the help. I am able to achieve what I was thinking. Your suggestions really worked for me.

Regards-

Yashpal

Hi Hubert,

I have a requirement to allow set of users to auth/az against az directory and another set of users to be able to authenticate against auth dir and authorize against az dir. Please suggest if there is any method to achieve the below use case?

Thanks

Vijay