Symantec Access Management

 View Only
  • 1.  Validation Identity Mapping  - Federation

    Posted Aug 23, 2017 07:02 PM

    We have legacy SSO applications that uses SunOne LDAP as authentication store and all new SSO applications uses Active Directory as authentication store. Both types (old & new) of applications are part of same siteminder infrastructure.


    We set up a validation identity mapping between SunOne auth dir & AD auth dir.

    We are able to navigate from old application  (webagent protected) to new application (webagent protected) in both directions using validation identity mapping.


    But, if we login to legacy webagent enabled app that use SuneOne ldap auth and try to access federation (our SM acting as IDP) app that use AD auth dir, identity mapping is not working.


    We tried to apply identity mapping to "Auth URL" specified in federation partnership. We also protected IDP end point URL (xx/affwebservices/public/saml2sso) applied identity mapping to that realm. In either case, we don't see idenity mapping is being triggered and existing smsession (with sunone ldap as auth) from legacy app login is not transfered to new smsession via validation identity mapping.

    Wonder why identity mapping is not invoked for "saml2sso" url even though it is protected and has directiry mapping attached ?


    We tried to use custom intermediate page (SSO protected and assigned dir mapping) as IDP end point URL which in turn redirects to "/affwebservices/public/saml2sso?SPID=xx" (after smsession transfer to new auth dir via dir mapping) to solve this issue. It solves the issue for "IDP init" federations. But, in "SP init" federations, when our SP redirect to custom IDP end point with AuthnRequest and if this intermediate page redirect/post to standard IDP end point (xx/affwebservices/public/saml2sso) with authnrequest, "destionation" value in authnrequest will have this custom idp end point and policy server doesn't allow "destionation" value anything other than ("xx/affwebservices/public/saml2sso"


    This is impacting our user experience as we use legacy app as home page (webagent protected) for all our employees and when they try to access federation apps (that use AD auth store) from home page, they all failing as legacy app uses one auth dir and fed apps use AD auth and validation dir mapping is not invoked.


    This is failing only legacy wegabent protected app -> federation apps.

     legacy wegabent protected app -> new webagent app works fine using dir mapping.


    Any suggestion on how to solve this issue ?



  • 2.  Re: Validation Identity Mapping  - Federation
    Best Answer

    Posted Aug 23, 2017 11:57 PM

    Hi Kishore,


    Unfortunately, Identity mapping is currently not supported for Federation.

    Refer this : Identity mapping for Federation 




  • 3.  Re: Validation Identity Mapping  - Federation

    Posted Aug 24, 2017 02:44 PM

    Ujwol, I already saw that post. That use case is bit different. Here, we are not able to navigate across from webagent proected app (which has one auth dir) to federation app (which has different auth dir). But, identity mapping support in the federation will solve both issues.


    Trying to see if there are any other options that we can use until CA support identiy validation maping in federation.


    I already voted for that enhancement in other article you shared.