Symantec Access Management

  • 1.  SMSESSION Traversing between Directories

    Posted Aug 02, 2018 05:34 AM

    Hello All,

    I have a question.

    Suppose that there are 2 separate applications in the same cookie domain which authenticate against 2 different directories, i.e. LDAP and ODBC. A user who is present in both directories (i.e. same username and password) accesses the 1st application, which authenticates against LDAP. Would that user be able to SSO to the other application, which authenticates against ODBC? If yes, then how? And if no, then why?

    In this use case let's consider the below:

    1) Application 1 has default directory/Identity Mapping and is authenticating and authorizing against LDAP.

    2) Application 2 has default directory/Identity Mapping and is authenticating and authorizing against ODBC.

    3) The user accessing the applications has the exact same username/unique identifier (i.e. UserID from login) and password in both directories.

    4) The protected applications are of the same protection level and in the same cookie domain, and there is SSOTrust as well.

    5) Now if the user accesses Application 1 and is authenticated/authorized and an SMSESSION is generated, could the same SMSESSION be used to access Application 2, or would the user get the login page again? If no, then why? And if yes, then how?

    Thanks

    Ankur



  • 2.  Re: SMSESSION Traversing between Directories
    Best Answer

    Posted Aug 02, 2018 12:27 PM

    Ankur ankurtaneja85

    I think this query stems from Access for user LDAP and ODBC.

    For SSO to work across Policy Domains, a few things play a very vital role.

    • Cookie Domains.
    • Authenticated Directory. This info is present within the SMSESSION.

    When we authenticate against Application-1, SM_USERSESSIONDIRNAME is set to the name of the UD (LDAP) which was used for successful authentication in Application-1.

    When we traverse to Application-2, the Policy Server would identify that the Policy Domain is set to authenticate only using ODBC and that the incoming SMSESSION is tied to LDAP. Hence it will reject the SMSESSION and challenge you to log in again.

    If you need the SMSESSION (SM_USERSESSIONDIRNAME = LDAP) from Application-1 to succeed in Application-2, then you'll need to add LDAP as an Authentication UD in Application-2 and then create a DirMapping in Application-2 to authorize against ODBC. The same rule applies in reverse from Application-2 to Application-1.
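    The acceptance rule described in this answer, as an added illustration that is not part of the original thread: a constructed Python model, not SiteMinder code or its real object model, in which the directory contents, the `PolicyDomain`/`SMSession` classes and the `evaluate()` function are assumptions. It compares Application-2 as described in the question (ODBC only) with Application-2 after LDAP is added as an Authentication UD plus a DirMapping to ODBC.

```python
from dataclasses import dataclass, field

# Constructed sample user stores (hypothetical): the same login ID exists in
# both directories, as the question assumes.
LDAP_STORE = {"ankur": {"dn": "uid=ankur,ou=people,o=example"}}
ODBC_STORE = {"ankur": {"row_id": 42}}
DIRECTORIES = {"LDAP": LDAP_STORE, "ODBC": ODBC_STORE}


@dataclass
class PolicyDomain:
    """Simplified model of a Policy Domain, not SiteMinder's real object model."""
    name: str
    auth_directories: list                            # UDs accepted for authentication
    dir_mapping: dict = field(default_factory=dict)   # auth UD -> authorization UD


@dataclass
class SMSession:
    """Only the session attribute the answer relies on is modelled."""
    user_id: str
    SM_USERSESSIONDIRNAME: str                        # UD that authenticated the user


def evaluate(session: SMSession, domain: PolicyDomain) -> str:
    """Return 'challenge', 'denied' or 'authorized:<UD>' for a session hitting a domain."""
    # 1. The directory recorded in the SMSESSION must be one this domain authenticates
    #    against; otherwise the session is rejected and the user is challenged again.
    if session.SM_USERSESSIONDIRNAME not in domain.auth_directories:
        return "challenge"
    # 2. Authorization runs against the mapped directory (DirMapping), or the
    #    authenticating directory itself when no mapping exists.
    authz_dir = domain.dir_mapping.get(session.SM_USERSESSIONDIRNAME,
                                       session.SM_USERSESSIONDIRNAME)
    if session.user_id not in DIRECTORIES[authz_dir]:
        return "denied"
    return f"authorized:{authz_dir}"


# Session issued after logging in to Application-1 (authenticated by LDAP).
SESSION_FROM_APP1 = SMSession("ankur", "LDAP")

# Application-2 as described in the question: authenticates and authorizes with ODBC only.
APP2_ODBC_ONLY = PolicyDomain("Application-2", ["ODBC"])

# Application-2 as the answer suggests: LDAP added as an authentication UD,
# with a DirMapping so authorization still happens against ODBC.
APP2_WITH_DIRMAPPING = PolicyDomain("Application-2", ["ODBC", "LDAP"], {"LDAP": "ODBC"})

if __name__ == "__main__":
    print(evaluate(SESSION_FROM_APP1, APP2_ODBC_ONLY))        # challenge
    print(evaluate(SESSION_FROM_APP1, APP2_WITH_DIRMAPPING))  # authorized:ODBC
```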


  • 3.  Re: SMSESSION Traversing between Directories

    Posted Aug 03, 2018 05:02 AM

    HubertDennis Thank you for the clarification; it is really helpful. Yes, this does come from my previous query and I was still in doubt regarding the outcome.