Layer 7 Access Management

Expand all | Collapse all

About Auth-Authz mapping

Jump to Best Answer
  • 1.  About Auth-Authz mapping

    Posted 07-03-2019 01:43 PM

    I have two user directories that have the same users (same username) but different password. Let call them A and B.
    I wish I could authenticate user with A or B but use only directroy A as authorization (I'd like to have a response that takes information from directory A as cookie or header).

    I thought about doing it this way:

    Create two domains.
    • DA domain where I have as user directory A
    • DB domain where I have as user directory B.

    I would an unprotected resource that has two links
    • "Login" that point   /loginA 
    • "Legacy Login" that point /loginB

    I thought of creating three realms

    /loginA          protected in domain A
    /protected     protected in domain A
    /loginB         protected in domain  B

    both /loginA and /loginB redirect to /protected

    On the realm /protected I was thinking of hooking an Auth-Autz mapping based on UniversalId

    I will therefore have two policies

    * PA policy which contain /loginA and /protected realms that has "all users of the directory A" as authorized users
    * PB policy witch contains /loginB that has "all the users of the directory B" as authorized users

    What do you think? It might work? Is this the correct way to do it?

  • 2.  RE: About Auth-Authz mapping
    Best Answer

    Posted 07-04-2019 02:31 PM

    Ok. I played with it a little and now it works. Not in the way I described above. The solution is to create a single domain with all the users and in this case on the login page both the passwords of the user store A and of B (even if the same user exists both in A and in B)


  • 3.  RE: About Auth-Authz mapping

    Posted 07-16-2019 07:44 AM
    Could you please elaborate a bit more on how did you achieve it?

  • 4.  RE: About Auth-Authz mapping

    Posted 07-16-2019 08:50 AM

    It was easier than I thought.
    Domain must contain all two UserStore.
    Siteminder will try to authenticate with same password in order on both user store and it will exit with success on the first match.
    So you don't really need two separate login pages.
    The important thing is the mapping.
    In the policy you need to select only the user store that you'd like to use for authorization. That because on authorization phase all data in the response will be taken from that directory.

    You need to create a mapping rule. You can use "Identity Mapping" entry in Directory menù or "authorization/authentication mapping".

    The mapping rule must be select also in the Realm.