I thought of creating three realms:
* /loginA protected in domain A
* /protected protected in domain A
* /loginB protected in domain B

Both /loginA and /loginB redirect to /protected.
On the realm /protected I was thinking of hooking an Auth-Autz mapping based on UniversalId. I will therefore have two policies:
* PA policy, which contains the /loginA and /protected realms and has "all users of the directory A" as authorized users
* PB policy, which contains /loginB and has "all the users of the directory B" as authorized users
What do you think? Might it work? Is this the correct way to do it?
Ok. I played with it a little and now it works. Not in the way I described above. The solution is to create a single domain with all the users and in this case on the login page both the passwords of the user store A and of B (even if the same user exists both in A and in B)
It was easier than I thought. The domain must contain both user stores. Siteminder will try to authenticate with the same password, in order, on both user stores, and it will exit with success on the first match. So you don't really need two separate login pages. The important thing is the mapping. In the policy you need to select only the user store that you'd like to use for authorization. That is because in the authorization phase all data in the response will be taken from that directory.
You need to create a mapping rule. You can use the "Identity Mapping" entry in the Directory menu or "authorization/authentication mapping".
The mapping rule must also be selected in the Realm.