Hi to all!
When I installed SSO / SITEMINDER I installed it along with CA Identity Manager.
I had an Active Directory extension (which was the user store for both SSO and IM) with a new attribute, IM-DisabledState.
I used this attribute both for IAM (%DISABLE% attribute) and SSO ("Disabled Flag (RW)" attribute).
So everything has worked.
Of course I have two levels of "disabled" state:
* One on the Active Directory side (e.g. when a user fails to authenticate N times on an Active Directory PC)
* And one on the SSO side (e.g. when a user fails the password M times on SSO)
I currently have M < N, enhanced AD Integration enabled and password services enabled.
If a user is locked out on the Active Directory side they don't even log into SSO and this is what I want.
The change password flag also works well for me.
In the meantime, two things have happened:
1) I decommissioned IAM (however it still exists but no longer uses Active Directory as a User Store)
2) I have installed Advanced Authentication. I've mapped userAccountControl for user status.
What is the best practice now?
-> Change the SiteMinder configuration and use userAccountControl for SSO too ("Disabled Flag (RW)")?
-> Use IM-DisabledState for Advanced Authentication too
-> Leave everything as it is
Thanks in advance
Marco