Symantec Access Management

  • 1.  Mapping to authorize and return headers from 2x directories

    Posted Mar 27, 2015 12:29 PM

    Ok, so I have what I thought would be a very simple requirement with SiteMinder... but the tons of "identity mappings" and some work on Domain/Realm but not Application Objects etc. is killing me. Not sure why this isn't easier... Or maybe I'm just making it more difficult than it needs to be.


    Setup:

    - 1x User Directory - Oracle

    - 1x User Directory - AD


    Both are LDAP directories and the user 'can' exist in one or both. Attribute headers and authorization are always needed from the Oracle directory but 'may' also be needed for some applications from the AD directory.


    Requirements:

    - ALL apps configured as Application Objects (no domain/realm)

    - ALL application objects need to be able to return user attributes as headers and authorize from the "Oracle" directory

    - SOME applications need to authorize to the "AD" directory but continue to get user attribute headers from the "Oracle" directory  <--- this is the 'new' requirement


    In order to support the requirement that ALL apps get user attributes from the Oracle directory, I set up an Auth-Validate mapping under Identity Mappings and applied it as a global validation directory mapping. This was the only way to do this that I could find, even after working with CA support. Without it, the only attributes that could be returned were bound to the authentication directory.


    However, that seems to break ANY possibility of getting authorization to the "AD" directory - even if applying a legacy authn/authz mapping to the component. Still won't go across and authorize to "AD".


    So here's where I'm at currently:


    - Global Validation mapping directory for "AD" --> "Oracle" to meet the requirement "ALL application objects need to be able to return user attributes as headers and authorize from the "Oracle" directory"

    - Adding a legacy authn/authz mapping still fails, I'm guessing because the global validation mapping is hosing it up?

    - Identity Mapping cannot be applied to individual applications, so no options to play around with different mappings there except as global, heh


    Any thoughts on how to accomplish this? Basically I need SiteMinder to essentially act like a quasi-virtual directory, so using 2x directories allows header attributes or authorization to occur for any given user no matter which directory they authenticated to.


    It really seems like I'm missing something really obvious here O_o. So any pointers would be appreciated - even if just getting me down the right path.



  • 2.  Re: Mapping to authorize and return headers from 2x directories

    Posted Mar 27, 2015 12:36 PM

    Only thing I can think of is to split when headers are found/set...


    Can you AU from Oracle and set Oracle headers then, while grabbing AZ from AD and setting them then, or the opposite way?


    If not, I think smwalker can do this, but that's an add-on. CA will make you fork over more $$$.



  • 3.  Re: Mapping to authorize and return headers from 2x directories

    Posted Mar 27, 2015 01:11 PM

    Sorry, not quite sure I understand the exact setup there.


    If I disable the global validation then I'm stuck getting headers from only the authentication directory and can never get them from another. So if a user authenticated to AD, I could not get Oracle headers. And if they authenticated to Oracle, I could not do anything to AD. Users regularly authenticate to either directory depending on their choice of credential.


    With 500+ applications, it would be really difficult to get any major overhauls out to everything.


    And I really, really don't want to have to get yet another product / license. SiteMinder is already an adventure; all I need is another licensed add-on at this point.