AnsweredAssumed Answered

Mapping to authorize and return headers from 2x directories

Question asked by CBertagnolli Champion on Mar 27, 2015
Latest reply on Mar 27, 2015 by CBertagnolli

Ok, so I have what I thought would be very simple requirement with SiteMinder...but the tons of "identity mappings" and some work on Domain/Realm but not Application Objects etc is killing me. Not sure why this isn't easier.....Or maybe I'm just making it more difficult than it needs to be .

 

Setup:

- 1x User Directory - Oracle

- 1x User Directory - AD

 

Both are LDAP directories and the user 'can' exist in one or both. Attribute headers and authorization are always needed from the Oracle directory but 'may' also be needed for some applications from the AD directory.

 

Requirements:

- ALL apps configured as Application Objects (no domain/realm)

- ALL application objects need to be able to return user attributes as headers and authorize from the "Oracle" directory

- SOME applications need to authorize to "AD" directory but continue to get user attribute headers from the "Oracle" directory  <--- this is 'new' requirement

 

In order to support the requirement that ALL apps get user attributes from the Oracle directory I setup an Auth-Validate mapping under Identity Mappings and applied it as a global validation directory mapping. This was the only way to do this that I could find even after working with CA support. Without it the only attributes that could be returned were bound to the authentication directory.

 

However, that seems to break ANY possibility to get authorization to the "AD" directory - even if applying a legacy authn/authz mapping to the component. Still won't go across and authorize to "AD".

 

 

So here's where I'm at currently:

 

- Global Validation mapping directory for "AD" --> "Oracle" to meet the requirement "ALL application objects need to be able to return user attributes as headers and authorize from the "Oracle" directory"

- Adding legacy authn/authz mapping still fails, I'm guessing because global validation mapping hosing it up?????

- Identity Mapping cannot be applied to individual applications, so no options to play around with different mappings there except as global heh

 

 

Any thoughts on how to accomplish this? Basically I need SiteMinder to essentially act like a quasi-virtual directory; so using 2x directories allow header attributes or authorization to occur for any given user no matter which directory they authenticated to.

 

It really seems like I'm either missing something really obvious here O_o. So any pointers would be appreciated - even if just getting me down the right path.

Outcomes