Symantec Access Management

  • 1.  SiteMinder Auth/AZ Mapping

    Posted Oct 23, 2017 07:29 PM

    Experts, I need your help with the use case below –

     

    We have an application protected using CA SiteMinder with LDAP as the authentication/authorization directory. Pretty much, we have rules for GET/POST WA actions and an OnAccessReject authorization event.

     

    The requirements are –

    •      Use LDAP as the authentication directory and AD as the authorization directory for realm “A”. However, for realm “B” there won’t be any change, i.e. LDAP remains the authentication/authorization directory.
    •      For both resources, we will have group-based authorization.
    •      Send an HTTP header response with the user’s group membership from the authorization directory.

     

    Solution implemented so far –

    •      Created an Auth/AZ mapping with Universal ID.
    •      For realm “A”, configured AD as the authorization directory at the realm level and kept the default for the 2nd realm.
    •      For realm “A”, I added “ALL” in the LDAP directory and specified the group details in the AD directory.
    •      For realm “B”, it is showing both the LDAP and AD directories in policies. So I just added the application groups in the LDAP directory and allowed access to ALL users in AD.
    •      Configured a response header for sending the “memberOf” attribute values.

     

    Questions –

    •      Since we have rules created for GET/POST WA actions, it gets the memberOf attribute value from the authorization directory. So how will it behave for realm “B”, since it has both directories listed? We require this value from LDAP and not from AD, which is populated in the policy. Do we need to create the AuthAccept rule and tie the response to it? For realm “A”, I guess it will pull it from AD directly.
    •      Do any other configuration changes need to be done?

     

    I couldn’t test it using SMTestTool yet, which I’ll do. But any recommendations will be appreciated.



  • 2.  Re: SiteMinder Auth/AZ Mapping

    Posted Oct 24, 2017 05:02 AM

    Hi,

     

    You don't have to add users from both directories for the 2nd realm (B). Please do the following.

    1. Create a new policy for the 2nd realm and add users from the LDAP directory.

    2. Create an OnAccessAccept rule and add the response to it.

     

    Thanks,
    Sharan



  • 3.  Re: SiteMinder Auth/AZ Mapping
    Best Answer

    Posted Oct 24, 2017 08:16 AM

    Adding a few more details to be taken care of.

     

     

    LDAP as authentication directory and AD as authorization directory.

     

    >>>> Create Directory Mapping LDAP AuthDir and AD AzDir. You may use the Legacy Directory Mapping OR Authentication-Authorization in IdentityMapping.

     

    Use LDAP as authentication directory and AD as authorization directory for “A” realm. However, for “B” realm there won’t be any change i.e. LDAP as an authentication/authorization directory

     

    >>>> IMPORTANT : In the Policy Domain only add LDAP as User Directory. AD as User Directory should not be added at Policy Domain Level.

     

    >>>> Go to Realm-A and select the Directory Mapping from the applicable drop-down (Legacy Directory Mapping or Identity Mapping). Create a separate Policy for Realm-A. Here in the policy you'll see LDAP and AD (a result of the mapping being in the realm). Select the users from AD who need to be allowed access. In LDAP you could leave it blank. Add the rule and response. Save the Policy.

     

    >>>> Go to Realm-B. Here we do not select any Directory Mapping. Create a separate Policy for Realm-B. I think (if memory serves right), here too you'll see LDAP and AD. Select the users from LDAP who need to be allowed access. In AD you could leave this blank. Add the rule from Realm-2 and associate it with the response. Save the Policy.

     

     



  • 4.  Re: SiteMinder Auth/AZ Mapping

    Posted Oct 24, 2017 01:15 PM

    Thank you Sharan & Hubert !

     

    Can you please comment on the memberOf attribute? How can I pass it to the Realm A & B resources after successful authorization from the respective authorization directories?



  • 5.  Re: SiteMinder Auth/AZ Mapping

    Posted Oct 26, 2017 06:17 AM

    Hi VVK,

     

    You would need to create an OnAccessAccept rule in both Realm A and Realm B; then you need to add this rule under the respective policy and add the response for the memberOf attribute.

     

    Thanks,

    Sharan



  • 6.  Re: SiteMinder Auth/AZ Mapping

    Posted Oct 26, 2017 02:09 PM

    Hi Sharan,

     

    What if I just have GET/POST rules for both Realm A and Realm B with different authorization directories? Shouldn't it send the authorization response (memberOf) attribute from the respective authorization directory?

     

    I'm a little confused about the need for an OnAccessAccept rule.



  • 7.  Re: SiteMinder Auth/AZ Mapping

    Posted Oct 26, 2017 02:55 PM

    It should work with just a GET / POST / PUT rule.

     

    Create two Responses  (I guess memberOf only works in AD, for LDAP it is IsMemberOf).

    Response-A (for AD) : memberOf.

    Response-B (for LDAP) : IsMemberOf.

     

     

    Realm-A (With DirMap) --> GET-POST-PUT-RuleA --> Policy-A (Select Users from AD) --> Link Response-A.

    Realm-B (No DirMap)  --> GET-POST-PUT-RuleB --> Policy-B (Select Users from LDAP) --> Link Response-B.
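
    To make the realm → rule → policy → response chain that Hubert and Sharan describe concrete, here is an added, runnable model. It is example code written for this page, not SiteMinder's own engine or any CA/Broadcom code. The directory contents, the user IDs, the header name `SM_GROUPS`, and treating `memberOf` (AD) and `IsMemberOf` (LDAP) as plain per-user attributes are constructed assumptions; a real policy server resolves the universal ID against each directory and evaluates the policy's user selection, which the model approximates with dictionary lookups.

```python
"""Simplified model of the realm -> rule -> policy -> response flow.

Illustrative simulation written for this page, not SiteMinder code.
Directories, users, attribute names and the header name are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample directories (assumption: user1 exists in both, user2
# only in LDAP, user3 only in AD). Group attribute names follow reply 7.
LDAP_DIR: Dict[str, Dict[str, List[str]]] = {
    "user1": {"IsMemberOf": ["cn=ABC,ou=groups,o=corp"]},
    "user2": {"IsMemberOf": ["cn=XYZ,ou=groups,o=corp"]},
}
AD_DIR: Dict[str, Dict[str, List[str]]] = {
    "user1": {"memberOf": ["CN=PQR,OU=Groups,DC=corp,DC=local"]},
    "user3": {"memberOf": ["CN=PQR,OU=Groups,DC=corp,DC=local"]},
}
DIRECTORIES = {"LDAP": LDAP_DIR, "AD": AD_DIR}


@dataclass
class Realm:
    name: str
    auth_dir: str = "LDAP"              # policy-domain user directory
    az_mapping: Optional[str] = None     # Directory Mapping set on the realm

    def az_dir(self) -> str:
        # With no mapping the authentication directory also authorizes.
        return self.az_mapping or self.auth_dir


@dataclass
class Policy:
    rule_actions: Set[str]               # Web Agent actions the rule covers
    allowed_groups: Optional[Set[str]]   # None means ALL users in the AZ dir
    group_attr: str                      # attribute the response reads
    header: str = "SM_GROUPS"            # hypothetical response header name


def authenticate(realm: Realm, user: str) -> bool:
    """Authentication always happens against the policy-domain directory."""
    return user in DIRECTORIES[realm.auth_dir]


def authorize(realm: Realm, policy: Policy, user: str,
              action: str) -> Tuple[str, Dict[str, str]]:
    """Return (decision, response headers).

    Group membership and the response attribute are read only from the
    realm's authorization directory, as reply 7 describes; the same
    universal ID must therefore also resolve there.
    """
    if not authenticate(realm, user):
        return "AUTH_REJECT", {}
    if action not in policy.rule_actions:
        return "ACCESS_REJECT", {}          # no rule fires for this action
    entry = DIRECTORIES[realm.az_dir()].get(user)
    if entry is None:
        return "ACCESS_REJECT", {}          # authenticated, but unknown to AZ dir
    groups = entry.get(policy.group_attr, [])
    if policy.allowed_groups is not None and not set(groups) & policy.allowed_groups:
        return "ACCESS_REJECT", {}
    return "ACCESS_ACCEPT", {policy.header: ";".join(groups)}


# Realm-A maps authorization to AD; Realm-B keeps LDAP for both.
REALM_A = Realm("A", az_mapping="AD")
REALM_B = Realm("B")
# Policy-A selects users from AD, Policy-B from LDAP (reply 7's wiring).
POLICY_A = Policy({"GET", "POST", "PUT"},
                  {"CN=PQR,OU=Groups,DC=corp,DC=local"}, "memberOf")
POLICY_B = Policy({"GET", "POST", "PUT"},
                  {"cn=ABC,ou=groups,o=corp"}, "IsMemberOf")


if __name__ == "__main__":
    for realm, policy, user, action in [
        (REALM_A, POLICY_A, "user1", "GET"),
        (REALM_B, POLICY_B, "user1", "POST"),
        (REALM_A, POLICY_A, "user2", "GET"),   # no AD entry -> reject
        (REALM_A, POLICY_A, "user3", "GET"),   # not in LDAP -> auth reject
    ]:
        print(realm.name, user, action, authorize(realm, policy, user, action))
```

    The model makes two points from the thread visible: the header for realm A carries the AD `memberOf` value while realm B carries the LDAP `IsMemberOf` value from the same GET/POST rule, and a user who authenticates in LDAP but has no entry in the mapped AD directory is rejected at authorization rather than silently passed.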



  • 8.  Re: SiteMinder Auth/AZ Mapping

    Posted Nov 13, 2017 04:37 PM

    Thanks Hubert !

     

    Currently, we are sending the response in an XYZ attribute. The application team wants us to send the user's group membership from both LDAP (authentication directory) and AD (authorization directory) in this attribute.

    Ex – User 1 is a member of the ABC group in LDAP (authentication directory) & the PQR group in AD (authorization directory). In the existing setup, I am keeping the LDAP user base blank and sending the group details from AD (authorization directory) on the GET/POST event. I created an OnAuthAccept rule and attached it to a new response which sends the group details from LDAP. However, they don't want these group details in two different responses. They want them clubbed under one.

     

    Is there a way we can achieve this? Do you think SMWALKER or Variables would be of any help with this?