New features are always added to the solution stack; some seem to slide in with minimal awareness.
This is one that I know customers have asked for, and I am pleased to see that it was introduced in the r14.0/14.1 releases and does not require any SSO solution integration.
Take a look. Note that if you have multiple AD (Microsoft Active Directory) domains, you may still wish to introduce CA SSO to allow "directory chaining" for authentication, e.g. to search many, many userstores, or to use with CA SSO + AA for step-up authentication using one-use tokens.
Edit (5/31/2018): updated hyperlinks and attached PDFs. If the hyperlinks fail in future, use docops.ca.com to search "CA Identity Manager" for the Active Directory authentication module.
Enable the Active Directory Authentication Module
By default, CA Identity Manager comes with an out-of-the-box authentication module. This module authenticates the user against the directory that is configured for their environment. The user can also be authenticated to an external Active Directory using the following procedure. You can also encrypt ADMINPWD and KEYSTOREPWD instead of leaving them as clear text.
Note: The Active Directory endpoint must be provisioned by CA Identity Manager so the Active Directory accounts are synchronized with the CA Identity Manager user store. This procedure also assumes that the administrator is proficient with Active Directory.
Follow these steps:
- Locate the following property file:
<Identity Manager installation location>/iam_im.ear/config/ad_auth_settings.properties
- Set the following properties:
KEYSTOREPWD=<Key store password>
SEARCHFILTER = <Active Directory user search filter>
SSL = <TRUE or FALSE>
- Save the file, and then restart CA Identity Manager Server.
- In the Management Console, browse to Environments, <your Identity Manager Environment>, Advanced Settings, User Console.
In the Authentication provider module class name field, enter the following value:
- Click Save.
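
A check to run on ad_auth_settings.properties before restarting the server, as an added example that is not part of the original post or of CA's code: it flags clear-text ADMINPWD/KEYSTOREPWD values, SSL set to anything other than TRUE, and placeholders left unfilled. The `{SCHEME}:` prefix used to recognise an encrypted value and the sample file contents are assumptions.

```python
import re

# Keys the page names as holding passwords.
PASSWORD_KEYS = {"ADMINPWD", "KEYSTOREPWD"}
# Assumption: an encrypted value carries a "{SCHEME}:" prefix. Adjust this
# pattern to whatever your encryption tool actually writes.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9]+\}:.+")

# Constructed sample, not taken from a real deployment.
SAMPLE = """\
# ad_auth_settings.properties (constructed)
ADMINPWD={ENC}:CONSTRUCTED-CIPHERTEXT
KEYSTOREPWD=changeit
SEARCHFILTER = <Active Directory user search filter>
SSL = FALSE
"""

def parse_properties(text):
    """Parse 'key=value' and 'key = value' lines; skip blanks and comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")  # search filters contain '=' too
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return (key, finding) pairs for settings that need attention."""
    props = parse_properties(text)
    findings = []
    for key, value in props.items():
        if value.startswith("<") and value.endswith(">"):
            findings.append((key, "still holds the template placeholder"))
        elif key in PASSWORD_KEYS and value and not ENCRYPTED.match(value):
            findings.append((key, "password stored as clear text"))
    if props.get("SSL", "").upper() != "TRUE":
        findings.append(("SSL", "not TRUE"))
    return findings

if __name__ == "__main__":
    for key, finding in audit(SAMPLE):
        print(f"{key}: {finding}")
```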
This architecture allows the use of a separate userstore (CA Directory) for access, while AD is used as the authentication store (AN). This assumes that the active users (those who will authenticate) are 1:1 between the two (2) userstores.
- Recommendation: Review the pros/cons of userstore design/considerations.