Configure an Environment to Use Different Directories for Authentication and Authorization

An administrator may need to manage users whose profiles exist in a different user store from the one that is used for authenticating the administrator. In other words, when logging in to the Identity Manager Environment, the administrator must be authenticated using one directory and authorized to manage users in a second directory, as shown in the following illustration:
[Illustration: Administrators logging in to the Environment must be authenticated using one directory and authorized to manage users in a second directory.]
Follow these steps:
  1. Log in to one of the following interfaces:
    • For CA SSO Web Access Manager r12 or higher, log in to the Administrative UI.
    • For CA eTrust CA SSO 6.0 SP5, log in to the Policy Server User Interface.
  2. Create two user directories.
    One directory references the authentication data (administrator profiles); the other directory references the authorization data (user profiles).
  3. In the Management Console, create an Identity Manager Environment. Select the authorization directory as the Identity Manager directory.
  4. In the interface for the version of CA SSO used, add the authentication directory to the domain for the Identity Manager Environment that you created in the previous step.
    The domain and other objects that are required for CA SSO are created automatically when you create an Environment and CA SSO integrates with Identity Manager.
    The domain uses the following naming convention: Identity Manager-environment Domain (where Identity Manager-environment is the name of your Environment).
  5. Make sure that the authentication directory appears first in the list of directories that are associated with the domain.
  6. Locate the Identity Manager-environment_ims_realm.
  7. Map the authorization directory to the authentication directory in the Advanced section of the realm definition.
  8. Locate the Identity Manager-environment response_ims response.
  9. Add a response attribute to the response with the following values:
    Field             Value
    Attribute         Web-Agent-HTTP-Header-Variable
    Attribute Kind    user attribute
    Variable Name     sm_userdn
    Attribute Name    SM_USERNAME
  10. Save the changes.
    Identity Manager now uses different directories for authentication and authorization.
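The following is an added, self-contained model of the split the procedure configures: credentials are checked only against the authentication directory (administrator profiles), the authenticated name is then resolved in the authorization directory (user profiles), and the resolved entry populates the sm_userdn header defined in step 9. It is not CA SSO or Identity Manager code. The directory contents are constructed, the choice of uid as the attribute shared by both stores is an assumption, and the decision to place the authorization-directory DN in sm_userdn is an assumption about what the SM_USERNAME attribute carries after directory mapping. The point it makes is the one a practitioner should verify after step 7: an account that authenticates but has no profile in the authorization directory must be denied rather than silently authorized.

```python
import hashlib
import hmac
from typing import Optional


def _digest(password: str) -> str:
    # Constructed credential store keeps only SHA-256 digests, never plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample data, not a real user store.
# Authentication directory: administrator profiles, checked for credentials only.
AUTHENTICATION_DIRECTORY = {
    "uid=jsmith,ou=admins,dc=corp,dc=example": {
        "uid": "jsmith", "password": _digest("admin-pass-1"),
    },
    # Authenticates fine but has no matching profile in the authorization store.
    "uid=orphan,ou=admins,dc=corp,dc=example": {
        "uid": "orphan", "password": _digest("admin-pass-2"),
    },
}

# Authorization directory: user profiles that Identity Manager manages.
AUTHORIZATION_DIRECTORY = {
    "uid=jsmith,ou=people,dc=users,dc=example": {"uid": "jsmith", "role": "UserManager"},
    "uid=alice,ou=people,dc=users,dc=example": {"uid": "alice", "role": "User"},
}


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the DN in the authentication directory if the credentials match, else None."""
    for dn, attrs in AUTHENTICATION_DIRECTORY.items():
        if attrs["uid"] == username:
            # Constant-time comparison of the digests.
            if hmac.compare_digest(attrs["password"], _digest(password)):
                return dn
            return None
    return None


def map_to_authorization_directory(username: str) -> Optional[str]:
    """Model of the realm's directory mapping (step 7): find the same uid in the
    authorization directory. Assumption: uid is the attribute shared by both stores."""
    for dn, attrs in AUTHORIZATION_DIRECTORY.items():
        if attrs["uid"] == username:
            return dn
    return None


def login(username: str, password: str) -> dict:
    """Authenticate against one directory, authorize against the other, and build
    the response. The sm_userdn header mirrors the response attribute of step 9;
    carrying the authorization-directory DN in it is an assumption of this model."""
    authn_dn = authenticate(username, password)
    if authn_dn is None:
        return {"status": "denied", "reason": "authentication failed"}

    authz_dn = map_to_authorization_directory(username)
    if authz_dn is None:
        # Authenticated, but not present in the store being managed: deny.
        return {"status": "denied", "reason": "no profile in authorization directory"}

    return {
        "status": "ok",
        "authenticated_as": authn_dn,
        "headers": {"sm_userdn": authz_dn},
    }


if __name__ == "__main__":
    for user, pw in [("jsmith", "admin-pass-1"), ("jsmith", "wrong"),
                     ("orphan", "admin-pass-2"), ("alice", "anything")]:
        print(user, login(user, pw))
```

Running the block shows the three outcomes the configuration must produce: jsmith is authenticated in the administrator store and authorized through the mapped user-store entry; a wrong password is rejected before any mapping happens; orphan and alice are both denied, the former because the authorization directory has no profile for the name, the latter because a user-store-only account never authenticates at all.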