Enable a CA SSO Integration with Deployed CA Identity Manager Environments

Customers who installed either Identity Manager or the vApp solution without enabling the CA SSO integration, and then decided to enable the integration, had to follow a strict, complicated set of instructions.
The process is now part of the Management Console and lets you perform the integration without those complicated manual steps.
NOTES:
  • The customer must enable the CA SSO Policy Server resource adapter and ensure that the CA Identity Manager server can successfully connect to the policy server. For more details see Enable the CA SSO Policy Server Resource Adapter.
  • The customer will maintain all run-time details in the Task Persistence database after the Identity Manager integration.
  • The existing password policies for the Identity Manager environment are not migrated in this integration. The integration creates a default password policy in the CA SSO Policy Store.
  • If you upgrade the CA Identity Manager system to 14.3 and you use WebLogic or WebSphere, you need to edit the corresponding properties file so that the integration output appears in the server log.
    • For WebLogic, open the log configuration file iam_im.ear\config\com\netegrity\config\log4j_weblogic.properties and add the following line:
      log4j.category.ims.SSOIntegration=INFO
    • For WebSphere, open the log configuration file iam_im.ear\config\com\netegrity\config\log4j_websphere.properties and add the following line:
      log4j.category.ims.SSOIntegration=INFO
  • For more information on how to re-deploy the CA Identity Manager EAR in WebSphere, see Redeploying the EAR File.
  • For JBoss or WildFly, the installer upgrade automatically adds these new settings.
  • This feature does not integrate the Provisioning directory, only the Identity Manager User directory.
Follow these steps:
  1. Log on to the Management Console and browse to Home, Environments, <your selected environment>, SSO Integration Properties. The SSO Integration Properties page appears.
  2. The SSO Integration Properties page contains two sections: the SSO user directory section and the Environment Integration Properties section.
    SSO user directory section
    The appearance of the CA SSO user directory deployment section depends on your CA Identity Manager user directory type and on the existing CA SSO directories.
      • If there are no LDAP/RDB user directories in CA SSO, a CA SSO user directory is automatically created with the same name as the CA Identity Manager user directory. A message appears stating: Create a new SSO user directory for IM user store "<name of the CA Identity Manager user store directory>". For an RDB CA Identity Manager user directory, you need to provide the following information: ODBC Data Source, Data Source Username, and Data Source Password. For more information, see Configure a Data Source for CA SSO.
      • If there are user directories in CA SSO, you have two options: Connect to SSO user directory from the drop-down list, or Create a new CA SSO user directory for the Identity Manager user store. For an RDB Identity Manager user directory, you need to provide the following information: ODBC Data Source, Data Source Username, and Data Source Password.
      • If there is a CA SSO directory with the same name as a current Identity Manager directory, it appears in the Connect to SSO user directory from drop-down list.
      • If the user directory is already deployed, the following message appears: IM user store "<name>" is associated with SSO user directory "<name>".
        Connect to SSO user directory
        If you connect an Identity Manager directory to an existing CA SSO directory, the two directories must have the same connection configuration.
        • If the name of the Identity Manager user store differs from the name of the CA SSO user directory, updating the Identity Manager user store from the Management Console does not affect the associated CA SSO user directory.
        • Deleting an Identity Manager user store also deletes the CA SSO user directory if:
          1. The Identity Manager user store and the CA SSO user directory have the same name
          2. No CA SSO domain is associated with the CA SSO user directory
          3. No Identity Manager user store remains associated with the CA SSO user directory
    Environment Integration Properties section
    The available environment integration properties depend on whether the CA Identity Manager environment is protected by CA SSO.
    If the Identity Manager environment is not protected by CA SSO:
      • If the Identity Manager user store directory type is LDAP, enter the name used to uniquely identify the Identity Manager environment on the policy server, and then click Validate to test it. The default name is the same as the current environment name.
      • Enable Role-Based Access Control: Select this option to enable access roles for use with CA SSO. To use access roles with CA SSO, CA Identity Manager mirrors all objects in the Identity Manager object store that are related to access roles into the CA SSO policy store. This was originally accomplished using a manual process, detailed in the Enable Access Roles for Use with CA SSO section of the How to Configure Access Roles topic.
      • Disable Policy Store Update: Selecting this option disables the synchronization between the policy store in CA Single Sign-On (formerly SiteMinder) and Identity Manager for both the Directory XML and the Role Definition XML. This feature applies only to a pairing of CA Single Sign-On and CA Identity Manager. During the XML file import, a message is displayed stating that the associated policy store will not be updated for this environment.
      • Select the agent to use to protect this environment.
        Note: For the agent, CA recommends selecting a CA SSO web agent or a web agent group and not the 4.x web agent used for communication between the solutions.
    If the Identity Manager environment is already protected by CA SSO, you can update only the following two settings for the CA Identity Manager environment:
      • Enable Role-Based Access Control
      • Disable Policy Store Update
  3. Click OK. The SSO Integration Summary page appears, listing your choices along with a brief message.
  4. Click Deploy to confirm and submit your choices. The CA SSO Integration pane displays real-time log messages.
  5. When the process completes, you can select either Export Output to export the log or Continue to return to the Environment Integrations Profile page.
  6. Select Restart Environment to have your changes take effect.