Enable a CA SSO Integration with Deployed CA Identity Manager Environments
Customers who installed either Identity Manager or the vApp solution without enabling the CA SSO integration, and then decided to enable the integration, had to follow a strict, complicated set of instructions.
The process is now part of the Management Console and allows you to perform the integration without the complicated manual steps described in those instructions.
- The customer must enable the CA SSO Policy Server resource adapter and ensure that the CA Identity Manager server can successfully connect to the policy server. For more details, see Enable the CA SSO Policy Server Resource Adapter.
- The customer will maintain all run-time details in the Task Persistence database after the Identity Manager integration.
- The existing password policies for the Identity Manager environment are not migrated in this integration. The integration creates a default password policy in the CA SSO Policy Store.
- If you upgrade your CA Identity Manager system to 14.3, and you use WebLogic or WebSphere, you need to edit the corresponding properties file so that you can see the integration output in the server log.
- For WebLogic, open the log configuration file found here: iam_im.ear\config\com\netegrity\config\log4j_weblogic.properties, and add the following line: log4j.category.ims.SSOIntegration=INFO
- For WebSphere, open the log configuration file found here: iam_im.ear\config\com\netegrity\config\log4j_websphere.properties, and add the following line: log4j.category.ims.SSOIntegration=INFO
- For more information on how to re-deploy the CA Identity Manager EAR in WebSphere, see Redeploying the EAR File.
- For JBoss or WildFly, the installer upgrade automatically adds these new settings.
- This feature does not integrate the Provisioning directory, but only the Identity Manager User directory.
Follow these steps:
- Log on to the Management Console and browse to Home, Environments, <your selected environment>, SSO Integration Properties. The SSO Integration Properties page appears.
- The SSO Integration Properties page contains two sections: the CA SSO user directory deployment section and the Environment Integration Properties section. The appearance of the CA SSO user directory deployment section depends on your CA Identity Manager User directory type and the existing CA SSO directories. Your available environment integration properties depend on whether the CA Identity Manager environment is or is not protected by CA SSO. If the Identity Manager environment is not protected by CA SSO:
- If there are no LDAP/RDB user directories in CA SSO, a CA SSO user directory is automatically created with the same name as the CA Identity Manager user directory. A message appears stating “Create a new SSO user directory for IM user store “<name of the CA Identity Manager user store directory>””. For an RDB CA Identity Manager user directory, you need to provide the following information: ODBC Data Source, Data Source Username, and Data Source Password. For more information, see Configure a Data Source for CA SSO.
- If there are user directories in CA SSO, you have two options: Connect to SSO user directory from the drop-down list, or Create a new CA SSO user directory for the Identity Manager user store. For an RDB Identity Manager user directory, you need to provide the following information: ODBC Data Source, Data Source Username, and Data Source Password.
- If there is a CA SSO directory with the same name as a current Identity Manager directory, you can see it under the Connect to SSO user directory from drop-down list.
- If the user directory is already deployed, the following message appears: IM user store “<name>” is associated with SSO user directory “<name>”. Connect to SSO user directory: if you connect an Identity Manager directory to an existing CA SSO directory, the two directories must have the same connection configuration.
- If the name of the Identity Manager user store is different from the name of the CA SSO user directory, updating the Identity Manager user store from the Management Console will not affect the associated CA SSO user directory.
- Deleting an Identity Manager user store deletes the CA SSO user directory only if all of the following hold:
- The Identity Manager user store and the CA SSO user directory have the same name
- There is no CA SSO domain associated with the CA SSO user directory
- There is no other Identity Manager user store associated with the CA SSO user directory
The environment integration properties are:
- If the Identity Manager user store directory type is LDAP, enter the name used to uniquely identify the Identity Manager environment on the policy server, and then click Validate to test it. The default name is the same as the current environment.
- Enable Role-Based Access Control: Select this option to enable access roles for use with CA SSO. To use access roles with CA SSO, CA Identity Manager mirrors all objects in the Identity Manager object store that are related to the access roles in the CA SSO policy store. This was originally accomplished using a manual process, detailed in the Enable Access Roles for Use with CA SSO section in the How to Configure Access Roles topic.
- Disable Policy Store Update: Selecting this option disables the synchronization between the policy store in CA Single Sign-on (formerly SiteMinder) and Identity Manager from both the Directory and the Role Definition XML. This feature only applies to a pairing of CA Single Sign-on and CA Identity Manager. A message is displayed during the XML file's import stating that the associated Policy Store will not be updated for this environment.
- Select the agent to use to protect this environment. Note: For the agent, CA recommends selecting a CA SSO web agent or a web agent group and not the 4.x web agent used for communication between the solutions.
If the Identity Manager Environment is already protected by CA SSO, you can only update the following two settings for the CA Identity Manager Environment:
- Enable Role-Based Access Control
- Disable Policy Store Update
- Click OK. The SSO Integration Summary page appears, listing your choices along with a brief message.
- Click Deploy to confirm and submit your choices. The CA SSO Integration pane displays real-time log messages.
- When the process completes, you can select either Export Output to export the log or Continue to return to the Environment Integrations Profile page.
- Select Restart Environment to have your changes take effect.