Directory Mapping

The Policy Server assumes that a user is authenticated and authorized against the same user directory. However, users can be authenticated against one directory, and authorized against a separate directory. This feature is called directory mapping.
You can map a central directory that stores authentication information to separate, distributed user directories that store authorization information. Each authorization directory is associated with particular network applications. The mappings locate authenticated users in the separate authorization directories.
Directory mapping does not support Impersonation. The user being impersonated must be uniquely present in the authentication directories that are associated with the domain, or the impersonation fails.
Mapping from an authentication directory to an authorization directory is a three-step process.
  1. Set up user directory connections.
  2. Configure a directory mapping.
  3. Assign a directory mapping to a realm. A user is authorized against this directory for specific network applications.
Authorization and Validation Identity Mappings
Identity mappings let you configure multiple target user directories and use custom search criteria. This configuration gives you flexibility in setting up your environment.
There are two types of identity mappings:
  • Authorization Identity Mapping
    A directory mapping that authenticates users against one directory and authorizes them against a different directory.
  • Validation Identity Mapping
    A directory mapping that authenticates users against one directory and validates them against a different directory. An authentication user directory that is connected to one Policy Server is mapped to a validation user directory that is connected to a different Policy Server.
Identity mappings do not require existing user directory connections.
There is a legacy method for directory mapping called Legacy (Auth/Az and AuthValidate) Directory Mappings. This legacy method is still available in this release, and any existing legacy mappings continue to work in the same way.
For legacy directory mappings, the user directory connections to the Policy Server must exist for the authentication directory and the authorization or validation directory.