How to use LDAP query as a source in Windows SSO



Solution

Overview

You are using a Windows SSO authentication realm but you want the ProxySG appliance to query an LDAP source for authorization.

Resolution

After you create a Windows SSO realm, you can use the Windows SSO Authorization tab to configure authorization for the realm.

Note: Windows SSO realms do not require an authorization realm. If the policy does not make any decisions based on groups, you do not need to specify an authorization realm.

Prerequisite

You must have defined at least one Windows SSO realm (using the Windows SSO Realms tab) before attempting to set Windows SSO realm properties. If the message "Realms must be added in the Windows SSO Realms tab before editing this tab" is displayed in red at the bottom of this page, you do not currently have any Windows SSO realms defined.

   1. Select Configuration > Authentication > Windows SSO > Authorization.
   2. Configure authorization options:
         a. From the Realm name drop-down list, select the Windows SSO realm for which you want to change realm properties.
         b. (Optional) From the Authorization realm name drop-down list, select the previously-configured realm used to authorize users.

(To construct usernames, remember that the authorization username attribute is a string that contains policy substitutions. When authorization is required for the transaction, the character string is processed by the policy substitution mechanism, using the current transaction as input. The resulting string becomes the user's authorization name for the current transaction.)

         c. By default, the LDAP FQDN is selected as the Authorization user name. Change this value if the user's authorization information resides in a different root DN. To use a different authorization name, de-select Use FQDN and enter a different name, for example:

            cn=$(user.name),ou=partition,o=company 


   3. Click Apply.

      Common Substitutions Used in the Authorization username Field


      ELFF Substitution     CPL Equivalent     Description
      x-cs-auth-domain      $(user.domain)     The Windows domain of the authenticated user.
      cs-username           $(user.name)       The relative username of the authenticated user.
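
The following sketch is an added example, not Blue Coat code and not part of the original article. It previews the authorization name that the step 2c template would yield for a given user, and flags usernames containing characters that are special in an LDAP DN (RFC 4514). It assumes the substitution is a literal text replacement; the transaction dictionaries are constructed sample data.

```python
import re

# Template from the article's step 2c.
TEMPLATE = "cn=$(user.name),ou=partition,o=company"
# CPL substitutions listed in the article's table.
KNOWN = {"user.name", "user.domain"}

def escape_dn_value(value):
    """Escape a string for use as an RFC 4514 attribute value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def expand(template, transaction, escape=True):
    """Replace each $(name) with the transaction's value for that name."""
    def repl(match):
        name = match.group(1)
        if name not in KNOWN:
            raise KeyError("substitution not in the article's table: " + name)
        value = transaction[name]
        return escape_dn_value(value) if escape else value
    return re.sub(r"\$\(([^)]+)\)", repl, template)

def alters_dn(template, transaction):
    """True when a value would change the DN's structure if inserted unescaped."""
    raw = expand(template, transaction, escape=False)
    return raw != expand(template, transaction)

if __name__ == "__main__":
    # Constructed sample transactions, not taken from a real appliance.
    samples = [
        {"user.name": "jsmith", "user.domain": "CORP"},
        {"user.name": "smith, j", "user.domain": "CORP"},
    ]
    for tx in samples:
        print(expand(TEMPLATE, tx), "| review:", alters_dn(TEMPLATE, tx))
```

Usernames flagged for review are the ones to test against the authorization realm before relying on group-based policy for them.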

Related CLI Syntax to Configure Authorization Settings

SGOS#(config windows-sso realm_name) authorization realm-name authorization-realm-name
SGOS#(config windows-sso realm_name) authorization username authorization-username

InQuira Doc Id      KB4034
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      ProxySG
Software      SGME 5, SGOS 4, SGOS 5, SGOS 6
Article Number      000011460