After you create a Windows SSO realm, you can use the Windows SSO Authorization tab to configure authorization for the realm.
Note: Windows SSO realms do not require an authorization realm. If the policy does not make any decisions based on groups, you do not need to specify an authorization realm.
You must have defined at least one Windows SSO realm (using the Windows SSO Realms tab) before attempting to set Windows SSO realm properties. If the message Realms must be added in the Windows SSO Realms tab before editing this tab is displayed in red at the bottom of this page, you do not currently have any Windows SSO realms defined.
1. Select Configuration > Authentication > Windows SSO > Authorization.
2. Configure authorization options:
a. From the Realm name drop-down list, select the Windows SSO realm for which you want to change realm properties.
b. (Optional) From the Authorization realm name drop-down list, select the previously-configured realm used to authorize users.
(To construct usernames, remember that the authorization username attributes is a string that contains policy substitutions. When authorization is required for the transaction, the character string is processed by the policy substitution mechanism, using the current transaction as input. The resulting string becomes the user's authorization name for the current transaction.)
c. By default, the LDAP FQDN is selected as the Authorization user name. Change this value if the user's authorization information resides in a different root DN. To use a different authorization name, de-select Use FQDN and enter a different name, for example:
3. Click Apply.
Common Substitutions Used in the Authorization username Field
ELFF Substitution CPL Equivalent Description
x-cs-auth-domain $(user.domain) The Windows domain of the authenticated user.
cs-username $(user.name) The relative username of the authenticated user.
Related CLI Syntax to Configure Authorization Settings
SGOS#(config windows-sso realm_name) authorization realm-name authorization-realm-name
SGOS#(config windows-sso realm_name) authorization username authorization-username