Solutions

How to use LDAP query as a source in Windows SSO

Solutions ID:    KB4034
Version:    1.0
Status:    Published
Published date:    09/23/2010
 

Problem Description

You are using a Windows SSO authentication realm but you want the ProxySG appliance to query an LDAP source for authorization.

Resolution

After you create a Windows SSO realm, you can use the Windows SSO Authorization tab to configure authorization for the realm.

Note: Windows SSO realms do not require an authorization realm. If the policy does not make any decisions based on groups, you do not need to specify an authorization realm.

Prerequisite

You must have defined at least one Windows SSO realm (using the Windows SSO Realms tab) before attempting to set Windows SSO realm properties. If the message Realms must be added in the Windows SSO Realms tab before editing this tab is displayed in red at the bottom of this page, you do not currently have any Windows SSO realms defined.

   1. Select Configuration > Authentication > Windows SSO > Authorization.
   2. Configure authorization options:
         a. From the Realm name drop-down list, select the Windows SSO realm for which you want to change realm properties.
         b. (Optional) From the Authorization realm name drop-down list, select the previously-configured realm used to authorize users.

(To construct usernames, remember that the authorization username attributes is a string that contains policy substitutions. When authorization is required for the transaction, the character string is processed by the policy substitution mechanism, using the current transaction as input. The resulting string becomes the user's authorization name for the current transaction.)

         c. By default, the LDAP FQDN is selected as the Authorization user name. Change this value if the user's authorization information resides in a different root DN. To use a different authorization name, de-select Use FQDN and enter a different name, for example:

            cn=$(user.name),ou=partition,o=company 


   3. Click Apply.

      Common Substitutions Used in the Authorization username Field


      ELFF Substitution      CPL Equivalent         Description
      x-cs-auth-domain      $(user.domain)      The Windows domain of the authenticated user.
      cs-username             $(user.name)          The relative username of the authenticated user.

Related CLI Syntax to Configure Authorization Settings

SGOS#(config windows-sso realm_name) authorization realm-name authorization-realm-name
SGOS#(config windows-sso realm_name) authorization username authorization-username


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
 
 
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.
 
 

Your response will be used to improve our document content.

Ask a Question