Can the administrative scope of the SSO username used in Identity Manager integration setup be limited to the SSO Domain?



Article ID: 139377


Products

CA Identity Manager, CA Identity Suite, SITEMINDER, CA Security Command Center

Issue/Introduction

When integrating Identity Manager with Single Sign-On (SSO), can the administrative scope of the SSO username configured in ra.xml be limited to the Domain that SSO defines for CA Identity Manager? We do not want a fully empowered SSO administrative account to be given to an external application.

Environment

Release : 14.3

Component : IdentityMinder (Identity Manager)

Resolution

No. The SSO username in ra.xml must be an administrator account with modification privileges (create, write and delete) not only on the Domain or Realm but also on Rules, Responses, User Directories, Authentication Schemes, Password Policies, and the other policy objects Identity Manager manages.


When you modify a User Directory or a Password Policy in Identity Manager, the change is propagated to SSO. If the SSO username in ra.xml is scoped to the Domain only, that propagation fails.


For example, we created the user imssouser with scope limited to the Identity Manager domain, updated ra.xml accordingly, and restarted Identity Manager. Identity Manager started successfully and we could log in to the Identity Manager User Console. However, when we went to Policies > Manage Password Policies > Modify Password Policy, we got the following error:


Error: Password Policies are not supported. A Password Data attribute must be configured on the SiteMinder user directory to support password policies. This is automatically configured when deploying a new Identiy Manager directory with an attribute specified for the %PASSWORD_DATA% well-known.



The Policy Server trace log shows the following error:


[11/06/2019][16:33:42.351][16:33:42][6524][7496][SmEmsCommandBase.cpp:537][CSmEmsCommandBase::traceResponse][][][][][][][][][][][][2323][][][][][][][<session=imssouser@IXszo4lVSR69DEVu+8sgJrqZbqI=>
<command=smgetobjprops>
 <ObjectClassName = UserDirectory>
 <Name = 0e-98a4bac6-2964-4e46-8279-b85e82e91eaf>
<status=E/0913/-4/Policy API error>
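The trace excerpt above has a regular shape: a line of bracketed header fields followed by angle-bracket key/value pairs for the session, command, object class, object name and status. The parser below is an added example (not Broadcom's code) that reads such records and flags commands that failed, so an administrator can see at a glance which object classes the ra.xml account could not access. The first sample record is the excerpt from this article; the second is a constructed success record whose status string is an assumption, included only to show the filter separating failures from successes.

```python
import re
from typing import Dict, List

# Constructed sample: record 1 is the trace line quoted in the article;
# record 2 is invented, with an assumed "S/0000/0/OK" status format.
SAMPLE_TRACE = """\
[11/06/2019][16:33:42.351][16:33:42][6524][7496][SmEmsCommandBase.cpp:537][CSmEmsCommandBase::traceResponse][][][][][][][][][][][][2323][][][][][][][<session=imssouser@IXszo4lVSR69DEVu+8sgJrqZbqI=>
<command=smgetobjprops>
 <ObjectClassName = UserDirectory>
 <Name = 0e-98a4bac6-2964-4e46-8279-b85e82e91eaf>
<status=E/0913/-4/Policy API error>
[11/06/2019][16:33:42.400][16:33:42][6524][7496][SmEmsCommandBase.cpp:537][CSmEmsCommandBase::traceResponse][][][][][][][][][][][][2324][][][][][][][<session=imssouser@IXszo4lVSR69DEVu+8sgJrqZbqI=>
<command=smgetobjprops>
 <ObjectClassName = Domain>
 <Name = IdentityManagerDomain>
<status=S/0000/0/OK>
"""

# A record starts at a line beginning with a bracketed date.
RECORD_START = re.compile(r"(?m)^(?=\[\d{2}/\d{2}/\d{4}\])")
BRACKET_FIELD = re.compile(r"\[([^\]]*)\]")
ANGLE_FIELD = re.compile(r"<\s*(\w+)\s*=\s*([^>]*?)\s*>")


def parse_trace_records(text: str) -> List[Dict[str, str]]:
    """Split a trace excerpt into records and extract the fields we care about."""
    records: List[Dict[str, str]] = []
    for chunk in RECORD_START.split(text):
        chunk = chunk.strip()
        if not chunk:
            continue
        first_line = chunk.splitlines()[0]
        brackets = BRACKET_FIELD.findall(first_line)
        rec: Dict[str, str] = {
            "date": brackets[0] if brackets else "",
            "time": brackets[1] if len(brackets) > 1 else "",
            "source": brackets[5] if len(brackets) > 5 else "",
        }
        # session, command, ObjectClassName, Name, status
        for key, value in ANGLE_FIELD.findall(chunk):
            rec[key] = value
        # The administrator name is the part of the session token before '@'.
        rec["admin"] = rec.get("session", "").split("@", 1)[0]
        # Status looks like "E/0913/-4/Policy API error": severity/code/rc/message.
        parts = rec.get("status", "").split("/", 3)
        rec["status_severity"] = parts[0] if parts else ""
        rec["status_code"] = parts[1] if len(parts) > 1 else ""
        rec["status_rc"] = parts[2] if len(parts) > 2 else ""
        rec["status_message"] = parts[3] if len(parts) > 3 else ""
        records.append(rec)
    return records


def find_failed_commands(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only records whose status severity is 'E' (an error response)."""
    return [r for r in records if r["status_severity"] == "E"]


def summarize(rec: Dict[str, str]) -> str:
    """One-line description: who ran what, on which object, with what outcome."""
    return (
        f"{rec['admin']}: {rec.get('command', '?')} on "
        f"{rec.get('ObjectClassName', '?')} '{rec.get('Name', '?')}' -> {rec.get('status', '?')}"
    )


if __name__ == "__main__":
    for failed in find_failed_commands(parse_trace_records(SAMPLE_TRACE)):
        print(summarize(failed))
```

Run against a real trace, a list of failed commands whose object classes lie outside the Domain (UserDirectory, PasswordPolicy, AuthScheme and so on) is a direct sign that the ra.xml account is scoped too narrowly for the integration.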


An update to the User Directory on the Management Console failed with the following error:


An error occurred while configuring Identity Manager.  Reverting configured objects...
Error: The user directory "UserStore" does not exist.


Modifying the IM Environment, for example Advanced Settings > Web Services on the Management Console, yields the following error:


Configuring web services...
Error: Could not find the agent for the domain associated with the environment. Cannot configure the policy to protect web services


The Identity Manager and SSO integration is not designed to use an SSO legacy Administrator whose privileges are restricted to the SSO Domain.