Can the administrative scope of the SSO username used in Identity Manager integration setup be limited to the SSO Domain?


Article ID: 139377


Updated On:


CA Identity Manager CA Identity Suite SITEMINDER CA Security Command Center


When integrating Identity Manager with Single Sign-On (SSO), can the administrative scope of the SSO username configured in ra.xml be limited to the Domain that SSO defines for CA Identity Manager? We do not want a fully empowered SSO administrative account to be handed to an external application.


Release : 14.3

Component : IdentityMinder(Identity Manager)


No. The SSO username in ra.xml must be an administrator account with modification privileges (create, write and delete) not only on the Domain or Realm but also on Rules, Responses, the User Directory, Authentication Schemes, Password Policies and related objects.

Changes made to a User Directory or Password Policy in Identity Manager are expected to be propagated to SSO. If the SSO username in ra.xml is scoped to the Domain only, that propagation fails because the account cannot modify objects that live outside the Domain.

For example, we created an SSO administrator, imssouser, whose scope is limited to the Identity Manager Domain, updated ra.xml to use it and restarted Identity Manager.

Identity Manager started successfully and we could log in to the Identity Manager User Console. However, when we went to Policies > Manage Password Policies > Modify Password Policy we got the following error.

Error: Password Policies are not supported. A Password Data attribute must be configured on the SiteMinder user directory to support password policies. This is automatically configured when deploying a new Identity Manager directory with an attribute specified for the %PASSWORD_DATA% well-known.

The Policy Server trace log shows the following error

<ObjectClassName = UserDirectory>
<Name = 0e-98a4bac6-2964-4e46-8279-b85e82e91eaf>
<status=E/0913/-4/Policy API error>

Updating the User Directory on the Management Console fails with the following error

An error occurred while configuring Identity Manager.  Reverting configured objects...
Error: The user directory "UserStore" does not exist.

Modifying the IM Environment on the Management Console, for example Advanced Settings > Web Services, yields the following error

Configuring web services...
Error: Could not find the agent for the domain associated with the environment. Cannot configure the policy to protect web services

The Identity Manager and SSO integration is not designed to use an SSO legacy administrator whose privileges are restricted to the SSO Domain. The symptoms above are all the same failure: the ra.xml administrator can manage the Domain but cannot create or update the global objects (User Directory, Password Policy, Agent, Authentication Scheme) that Identity Manager must touch during configuration and propagation.
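The Policy Server trace excerpt above is the quickest way to tell that the ra.xml administrator is under-scoped: every failing record names an object class that lives outside the Domain. The script below, added here as an example and not part of the article or of any CA tooling, parses records in that three-line shape (ObjectClassName / Name / status) and reports which object classes hit a Policy API error. The sample trace is constructed: only the UserDirectory record is quoted from the article; the Domain and PasswordPolicy records, the success-status line format and the object-class spellings other than UserDirectory are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample. Record 1 is the trace quoted in the article; the other
# two records, the "S/..." success status line and the "PasswordPolicy"
# object-class spelling are assumptions made for this example.
SAMPLE_TRACE = """\
 <ObjectClassName = UserDirectory>
 <Name = 0e-98a4bac6-2964-4e46-8279-b85e82e91eaf>
<status=E/0913/-4/Policy API error>
 <ObjectClassName = Domain>
 <Name = 03-1111aaaa-0000-4000-8000-000000000001>
<status=S/0000/0/Ok>
 <ObjectClassName = PasswordPolicy>
 <Name = 1a-2222bbbb-0000-4000-8000-000000000002>
<status=E/0913/-4/Policy API error>
"""

# Object classes that the article says a Domain-scoped administrator cannot
# modify. "UserDirectory" is the spelling seen in the trace; "PasswordPolicy"
# and "AuthScheme" are assumed spellings.
GLOBAL_OBJECT_CLASSES = {"UserDirectory", "PasswordPolicy", "AuthScheme"}

# One record = ObjectClassName line, Name line, status line (whitespace between
# the tags may include newlines and leading blanks, as in the quoted trace).
RECORD_RE = re.compile(
    r"<ObjectClassName\s*=\s*(?P<cls>[^>]+?)\s*>\s*"
    r"<Name\s*=\s*(?P<name>[^>]+?)\s*>\s*"
    r"<status=(?P<sev>[A-Z])/(?P<code>\d+)/(?P<rc>-?\d+)/(?P<msg>[^>]*)>"
)


@dataclass(frozen=True)
class TraceRecord:
    object_class: str
    name: str        # Policy Server object OID as printed in the trace
    severity: str    # "E" for error in the quoted trace
    code: str        # e.g. "0913"
    rc: int          # e.g. -4
    message: str     # e.g. "Policy API error"

    @property
    def failed(self) -> bool:
        return self.severity == "E"


def parse_trace(text: str) -> List[TraceRecord]:
    """Extract every ObjectClassName/Name/status record from a trace excerpt."""
    return [
        TraceRecord(m["cls"], m["name"], m["sev"], m["code"], int(m["rc"]), m["msg"])
        for m in RECORD_RE.finditer(text)
    ]


def failed_object_classes(text: str) -> Counter:
    """Count Policy API failures per object class."""
    return Counter(r.object_class for r in parse_trace(text) if r.failed)


def suspect_domain_scoped_admin(text: str) -> bool:
    """True when a failure hit an object class outside the Domain, which is the
    signature described in the article for an under-scoped ra.xml account."""
    return any(cls in GLOBAL_OBJECT_CLASSES for cls in failed_object_classes(text))


def diagnosis(text: str) -> Optional[str]:
    """Human-readable summary, or None when the excerpt contains no failures."""
    failures = failed_object_classes(text)
    if not failures:
        return None
    classes = ", ".join(f"{cls} ({n})" for cls, n in sorted(failures.items()))
    hint = (" - failures on global objects: check the scope of the ra.xml administrator"
            if suspect_domain_scoped_admin(text) else "")
    return f"Policy API errors on: {classes}{hint}"


if __name__ == "__main__":
    print(diagnosis(SAMPLE_TRACE))
```

Run it against a real trace (`diagnosis(open("smtracedefault.log").read())`, path assumed) after reproducing one of the Management Console or User Console failures; a hit on UserDirectory or PasswordPolicy with a working login points at scope rather than at credentials.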