How to use LDAP query as a source in Windows SSO
search cancel

How to use LDAP query as a source in Windows SSO

book

Article ID: 166523

calendar_today

Updated On:

Products

Director ProxySG Software - SGOS

Issue/Introduction

You are using a Windows SSO authentication realm but you want the ProxySG appliance to query an LDAP source for authorization.

Resolution

After you create a Windows SSO realm, you can use the Windows SSO Authorization tab to configure authorization for the realm.

Note: Windows SSO realms do not require an authorization realm. If the policy does not make any decisions based on groups, you do not need to specify an authorization realm.

Prerequisite

You must have defined at least one Windows SSO realm (using the Windows SSO Realms tab) before attempting to set Windows SSO realm properties. If the message Realms must be added in the Windows SSO Realms tab before editing this tab is displayed in red at the bottom of this page, you do not currently have any Windows SSO realms defined.

   1. Select Configuration > Authentication > Windows SSO > Authorization.
   2. Configure authorization options:
         a. From the Realm name drop-down list, select the Windows SSO realm for which you want to change realm properties.
         b. (Optional) From the Authorization realm name drop-down list, select the previously-configured realm used to authorize users.

(To construct usernames, remember that the authorization username attributes is a string that contains policy substitutions. When authorization is required for the transaction, the character string is processed by the policy substitution mechanism, using the current transaction as input. The resulting string becomes the user's authorization name for the current transaction.)

         c. By default, the LDAP FQDN is selected as the Authorization user name. Change this value if the user's authorization information resides in a different root DN. To use a different authorization name, de-select Use FQDN and enter a different name, for example:

            cn=$(user.name),ou=partition,o=company 


   3. Click Apply.

      Common Substitutions Used in the Authorization username Field


      ELFF Substitution      CPL Equivalent         Description
      x-cs-auth-domain      $(user.domain)      The Windows domain of the authenticated user.
      cs-username             $(user.name)          The relative username of the authenticated user.

Related CLI Syntax to Configure Authorization Settings

SGOS#(config windows-sso realm_name) authorization realm-name authorization-realm-name
SGOS#(config windows-sso realm_name) authorization username authorization-username

Powered by Wolken Software