Switching SDM to SAML Authentication; Users With Access to SDM and ITAM Show Duplicated
Article ID: 248845

Products

CA Process Automation Base Process Automation Manager

Issue/Introduction

We are preparing to switch our Service Desk Manager, Service Catalog, and xFlow Analyst to SAML authentication, and it is working properly. However, ITAM and PAM would still be using EEM, since SAML is not available. Since our EEM connects to our Active Directory, which uses userIDs as the username, and our SAML connection to Okta uses email addresses as the username, I found that users who have access to both SDM and ITAM had issues after the userid values were updated. I logged into ITAM and authorized my account from EEM and was able to log into that, but I found I have two records in ca_contact now. This will cause some confusion when users are selecting contacts in SDM. Is there any way to authorize EEM users in ITAM without creating duplicate contacts in SDM?

Environment

Release : 17.3

Component : ITAM - EEM

Resolution

Here is how to convert ITPAM and ITAM users so that they log in with the email address instead of the userid:

In EEM:

- Change the User Store attribute mapping so that UserName maps to the email address field in LDAP
- Re-assign application groups to the necessary records for PAM

In the MDB:

- Update the usernames on the contact records

For communication between the applications:

- Generate a new SOAP web services policy and usmcertfiles
- Restart services

For CA Process Automation and CA Service Catalog, update the user credentials in the Options Manager:
  - caextwf_ws_user
  - caextwf_ws_password
  - casc_user
  - casc_user_password

Then recycle the SDM services so that the NX.env files are updated on all servers.
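The MDB step above (updating the contact usernames), together with a check for the duplicate ca_contact records described in the Issue, as an added SQL example that is not part of the article. It assumes a SQL Server MDB and the ca_contact columns contact_uuid, userid and email_address (assumed column names); run the read-only queries first.

```sql
-- Added example; not from the KB article. Assumes the SDM MDB table
-- ca_contact (named in the article) with columns contact_uuid, userid and
-- email_address (assumed names) on SQL Server.

-- 1. Find the duplicate pairs described in the Issue: an EEM/ITAM-created
--    contact still keyed by the AD account name, next to an SDM contact
--    whose userid is already the same person's e-mail address.
SELECT ad.contact_uuid  AS ad_contact,
       ad.userid        AS ad_userid,
       sso.contact_uuid AS sso_contact,
       sso.userid       AS sso_userid
FROM   ca_contact ad
JOIN   ca_contact sso
       ON  LOWER(sso.userid) = LOWER(ad.email_address)
       AND sso.contact_uuid <> ad.contact_uuid
WHERE  ad.userid NOT LIKE '%@%';          -- still an AD account name

-- 2. Preview the rename: contacts keyed by account name that have an
--    e-mail address and would not collide with an existing userid.
SELECT c.contact_uuid, c.userid AS old_userid, c.email_address AS new_userid
FROM   ca_contact c
WHERE  c.userid NOT LIKE '%@%'
  AND  c.email_address IS NOT NULL
  AND  NOT EXISTS (SELECT 1 FROM ca_contact o
                   WHERE LOWER(o.userid) = LOWER(c.email_address));

-- 3. Apply only the collision-free renames inside a transaction. Pairs
--    returned by query 1 are left alone: renaming them would give two
--    records the same userid, so they have to be merged by hand.
BEGIN TRANSACTION;
UPDATE c
SET    c.userid = c.email_address
FROM   ca_contact c
WHERE  c.userid NOT LIKE '%@%'
  AND  c.email_address IS NOT NULL
  AND  NOT EXISTS (SELECT 1 FROM ca_contact o
                   WHERE LOWER(o.userid) = LOWER(c.email_address));
-- Compare @@ROWCOUNT with the preview from query 2, then COMMIT or ROLLBACK.
COMMIT;
```

SDM caches contact records, so the change is only picked up after the services are recycled as the last step above describes.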