Multiple Active Directory Domains with Identity Manager

Article ID: 384636

Products

CA Identity Manager, CA Identity Suite

Issue/Introduction

We need to add another Active Directory (AD) domain to be managed by Identity Manager (IDM). This new domain is on a different network from the existing AD, although IDM can still reach it. What is Broadcom’s recommended best practice for managing two separate AD domains within the same IDM environment? Is it necessary to create a separate userstore?

Additionally, since users from one AD domain should only request roles associated with their own domain, should this restriction be enforced through policies that filter based on user attributes, or is there a better recommended approach?

Environment

Release: 14.5
Component: Identity Suite Virtual Appliance

Resolution

Separate AD Endpoints:
Each domain will require its own separate AD endpoint. This ensures that IDM can manage each domain independently and effectively.

Unique UPNs:
User Principal Names (UPNs) need to be unique across the domains. This prevents conflicts and ensures that each user is uniquely identifiable within the IDM system.

Userstore Considerations:
A separate userstore is not strictly necessary, but it can be beneficial depending on your specific requirements and the complexity of your environment. If you choose to use a separate userstore, you will need to deploy a separate Identity Manager cluster for it. If you choose to use a single userstore, ensure that it can handle the attributes and policies for users from both domains.


Best Practices:

Endpoint Configuration:
Properly configure each AD endpoint in IDM to ensure seamless communication and management.

Policy Enforcement:
Implement and enforce policies that restrict role requests based on user attributes to maintain security and compliance.

By following these best practices, you can effectively manage multiple AD domains within a single IDM instance, ensuring both security and operational efficiency.
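The two checks above that lend themselves to automation are UPN uniqueness across the domains and the attribute-based restriction on role requests. The following is an added example (not Identity Manager code, and not an IDM API): it takes constructed user records from two hypothetical domains, flags any UPN that appears more than once, and models a policy in which a user may only request roles scoped to the domain recorded on their own user attribute. The domain names, user records and role catalogue are assumptions for illustration.

```python
# Added example, not part of Identity Manager: pre-onboarding UPN collision
# check plus a model of a domain-scoped role-request policy.
from collections import defaultdict

# Constructed sample data: one record per user with UPN, sAMAccountName and
# the domain the account lives in (the attribute the policy filters on).
USERS = [
    {"upn": "alice@corp.example", "sam": "alice", "domain": "corp.example"},
    {"upn": "bob@corp.example", "sam": "bob", "domain": "corp.example"},
    {"upn": "carol@partner.example", "sam": "carol", "domain": "partner.example"},
    # Same UPN value re-used in the second domain: must be resolved before import.
    {"upn": "Bob@corp.example", "sam": "bob2", "domain": "partner.example"},
]

# Constructed role catalogue: each role is scoped to exactly one domain.
ROLES = {
    "Corp Finance": "corp.example",
    "Corp Helpdesk": "corp.example",
    "Partner Portal": "partner.example",
}


def find_upn_collisions(users):
    """Return {upn: sorted domains} for every UPN that occurs more than once.
    UPNs are compared case-insensitively, as AD treats them."""
    seen = defaultdict(list)
    for u in users:
        seen[u["upn"].lower()].append(u["domain"].lower())
    return {upn: sorted(doms) for upn, doms in seen.items() if len(doms) > 1}


def requestable_roles(user, roles):
    """Roles the user may request: only those scoped to the user's own domain."""
    dom = user["domain"].lower()
    return sorted(r for r, scope in roles.items() if scope.lower() == dom)


def may_request(user, role, roles):
    """Policy decision for one role request; unknown roles are denied."""
    scope = roles.get(role)
    return scope is not None and scope.lower() == user["domain"].lower()


if __name__ == "__main__":
    print("UPN collisions:", find_upn_collisions(USERS))
    for u in USERS[:3]:
        print(u["upn"], "->", requestable_roles(u, ROLES))
```

Run this against real exports from both domains before the second endpoint goes live, since any non-empty collision list is exactly the conflict the Unique UPNs requirement is there to prevent.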