Account mapping between ISAM and ISIM during login

Typically, the ISAM and ISIM user accounts are identical. If they are identical, the ISAM user can log in to ISIM directly. If they are not identical, you can configure ISIM user account mapping. There are two configuration options, controlled by the enrole.authentication.idsEqual property in the enRoleAuthentication.properties file.

Single sign-on account mapping occurs between IBM Security Access Manager and IBM Security Identity Manager during login authentication. When a user accesses ISIM through WebSEAL with SSO, the user specifies an ISAM user account and password. ISAM authenticates the user and checks whether the user is authorized to access ISIM. If authentication and authorization succeed, WebSEAL passes the ISAM user account name in the iv-user HTTP request header to ISIM for further processing. ISIM accepts that header because the application server's Trust Association Interceptor has established that the request came from WebSEAL; ISIM then uses the ISAM user account name to find a matching user account in the ISIM directory.

Do these steps:

  1. Log on to the ISIM virtual appliance console.

  2. From the top-level menu of the Appliance Dashboard, select Configure > Advanced Configuration > Update Property.

      On the Update Property page, select All properties > Identity server property > enRoleAuthentication.properties.

  3. Follow the steps described in Manage the server properties to set one of these configuration options:

      enrole.authentication.idsEqual=true
      No mapping is attempted. The ISAM user account name passed in the iv-user HTTP request header must be identical to an ISIM user account defined in the ISIM directory for the user to log in to ISIM. If the policy in your installation is that every ISIM user account has a matching ISAM user account, specify enrole.authentication.idsEqual=true to avoid the unnecessary mapping processing and overhead.

      enrole.authentication.idsEqual=false
      The ISAM user account name passed in the iv-user HTTP request header is used to search for a matching ISIM user account:

      If an identical ISIM user account is found, the user logs in to ISIM with that account.

      If no identical ISIM user account is found, ISIM searches its directory for an ISAM user account with the name from the iv-user header. If no such ISAM user account exists in the ISIM directory, the user cannot log in.

      If a matching ISAM user account is found, ISIM searches for the ISIM Person entity that owns it. If no owning Person entity can be located, the user cannot log in.

      If the owning Person entity is found, ISIM searches for an ISIM user account owned by that entity. If one is found, the user logs in to ISIM with that ISIM user account. Otherwise, the user cannot log in.

      Because the mapping goes through the owning Person entity, any ISAM account recorded in the ISIM directory as owned by a Person grants access to the ISIM account that Person owns. Before you set enrole.authentication.idsEqual=false, verify that the ISAM accounts in the ISIM directory are owned by the correct Person entities.
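The lookup chain for enrole.authentication.idsEqual=false, as an added example that is not part of this page or of the ISIM product code: a Python simulation that reads the property from the text of enRoleAuthentication.properties and then walks the same four decisions the text describes. The in-memory Directory is a stand-in for the ISIM LDAP directory; its record shape, the Person ids and the account names are constructed assumptions for the illustration. It covers every refusal case listed above (unknown ISAM account, ISAM account with no owning Person, Person with no ISIM account).

```python
"""Simulation of the ISIM login account mapping selected by
enrole.authentication.idsEqual.  Added example, not IBM's code: the
directory below is an in-memory stand-in for the ISIM LDAP directory and
its record shapes are assumptions made for this illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

PROPERTY = "enrole.authentication.idsEqual"


def read_ids_equal(properties_text: str) -> bool:
    """Return the idsEqual setting from the text of enRoleAuthentication.properties.

    Handles '#' and '!' comment lines and 'key=value' entries; raises if the
    property is absent rather than guessing a default."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == PROPERTY:
            return value.strip().lower() == "true"
    raise KeyError(f"{PROPERTY} is not set")


@dataclass
class Directory:
    """Stand-in for the ISIM directory (assumption: each account record holds
    the id of its owning Person entity, or None when it has no owner)."""
    persons: set[str]
    isim_accounts: dict[str, Optional[str]]   # ISIM login name -> owner Person
    isam_accounts: dict[str, Optional[str]]   # ISAM account name stored in ISIM -> owner Person

    def isim_account_owned_by(self, person: str) -> Optional[str]:
        # The page does not say which account wins if a Person owns several
        # ISIM accounts; this simulation returns the first one found.
        for name, owner in self.isim_accounts.items():
            if owner == person:
                return name
        return None


def map_login(iv_user: str, directory: Directory, ids_equal: bool) -> Optional[str]:
    """Return the ISIM user account that the iv-user header value logs in as,
    or None when the login must be refused."""
    # Step 1: an identical ISIM user account always wins.
    if iv_user in directory.isim_accounts:
        return iv_user
    # idsEqual=true: no mapping is attempted, so anything else is refused.
    if ids_equal:
        return None
    # Step 2: is the ISAM account known to the ISIM directory at all?
    if iv_user not in directory.isam_accounts:
        return None
    # Step 3: find the Person entity that owns that ISAM account.
    owner = directory.isam_accounts[iv_user]
    if owner is None or owner not in directory.persons:
        return None
    # Step 4: log in as the ISIM account owned by that Person, if one exists.
    return directory.isim_account_owned_by(owner)


# Constructed sample data (not taken from any real deployment).
SAMPLE_PROPERTIES = """\
# enRoleAuthentication.properties (constructed excerpt)
enrole.authentication.idsEqual=false
"""

DIRECTORY = Directory(
    persons={"p-alice", "p-bob", "p-carol"},
    isim_accounts={"alice": "p-alice", "bob.admin": "p-bob"},
    isam_accounts={
        "alice": "p-alice",   # identical to an ISIM account: step 1
        "bob": "p-bob",       # maps through Person p-bob to bob.admin
        "carol": "p-carol",   # Person exists but owns no ISIM account
        "dave": None,         # ISAM account without an owning Person
    },
)

if __name__ == "__main__":
    ids_equal = read_ids_equal(SAMPLE_PROPERTIES)
    for user in ("alice", "bob", "carol", "dave", "eve"):
        print(f"{user:6} -> {map_login(user, DIRECTORY, ids_equal)}")
```

Running the block with the constructed directory shows alice logging in unchanged, bob landing on bob.admin only when idsEqual is false, and carol, dave and eve refused for the three distinct reasons the text gives. The property reader deliberately raises when the key is missing so that a deployment does not silently fall back to a mapping mode the administrator never chose.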

Parent topic: Configuration of ISIM for SSO with Application server Trust Association Interceptor and ISAM WebSEAL