Account mapping

With single sign-on, account mapping occurs between IBM® Security Verify Access and IBM Verify Identity Governance during login authentication.

When a user accesses IBM Verify Identity Governance through WebSEAL with single sign-on, the user must specify an IBM Security Verify Access user account and password. IBM Security Verify Access checks whether the user is authorized to access IBM Verify Identity Governance.

If the authentication and authorization are successful, the IBM Security Verify Access user account is passed in the iv-user HTTP request header to IBM Verify Identity Governance, which uses that account name to find a matching user account in the IBM Verify Identity Governance directory. As with any header-based identity assertion, the iv-user header is trusted only because it arrives from WebSEAL; IBM Verify Identity Governance must not be reachable by clients that bypass WebSEAL, since such a client could supply the header itself.

Typically, IBM Security Verify Access and IBM Verify Identity Governance user accounts are identical. If they are identical, the IBM Verify Identity Governance user can log in to IBM Verify Identity Governance.

If they are not identical, you can configure IBM Verify Identity Governance user account mapping. There are two configuration options. They are controlled by the enrole.authentication.idsEqual attribute in the enRoleAuthentication.properties file in the IM_HOME/data directory:

enrole.authentication.idsEqual=true
No mapping is attempted. The IBM Security Verify Access user account passed in the iv-user HTTP request header must be identical to an IBM Verify Identity Governance user account defined in the IBM Verify Identity Governance directory for the user to log in to IBM Verify Identity Governance.

If the policy in your installation is that all IBM Verify Identity Governance user accounts must have matching IBM Security Verify Access user accounts, specify enrole.authentication.idsEqual=true to avoid the unnecessary mapping processing and overhead.

enrole.authentication.idsEqual=false
The IBM Security Verify Access user account passed in the iv-user HTTP request header is used to search the IBM Verify Identity Governance directory for a matching IBM Verify Identity Governance user account:
  • If an identical IBM Verify Identity Governance user account is found, the user can log in to IBM Verify Identity Governance with that account.
  • If an identical IBM Verify Identity Governance user account is not found, IBM Verify Identity Governance attempts to locate a matching user account with the following mapping logic:

    The IBM Security Verify Access user account from the iv-user HTTP request header is used to search the IBM Verify Identity Governance directory for an IBM Security Verify Access user account with the same name.

    If an identical IBM Security Verify Access user account is found in the IBM Verify Identity Governance directory, a search is performed for the IBM Verify Identity Governance Person entity that owns it. If no owning Person entity can be located, the user cannot log in.

    If the owning Person entity is found, a search is performed for an IBM Verify Identity Governance user account owned by that Person. If one is found, the user logs in to IBM Verify Identity Governance with that user account. Otherwise, the user cannot log in.
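The following is an added example, not IBM's code, that models both the enrole.authentication.idsEqual setting and the mapping logic described above so the two modes and their failure paths can be traced on sample data. The Directory class, the Person identifiers, the parse_ids_equal() helper, the treatment of a missing property as false, and the choice of the first matching account when a Person owns several are all assumptions made for this example; the real product's directory schema and defaults are not shown on this page.

```python
# Added example (not IBM's code): a model of the iv-user account mapping
# described on this page. The directory contents, Person identifiers and the
# parse_ids_equal() helper are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

PROPERTY = "enrole.authentication.idsEqual"


@dataclass(frozen=True)
class Directory:
    """Minimal model of the IBM Verify Identity Governance directory (assumed shape)."""
    # IBM Verify Identity Governance user accounts: login name -> owning Person (or None)
    ivig_accounts: dict[str, Optional[str]]
    # IBM Security Verify Access accounts held in the same directory: login -> owning Person (or None)
    verify_access_accounts: dict[str, Optional[str]]


def parse_ids_equal(properties_text: str) -> bool:
    """Read enrole.authentication.idsEqual from enRoleAuthentication.properties text.

    Assumption for this example: a missing or non-'true' value is treated as false.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":          # Java properties comment lines
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == PROPERTY:
            return value.strip().lower() == "true"
    return False


def map_iv_user(iv_user: str, directory: Directory, ids_equal: bool) -> Optional[str]:
    """Return the IBM Verify Identity Governance account to log in as, or None if login is refused."""
    # Both modes: an identical IBM Verify Identity Governance account wins outright.
    if iv_user in directory.ivig_accounts:
        return iv_user
    # idsEqual=true: no mapping is attempted.
    if ids_equal:
        return None
    # Mapping step 1: locate the Verify Access account of the same name in the directory.
    if iv_user not in directory.verify_access_accounts:
        return None
    # Mapping step 2: find the Person entity that owns that account.
    owner = directory.verify_access_accounts[iv_user]
    if owner is None:
        return None                              # orphaned account: no owning Person
    # Mapping step 3: find an IBM Verify Identity Governance account owned by the same Person.
    for login, person in directory.ivig_accounts.items():
        if person == owner:
            return login                         # assumption: first match is used
    return None


SAMPLE_DIRECTORY = Directory(  # constructed sample data
    ivig_accounts={
        "jdoe": "person:jane-doe",
        "ssmith": "person:sam-smith",
        "admin": None,
    },
    verify_access_accounts={
        "jdoe": "person:jane-doe",
        "jane.doe": "person:jane-doe",          # maps to jdoe via the owning Person
        "tmp.contractor": "person:contractor",  # owner has no IVIG account
        "orphan": None,                         # account with no owning Person
    },
)

SAMPLE_PROPERTIES = """# constructed fragment of enRoleAuthentication.properties
enrole.authentication.idsEqual=false
"""

if __name__ == "__main__":
    ids_equal = parse_ids_equal(SAMPLE_PROPERTIES)
    for user in ("jdoe", "jane.doe", "tmp.contractor", "orphan", "unknown"):
        result = map_iv_user(user, SAMPLE_DIRECTORY, ids_equal)
        print(f"{PROPERTY}={ids_equal!s:<5} iv-user={user:<15} -> {result}")
```

Running the script with idsEqual=false shows jane.doe mapped to jdoe through the shared Person, while tmp.contractor, orphan and unknown are refused for the three distinct reasons the text lists; flipping the sample property to true makes jane.doe fail as well, because only the identical-name match is attempted.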