Managing federated directories

Keep your federated directories up-to-date so that Security Access Manager can access the most recent user information that is stored in external user registries. You can add a new directory, remove an existing one, or modify its settings.

About this task

Federated directories store the data that is associated with different users in different user registries. With federated directories, the appliance can access user information that is stored in a user registry external to Security Access Manager.

The DN of the user controls the user registry that is used when you search for user information. The Security Access Manager data that is associated with each user record is still stored in the Security Access Manager user registry. The Security Access Manager user registry is defined when you configure the runtime environment.

The Federated Directories menu item is enabled only if the runtime component is already configured.

Note: If the federated directories configuration is changed on the appliance that is running the policy server, the policy server is automatically restarted.

Procedure

  1. From the top menu, select Secure Web Settings > Manage > Runtime Component.
  2. Select Manage > Federated Directories.
    Note: All configured directories are displayed. By default, only the number of configured suffixes is shown. To view the suffixes in a particular directory, expand the relevant row.
  3. Follow the prompts to complete the action you want to take.
    Note: After you make any of the following changes, you must restart the Security Access Manager runtime environment for the changes to take effect.
    • Add a directory
      • Click New and provide values for the displayed fields.
      • Multiple suffixes can be added on separate lines in the Suffix field.
      • If the Enable SSL option is selected, an extra field Client Certificate is displayed. Use the Client Certificate field to define the client personal certificate to present to the federated user directory server. This field is not required when one of the certificates in the keyfile was identified as the default certificate. The decision of whether to identify a certificate as the default depends on the configuration of the target user directory server.
      • You can click Save only if all of the fields are valid.
    • Modify the settings for a configured directory
      • Select the directory to update and click Edit.
    • Remove a directory or suffix
      • If you select a directory row and click Delete, the selected directory is removed. If you select a suffix row and click Delete, the selected suffix is removed.
        Note: Before you delete a federated directory, delete all federated users in this directory from Security Access Manager first.
      • The confirmation message indicates whether a directory or a suffix is being removed.
      • You cannot delete a suffix if it is the only suffix left in a directory, because such an operation would leave the configuration in an invalid state. A directory must have at least one suffix to be valid.
    • Update the LDAP SSL settings
      • Click SSL Settings.
      • This function updates the values in the ldap.conf configuration file. These values are only used if SSL settings do not exist in the configuration file of the hosting server. For example, if the settings exist in the WebSEAL configuration file, they take precedence over the settings that are contained in the ldap.conf configuration file.
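The two rules this page relies on, that the user's DN selects the federated directory through its configured suffixes (see About this task) and that a directory must always keep at least one suffix, are modelled below in Python as an added example; this is not Security Access Manager code and does not reflect the product's internal implementation. The directory names, suffixes and DNs are constructed for the example, and the longest-matching-suffix tie-break for overlapping suffixes is an assumption, since the page does not state how overlaps are resolved.

```python
"""Illustrative model of DN-based routing across federated directories.

Added example, not Security Access Manager code. Assumes a plain mapping of
directory name -> list of configured suffixes, case-insensitive DN matching,
and a longest-matching-suffix rule (an assumption for this example only).
"""
from typing import Dict, List, Optional


def normalize_dn(dn: str) -> str:
    """Lower-case a DN and strip whitespace around RDN separators.

    Assumption: DNs compare case-insensitively and whitespace around the
    commas between RDNs is not significant (ordinary LDAP DN handling).
    """
    return ",".join(part.strip() for part in dn.split(",")).lower()


def dn_under_suffix(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or is an entry somewhere below it."""
    ndn, nsuf = normalize_dn(dn), normalize_dn(suffix)
    return ndn == nsuf or ndn.endswith("," + nsuf)


def select_directory(dn: str, directories: Dict[str, List[str]]) -> Optional[str]:
    """Return the name of the directory whose suffix contains dn, or None.

    When several suffixes match (one nested under another), the longest,
    i.e. most specific, suffix wins. That tie-break is an assumption.
    """
    best_name, best_len = None, -1
    for name, suffixes in directories.items():
        for suffix in suffixes:
            n = len(normalize_dn(suffix))
            if dn_under_suffix(dn, suffix) and n > best_len:
                best_name, best_len = name, n
    return best_name


def remove_suffix(directories: Dict[str, List[str]], name: str, suffix: str) -> Dict[str, List[str]]:
    """Model the UI rule that a directory must keep at least one suffix.

    Returns a new mapping with the suffix removed. Raises KeyError if the
    suffix is not configured for that directory, and ValueError if removing
    it would leave the directory with no suffix (the invalid state the page
    describes). The original mapping is left untouched.
    """
    suffixes = directories[name]
    remaining = [s for s in suffixes if normalize_dn(s) != normalize_dn(suffix)]
    if len(remaining) == len(suffixes):
        raise KeyError(f"suffix {suffix!r} is not configured for {name!r}")
    if not remaining:
        raise ValueError(f"cannot remove the only suffix of directory {name!r}")
    updated = dict(directories)
    updated[name] = remaining
    return updated


# Constructed sample configuration (names and suffixes are made up, not from the page).
FEDERATED: Dict[str, List[str]] = {
    "corp-ldap": ["dc=corp,dc=example", "o=partners"],
    "hr-ldap": ["ou=people,dc=corp,dc=example"],  # nested under corp-ldap's suffix
}

if __name__ == "__main__":
    for dn in (
        "uid=alice,ou=people,dc=corp,dc=example",  # most specific suffix -> hr-ldap
        "cn=svc,dc=corp,dc=example",               # only corp-ldap matches
        "cn=bob,dc=other,dc=example",              # no configured suffix -> None
    ):
        print(f"{dn} -> {select_directory(dn, FEDERATED)}")
```

The nested-suffix case is the one worth noticing when planning a federated layout: a user under ou=people,dc=corp,dc=example is routed to hr-ldap only because the more specific suffix is preferred, so the order in which directories were added does not decide the outcome in this model.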