000014693 - AxM - Domino agent querying 'FEDERATED_IDENTITIES' table

Document created by RSA Customer Support Employee on Jun 14, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000014693
Applies To: RSA ClearTrust 4.6 agent for Domino 6.5.x
RSA Access Manager 4.8 agent for Domino 7.0.2
Issue: AxM - Domino agent querying "FEDERATED_IDENTITIES" table

SQL logs show the following SELECT queries, which map users between RSA ClearTrust and Domino user IDs. In this setup the RSA ClearTrust and Domino IDs are the same (matching). Is it possible to eliminate the unnecessary lookups?

===
SELECT U.NAME, F.FEDERATED_NAME, F.FEDERATED_ALIAS, F.SECURITY_DOMAIN
FROM USERS U, FEDERATED_IDENTITES F
WHERE U.ID = F.USER_ID AND F.PROVIDER_TYPE=:1 AND F.SECURITY_DOMAIN=:2 AND U.NAME=:3
===

Cause: The native functionality of Domino Web Server enforces authentication against the Domino user ID to control access to all resources, even when the RSA ClearTrust Agent is installed.
To prevent redundant user authentication by both Domino and RSA ClearTrust, you must either use matching Domino and RSA ClearTrust IDs, or map the RSA ClearTrust user name to the Domino user ID.
Matching/Mapping settings are controlled by the parameter cleartrust.agent.domino.retrieve_dominouserID in webagent.conf. The Agent retrieves a mapped Domino user ID only if the user authenticates successfully and this parameter is set to true.
Resolution: If ClearTrust and Domino use matching IDs, the unnecessary mapping lookups can be eliminated by setting cleartrust.agent.domino.retrieve_dominouserID=False.
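
To confirm the change on an agent host, the following added example (not RSA's code and not part of the original article) reads the parameter from webagent.conf text and counts mapping queries in a SQL log. It assumes key=value lines with '#' comments, that the last occurrence of a key wins, and one statement per log line; the function names and both sample inputs are constructed for illustration.

```python
import re

PARAM = "cleartrust.agent.domino.retrieve_dominouserID"

# Constructed webagent.conf excerpt (assumed format: key=value, '#' comments).
SAMPLE_CONF = """\
# Domino user ID mapping
#cleartrust.agent.domino.retrieve_dominouserID=False
cleartrust.agent.domino.retrieve_dominouserID = True
"""

# Constructed SQL log excerpt, one statement per line (assumed layout).
SAMPLE_SQL_LOG = """\
SELECT U.NAME, F.FEDERATED_NAME, F.FEDERATED_ALIAS, F.SECURITY_DOMAIN FROM USERS U, FEDERATED_IDENTITES F WHERE U.ID = F.USER_ID AND F.PROVIDER_TYPE=:1 AND F.SECURITY_DOMAIN=:2 AND U.NAME=:3
SELECT U.NAME FROM USERS U WHERE U.ID=:1
select u.name, f.federated_name from users u, FEDERATED_IDENTITIES f where u.id = f.user_id
"""

# Accept both spellings of the table name that appear in the article.
_TABLE = re.compile(r"\bFEDERATED_IDENTIT(?:IES|ES)\b", re.IGNORECASE)


def mapping_lookup_enabled(conf_text):
    """Return True/False for the parameter's effective value, None if unset."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and non-assignments
        key, _, val = line.partition("=")
        if key.strip() == PARAM:
            value = val.strip().lower() == "true"  # assumption: last one wins
    return value


def count_mapping_queries(sql_log_text):
    """Count SELECT statements that touch the user-mapping table."""
    return sum(1 for line in sql_log_text.splitlines()
               if line.lstrip().upper().startswith("SELECT")
               and _TABLE.search(line))


def review(conf_text, sql_log_text):
    """Summarise whether the configuration and the SQL log agree."""
    enabled = mapping_lookup_enabled(conf_text)
    hits = count_mapping_queries(sql_log_text)
    if enabled is False:
        return "ok" if hits == 0 else "mismatch"  # False set, lookups still seen
    return "lookups-enabled"  # True or unset: mapping lookups are expected
```
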
Legacy Article ID: a46446
