000014754 - FIM - Install Documentation Incorrect on Liberty Mapping with Access Manager

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000014754
Applies To: RSA Federated Identity Manager 4.1
RSA Federated Identity Manager 4.0
RSA Access Manager 6.x used as WAM
Issue: FIM - Install Documentation Incorrect on Liberty Mapping with Access Manager

The FIM 4.1 Install_Config.pdf guide instructs that the following parameters be added to the Access Manager (AxM) ldap.conf for federated identity mapping.

For the mapping inside the AxM user store, page 79 of the FIM install guide states that the following lines need to be added to ldap.conf:

cleartrust.data.ldap.libertystore:
cleartrust.data.ldap.libertystore.basedn: 

Resolution

As of ClearTrust 5.5.2 (ClearTrust is the former name of the Access Manager product), these LDAP parameters were renamed to reflect broader support for the OASIS SAML specification. The cleartrust.data.ldap.libertystore parameters named in the FIM install guide are therefore obsolete; the parameters to set are cleartrust.data.ldap.identity_mapping_store and cleartrust.data.ldap.identity_mapping_store.basedn, carrying over the values that would otherwise have been given to the old parameters.

Excerpt from the 5.5.2 config_parameters_553 text file:

###############################################################################
#
# Replace these parameters in your ldap.conf with the new ones provided below:
#
#    cleartrust.data.ldap.libertystore
#    cleartrust.data.ldap.libertystore.basedn
#
# Please ensure that you carry over your current settings for the replaced
# parameters.
#
###############################################################################


# Establishes the primary LDAP directory server that will be used to store
# identity mapping data. In order to utilize the identity mapping APIs on an
# LDAP store, you will need to:
#
#   a) Create an organizational unit on your directory store for
#      storing the data. The suggested name is
#      "ctscLibertyFederatedMappingRepository".
#   b) Set the cleartrust.data.ldap.identity_mapping_store parameter.
#      Set the cleartrust.data.ldap.identity_mapping_store.basedn parameter.
#
# Allowed Values:
#   The primary LDAP server name that this Entitlements Server or
#   Authorization Server should access for identity mapping data.
#
# Dependencies:
#   The name entered here must first be declared using the directory_name
#   parameter.
#
#cleartrust.data.ldap.identity_mapping_store   :<current value of cleartrust.data.ldap.libertystore>


# In the LDAP directory specified for storing identity mapping data, this is
# the Base DN (or highest node in your directory tree), where RSA ClearTrust
# should initiate searches for identity mappings.
#
# Allowed Values:
#   A valid LDAP DN.
#
# Dependencies:
#   You can specify only one Base DN for identity mapping data.
#
#cleartrust.data.ldap.identity_mapping_store.basedn     :<current value of cleartrust.data.ldap.libertystore.basedn>

Notes

If LDAP failover is implemented for the Access Manager datastores, assign a failover group (rather than a single directory name) to cleartrust.data.ldap.identity_mapping_store. The failover group already used for the user store is usually the right choice, except in an AD-ADAM installation, where the mapping data is held on the ADAM datastore and that datastore's failover group should be used instead.

Example:
cleartrust.data.ldap.failover_group.iplanet_failover         :iplanet-primary,iplanet-secondary
...
cleartrust.data.ldap.userstore      :iplanet_failover
...
cleartrust.data.ldap.identity_mapping_store       :iplanet_failover
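To apply the rename mechanically rather than by hand, here is an added Python example (not RSA's code, and not taken from the FIM or Access Manager documentation) that rewrites the two legacy libertystore keys in an ldap.conf while carrying over their values, and then checks the dependency called out in the excerpt and in the Notes above: the value of cleartrust.data.ldap.identity_mapping_store must be either a directory declared with directory_name or a failover group whose members are all declared. The sample configuration is constructed, the failover_group syntax follows the example above, and the exact syntax of directory_name declarations (DIR_RE) is an assumption to adjust to your own ldap.conf.

```python
"""Migrate a ClearTrust / Access Manager ldap.conf from the legacy
libertystore parameters to the identity_mapping_store parameters
introduced in ClearTrust 5.5.2, then sanity-check the result.

Added example, not RSA code. Assumptions are marked below.
"""
import re

# Legacy parameter name -> replacement (as listed in the config_parameters excerpt)
RENAMES = {
    "cleartrust.data.ldap.libertystore":
        "cleartrust.data.ldap.identity_mapping_store",
    "cleartrust.data.ldap.libertystore.basedn":
        "cleartrust.data.ldap.identity_mapping_store.basedn",
}
STORE = "cleartrust.data.ldap.identity_mapping_store"
BASEDN = STORE + ".basedn"
FAILOVER_PREFIX = "cleartrust.data.ldap.failover_group."   # form used in the Notes example

# "key :value" lines; comment lines start with '#'
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*:\s*(.*?)\s*$")
# ASSUMPTION: a directory is declared as either
#   cleartrust.data.ldap.directory_name        :<name>
#   cleartrust.data.ldap.directory_name.<name> :<...>
# Adjust DIR_RE if your ldap.conf uses a different form.
DIR_RE = re.compile(r"^cleartrust\.data\.ldap\.directory_name(?:\.([A-Za-z0-9_\-]+))?$")


def parse_conf(text):
    """Return (key, value) pairs in file order, skipping blanks and comments."""
    pairs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def migrate_conf(text):
    """Rename legacy keys in place, carrying their current values over.
    Comments, ordering and unrelated lines are preserved.
    Returns (new_text, list_of_legacy_keys_that_were_renamed)."""
    out, renamed = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and not line.lstrip().startswith("#") and m.group(1) in RENAMES:
            out.append(f"{RENAMES[m.group(1)]:<52} :{m.group(2)}")
            renamed.append(m.group(1))
        else:
            out.append(line)
    return "\n".join(out) + "\n", renamed


def check_mapping_store(text):
    """Verify the identity-mapping parameters are set, no legacy names remain,
    and the store names a declared directory or a failover group whose
    members are all declared. Returns (ok, message)."""
    pairs = parse_conf(text)
    keys = dict(pairs)  # last value wins for repeated keys; only used for single-valued lookups
    legacy = [k for k in keys if k in RENAMES]
    if legacy:
        return False, "legacy parameters still present: " + ", ".join(legacy)
    if STORE not in keys:
        return False, STORE + " is not set"
    if BASEDN not in keys:
        return False, BASEDN + " is not set"

    declared, groups = set(), {}
    for key, value in pairs:
        m = DIR_RE.match(key)
        if m:
            declared.add(m.group(1) or value)
        elif key.startswith(FAILOVER_PREFIX):
            groups[key[len(FAILOVER_PREFIX):]] = [v.strip() for v in value.split(",") if v.strip()]

    store = keys[STORE]
    if store in declared:
        return True, f"{STORE} uses directory {store}"
    if store in groups:
        missing = [d for d in groups[store] if d not in declared]
        if missing:
            return False, f"failover group {store} references undeclared directories: {', '.join(missing)}"
        return True, f"{STORE} uses failover group {store} ({', '.join(groups[store])})"
    return False, f"{store} is neither a declared directory nor a failover group"


# Constructed pre-5.5.2 ldap.conf fragment for demonstration (not a real customer file).
OLD_CONF = """\
# --- constructed sample ---
cleartrust.data.ldap.directory_name                   :iplanet-primary
cleartrust.data.ldap.directory_name                   :iplanet-secondary
cleartrust.data.ldap.failover_group.iplanet_failover  :iplanet-primary,iplanet-secondary
cleartrust.data.ldap.userstore                        :iplanet_failover
cleartrust.data.ldap.libertystore                     :iplanet_failover
cleartrust.data.ldap.libertystore.basedn              :ou=ctscLibertyFederatedMappingRepository,dc=example,dc=com
"""

if __name__ == "__main__":
    new_text, renamed = migrate_conf(OLD_CONF)
    print("renamed:", renamed)
    print(new_text)
    print(check_mapping_store(new_text))
```

Run check_mapping_store against the original file first: it reports the legacy names as still present, which is the symptom of following the FIM guide verbatim. After migrate_conf the same check passes only if the failover group (or directory) named in the carried-over value is actually declared, which catches a mapping store pointed at a group that exists only on the user-store side of an AD-ADAM deployment.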


Documentation Defect: SAML-4044
Legacy Article ID: a48162
