Applications > New Application > Appmark or Application > Authorization Policies > Rule-based
Single Sign-on provides several types of rule-based authorization policies. A rule-based authorization policy consists of one or more rule sets, and each rule set consists of one or more rules. A rule set has a name, a description, and the type of rule-based check it performs (user attributes or Identity Governance roles); within the rule set, the rules are combined with an AND or OR qualifier. The rule sets of a policy are likewise combined with an AND or OR qualifier.
Applications > New Application > Appmark or Application > Authorization Policies > Rule-based > Rule Sets + > User Attributes
Single Sign-on allows you to create an authorization policy with user attributes to limit access to applications. You do this by defining the attributes in the Advanced Authentication repository that the authorization service checks when a user accesses an application or appmark. You can create authorization policies when you create applications or on stand-alone appmarks.
To create an authorization policy with user attributes:
On the application or appmark that you are creating, select Authorization Policies.
Select the plus sign (+) to add an authorization policy, then select Rule-based.
Use the following information to create an authorization policy:
Specify a name for the rule-based authorization policy.
Select Enable to enable the rule-based authorization policy after you save it.
Provide a detailed description of what the rule-based authorization policy does. The description helps people know what the authorization policy does without having to open the authorization policy.
At the end of Rule Sets, select the qualifier (AND, OR) that combines the rule sets of this policy. With AND, every rule set must be satisfied for the user to be granted access; with OR, any one satisfied rule set is enough.
Next to Rule Sets, select the plus sign (+) to create a rule set.
Select User Attribute to create a user attribute authorization policy.
Select New User Attribute Set to expand the options.
Use the following information to define the rule sets for the authorization policy using the user attributes:
Specify a name for the rule set.
Specify a detailed description for the rule set so that other administrators will understand its purpose.
Select the plus sign + next to Rules to create a rule.
Select AND or OR as the qualifier that combines the rules in this rule set. With AND, every rule must match; with OR, any one matching rule is enough.
Select the attribute to evaluate from the list of repository attributes that Single Sign-on checks when a user accesses the application or appmark.
Select equal (=) or not equal (≠) to define how Single Sign-on compares the attribute's value in the repository with the value you specify.
Specify the value of the attribute that Single Sign-on evaluates when a user accesses the application or appmark.
(Optional) Add additional attributes that you want included in this rule set.
(Optional) Repeat the rule set steps above (from selecting the plus sign (+) next to Rule Sets through defining its rules) for each additional rule set that you want to create.
Select Done to create the authorization policy.
(Optional) Repeat the steps above (from selecting Rule-based through selecting Done) to create additional policies.
Select Done on the Authorization Policies panel to save the authorization policies that you have created.
The next time a user accesses an application or appmark, Single Sign-on applies the user attribute authorization policies. The authorization service either grants the user access to the application or appmark or displays a message stating the user is not authorized to access the application or appmark.
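The following is an added example, not code from the product or from this page, that shows how the nesting described above evaluates: rules compared with = or ≠ are combined inside a rule set by that rule set's AND/OR qualifier, and the rule sets are then combined by the policy's qualifier. The attribute names `department`, `employeeType` and `title`, the user records, and the fail-closed handling of a missing attribute (a record with no value for the attribute satisfies neither = nor ≠) are assumptions made for the example, not documented behaviour of the authorization service.

```python
"""Toy evaluator for the rule-based authorization policies described above.
A policy combines rule sets with AND/OR; each rule set combines rules with
AND/OR; each rule compares one repository attribute to a value with = or !=.
Constructed illustration, not the product's own implementation."""

from dataclasses import dataclass, field
from typing import Any, Dict, List


@dataclass
class Rule:
    attribute: str   # repository attribute name, e.g. "user_email"
    operator: str    # "=" or "!="
    value: Any       # value the attribute is compared against

    def matches(self, user: Dict[str, Any]) -> bool:
        actual = user.get(self.attribute)
        # Assumed fail-closed behaviour: an attribute with no value satisfies
        # neither "=" nor "!=". A naive `actual != self.value` would let a
        # "!=" rule pass for every user whose record lacks the attribute.
        if actual is None or actual == "" or actual == []:
            return False
        # Multi-valued attributes match when any value equals the rule's value.
        values = actual if isinstance(actual, (list, tuple, set)) else [actual]
        equal = any(str(v) == str(self.value) for v in values)
        if self.operator == "=":
            return equal
        if self.operator == "!=":
            return not equal
        raise ValueError(f"unknown operator {self.operator!r}")


def combine(qualifier: str, results: List[bool]) -> bool:
    """Apply an AND/OR qualifier. An empty rule set or policy grants nothing."""
    if not results:
        return False
    if qualifier == "AND":
        return all(results)
    if qualifier == "OR":
        return any(results)
    raise ValueError(f"unknown qualifier {qualifier!r}")


@dataclass
class RuleSet:
    name: str
    qualifier: str                         # joins the rules in this set
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, user: Dict[str, Any]) -> bool:
        return combine(self.qualifier, [r.matches(user) for r in self.rules])


@dataclass
class Policy:
    name: str
    qualifier: str                         # joins the rule sets
    rule_sets: List[RuleSet] = field(default_factory=list)

    def authorize(self, user: Dict[str, Any]) -> bool:
        return combine(self.qualifier, [rs.evaluate(user) for rs in self.rule_sets])


# Constructed policy: grant the appmark to non-contractor Finance staff OR to the CFO.
# "department", "employeeType" and "title" are assumed custom repository attributes;
# "user_email" is one of the default attributes listed on this page.
FINANCE_POLICY = Policy(
    name="Finance app access",
    qualifier="OR",
    rule_sets=[
        RuleSet("Finance staff", "AND", [
            Rule("department", "=", "Finance"),
            Rule("employeeType", "!=", "Contractor"),
        ]),
        RuleSet("Executive", "AND", [
            Rule("title", "=", "CFO"),
        ]),
    ],
)

# Constructed user records as the authorization service might read them.
USERS = {
    "alice": {"user_email": "alice@example.com", "department": "Finance",
              "employeeType": "Employee", "title": "Accountant"},
    "bob":   {"user_email": "bob@example.com", "department": "Finance",
              "employeeType": "Contractor", "title": "Analyst"},
    "carol": {"user_email": "carol@example.com", "department": "Executive",
              "employeeType": "Employee", "title": "CFO"},
    # dave has no department value; "employeeType != Contractor" alone must not admit him
    "dave":  {"user_email": "dave@example.com", "employeeType": "Employee",
              "title": "Engineer"},
}


def decisions() -> Dict[str, bool]:
    """Evaluate FINANCE_POLICY for every constructed user."""
    return {name: FINANCE_POLICY.authorize(u) for name, u in USERS.items()}


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name}: {'granted' if allowed else 'not authorized'}")
```

The case worth noticing is `dave`: his record has no `department`, so the "Finance staff" rule set fails on the = rule, and the ≠ rule by itself cannot admit him. When you build a rule set around a ≠ rule, check what the service does for users whose repository record lacks the attribute entirely before relying on that rule to keep anyone out.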
The authorization service provides a list of default attributes for you to use in rule-based authorization policies. These attributes come from the Advanced Authentication identity repositories. You can customize the list of attributes by changing the configuration of your repositories.
The following lists contain the default attributes for the different identity repository types.
The following attributes are the same in the SCIM and LDAP repositories.
Contains the user name.
Contains the identifier of the server where the repository that holds the user accounts resides.
Contains the user’s mobile phone number if present.
Contains the user’s email address if present.
You can view these attributes when you edit the SCIM repository.
Contains the user’s NETBIOS name, if the user came from Active Directory.
Contains your tenant name. You only have access to your own tenant information.
Contains the user’s preferred name.
You can view and edit these attributes through your LDAP repository's administration tools.
Contains the user’s canonical domain name.
Contains the user’s SID user_name. For example, the user name COMPANY\JSmith. This attribute is not in eDirectory by default.
Contains the user’s SID as a hex-string. This attribute is not in eDirectory by default.
Contains the user’s principal name, if a user came from Active Directory.
Contains the user’s fully qualified domain name (FQDN).
Contains a RADIUS attribute for the user that provides network access with a user’s IP address before user authentication.
Contains the user’s first name if present.
Contains the user’s last name if present.
Applications > New Application > Appmark or Application > Authorization Policies > Rule-based > Rule Sets + > Identity Governance role
Single Sign-on allows you to create rule-based authorization policies using Identity Governance authorization, business, and technical roles. You can limit which users have access to which applications based on the Identity Governance authorization, business, and technical roles they hold.
The authorization, business, and technical roles must already exist in Identity Governance as a Service before the authorization service can display them in the rule-based authorization policies.
To create an authorization policy with Identity Governance roles:
Ensure that the user accounts in Advanced Authentication and Identity Governance share an attribute with a matching value, as described in Table 10-1 below; otherwise the authorization service cannot identify the Identity Governance user and the policy evaluates to FALSE.
On the application or appmark that you are creating, select Authorization Policies.
Select the plus sign (+) to add an authorization policy, then select Rule-based.
Use the following information to create an authorization policy using Identity Governance roles:
Specify a name for the Identity Governance authorization policy.
Select Enable to enable the Identity Governance authorization policy after you save it.
Provide a detailed description of what the Identity Governance authorization policy does. The description helps people know what the authorization policy does without having to open the authorization policy.
At the end of Rule Sets, select the appropriate qualifier (AND, OR) for the authorization policy using Identity Governance roles.
Next to Rule Sets, select the plus sign (+) to create a rule set.
Select Identity Governance role to create an authorization policy using Identity Governance roles.
At the end of Rules, select the appropriate qualifier (AND, OR) for the authorization policy using Identity Governance roles.
Next to User Role, select Edit to display the available Identity Governance roles.
Select one of the following roles to include in the authorization policy:
Authorization
Business
Technical
Select Done to create the authorization policy.
(Optional) Repeat the steps above (from selecting the AND or OR qualifier for Rules through selecting the role) for each additional Identity Governance role you want to add to this rule set.
(Optional) Repeat the steps above (from selecting Rule-based through selecting Done) to create additional policies.
Select Done on the Authorization Policies panel to save the authorization policies that you have created.
The next time a user accesses an application or appmark, the authorization service applies the Identity Governance role authorization policies. The authorization service either grants the user access to the application or appmark or displays a message stating the user is not authorized to access the application or appmark.
Authorization policies that use Identity Governance roles require that user account attributes have common values in both Advanced Authentication and Identity Governance. You must create this mapping manually through the standard UI for creating and managing user attributes.
For an authorization policy using Identity Governance roles to work, the authorization service must be able to identify the Identity Governance user. It does this from the Advanced Authentication attribute values using the following mappings:
Table 10-1 Attribute Mappings between Advanced Authentication and Identity Governance
| AA Attributes | IG Attributes |
|---|---|
| email (user_email) | emails |
| dn (user_dn) | dn |
| firstName and lastName (both required, sent together) | |
| user_mobile_phone | otherPhone |
The table is ordered from highest priority (top) to lowest (bottom): the authorization service works down the list, starting with email/emails, until it finds an Advanced Authentication attribute that has a value, and uses that attribute to look up the user in Identity Governance.
For every mapping except first/last name, the authorization service sends a single attribute value to Identity Governance. For first/last name, Advanced Authentication must hold both a first name and a last name value, and the authorization service sends the pair together.
If the authorization service cannot uniquely identify an Identity Governance user, the question "Does this user have these roles?" cannot be asked, and the policy evaluates to FALSE: the user is denied access to the application or appmark rather than granted it by default.
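The following is an added example, not code from the product or from this page, that walks the priority table above: it picks the first Advanced Authentication attribute with a value, looks the user up in Identity Governance by the mapped attribute, and answers the role question only when exactly one Identity Governance user matches. The Identity Governance records, the roles, the key `name` used for the first/last name pair (the page does not give the IG attribute name for that mapping), and the treatment of Identity Governance `emails` as a multi-valued attribute are assumptions made for the example.

```python
"""Resolve an Advanced Authentication (AA) user to an Identity Governance (IG)
user by the attribute priority in Table 10-1, then ask whether that IG user
holds the required roles. Constructed illustration, not the product's code."""

from typing import Any, Dict, List, Optional, Tuple

# Priority order from the table, highest first. Each entry lists the AA
# attributes that must all have a value and the IG attribute they map to.
# The IG attribute name for the first/last name pair is not stated on the page;
# "name" is an assumption for this example.
ATTRIBUTE_PRIORITY: List[Tuple[Tuple[str, ...], str]] = [
    (("user_email",), "emails"),
    (("user_dn",), "dn"),
    (("firstName", "lastName"), "name"),
    (("user_mobile_phone",), "otherPhone"),
]


def select_lookup(aa_user: Dict[str, Any]) -> Optional[Tuple[str, Tuple[str, ...]]]:
    """Return (ig_attribute, aa_values) for the highest-priority mapping whose
    AA attributes all have a value, or None if no mapping is usable."""
    for aa_attrs, ig_attr in ATTRIBUTE_PRIORITY:
        values = tuple(aa_user.get(a) for a in aa_attrs)
        if all(v not in (None, "") for v in values):
            return ig_attr, values
    return None


def _matches(record_value: Any, values: Tuple[str, ...]) -> bool:
    """Compare one IG record attribute with the AA value(s) being sent."""
    if isinstance(record_value, list):    # multi-valued IG attribute (emails)
        return len(values) == 1 and values[0] in record_value
    if isinstance(record_value, tuple):   # first/last name pair
        return record_value == values
    return len(values) == 1 and record_value == values[0]


def user_has_roles(aa_user: Dict[str, Any], ig_users: List[Dict[str, Any]],
                   required_roles: List[str], qualifier: str = "AND") -> bool:
    """Policy result for an IG-role rule set. FALSE whenever the IG user
    cannot be uniquely identified (no usable attribute, zero or several matches)."""
    lookup = select_lookup(aa_user)
    if lookup is None:
        return False
    ig_attr, values = lookup
    matches = [u for u in ig_users if _matches(u.get(ig_attr), values)]
    if len(matches) != 1:
        return False
    held = set(matches[0]["roles"])
    checks = [role in held for role in required_roles]
    return all(checks) if qualifier == "AND" else any(checks)


# Constructed IG user records (two distinct people share the name Mary Lee).
IG_USERS = [
    {"emails": ["jsmith@example.com"], "dn": "cn=jsmith,ou=users,dc=example,dc=com",
     "name": ("John", "Smith"), "otherPhone": "+1-555-0100",
     "roles": {"Finance Approver", "Payroll Viewer"}},
    {"emails": ["mlee@example.com"], "dn": "cn=mlee,ou=users,dc=example,dc=com",
     "name": ("Mary", "Lee"), "otherPhone": "+1-555-0101",
     "roles": {"Payroll Viewer"}},
    {"emails": ["mlee2@example.com"], "dn": "cn=mlee2,ou=users,dc=example,dc=com",
     "name": ("Mary", "Lee"), "otherPhone": "+1-555-0102",
     "roles": {"Finance Approver"}},
]

# Constructed AA user records with differing amounts of attribute data.
AA_USERS = {
    "jsmith":        {"user_email": "jsmith@example.com", "firstName": "John",
                      "lastName": "Smith"},
    "mary_by_name":  {"firstName": "Mary", "lastName": "Lee"},       # ambiguous in IG
    "mary_by_phone": {"user_mobile_phone": "+1-555-0102"},           # lowest-priority key
    "incomplete":    {"firstName": "Mary"},                          # lastName missing
}


if __name__ == "__main__":
    for name, aa_user in AA_USERS.items():
        print(name, select_lookup(aa_user),
              user_has_roles(aa_user, IG_USERS, ["Finance Approver"]))
```

Two things the example makes visible. `mary_by_name` is denied even though one of the two matching Identity Governance records holds the role, because a lookup that returns more than one user is not a unique identification. And `mary_by_phone` succeeds only because no higher-priority attribute had a value; populating `user_email` in Advanced Authentication for that account would change which Identity Governance attribute is consulted, so keep the highest-priority attribute you rely on populated consistently on both sides.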