How to Use Multiple User Directories in a Partnership

Document ID : KB000009622
Last Modified Date : 14/02/2018
Introduction:

This short guide explains how to use multiple User Directories (for example, LDAP and ODBC) in a Partnership. It is helpful when migrating users from one User Store to another without an outage.


Background:

In the event of a User Store migration (for example, from an LDAP-based User Store to an ODBC-based User Store), it can be beneficial to build the new User Store and connect it to the Partnership alongside the existing User Store before bringing the old one down. This avoids an outage in users' ability to access the protected resource.

Instructions:

1. Configure your Active Directory User Directory under Infrastructure -> Directory -> User Directories.

2. Under the partnership settings, on tab 1, scroll down to the section titled "User Directories and Search Order".

3. Move the new Active Directory UD from "Available Directories" to "Selected Directories" by highlighting the User Directory and clicking the Right Arrow ( -> ). Click "Next".

4. Under "Federated Users", where you have configured your LDAP User Directory, click "Add Row" on the right side.

5. Configure your new Active Directory User Directory.

6. It is recommended to keep your existing LDAP connection as the first one searched until you have migrated all of the users over to the new AD connection.

Additional Information:

Important: If your Entity is configured as the IDP, you will need to ensure that both User Directories are also added to the Policy that is protecting the redirect.jsp file.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/legacy-federation/configure-a-saml-2-0-identity-provider/configure-general-information-for-the-service-provider-object

Under the section "To configure the general settings", you will see a step called "Authentication URL":

"This URL points to the redirect.jsp file. Protect the redirect.jsp file with a CA Single Sign-On policy. The policy triggers an authentication challenge to users who request a protected Service Provider resource but do not have a CA Single Sign-On session."