Hello all,
We have two ADs configured as multiple federated directories in ISAM. Currently, basic user support is enabled and the users are able to authenticate using user principal name (id@domain.com), as duplicate IDs exist.
This has the drawback that all AD1 and AD2 users are able to authenticate to WebSEAL. However, we only need specific users to be able to authenticate. This could be done by importing users and disabling basic user support, but in our case there are duplicate IDs; for example, if a user with userid abc from AD1 is already imported and we try to import a user abc from AD2, ISAM gives an error that the user id already exists.
What other approach could we take to allow only specific users to authenticate from both ADs? Creating an OU and setting up respective federation with that specific OU is not an option because there are other applications depending on the users' DNs.
Kind regards,
------------------------------
Jahanzaib Sarwar
------------------------------