Role-based policies based on LDAP groups show user stores for non-active IDP configurations.

  • 3059799
  • 25-Jul-2007
  • 26-Apr-2012

Environment

Novell Access Management 3
Novell Access Manager 3 SP1 Release Candidate 1
Linux Access Gateway

Situation

Customer had one Identity Provider and had multiple IDP configurations defined.
One IDP configuration can be active; the others were just for testing.
The IDP configurations were pointing to different user stores.
When you define a Role-Based policy based on LDAP groups, the user stores for the non-assigned IDP configurations showed up as well.

Resolution

This behavior is by design.
The policy engine sits independently of any identity server configuration; that is the way it has been designed.
The policy UI builder page must be able to find and use user stores from all configurations, since multiple configurations can be defined within one Administration Console.
Restricting a policy to a specific identity server configuration would take away the generic design that has been built into the engine.
Policies are exportable, so a policy can be exported from one Identity Server and imported into another.
If a policy were tied to a specific configuration, it could not be exported.
The policy UI is unable to determine which user stores are "relevant" and is entirely dependent on what has been defined on the user stores page.
The policy UI asks the Identity Server for the user stores to enumerate, receives a list of user stores in response, and then enumerates that list.

Additional Information

Steps to reproduce:
Make a second IDP configuration that is not assigned to the cluster and that points to another user store.
Whenever you modify a role policy based on LDAP groups, it makes an LDAP bind to all user stores assigned to any IDP configuration you have defined, including the user stores defined in IDP configurations that are not assigned to the cluster.
You can browse through all of the defined user stores when you define a role-based policy based on LDAP groups.