ACS 5.x: Identity Store Sequence

Document

Tue, 06/19/2012 - 04:05
Jun 18th, 2012

Introduction

The purpose of this document is to make you aware of how to configure Identity Store Sequences in ACS 5.x.

Purpose

In ACS 4.x we had a feature, where we could define Unknown User Processing. I.e. where is the users will be looked up if the user is not present in the internal database of the ACS. This sequence defined the sequential order in which ACS would look for the user in the defined databases.

Note: If the connectivity to a particular database fails then ACS 4.x would not go to the next database in the sequence. Only shall the user be not found in that database, next database is consulted.

Functionality mentioned above is provided in ACS 5.x by using Identity Store Sequences.

Functionality

An identity store sequence defines the sequence  that is used for authentication and attribute retrieval and an optional  additional sequence to retrieve additional attributes.

Authentication Sequence

An identity store sequence can contain a definition for  certificate-based authentication or password-based authentication or  both.

[a] If  you select to perform authentication based on a certificate, you  specify a single Certificate Authentication Profile, which you have  already defined in ACS.

[b] If you select to perform authentication based on a password, you can define a list of databases to be accessed in sequence.

When authentication succeeds, any defined attributes within the database  are retrieved. You must have defined the databases in ACS.

Attribute Retrieval Sequence

You can optionally define a list of databases from which to retrieve  additional attributes. These databases can be accessed regardless of  whether you use password or certificate-based authentication. When you  use certificate-based authentication, ACS populates the username field  from a certificate attribute and then uses the username to retrieve  attributes.

ACS can retrieve attributes for a user, even when:

[a] The user's password is flagged for a mandatory change.

[b] The user's account is disabled.

Note: ACS authenticates a user or host in an identity  store only when there is a single match for that user or host. If an  external database contains multiple instances of the same user,  authentication fails. Similarly, ACS retrieves attributes only when a  single match for the user or host exists; otherwise, ACS skips attribute  retrieval from that database.

Configuration

In order to configure the Identity Store Sequence:

[1] Select ACS 5.x GUI > Users and Identity Stores > Identity Store Sequences

[2] Click on Create.

[3] Select either Certificate Based or Password Based. (Certificate Based Authentication will be chosen if you are doing EAP-TLS, for everything else it will be Password Based)

[4] Now, move the databases from available to select column for Authentication and Attribute Retrieval Search List and Save Changes. A sample is show below:

acsis.gif

Note: When you perform password-based  authentication, you can define the same  identity database in the  authentication list and the attribute retrieval  list. However, if the  database is used for authentication, it will not  be accessed again as  part of the attribute retrieval flow.

[5] Now, choose the Access Service that you want to use this newly created sequence in:

acsis.gif

[6] Select the Identity Store Sequence, click OK, and click Save Changes:

acsis.gif

Now, your ACS is ready to process the authentication request against multiple databases based on the sequence defined in the Identity Store Sequences.

References

Please refer to the ACS 5.x User Guide for more details.

Loading.

Actions

This Document