Sun Identity Manager 8.1 Business Administrator's Guide

Configuring Authentication for Common Resources

If you have multiple resources that are logically the same (for example, multiple Active Directory domain servers that share a trust relationship), or if you have multiple resources that all reside on the same physical host, then you can specify that these resources are common resources.

You should declare common resources so that Identity Manager knows to attempt authentication against a group of resources only one time. Otherwise, if a user types a wrong password, Identity Manager will try the same password against each resource. This can lead to the user’s account being locked out due to multiple login failures, even though the user only typed the wrong password one time.

With common resources, a user can authenticate to one common resource, and Identity Manager will automatically try to map the user to the remaining resources in the common resources group. For example, an Identity Manager user account may be linked to a resource account for resource AD-1. The login module group, however, may define that users must authenticate to resource AD-2.

If AD-1 and AD-2 are defined as common resources (in this case, in the same trusted domain), then if the user successfully authenticates to AD-2, Identity Manager can also map the user to AD-1 by finding the same user accountId on resource AD-1.

Caution –

All resources listed in a common resources group must also be included in the Login Module definition. If a complete list of common resources does not also appear in the Login Module definition, then the common resources functionality will not work correctly.

Common resources can be defined in the System Configuration object (see Editing Identity Manager Configuration Objects) using the following format.

Example 12–3 Configuring Authentication for Common Resources

<Attribute name='common resources'>
  <Attribute name='Common Resource Group Name'>
    <String>Common Resource Name</String>
    <String>Common Resource Name</String>
  </Attribute>
</Attribute>
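The following check is an added example, not part of the original guide or of Identity Manager. It parses a 'common resources' attribute in the format shown above and reports every group member that is missing from the Login Module definition, which is the condition the caution warns about. The group names and the Solaris resources are constructed, and because this page does not show the Login Module format, the resources it lists are passed in as a plain list (an assumption).

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's format filled in with its AD-1 / AD-2 example
# plus a second, hypothetical group of resources on one host.
SYSTEM_CONFIG_FRAGMENT = """
<Attribute name='common resources'>
  <Attribute name='Trusted AD Domains'>
    <String>AD-1</String>
    <String>AD-2</String>
  </Attribute>
  <Attribute name='Unix Host A'>
    <String>Solaris-1</String>
    <String>Solaris-2</String>
  </Attribute>
</Attribute>
"""

def parse_common_resources(xml_text):
    """Return {group name: [resource names]} from a 'common resources' attribute."""
    root = ET.fromstring(xml_text)
    if root.tag != "Attribute" or root.get("name") != "common resources":
        raise ValueError("expected <Attribute name='common resources'> as root")
    groups = {}
    for group in root.findall("Attribute"):
        # Collect <String> elements at any depth below the group element.
        groups[group.get("name")] = [
            s.text.strip() for s in group.iter("String") if s.text
        ]
    return groups

def check_groups(groups, login_module_resources):
    """Return {group: sorted members absent from the login module definition}."""
    listed = set(login_module_resources)
    problems = {}
    for name, members in groups.items():
        missing = sorted(set(members) - listed)
        if missing:
            problems[name] = missing
    return problems

if __name__ == "__main__":
    groups = parse_common_resources(SYSTEM_CONFIG_FRAGMENT)
    # Assumed input: resource names copied by hand from the login module group.
    login_module = ["AD-2", "Solaris-1", "Solaris-2"]
    for group, missing in check_groups(groups, login_module).items():
        print(f"{group}: not in login module definition: {', '.join(missing)}")
```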