
ACS 5.1. Using an identity store for authentication and another for authorization.

altorres75
Level 1

Hello, I'm installing an ACS 5.1 and I'm trying to authenticate users for network access using one identity store and authorize the same user using another identity store (AD). What I'm seeing is that the access-request after authentication is OK, but for authorization the ACS is trying to use the same initial identity store instead of querying the second one.

Can this be done? If so, does anybody have a procedure for doing this?

Thanks in advance,

Regards,

Alex

1 Reply

rottenberg
Level 1

Hi,

In general the answer to your question is yes, but there could be some problems. You should use an identity sequence (which I guess you are already using), where you can specify which identity store you use and optionally specify a list of databases from which to retrieve additional authorization attributes. You can use this identity sequence in your policy. According to the documentation, I would say that the user is first authenticated, and during this process authorization parameters are also acquired, and then the additional authorization databases are queried for additional authorization parameters. But what will happen when you acquire the same authorization parameter in the authentication and authorization phases? Which parameter will get precedence? My guess is that the authorization parameter retrieved during authentication will win.

ZR