Configuring IF-MAP Session Import Policy on the Infranet Controller (NSM Procedure)
The session-export policies that you create allow IF-MAP data
that represents a session to be stored on the IF-MAP server. Session-import
policies specify how the Infranet Controller derives a set of roles
and a username from the IF-MAP data in the IF-MAP server. Session-import
policies establish rules for importing user sessions from a different
Infranet Controller or SA appliance. Import policies allow you to
match authenticated users with corresponding roles on the target device.
For example, you might configure an import policy to specify that
when IF-MAP data for a session includes the “Contractor”
capability, the imported session should have the “limited”
role. Session-import policies allow the Infranet Controller to properly
assign roles based on information that the IF-MAP server provides.
You configure session-import policies on IF-MAP client Infranet
Controllers that are connected to an Infranet Enforcer in front of
protected resources.
To configure a session-import policy:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a session-import policy.
- Click the Configuration tab. In the configuration tree, select System > IF-MAP Federation > Session-Import Policies.
- Add or modify settings as specified in Table 1.
- Click one:
  - OK: Saves the changes.
  - Cancel: Cancels the modifications.
Table 1: IF-MAP Session-Import Policy Configuration Details

| Option | Function | Your Action |
|---|---|---|
| Name | Specifies a unique name for the session-import policy. | Enter a name for the session-import policy. |
| Description | Describes the policy. | Enter a brief description for the policy. |
| Stop on match | Stops matching the roles when an IF-MAP client has successfully matched the roles. | Select this option to stop matching roles after a successful match is found. |
| Match Criteria > Identity tab | | |
| Match IF-MAP Identity | Specifies that identity should be used as the criteria for assigning roles. | Select this action and the following identity options appear. Identity: Enter the identity name. For example, for a regular employee named Bob Smith you might enter the Identity as username bsmith and select username for the identity type. Identity Type: Select the identity type. If you choose Other for identity type, enter a unique identity type in the text box. Administrative Domain: Type the administrative domain for the session-import policy. All aspects of the IF-MAP identity (name, type, and administrative domain) must exactly match the session-import policy. |
| Match Criteria > Roles tab | | |
| Match IF-MAP Roles | Specifies that role match should be used as the criteria for assigning roles. | Select this action and the following role option appears. Roles: From Roles, click New and enter a specified role. |
| Match Criteria > Capabilities tab | | |
| Match IF-MAP Capabilities | Specifies that capability match should be used as the criteria for assigning roles. | Select this action and the following option appears. Capabilities: From Capabilities, click New and enter a specified capability. |
| Match Criteria > Device Attributes tab | | |
| Match IF-MAP Device Attributes | Specifies that device attribute match should be used as the criteria for assigning roles. | Select this action and the following option appears. Device Attributes: From Device Attributes, click New and enter a specified device attribute. |
| Actions > Assign Roles tab | | |
| Use these roles | Assigns roles from the available list. | Select Infranet Controller roles from the Non-members area and move them to the Members area. |
| Actions > Copy IF-MAP Roles tab | | |
| Copy IF-MAP Roles | Copies the specified roles. | Select Copy IF-MAP roles and select All roles, Specified roles, or All roles other than those specified below, and then list the IF-MAP roles. |
| Actions > Copy IF-MAP Capabilities tab | | |
| Copy IF-MAP Capabilities | Copies the IF-MAP capabilities. | Select Copy IF-MAP capabilities and select All capabilities, Specified capabilities, or All capabilities other than those specified below, and then list the IF-MAP capabilities. |
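The match criteria and actions in Table 1, modeled as an added Python example (not Juniper or NSM code) to show how policy order and Stop on match change the roles an imported session receives. Assumptions not stated on this page: policies are evaluated in list order, all enabled criteria in a policy must match, any one listed value satisfies a criterion, and roles from every matching policy accumulate; all class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
EMPTY = frozenset()

@dataclass
class Session:  # IF-MAP data for one exported session (model, not the device schema)
    identity: Tuple[str, str, str]  # (name, type, administrative domain)
    roles: frozenset = EMPTY
    capabilities: frozenset = EMPTY
    device_attributes: frozenset = EMPTY

@dataclass
class ImportPolicy:
    name: str
    stop_on_match: bool = False
    match_identity: Optional[Tuple[str, str, str]] = None
    match_roles: frozenset = EMPTY
    match_capabilities: frozenset = EMPTY
    match_device_attributes: frozenset = EMPTY
    use_roles: frozenset = EMPTY  # "Use these roles"
    copy_roles: Tuple[str, frozenset] = ("specified", EMPTY)  # mode: all | specified | except

    def matches(self, s: Session) -> bool:  # assumption: criteria AND-ed, values OR-ed
        id_ok = self.match_identity in (None, s.identity)  # name, type, domain all exact
        pairs = ((self.match_roles, s.roles), (self.match_capabilities, s.capabilities),
                 (self.match_device_attributes, s.device_attributes))
        return id_ok and all(not want or bool(want & have) for want, have in pairs)

    def granted(self, s: Session) -> frozenset:
        mode, listed = self.copy_roles
        copied = {"all": s.roles, "specified": s.roles & listed, "except": s.roles - listed}
        return self.use_roles | copied[mode]

def import_roles(policies, s: Session) -> frozenset:
    roles = set()
    for p in policies:  # assumption: evaluated in list order, grants accumulate
        if p.matches(s):
            roles |= p.granted(s)
            if p.stop_on_match:
                break  # "Stop on match": later policies are not consulted
    return frozenset(roles)

# Constructed sample: a contractor session that also carries an "employee" IF-MAP role.
SESSION = Session(("bsmith", "username", ""), frozenset({"employee"}), frozenset({"Contractor"}))
def demo(stop: bool) -> frozenset:
    contractor = ImportPolicy("contractors", stop, match_capabilities=frozenset({"Contractor"}),
                              use_roles=frozenset({"limited"}))
    copy_all = ImportPolicy("copy-all", copy_roles=("all", EMPTY))  # no criteria: matches all
    return import_roles([contractor, copy_all], SESSION)
```

In this model `demo(True)` yields only `limited`, while `demo(False)` also copies `employee` from the later catch-all policy, so the contractor session ends up with more than the limited role.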
Published: 2009-08-20