Configuring IF-MAP Session Import Policy on the Secure Access Device (NSM Procedure)

The session-export policies that you create allow IF-MAP data that represents a session to be stored on the IF-MAP server. Session-import policies specify how the Secure Access device derives a set of roles and a username from the IF-MAP data in the IF-MAP server. Session-import policies establish rules for importing user sessions from a different Infranet Controller or SA appliance. Import policies allow you to match authenticated users with corresponding roles on the target device. For example, you might configure an import policy to specify that when IF-MAP data for a session includes the “Contractor” capability, the imported session should have the “limited” role. Session-import policies allow the device to properly assign roles based on information that the IF-MAP server provides.

To configure a session-import policy:

  1. In the NSM navigation tree, select Device Manager > Devices. Click the Device Tree tab, and then double-click the Secure Access device for which you want to configure a session-import policy.
  2. Click the Configuration tab. In the configuration tree, select System > IF–MAP Federation > Session-Import Policies.
  3. Add or modify settings as specified in Table 85.
  4. Click one:
    • OK—Saves the changes.
    • Cancel—Cancels the modifications.

Table 85: IF–MAP Session-Import Policy Configuration Details

OptionFunctionYour Action

Name

Specifies a unique name for the session-import policy.

Enter a name for the session-import policy.

Description

Describes the policy.

Enter a brief description for the policy.

Stop on match

Stops matching the roles when an IF-MAP client has successfully matched the roles.

Select this option to stop matching roles after a successful match is found.

Match Criteria > Identity tab

Match IF-MAP Identity

Specifies that identity should be used as the criteria for assigning roles.

Select this action and the following identity options appear.

  • Identity—Enter the identity name. For example, for a regular employee named Bob Smith you might enter the Identity as username bsmith and select username for the identity type.
  • Identity Type—Select the identity type. If you choose Other for identity type, enter a unique identity type in the text box.
  • Administrative Domain—Type the administrative domain for the session-import policy.

All aspects of the IF-MAP identity (name, type, and administrative domain) must exactly match the session-import policy.

Match Criteria > Roles tab

Match IF-MAP Roles

Specifies that role match should be used as the criteria for assigning roles.

Select this action and the following role option appears.

  • Roles— From Roles, click New and enter a specified role.
Match Criteria > Capabilities tab

Match IF-MAP Capabilities

Specifies that capability match should be used as the criteria for assigning roles.

Select this action and the following option appears.

  • Capabilities—From Capabilities, click New and enter a specified capability.
Match Criteria > Device Attributes tab

Match IF-MAP Device Attributes

Specifies that device attribute match should be used as the criteria for assigning roles.

Select this action and the following option appears.

  • Device Attributes—From Device Attributes, click New and enter a specified device attribute.
Actions > Assign Roles tab  

Use these roles

Assigns roles from the available list.

Select Secure Access devices roles from the Non-members area and move it to the Members area.

Actions > Copy IF-MAP Roles tab

Copy IF-MAP Roles

Copies the specified roles.

Select Copy IF-MAP roles and select All roles, Specified roles, or All roles other than those specified below, and then list the IF-MAP roles.

Actions > Copy IF-MAP Capabilities tab

Copy IF-MAP Capabilities

Copies the IF-MAP capabilities.

Select Copy IF-MAP capabilities and select All capabilities, Specified capabilities or All capabilities other than those specified below, and then list the IF-MAP capabilities.

Related Documentation