Configuring IF-MAP Session Import Policy on the Infranet Controller (NSM Procedure)
The session-export policies that you create allow IF-MAP data that represents a session to be stored on the IF-MAP server. Session-import policies specify how the Infranet Controller derives a set of roles and a username from the IF-MAP data in the IF-MAP server. Session-import policies establish rules for importing user sessions from a different Infranet Controller or SA appliance. Import policies allow you to match authenticated users with corresponding roles on the target device. For example, you might configure an import policy to specify that when IF-MAP data for a session includes the “Contractor” capability, the imported session should have the “limited” role. Session-import policies allow the Infranet Controller to properly assign roles based on information that the IF-MAP server provides.
You configure session-import policies on IF-MAP client Infranet Controllers that are connected to an Infranet Enforcer in front of protected resources.
To configure a session-import policy:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the Infranet Controller for which you want to configure a session-import policy.
- Click the Configuration tab. In the configuration tree, select System > IF–MAP Federation > Session-Import Policies.
- Add or modify settings as specified in Table 1.
- Click one:
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
Table 1: IF–MAP Session-Import Policy Configuration Details
Option | Function | Your Action |
---|---|---|
Name | Specifies a unique name for the session-import policy. | Enter a name for the session-import policy. |
Description | Describes the policy. | Enter a brief description for the policy. |
Stop on match | Stops matching the roles when an IF-MAP client has successfully matched the roles. | Select this option to stop matching roles after a successful match is found. |
Match Criteria > Identity tab | ||
Match IF-MAP Identity | Specifies that identity should be used as the criteria for assigning roles. | Select this action and the following identity options appear. All aspects of the IF-MAP identity (name, type, and administrative domain) must exactly match the session-import policy. |
Match Criteria > Roles tab | ||
Match IF-MAP Roles | Specifies that role match should be used as the criteria for assigning roles. | Select this action and the following role option appears. |
Match Criteria > Capabilities tab | ||
Match IF-MAP Capabilities | Specifies that capability match should be used as the criteria for assigning roles. | Select this action and the following option appears. |
Match Criteria > Device Attributes tab | ||
Match IF-MAP Device Attributes | Specifies that device attribute match should be used as the criteria for assigning roles. | Select this action and the following option appears. |
Actions > Assign Roles tab | ||
Use these roles | Assigns roles from the available list. | Select Infranet Controller roles from the Non-members area and move them to the Members area. |
Actions > Copy IF-MAP Roles tab | ||
Copy IF-MAP Roles | Copies the specified roles. | Select Copy IF-MAP roles and select All roles, Specified roles, or All roles other than those specified below, and then list the IF-MAP roles. |
Actions > Copy IF-MAP Capabilities tab | ||
Copy IF-MAP Capabilities | Copies the IF-MAP capabilities. | Select Copy IF-MAP capabilities and select All capabilities, Specified capabilities or All capabilities other than those specified below, and then list the IF-MAP capabilities. |
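
The following sketch is an added example, not code from the Infranet Controller or NSM. It models how Stop on match, Use these roles, and the three Copy IF-MAP Roles modes from Table 1 combine, so you can review which local roles an imported session would receive before saving a policy. It assumes that policies are evaluated in list order, that every criterion enabled in a policy must match, and that a policy with no criteria matches every session; the session data, policy names, and the `ImportPolicy` class are constructed for illustration, and capability copying is omitted.

```python
from dataclasses import dataclass, field

@dataclass
class ImportPolicy:
    """Simplified model of one session-import policy (hypothetical structure)."""
    name: str
    stop_on_match: bool = False
    match_roles: set = field(default_factory=set)         # Match IF-MAP Roles
    match_capabilities: set = field(default_factory=set)  # Match IF-MAP Capabilities
    assign_roles: set = field(default_factory=set)        # Use these roles
    copy_mode: str = "none"  # "all", "specified", "all_except", or "none"
    copy_list: set = field(default_factory=set)

    def matches(self, session):
        # Assumption: all listed roles and capabilities must be present (AND).
        return (self.match_roles <= session["roles"]
                and self.match_capabilities <= session["capabilities"])

    def copied_roles(self, session):
        remote = session["roles"]
        if self.copy_mode == "all":
            return set(remote)              # trusts every role the remote side published
        if self.copy_mode == "specified":
            return remote & self.copy_list  # allowlist
        if self.copy_mode == "all_except":
            return remote - self.copy_list  # denylist
        return set()

def import_session(policies, session):
    """Return (local roles, names of policies that fired) for one imported session."""
    roles, fired = set(), []
    for p in policies:
        if not p.matches(session):
            continue
        roles |= p.assign_roles | p.copied_roles(session)
        fired.append(p.name)
        if p.stop_on_match:
            break
    return roles, fired

# Constructed IF-MAP session data and policies (sample values only).
SESSION = {"roles": {"Employee", "Admin"}, "capabilities": {"Contractor"}}
CONTRACTOR = ImportPolicy("contractor", stop_on_match=True,
                          match_capabilities={"Contractor"}, assign_roles={"limited"})
COPY_ALL = ImportPolicy("copy-all", copy_mode="all")
COPY_SAFE = ImportPolicy("copy-safe", copy_mode="all_except", copy_list={"Admin"})
```

With the contractor policy first, the session ends up with only the "limited" role; with the copy-all policy ahead of it, the same session also inherits the remote "Admin" role, which is the ordering effect to check for when reviewing import policies.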