Chapter 8 Managing Users and Identity Stores

Configuring Identity Store Sequences


An access service identity policy determines the identity sources that ACS uses for authentication and attribute retrieval. An identity source consists of a single identity store or multiple identity methods. When you use multiple identity methods, you must first define them in an identity store sequence, and then specify the identity store sequence in the identity policy.

An identity store sequence defines the ordered list of identity stores that is used for authentication and attribute retrieval, and an optional additional list of stores from which further attributes are retrieved.

Authentication Sequence

An identity store sequence can contain a definition for certificate-based authentication or password-based authentication or both.

If you select to perform authentication based on a certificate, you specify a single Certificate Authentication Profile, which you have already defined in ACS.

If you select to perform authentication based on a password, you can define a list of databases to be accessed in sequence.

When authentication succeeds, any defined attributes within the database are retrieved. You must have defined the databases in ACS.

Attribute Retrieval Sequence

You can optionally define a list of databases from which to retrieve additional attributes. These databases can be accessed regardless of whether you use password or certificate-based authentication. When you use certificate-based authentication, ACS populates the username field from a certificate attribute and then uses the username to retrieve attributes.

ACS can retrieve attributes for a user, even when:

• The user’s password is flagged for a mandatory change.
• The user’s account is disabled.

When you perform password-based authentication, you can define the same identity database in the authentication list and the attribute retrieval list. However, if the database is used for authentication, it will not be accessed again as part of the attribute retrieval flow.

ACS authenticates a user or host in an identity store only when there is a single match for that user or host. If an external database contains multiple instances of the same user, authentication fails. Similarly, ACS retrieves attributes only when a single match for the user or host exists; otherwise, ACS skips attribute retrieval from that database.
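The following is an added illustration, not Cisco ACS code, that models the sequence rules stated in this section: the password-based authentication list is walked in order, the attribute retrieval list is walked afterwards, a store already used for authentication is not queried again, a store contributes only when it holds exactly one match for the user, and disabled or password-expired accounts still yield attributes. The store names, user records and the choice of the certificate subject CN as the username attribute are constructed assumptions; so is the rule that the first store containing the user is authoritative for the password check, which the section does not spell out.

```python
"""Model of the identity store sequence rules from this section.
Constructed example; not Cisco ACS code. Store names, records and the
certificate-to-username mapping are invented for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UserRecord:
    username: str
    password: Optional[str] = None       # None: this store holds no credential
    attributes: dict = field(default_factory=dict)
    disabled: bool = False
    must_change_password: bool = False


@dataclass
class IdentityStore:
    name: str
    records: list

    def lookup(self, username):
        """All records matching the username; ACS acts only on a single match."""
        return [r for r in self.records if r.username == username]


@dataclass
class IdentityStoreSequence:
    authentication_stores: list   # password-based list, accessed in order
    attribute_stores: list        # optional additional attribute retrieval list


def retrieve_attributes(seq, username, already_used=None):
    """Walk the attribute retrieval list.

    A store already used for authentication is not accessed again; a store is
    skipped unless it holds exactly one match; disabled or password-expired
    accounts still yield their attributes. Returns (attributes, stores_visited).
    """
    attributes = {}
    visited = []
    for store in seq.attribute_stores:
        if already_used is not None and store.name == already_used:
            continue                      # already queried during authentication
        matches = store.lookup(username)
        if len(matches) != 1:
            continue                      # zero or duplicate matches: skip store
        attributes.update(matches[0].attributes)
        visited.append(store.name)
    return attributes, visited


def authenticate_password(seq, username, password):
    """Password-based flow: authentication list first, then attribute list."""
    for store in seq.authentication_stores:
        matches = store.lookup(username)
        if not matches:
            continue                      # user absent here; try the next store
        if len(matches) > 1:
            return {"result": "FAIL", "reason": f"duplicate user in {store.name}"}
        rec = matches[0]
        # Assumption: the first store containing the user decides the password
        # check, and a disabled account cannot authenticate.
        if rec.disabled or rec.password != password:
            return {"result": "FAIL", "reason": f"rejected by {store.name}"}
        attributes = dict(rec.attributes)  # attributes defined in the auth store
        extra, visited = retrieve_attributes(seq, username, already_used=store.name)
        attributes.update(extra)
        return {"result": "PASS", "auth_store": store.name,
                "attribute_stores": visited, "attributes": attributes}
    return {"result": "FAIL", "reason": "user not found in authentication list"}


def authenticate_certificate(seq, cert_subject_cn):
    """Certificate-based flow: the username is populated from a certificate
    attribute (assumed here to be the subject CN), then only the attribute
    retrieval list is walked."""
    attributes, visited = retrieve_attributes(seq, cert_subject_cn)
    return {"result": "PASS", "username": cert_subject_cn,
            "attribute_stores": visited, "attributes": attributes}


# Constructed sample stores (not real directories).
AD1 = IdentityStore("AD1", [
    UserRecord("alice", "s3cret", {"group": "netops"}),
    UserRecord("carol", None, {"group": "temp"}),
    UserRecord("carol", None, {"group": "temp-dup"}),    # duplicate: skipped
])
LDAP1 = IdentityStore("LDAP1", [
    UserRecord("alice", None, {"dept": "eng"}),
    UserRecord("bob", "pw1", {"dept": "ops"}),
    UserRecord("bob", "pw2", {"dept": "ops"}),             # duplicate: auth fails
    UserRecord("carol", None, {"dept": "hr"}, disabled=True,
               must_change_password=True),                 # attributes still returned
])
SEQUENCE = IdentityStoreSequence(authentication_stores=[AD1, LDAP1],
                                 attribute_stores=[AD1, LDAP1])

if __name__ == "__main__":
    print(authenticate_password(SEQUENCE, "alice", "s3cret"))
    print(authenticate_password(SEQUENCE, "bob", "pw1"))
    print(authenticate_certificate(SEQUENCE, "carol"))
```

Running the block shows alice authenticating against AD1 and then picking up only the LDAP1 attributes (AD1 is not queried a second time), bob failing because LDAP1 holds two records for him, and carol's disabled LDAP1 record still contributing attributes in the certificate flow while her duplicated AD1 record is skipped.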

This section contains the following topics:

Creating, Duplicating, and Editing Identity Store Sequences, page 8-74

Deleting Identity Store Sequences, page 8-76

Creating, Duplicating, and Editing Identity Store Sequences

To create, duplicate, or edit an identity store sequence:

Step 1 Select Users and Identity Stores > Identity Store Sequences.

The Identity Store Sequences page appears.


User Guide for Cisco Secure Access Control System 5.3

8-74

OL-24201-01
