We are trying to set up SSO to streamline our authentication access for our customers.
Currently we use RSA SecurID to front-end the initial auth attempts, and then the users open a bookmark and sign on again to the application.
I have been told that this was not supported...
Juniper's response:
- Wanted the users to get authenticated using RSA & having the SSO for resources that require AD credentials.
- Informed him that the functionality is not supported as of now.
From what I understand it can be done using SAML on the IVE and RSA FIM
http://www.rsa.com/node.aspx?id=1191
Has anyone done this before, and can they share their setup with me to resolve this issue?
I have my system setup with RSA and AD auth for SSO.
My primary logon is RSA and secondary is AD that I use later for SSO.
The only trick is that when the <PASSWORD> is required for the passthru, you specify <PASSWORD[2]>, which is provided on the secondary set of credentials. And if the username is different, then provide the <Username[2]> as well; if they are the same, then it doesn't matter.
dmw, how do you do your role mapping? I have an SA-2000 (6.3r3) with Windows AD as primary and RSA as secondary so that I can use the AD group memberships to do role assignments.
dmw,
I will need to try that! I assume this setting you mentioned is under the SSO \ Windows Credential Policy?
Where was this information published?
Servers
Authentication: RSAServer <----- I use this for Primary Auth
Directory/Attribute: LDAPServer <---- I use this for checking Group Membership in Role Mapping
Accounting : RadiusServer
Additional authentication server
Authentication #2: AD Kerberos <--- SSO secondary Auth
Username is: specified by user on sign-in page <----- this variable on the IVE is <USER[2]>
Password is: specified by user on sign-in page <----- this variable on the IVE is <PASSWORD[2]>
In the expression builder you can use [email protected]{AD_SSO} to perform the checks against the SSO user. If the userids are the same, go ahead and use the user from RSA to dip directly against LDAP. I have tested the RSA userid where it is equal to my <USERNAME[2]>, so group membership can be tested with the primary user.
There are all kinds of combinations that open themselves up with this kind of configuration.
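To make the two-credential-set mechanics described in the posts above concrete, here is an added illustrative simulation (editor's example, not Juniper/IVE code and not code from anyone in this thread). It models a session holding a primary (RSA SecurID) and a secondary (AD) credential set, resolves the <USER>, <USERNAME> and <PASSWORD> variables with the optional [2] index exactly as the thread uses them, and performs a role-mapping lookup against a constructed group directory. The regex, the Session class, the DIRECTORY contents and the rule format are all assumptions made for this example; only the variable names come from the thread.

```python
"""Illustrative simulation (not Juniper/IVE code) of SSO credential-set
selection and role mapping with RSA as primary and AD as secondary auth."""
import re
from dataclasses import dataclass


@dataclass
class Session:
    # Credential set 1: primary authentication (RSA SecurID in the thread).
    user1: str
    passcode1: str        # one-time passcode; useless for downstream SSO
    # Credential set 2: secondary authentication (AD Kerberos in the thread).
    user2: str
    password2: str


# Matches <USER>, <USERNAME>, <PASSWORD>, optionally indexed as [n].
# Case-insensitive so <Username[2]> (as written in the thread) also works.
VAR_RE = re.compile(r"<(USER(?:NAME)?|PASSWORD)(?:\[(\d+)\])?>", re.IGNORECASE)


def resolve(session: Session, name: str, index: int) -> str:
    """Return the credential from set 1 (primary) or set 2 (secondary)."""
    name = name.upper()
    if index not in (1, 2):
        raise ValueError(f"unknown credential set [{index}]")
    if name in ("USER", "USERNAME"):
        return session.user1 if index == 1 else session.user2
    return session.passcode1 if index == 1 else session.password2


def render(template: str, session: Session) -> str:
    """Substitute credential variables in an SSO policy template.
    An unindexed variable means set 1, which is why a Windows credential
    policy must use <PASSWORD[2]>: <PASSWORD> would hand the application
    the RSA one-time passcode instead of the AD password."""
    def sub(m: re.Match) -> str:
        idx = int(m.group(2)) if m.group(2) else 1
        return resolve(session, m.group(1), idx)
    return VAR_RE.sub(sub, template)


# Constructed stand-in for the LDAP directory: sAMAccountName -> groups.
DIRECTORY = {
    "jdoe": {"VPN-Users", "Finance"},
    "jdoe2": {"VPN-Users"},
}


def lookup_groups(username: str) -> set:
    return DIRECTORY.get(username, set())


def map_roles(session: Session, rules: dict, use_primary_for_ldap: bool = False) -> list:
    """rules maps role name -> required group. Membership is checked for the
    secondary (AD) user by default; use_primary_for_ldap mirrors the post's
    shortcut of dipping LDAP with the RSA userid when the two userids match."""
    if use_primary_for_ldap and session.user1 != session.user2:
        raise ValueError("primary and secondary userids differ; check <USER[2]> instead")
    user = session.user1 if use_primary_for_ldap else session.user2
    groups = lookup_groups(user)
    return sorted(role for role, grp in rules.items() if grp in groups)


if __name__ == "__main__":
    # Constructed sample: same userid on both servers.
    s = Session("jdoe", "123456789", "jdoe", "P@ssw0rd")
    print(render("user=<USER[2]>&pw=<PASSWORD[2]>", s))
    print(map_roles(s, {"Users": "VPN-Users", "Finance": "Finance"}, use_primary_for_ldap=True))
```

Running the block shows that a template written with <PASSWORD[2]> yields the AD password, while a template written with a bare <PASSWORD> would pass the RSA passcode through, which is the failure the posts are working around.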
Question: I have two auth servers, RSA and AD. Why would you make one the 'primary' instead of the other?
Have any SSL VPN providers been hit with DoS attacks against specific logins? If so, how do you mitigate them?
stine