Security Guide

Step 1. Create a Security Domain for Web Application User Accounts

Create a security domain for the web application user accounts that will use SAML authentication, and then import each user's LDAP account from Active Directory into the domain.
You must import the LDAP accounts of all users who use SAML authentication to access the Administrator tool, the Analyst tool, and the Monitoring tool into this security domain. After importing the accounts, assign the appropriate Informatica domain roles, privileges, and permissions to the accounts within the LDAP security domain.
  1. In the Administrator tool, click the Users tab, and then select the Security view.
  2. Click the Actions menu and select LDAP Configuration.
    The LDAP Configuration dialog box opens.
  3. Click the LDAP Connectivity tab.
  4. Configure the connection properties for the Active Directory server.
    The following table describes the server connection properties:
    Server Name: Host name or IP address of the Active Directory server.
    Port: Listening port for the server. The default value is 389.
    LDAP Directory Service: Select Microsoft Active Directory.
    Name: Distinguished name (DN) for the principal LDAP user. The user name often consists of a common name (CN), an organization (O), and a country (C). The principal user is an administrative user with access to the directory. Specify a user that has permission to read other user entries in the directory service.
    Password: Password for the principal LDAP user.
    Use SSL Certificate: Indicates that the LDAP server uses the Secure Socket Layer (SSL) protocol. If the LDAP server uses SSL, you must import the certificate into a truststore file on every gateway node within the Informatica domain. You must also set the INFA_TRUSTSTORE and INFA_TRUSTSTORE_PASSWORD environment variables if you do not import the certificate into the default Informatica truststore.
    Trust LDAP Certificate: Determines whether the Service Manager can trust the SSL certificate of the LDAP server. If selected, the Service Manager connects to the LDAP server without verifying the SSL certificate, so the identity of the LDAP server is not checked. If not selected, the Service Manager verifies that the SSL certificate is signed by a certificate authority before connecting to the LDAP server.
    Not Case Sensitive: Indicates that the Service Manager must ignore case sensitivity for distinguished name attributes when assigning users to groups. Enable this option.
    Group Membership Attribute: Name of the attribute that contains group membership information for a user. This is the attribute in the LDAP group object that contains the distinguished names (DNs) of the users or groups who are members of a group. For example, member or memberof.
    Maximum size: Maximum number of user accounts to import into a security domain. If the number of users to be imported exceeds the value for this property, the Service Manager generates an error message and does not import any users. Set this property to a higher value if you have many users to import. The default value is 1000.
    The following image shows the connection details for an LDAP server set in the LDAP Connectivity panel of the LDAP Configuration dialog box.
  5. Click Test Connection to verify that the connection to the Active Directory server is valid.
  6. Click the Security Domains tab.
  7. Click Add to create a security domain.
  8. Enter the security domain properties.
    The following table describes the security domain properties:
    Security Domain: Name of the LDAP security domain. The name is not case sensitive and must be unique within the domain. The name cannot exceed 128 characters or contain the following special characters:
    , + / < > @ ; \ % ?
    The name can contain an ASCII space character except as the first or last character. All other space characters are not allowed.
    User search base: Distinguished name (DN) of the entry that serves as the starting point to search for user names in the LDAP directory service. The search finds an object in the directory according to the path in the distinguished name of the object. In Active Directory, the distinguished name of a user object might be cn=UserName,ou=OrganizationalUnit,dc=DomainName, where the series of relative distinguished names denoted by dc=DomainName identifies the DNS domain of the object.
    User filter: An LDAP query string that specifies the criteria for searching for users in Active Directory. The filter can specify attribute types, assertion values, and matching criteria. For Active Directory, format the query string as:
    sAMAccountName=<account>
    Group search base: Distinguished name (DN) of the entry that serves as the starting point to search for group names in Active Directory.
    Group filter: An LDAP query string that specifies the criteria for searching for groups in the directory service.
    The following image shows the properties for an LDAP security domain named SAML_USERS set in the Security Domains panel of the LDAP Configuration dialog box. The user filter is set to import all users beginning with the letter "s".
  9. Click Synchronize Now.
    The security domain appears in the Users view.
  10. Expand the domain in the Navigator to view the imported user accounts.
  11. Set the appropriate roles, privileges, and permissions on the user accounts that will access each web application.
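As an added illustration, not part of the Informatica documentation or product code, the following Python script mimics on a constructed in-memory directory what the settings above control: the user filter selects accounts by sAMAccountName (the "s*" example from the SAML_USERS domain), the Maximum size check refuses the whole import when it is exceeded, and group membership is resolved through the member attribute with or without the Not Case Sensitive option. The directory entries, domain name rules as coded, and function names are assumptions made for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample directory entries, not a real Active Directory export.
USERS = [
    {"dn": "CN=sam.jones,OU=Staff,DC=example,DC=com", "sAMAccountName": "sam.jones"},
    {"dn": "CN=sara.lee,OU=Staff,DC=example,DC=com", "sAMAccountName": "sara.lee"},
    {"dn": "CN=tom.ng,OU=Staff,DC=example,DC=com", "sAMAccountName": "tom.ng"},
]
GROUPS = [
    # the member DN deliberately differs in case from the user entry's DN
    {"dn": "CN=SAML_Admins,OU=Groups,DC=example,DC=com",
     "member": ["cn=Sam.Jones,ou=staff,dc=example,dc=com"]},
]

FORBIDDEN = set(",+/<>@;\\%?")  # characters a security domain name may not contain

def validate_domain_name(name):
    """Apply the security domain name rules: length, forbidden characters, spaces."""
    if not name or len(name) > 128:
        return False
    if any(c in FORBIDDEN for c in name):
        return False
    if name[0] == " " or name[-1] == " ":
        return False
    # only the ASCII space is allowed; tabs and other whitespace are not
    return all(not c.isspace() or c == " " for c in name)

def select_users(users, user_filter):
    """Apply a user filter of the form sAMAccountName=<pattern> ('*' wildcard)."""
    attr, _, pattern = user_filter.strip("()").partition("=")
    return [u for u in users if fnmatchcase(u.get(attr, "").lower(), pattern.lower())]

def synchronize(users, groups, user_filter, max_size=1000,
                membership_attr="member", ignore_case=True):
    """Mimic Synchronize Now: import matching users, then resolve group membership."""
    selected = select_users(users, user_filter)
    if len(selected) > max_size:
        # like the Service Manager, refuse the whole import rather than a partial one
        raise ValueError(f"{len(selected)} users exceed Maximum size {max_size}")
    norm = (lambda dn: dn.lower()) if ignore_case else (lambda dn: dn)
    by_dn = {norm(u["dn"]): u["sAMAccountName"] for u in selected}
    membership = {}
    for g in groups:
        members = g.get(membership_attr, [])
        membership[g["dn"]] = sorted(by_dn[norm(m)] for m in members if norm(m) in by_dn)
    return {"users": sorted(by_dn.values()), "groups": membership}
```

Running synchronize with ignore_case=False shows why the guide says to enable Not Case Sensitive: the mixed-case member DN no longer matches and the user silently drops out of the group.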

Updated May 17, 2019
