Is it possible to integrate RSA Archer with multiple Active Directories?



Stan Utevski

Everything is possible, it's just a matter of how much effort you are willing to apply :)

Option 1 (recommended): RSA Archer v5.x supports multiple LDAP sync configurations, so you can have more than one AD server to sync users against.
Side Effects:
[a] If AD1 and AD2 both have a user with the same name, then you will have two users created in Archer in different domains. With manual login, users will need to supply different domains.
[b] Not sure how it will work with Single Sign-On enabled. I think that SSO will work only for the primary domain, but I'm not sure - you may want to test this.

Option 2 (AD workaround): I have little knowledge of Active Directory technology, but I believe that you can establish trust relationships between multiple ADs in such a way that a group from AD2 can reside within another group in AD1 (and they will autosync as well). This way you can sync Archer against only one AD, but have users from both ADs.

Option 3 (database back-end workaround): In the database you can find the tables where the LDAP configuration, users, and user-to-group mappings are stored. You can introduce a trigger that makes a copy of the users table and the user-group tables after each LDAP sync. So after you run two LDAP syncs, you will have two backup copies. Then, with your SQL trigger, you can merge them and override the original table. With this approach you can sync users within the same "Archer domain" against multiple LDAP sources.
Side Effects:
[a] You have to write and maintain custom SQL code.
[b] Users can expect not to have proper access to the environment until all of your LDAP syncs have been executed one by one and processed by the triggered code.

Good luck!