Enabling Group Affinity Checking in a Realm
The appliance supports group affinity checking, a network environment in which a user authenticates against
one server, and a second directory provides information on what groups (if any) a user belongs to. This is a
common requirement when RADIUS SecurID tokens or SAML IdP are used for authentication but the user’s group
information comes from an LDAP or Active Directory server. (In contrast, chained authentication requires users
to authenticate against two authentication servers. See Configuring Chained Authentication for more
Group membership is an important part of access control: you can set up the appliance to reference user groups
stored in your directory, and then reference those groups in access control rules.
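The following is an added illustration of the two-server model described above, not code from the appliance or its vendor. It models an authentication server that only verifies credentials (as a RADIUS or SAML IdP would), a separate group directory that only answers membership queries (as LDAP or AD would), and access control rules that reference those groups. All server names, user accounts, groups and rules are constructed for the example; the implicit-deny behaviour when no rule matches and the refusal to use an affinity server whose authorization checks are disabled are modelling assumptions, not documented appliance behaviour.

```python
"""Constructed model of group affinity checking (example, not appliance code).

One server authenticates the user; a second directory supplies the user's
groups; ACL rules are then evaluated against those groups.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class AuthServer:
    """Stands in for a RADIUS / SAML IdP: it can verify credentials but knows
    nothing about groups. Credentials here are constructed sample data."""
    users: Dict[str, str]  # username -> secret (plaintext only for illustration)

    def authenticate(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


@dataclass
class GroupDirectory:
    """Stands in for the LDAP / AD group affinity server. It never
    authenticates anyone; it only reports which groups a user belongs to."""
    memberships: Dict[str, Set[str]]  # username -> group names
    authorization_checks_enabled: bool = True  # see "Disabling Authorization Checks"

    def groups_for(self, username: str) -> FrozenSet[str]:
        # A user the directory has never heard of simply has no groups.
        return frozenset(self.memberships.get(username, ()))


@dataclass
class AclRule:
    action: str              # "permit" or "deny"
    groups: FrozenSet[str]   # rule matches when the user is in any of these
    resource: str


def evaluate_acl(rules: List[AclRule], user_groups: FrozenSet[str], resource: str) -> str:
    """First matching rule wins; no match means deny (assumed default)."""
    for rule in rules:
        if rule.resource == resource and rule.groups & user_groups:
            return rule.action
    return "deny"


def access_decision(auth: AuthServer, affinity: Optional[GroupDirectory],
                    rules: List[AclRule], username: str, password: str,
                    resource: str) -> Tuple[str, FrozenSet[str]]:
    """Group affinity flow: authenticate on one server, fetch groups from
    another, then apply the ACL. Returns (decision, groups used)."""
    if affinity is not None and not affinity.authorization_checks_enabled:
        # Mirrors the note that such a server is not offered as an affinity
        # server: refuse to use it rather than silently return no groups.
        raise ValueError("affinity server has authorization checks disabled")
    if not auth.authenticate(username, password):
        # Failed authentication never consults the group directory.
        return "deny", frozenset()
    groups = affinity.groups_for(username) if affinity is not None else frozenset()
    return evaluate_acl(rules, groups, resource), groups


def demo() -> Dict[str, Tuple[str, FrozenSet[str]]]:
    """Constructed sample data: alice is in 'finance', bob is authenticated
    but absent from the directory, so only alice reaches the ledger."""
    auth = AuthServer(users={"alice": "pw1", "bob": "pw2"})
    directory = GroupDirectory(memberships={"alice": {"finance"}})
    rules = [AclRule("permit", frozenset({"finance"}), "ledger")]
    return {
        "alice_ok": access_decision(auth, directory, rules, "alice", "pw1", "ledger"),
        "alice_badpw": access_decision(auth, directory, rules, "alice", "bad", "ledger"),
        "bob_no_groups": access_decision(auth, directory, rules, "bob", "pw2", "ledger"),
    }


if __name__ == "__main__":
    for name, (decision, groups) in demo().items():
        print(f"{name}: {decision} groups={sorted(groups)}")
```

The point the model makes is that the username returned by the authentication server is the key used for the directory lookup, so an account that exists on the IdP but not in the directory authenticates successfully yet ends up with no groups and, under the assumed implicit deny, no access.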
When an Active Directory (AD) server is used as an LDAP server, ACL checks cannot be performed.
Short names (SN) or common names (CN) are not supported on LDAP servers. They are only supported on
To enable group affinity checking
1. In the AMC, navigate to User Access > Realms.
2. Click the name of the realm you want to modify.
3. Click Advanced. In the Group Authorization area, select the Enable group affinity checking checkbox.
4. In the Server drop-down menu, select the name of the LDAP or Active Directory server that stores the group information. You can also click New to define a new group affinity server.
If group authorization checking is disabled for an authentication server, the server will not appear in the
list of available affinity servers. See Disabling Authorization Checks for more information.
If you are enabling group affinity checking during the process of creating the realm, the available buttons are