Product
Symantec Identity Governance and Administration (IGA) 15
Objective
Managing Multiple External User Stores by utilizing Userstore Proxy
Details
Consider a scenario with two external user stores: one is used for authentication only and the other for provisioning.
A Userstore Router is not needed for external user stores. So how do you configure IGA 15 to use both external user stores?
IGA 15 uses the Userstore Relay setting to specify the connection from Identity Manager to the user store, whether managed or external.
Step 1 Configure Userstore Relay
- In the IGA Xpress console, navigate to the Cluster tab.
- Select the Userstore Relay option as Userstore Proxy.

Step 2 Configure User Store Proxy
- In the IGA Xpress console, navigate to the Services tab
- Click Userstore Proxy Service
- In the General tab, Enable Use External Userstore
- Select true from the drop-down

Step 3 Configure External User Store connection
- In the IGA Xpress console, navigate to the Services tab
- Click Userstore Proxy Service
- In the External Userstores tab, Enable External User Stores

- Add an External User Store connection and provide the connectivity details for the user store that is used for authentication, which is the primary user store for Identity Manager. Provisioning is not enabled for this user store.

Step 4 Turn off Autowire property for the non-authentication userstore
- Log into IdM Admin Console
- Under Directories, open the non-authentication userstore
- User Store configuration is displayed.

- Un-check the Autowire checkbox.

- Click Update at the bottom of the page. You are prompted to restart the IdM environment.
- Restart the environment, then check the IdM logs and confirm that there are no errors related to user stores.
Note: Failure to disable Autowire for the non-primary user stores will result in an LDAP 49 (invalid credentials) error, which will prevent your environment from starting up.
Additional Details
Userstore proxy
- uproxy: The service is tied to idm and it runs on all nodes where IdM is deployed. The selection of this service depends on the Userstore Relay parameter that the igx user configures.
- IGA supports Userstore Proxy (uproxy), Userstore Router (urouter), and None (none) as the relay services to connect to the user store. The uproxy service is used to connect to both the managed and external user store, whereas the urouter service can be used to connect to the managed user store only. Both the relay services support failover for the user store. The selected relay service is enabled on all the nodes on which the Identity Manager service is deployed.
Userstore Proxy (uproxy):
Specifies the TCP (SSL Passthrough) relay for connecting to the user store. This relay service also provides a failover facility and can be used with both managed and external user stores.
Configuring the Proxy for an External User Store
To configure the proxy to connect to an external user store instead of an internal/managed one, you must define the following primary properties:
Use External Userstore (use_external_ustore)
Set this boolean property to true to instruct the Userstore Proxy to connect to your external user store(s) instead of the managed user store(s).
Primary User Store (primary_ustore)
An optional string value that specifies the name of the primary node in your external user stores. If you do not provide a value or if the value is invalid, the system will automatically select the first user store node in the cluster list as the primary.
External User Stores (external_ustores)
An array that specifies your list of external user stores.
Note: This configuration is only applicable when an internal user store is not in use.
External User Stores Sub-Properties
When defining the specific external user stores in the external_ustores array, each entry requires three mandatory sub-properties to establish the connection:
Name (name):
A string representing the alias name used to uniquely identify the specific external user store.
Port (port):
An integer specifying the exact port number of the external user store.
Address (address):
A string specifying the IP address or the DNS name of the external user store.
Following is a sample configuration with two external user stores:
external_ustores:
  - address: 192.0.2.1
    port: 10101
    name: extustore1
  - address: 192.0.2.2
    port: 10101
    name: extustore2
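The following pre-flight check is an added example, not part of the product or of the original article. It applies the rules described above (three mandatory sub-properties per entry, a unique alias, and the fallback to the first entry when primary_ustore is missing or invalid) before the values are entered in IGA Xpress. It assumes the settings are held in a Python dict keyed by the property names on this page, with each store entry a mapping; check_uproxy and valid_address are hypothetical helper names, and the port range and address syntax checks are general sanity checks rather than documented IGA behaviour.

```python
import ipaddress
import re

REQUIRED = ("name", "port", "address")
LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
DNS_NAME = re.compile(rf"^(?=.{{1,253}}$)({LABEL}\.)*{LABEL}$")

def valid_address(addr):
    """Accept an IP literal or a syntactically valid DNS name."""
    try:
        return isinstance(addr, str) and bool(ipaddress.ip_address(addr))
    except ValueError:
        # Dotted digits that fail IP parsing are a typo, not a host name.
        return not re.fullmatch(r"[0-9.]+", addr) and bool(DNS_NAME.match(addr))

def check_uproxy(cfg):
    """Return (errors, primary): problems found and the effective primary store."""
    errors, names = [], []
    if cfg.get("use_external_ustore") is not True:
        errors.append("use_external_ustore must be boolean true")
    stores = cfg.get("external_ustores")
    if not isinstance(stores, list) or not stores:
        return errors + ["external_ustores must be a non-empty array"], None
    for i, store in enumerate(stores):
        missing = [k for k in REQUIRED if k not in store]
        if missing:
            errors.append(f"entry {i}: missing {', '.join(missing)}")
            continue
        name, port = store["name"], store["port"]
        if name in names:
            errors.append(f"entry {i}: alias {name!r} is not unique")
        names.append(name)
        if isinstance(port, bool) or not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append(f"entry {i}: port must be an integer in 1-65535")
        if not valid_address(store["address"]):
            errors.append(f"entry {i}: address is not an IP or DNS name")
    wanted = cfg.get("primary_ustore")
    primary = wanted if wanted in names else (names[0] if names else None)
    if wanted is not None and wanted != primary:
        errors.append(f"primary_ustore {wanted!r} matches no entry; falls back to {primary!r}")
    return errors, primary

# Constructed input: the two stores from the sample on this page.
SAMPLE = {"use_external_ustore": True, "primary_ustore": "extustore2", "external_ustores": [
    {"address": "192.0.2.1", "port": 10101, "name": "extustore1"},
    {"address": "192.0.2.2", "port": 10101, "name": "extustore2"}]}
if __name__ == "__main__":
    print(check_uproxy(SAMPLE))
```

A reported fallback deserves attention because the primary user store is the one Identity Manager uses for authentication.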
Reference
IGA 15 – User Store Proxy External User Store
Service Interconnect (Autowire)
Author
Sricharan Kandala Tirumala
