API Gateway // SSO Integration - Gateway not receiving SSO LDAP user attribute information

Article ID: 130675

Updated On:

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

Enriched LDAP user attribute information that is explicitly sent by the SSO server is not received by the Gateway, either in the HTTP headers or in the smcontext attributes.

The assertion returns valid responses for successfully authenticated users.
However, we are not receiving HTTP headers with the additional attributes that are provided.

Environment

Gateway 9.4

Resolution

Support tested to validate that the SSO response can be tied to a RULE, an OnAccept rule (AU), or an OnAccess rule (AZ).

In the AdminUI (SSO), configure 3 LDAP attributes and include them in a response group (APIM-GRP). Example user attribute response: MyTelephoneNumber=<%userattr="TelephoneNumber"%> (LDAP attribute name = TelephoneNumber)

Details Response configuration:

<Please see attached file for image>

Detail response

Grouping of all the responses (optional)

<Please see attached file for image>

Responses

In the AdminUI (SSO) policy, create a RULE (NOTE: it must use the same resource and agent name used by the CA Single Sign-On Check Protected Resource assertion).

SSO REALM/RULE protected resource /validate1 with agent name apim-gw_agent-devcloud

<Please see attached file for image>

Realm-cnf
Responses tied to the RULE 

<Please see attached file for image>

Rule-response
In the APIM Policy Manager, configure the IsProtected assertion using the same resource and agent name.

<Please see attached file for image>

APIM IsProtected
In the policy, set context variables as follows:
${siteminder.smcontext.attributes.mobile}
${siteminder.smcontext.attributes.HomePhone}
${siteminder.smcontext.attributes.TELEPHONENUMBER}

Example:
Template Response Properties:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: ${TelephoneNumber-rule}
OnAccept-User LDAP Object HomePhone#: ${HomePhone-au}
OnAccess-User LDAP Object Mobile#: ${mobile-az}

Results:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: 508-898-7570, 978-898-7050
OnAccept-User LDAP Object HomePhone#: 555-5551
OnAccess-User LDAP Object Mobile#: 888-898-0570
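The steps above chain three pieces of configuration: an SSO response attribute in the Name=<%userattr="LdapAttr"%> form, the rule it is tied to, and a Gateway context variable of the form ${siteminder.smcontext.attributes.Name} that reads it. The script below is an added illustration, not Gateway or SSO code, that models that chain so the common failure (an attribute that is configured but never reaches the policy) shows up as a named gap rather than an empty header. The LDAP user entry, the response definitions and the lookup being case-insensitive are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed LDAP user entry (sample data for the example, not a real directory).
LDAP_USER = {
    "TelephoneNumber": ["508-898-7570", "978-898-7050"],
    "HomePhone": ["555-5551"],
    "mobile": ["888-898-0570"],
}

# Constructed SSO response attributes in the page's Name=<%userattr="Attr"%> form,
# keyed by the rule they are tied to. "pager" is deliberately absent from the
# LDAP entry so the check below has something to report.
SSO_RESPONSES = {
    "RULE": ['TelephoneNumber=<%userattr="TelephoneNumber"%>'],
    "OnAccept": ['HomePhone=<%userattr="HomePhone"%>'],
    "OnAccess": ['mobile=<%userattr="mobile"%>', 'pager=<%userattr="pager"%>'],
}

# Constructed policy template lines mirroring the article's context variables.
POLICY_TEMPLATE = [
    "Rule-User LDAP Object TelePhoneNumber#: ${siteminder.smcontext.attributes.TELEPHONENUMBER}",
    "OnAccept-User LDAP Object HomePhone#: ${siteminder.smcontext.attributes.HomePhone}",
    "OnAccess-User LDAP Object Mobile#: ${siteminder.smcontext.attributes.mobile}",
]

USERATTR_RE = re.compile(r'^(?P<name>[^=]+)=<%userattr="(?P<attr>[^"]+)"%>$')
CTX_VAR_RE = re.compile(r"\$\{siteminder\.smcontext\.attributes\.(?P<name>[^}]+)\}")


def parse_response_attr(definition: str) -> Tuple[str, str]:
    """Split 'Name=<%userattr="Attr"%>' into (response name, LDAP attribute)."""
    m = USERATTR_RE.match(definition.strip())
    if not m:
        raise ValueError(f"unrecognised response attribute: {definition!r}")
    return m.group("name"), m.group("attr")


def build_smcontext(ldap_user: Dict[str, List[str]],
                    responses: Dict[str, List[str]]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve every configured response against the user entry.

    Returns (attributes, missing): attributes is what the Gateway would see as
    smcontext attributes; missing names each response whose LDAP attribute the
    user lacks, i.e. a header the policy will wait for and never get.
    """
    by_lower = {k.lower(): v for k, v in ldap_user.items()}  # assumed case-insensitive
    attrs: Dict[str, str] = {}
    missing: List[str] = []
    for rule, definitions in responses.items():
        for definition in definitions:
            name, ldap_attr = parse_response_attr(definition)
            values = by_lower.get(ldap_attr.lower())
            if not values:
                missing.append(f"{rule}:{name} ({ldap_attr})")
                continue
            attrs[name] = ", ".join(values)  # multi-valued attribute -> comma list
    return attrs, missing


def unresolved_variables(template: str, attrs: Dict[str, str]) -> List[str]:
    """Context variables the template references that no response provided."""
    known = {k.lower() for k in attrs}
    return [m.group("name") for m in CTX_VAR_RE.finditer(template)
            if m.group("name").lower() not in known]


def expand(template: str, attrs: Dict[str, str]) -> str:
    """Substitute ${siteminder.smcontext.attributes.X}; an unset variable expands to ''."""
    by_lower = {k.lower(): v for k, v in attrs.items()}
    return CTX_VAR_RE.sub(lambda m: by_lower.get(m.group("name").lower(), ""), template)


def render_policy(template_lines: List[str], attrs: Dict[str, str]) -> List[str]:
    return [expand(line, attrs) for line in template_lines]


if __name__ == "__main__":
    attrs, missing = build_smcontext(LDAP_USER, SSO_RESPONSES)
    for line in render_policy(POLICY_TEMPLATE, attrs):
        print(line)
    for gap in missing:
        print("response configured but attribute absent from user:", gap)
    for line in POLICY_TEMPLATE:
        for var in unresolved_variables(line, attrs):
            print("policy references attribute no response supplies:", var)
```

When a header arrives empty, running the two checks separates the two usual causes: the response is tied to a rule that did not fire or names an attribute the user does not carry (reported by build_smcontext), or the policy variable is spelled differently from the response name (reported by unresolved_variables).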

Attachments

1558687722724000130675_sktwi1f5rjvs16fdi.png
1558687721015000130675_sktwi1f5rjvs16fdh.png
1558687719222000130675_sktwi1f5rjvs16fdg.png
1558687717337000130675_sktwi1f5rjvs16fdf.png
1558687714393000130675_sktwi1f5rjvs16fde.png
1558537178269validate1.zip