API Gateway with SSO Integration not receiving SSO LDAP user additional Attribution attribute information smcontext header
Article ID: 130675
Updated On: 04-29-2025
Products
STARTER PACK-7
CA Rapid App Security
CA API Gateway
Issue/Introduction
Issue trying to return enriched ldap user attribute information that is explicitly sent by the SSO server is not received by the gateway in the header or the smcontext attributes.
The assertion returns valid responses for successfully authenticated users.
However, We are not receiving HTTP Headers with additional attributes that are provided.
Environment
Gateway 9.4
Resolution
Support tested to validate the SSO response can be tied to RULE, OnAccept rule (AU), OnAccess rule (AZ)
AdminUI (SSO) configured 3 LDAP attributes included them in a response group (GRP). Example User Attribute response: MyTelephoneNumber=<%userattr="TelephoneNumber"%> (LDAP attribute name = TelephoneNumber)
Details Response configuration:
Grouping of all the responses (optional)
AdminUI (SSO) policy create a RULE (NOTE it must be the same resource and agentname used during the CA Single Sign-On Check Protected Resource assertion)
SSO REALM/RULE protected resource /validate1 with agentname example
Responses tied to the RULE
APIM Policy Manager configure IsProtect using same resource and agentname
In the policy Set Context variable as followed:
${siteminder.smcontext.attributes.mobile}
${siteminder.smcontext.attributes.HomePhone}
${siteminder.smcontext.attributes.TELEPHONENUMBER}
${siteminder.smcontext.attributes.HomePhone}
${siteminder.smcontext.attributes.TELEPHONENUMBER}
Example:
Template Response Properties:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: ${TelephoneNumber-rule}
OnAccept-User LDAP Object HomePhone#: ${HomePhone-au}
OnAccess-User LDAP Object Mobile#: ${mobile-az}
Rule-User LDAP Object TelePhoneNumber#: ${TelephoneNumber-rule}
OnAccept-User LDAP Object HomePhone#: ${HomePhone-au}
OnAccess-User LDAP Object Mobile#: ${mobile-az}
Results:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: xxx-xxx-xxxx, xxx-xxx-yyy
OnAccept-User LDAP Object HomePhone#: yyy-yyyy
OnAccess-User LDAP Object Mobile#: zzz-zzz-zzzz
Rule-User LDAP Object TelePhoneNumber#: xxx-xxx-xxxx, xxx-xxx-yyy
OnAccept-User LDAP Object HomePhone#: yyy-yyyy
OnAccess-User LDAP Object Mobile#: zzz-zzz-zzzz
Feedback
Was this article helpful?
Yes
No
Powered by
