API Gateway // SSO Integration -Gateway not receiving SSO LDAP user Attribution information
Article ID: 130675
Updated On:
Products
STARTER PACK-7
CA Rapid App Security
CA API Gateway
Issue/Introduction
Issue trying to return enriched ldap user attribute information that is explicitly sent by the SSO server is not received by the gateway in the header or the smcontext attributes.
The assertion returns valid responses for successfully authenticated users.
However, We are not receiving HTTP Headers with additional attributes that are provided.
The assertion returns valid responses for successfully authenticated users.
However, We are not receiving HTTP Headers with additional attributes that are provided.
Environment
Gateway 9.4
Resolution
Support tested to validate the SSO response can be tied to RULE, OnAccept rule (AU), OnAccess rule (AZ)
AdminUI (SSO) configured 3 LDAP attributes included them in a response group (APIM-GRP). Example User Attribute response: MyTelephoneNumber=<%userattr="TelephoneNumber"%> (LDAP attribute name = TelephoneNumber)
Details Response configuration:
Grouping of all the responses (optional)
AdminUI (SSO) policy create a RULE (NOTE it must be the same resource and agentname used during the CA Single Sign-On Check Protected Resource assertion)
SSO REALM/RULE protected resource /validate1 with agentname apim-gw_agent-devcloud
Example:
Template Response Properties:
Results:
AdminUI (SSO) configured 3 LDAP attributes included them in a response group (APIM-GRP). Example User Attribute response: MyTelephoneNumber=<%userattr="TelephoneNumber"%> (LDAP attribute name = TelephoneNumber)
Details Response configuration:
<Please see attached file for image>
Grouping of all the responses (optional)
<Please see attached file for image>
AdminUI (SSO) policy create a RULE (NOTE it must be the same resource and agentname used during the CA Single Sign-On Check Protected Resource assertion)
SSO REALM/RULE protected resource /validate1 with agentname apim-gw_agent-devcloud
<Please see attached file for image>
Responses tied to the RULE
<Please see attached file for image>
APIM Policy Manager configure IsProtect using same resource and agentname
<Please see attached file for image>
In the policy Set Context variable as followed:
${siteminder.smcontext.attributes.mobile}
${siteminder.smcontext.attributes.HomePhone}
${siteminder.smcontext.attributes.TELEPHONENUMBER}
${siteminder.smcontext.attributes.HomePhone}
${siteminder.smcontext.attributes.TELEPHONENUMBER}
Example:
Template Response Properties:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: ${TelephoneNumber-rule}
OnAccept-User LDAP Object HomePhone#: ${HomePhone-au}
OnAccess-User LDAP Object Mobile#: ${mobile-az}
Rule-User LDAP Object TelePhoneNumber#: ${TelephoneNumber-rule}
OnAccept-User LDAP Object HomePhone#: ${HomePhone-au}
OnAccess-User LDAP Object Mobile#: ${mobile-az}
Results:
Customer ATTR:
Rule-User LDAP Object TelePhoneNumber#: 508-898-7570, 978-898-7050
OnAccept-User LDAP Object HomePhone#: 555-5551
OnAccess-User LDAP Object Mobile#: 888-898-0570
Rule-User LDAP Object TelePhoneNumber#: 508-898-7570, 978-898-7050
OnAccept-User LDAP Object HomePhone#: 555-5551
OnAccess-User LDAP Object Mobile#: 888-898-0570
Attachments
Feedback
Yes
No
Powered by
