SM_USERGROUPS and webagents


Article ID: 130878


Products

CA Single Sign On Secure Proxy Server (SiteMinder) AXIOMATICS POLICY SERVER CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On

Issue/Introduction



We're running Web Agent and we'd like to know under which conditions the SM_USERGROUPS header gets populated?

Environment

Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:

Resolution

The user attributes SM_USERGROUPS and SM_USERNESTEDGROUPS are generated when the user is authenticated and are stored in the Policy Server user cache. This data is fetched again only when one of the following scenarios happens:

1. The user logs off and logs in again

2. The session expires


How can I get the User Groups by using the Java SDK (12SP3)?


https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=729476#bm7239055f-2332-46c7-b985-97145cdc61bd


The following two registry values define the LDAP query used to populate SM_USERGROUPS:


HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters 

HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\LdapMatchUserDN 


How is the LDAP search query for SM_USERGROUPS formed?


https://ca-broadcom.wolkenservicedesk.com/external/article?articleId=45283


You can make SM_USERGROUPS available to the browser by configuring a response:


Tech Tip - CA Single Sign-On:Policy Server:: How to check if user is a member of a group


https://community.broadcom.com/browse/blogs/blogviewer?BlogKey=5f79d3e2-3521-488d-bd43-50e834654b65&CommunityKey=f9d65308-ca9b-48b7-915c-7e9cb8fc3295


Documentation:


%SM_USERGROUPS 


This attribute holds the groups to which the user belongs. If the user belongs to a nested group, this attribute contains the group furthest down in the hierarchy. For all nested groups to which the user belongs, use SM_USERNESTEDGROUPS.


Example: 


If a user belongs to the group Accounts Payable and Accounts Payable is contained in the group Accounting, SM_USERGROUPS contains Accounts Payable. If you want both Accounting and Accounts Payable, use SM_USERNESTEDGROUPS.
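The following is an added example, not code from the Broadcom article or from SiteMinder itself; it models the difference described above between SM_USERGROUPS (the groups that list the user directly) and SM_USERNESTEDGROUPS (every group reachable by walking up the hierarchy). The directory contents, user names and the is_member helper are constructed for illustration and are not SiteMinder APIs; the model is generalized to arbitrary nesting depth rather than only the two-level Accounting example.

```python
# Added example (not from the article): direct vs. nested group membership,
# mirroring what SM_USERGROUPS and SM_USERNESTEDGROUPS would carry.
from collections import deque

# Constructed directory: group name -> set of direct members (users or groups).
# "Accounts Payable" is nested in "Accounting", which is nested in "Finance".
DIRECTORY_GROUPS = {
    "Finance": {"Accounting"},
    "Accounting": {"Accounts Payable", "Accounts Receivable"},
    "Accounts Payable": {"alice", "bob"},
    "Accounts Receivable": {"carol"},
    "Auditors": {"alice"},
}


def direct_groups(user):
    """Groups that list the user as a direct member: the SM_USERGROUPS view
    (the group furthest down in the hierarchy, per the documentation)."""
    return sorted(g for g, members in DIRECTORY_GROUPS.items() if user in members)


def nested_groups(user):
    """All groups reachable from the user's direct groups by following
    group-in-group containment upward: the SM_USERNESTEDGROUPS view."""
    seen = set()
    queue = deque(direct_groups(user))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # guards against cycles in a misconfigured directory
        seen.add(group)
        # Every group that contains this group as a member is a parent.
        for parent, members in DIRECTORY_GROUPS.items():
            if group in members:
                queue.append(parent)
    return sorted(seen)


def is_member(user, group, nested=False):
    """Hypothetical membership check (not a SiteMinder API): with nested=False
    it answers the way a rule on SM_USERGROUPS would, with nested=True the way
    a rule on SM_USERNESTEDGROUPS would."""
    groups = nested_groups(user) if nested else direct_groups(user)
    return group in groups


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, "SM_USERGROUPS:", direct_groups(user))
        print(user, "SM_USERNESTEDGROUPS:", nested_groups(user))
```

The practical consequence for policy design: a rule that tests SM_USERGROUPS for "Accounting" will not match alice, even though she is in Accounts Payable, which sits inside Accounting; a rule that needs the containing groups must read SM_USERNESTEDGROUPS instead.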


Generated User Attributes


https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/responses-and-response-groups/generated-user-attributes.html



You won't see SM_USERGROUPS in the browser; the header is sent only to the accessed page. In order to see it, put a test page on the protected resource that reads all request headers and displays them in the HTML page. Here's a sample in PHP:


  <?php
  // Dump every request header the Web Agent forwarded to this page.
  // Header values are escaped before output so the test page does not
  // reflect raw header content into the HTML.
  foreach (getallheaders() as $name => $value) {
      echo htmlspecialchars("$name: $value", ENT_QUOTES, 'UTF-8');
      echo "<br />\n";
  }
  ?>


Directory Mapping is applied at authorization time. SM_USERGROUPS is set at authentication time, so the Directory Mapping is not used when populating it.