SM_USER is set to the UniversalID on Federation transactions

Article ID: 16078

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction



We have an application protected with Web Agent/WAOP. When users log in through Federation (SP-initiated), we see the SM_USER header being set to the UniversalID. However, if users log in directly (without Federation on the SSO side), the SM_USER header is set to the user login ID.

How does Federation authentication fill the SM_USER header?

Environment

Web Agent Option Pack R12.52 SP1 CR06
Policy Server R12.52 SP1 CR06

Resolution

When the request arrives at the SP, the user identity has already been authenticated on the IDP side. That identity is passed to the SP for validation through the attributes included in the assertion, and this is configured in the partnership settings. In your current partnership (SP side), check the User Identification section to see which identity attribute is taken from the assertion and how it is mapped to your User Directories. You may choose a different attribute here as well.

In the AdminUI, go to Federation > Partnerships > Modify your partnership > Step 2 (User Identification), and review the current settings to see which attribute is used to set SM_USER afterwards.

By default it is set to use the NameID in the assertion. That NameID is looked up in the User Directory, and the UniversalID attribute configured on that User Directory is then used to set the SM_USER header.
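The following is an added illustration of the two lookup paths described above, written for this article and not code from the SiteMinder product. It models a federated login (NameID taken from the assertion, matched against a directory search attribute, SM_USER set from the directory's UniversalID attribute) next to a direct login (SM_USER set from the login ID). The assertion, the directory entries and the attribute names `mail`, `uid` and `employeeNumber` are constructed assumptions; which attribute is the search attribute and which is the UniversalID is whatever your User Directory and partnership are configured with.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from the article), reduced to the Subject/NameID
# the SP partnership reads by default.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jsmith@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

# Constructed user directory. Attribute names are assumptions:
#   uid            - the login ID used for direct (non-federated) login
#   mail           - the attribute the partnership searches with the NameID
#   employeeNumber - the attribute configured as UniversalID on the User Directory
USER_DIRECTORY = [
    {"uid": "jsmith", "mail": "jsmith@example.com", "employeeNumber": "E10042"},
    {"uid": "alee", "mail": "alee@example.com", "employeeNumber": "E10077"},
]


def extract_name_id(assertion_xml):
    """Return the Subject/NameID text from a SAML 2.0 assertion, or raise if absent."""
    # In a real SP the assertion's signature is verified before anything is read from it;
    # this model only extracts the identifier.
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not node.text or not node.text.strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip()


def find_user(search_attr, value):
    """Exact-match lookup of one directory entry by attribute; None if not found."""
    for entry in USER_DIRECTORY:
        if entry.get(search_attr) == value:
            return entry
    return None


def sm_user_for_federated_login(assertion_xml, search_attr="mail",
                                universal_id_attr="employeeNumber"):
    """SM_USER as set after an SP-initiated federated login: NameID -> directory -> UniversalID."""
    name_id = extract_name_id(assertion_xml)
    user = find_user(search_attr, name_id)
    if user is None:
        raise LookupError("NameID %r not found via %s" % (name_id, search_attr))
    return user[universal_id_attr]


def sm_user_for_direct_login(login_id):
    """SM_USER as set after a direct (non-federated) login: the login ID itself."""
    user = find_user("uid", login_id)
    if user is None:
        raise LookupError("login ID %r not found" % login_id)
    return user["uid"]


def same_user(federated_sm_user, direct_sm_user, universal_id_attr="employeeNumber"):
    """Resolve both SM_USER forms to the directory entry and report whether they match.

    Useful when a backend application receives both kinds of session and must not
    assume SM_USER is always the login ID.
    """
    by_uid = find_user("uid", direct_sm_user)
    by_universal = find_user(universal_id_attr, federated_sm_user)
    return by_uid is not None and by_uid is by_universal


if __name__ == "__main__":
    fed = sm_user_for_federated_login(SAMPLE_ASSERTION)
    direct = sm_user_for_direct_login("jsmith")
    print("federated SM_USER:", fed)      # E10042 (UniversalID)
    print("direct SM_USER:   ", direct)   # jsmith (login ID)
    print("same directory entry:", same_user(fed, direct))
```

Changing `search_attr` or `universal_id_attr` in the call mirrors choosing a different attribute in the partnership's User Identification step or on the User Directory: the value that ends up in SM_USER follows the directory attribute, not the assertion.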

Additional Information

Configuring partnership federation : User identification for a partnership