Response in a multiple Identity Mapping issue

Article ID: 190591

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction


We're running a Policy Server and would like to know how to build a
Response based on attributes from two User Stores.

We've already configured an Identity Mapping. Is it suitable for
retrieving the user's attributes?

Environment


Policy Server all versions.

Resolution


As per the documentation, the purpose of Identity Mapping is to locate a
user and authorize that user, not to gather attributes from two User
Stores into a single Response:

  Identity Mapping by Complex User Search Criterion

    "Identity Mapping locates a user by relying on the session ticket
    information [...] "

  https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/configuring/policy-server-configuration/directory-mapping/directory-mapping-examples.html

Note also that the IDENTITY_MAP function referenced there has a defect
that is fixed in Policy Server 12.8 SP2 (12.8.02):

Defects Fixed in 12.8.02

  1239992 DE393374 IDENTITY_MAP function fails to work with Custom
  Search in IDENTITY_MAPPING Object.

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/release-notes/service-packs/defects-fixed-in-12-8-02.html

To place a specific user attribute from a specific User Directory in a
Response, we advise writing a custom Active Expression Response with the
Java SDK:

  How do you compile and use the Siteminder Java SDK Active Response sample?
  https://knowledge.broadcom.com/external/article?articleId=53821
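As an added illustration (not code from this article, the SDK sample, or SmWalker), the class below is the kind of custom Active Expression Response the advice above refers to. It reads a join attribute for the authenticated user through the Policy Server's UserContext, then looks up a second attribute in a separate LDAP store that is not the user's authentication directory, and returns that value for the Response. The SmAPI interface and method names (ActiveExpression, ActiveExpressionContext, UserContext.getProp, APIContext.log) are taken from the CA SSO Java SDK Javadoc and should be checked against your SDK version; the directory URL, base DN, bind account, and attribute names are placeholders. The join value coming from the first store is escaped per RFC 4515 before it is placed in the LDAP filter, so a directory value containing `*` or `)` cannot widen or break the search.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

import com.netegrity.policyserver.smapi.APIContext;
import com.netegrity.policyserver.smapi.ActiveExpression;
import com.netegrity.policyserver.smapi.ActiveExpressionContext;
import com.netegrity.policyserver.smapi.UserContext;

/**
 * Example Active Response joining the authenticated user's directory with a
 * second LDAP store. Connection details and attribute names below are
 * placeholders (assumptions for this example); SmAPI method names follow the
 * CA SSO Java SDK Javadoc and must be verified against your SDK version.
 */
public class TwoStoreAttributeResponse implements ActiveExpression {

    // Placeholder details for the secondary store (assumed, not from the article).
    private static final String SECOND_STORE_URL  = "ldaps://ldap2.example.com:636";
    private static final String SECOND_STORE_BASE = "ou=people,dc=example,dc=com";
    private static final String BIND_DN = "cn=sso-reader,ou=service,dc=example,dc=com";
    private static final String BIND_PW = System.getenv("SSO_LDAP2_PASSWORD"); // read-only account

    // Attribute present in both stores, used as the join key.
    private static final String JOIN_ATTR = "mail";

    public void init(APIContext context) throws Exception {
        context.log("TwoStoreAttributeResponse initialised");
    }

    public void release(APIContext context) { }

    /**
     * param = name of the attribute to fetch from the second store (e.g. "employeeNumber"),
     * passed from the Response attribute's Parameters field.
     * Returns the second-store value, or "" when the user, join key, or match is missing
     * so the Response carries an empty header rather than an unrelated user's data.
     */
    public String invoke(ActiveExpressionContext context, String param) throws Exception {
        UserContext user = context.getUser();
        if (user == null || !user.isUserContext()) {
            context.log("no user context available; returning empty value");
            return "";
        }
        // Value from the user's own (authentication) directory via the Policy Server.
        String joinValue = user.getProp(JOIN_ATTR);
        if (joinValue == null || joinValue.isEmpty()) {
            context.log("user " + user.getUserName() + " has no " + JOIN_ATTR);
            return "";
        }
        String value = lookupSecondStore(joinValue, param.trim(), context);
        return value == null ? "" : value;
    }

    /** Escape a value for use inside an LDAP search filter (RFC 4515). */
    static String escapeFilterValue(String v) {
        StringBuilder sb = new StringBuilder(v.length());
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Search the second store for exactly one entry whose JOIN_ATTR equals joinValue. */
    private String lookupSecondStore(String joinValue, String attr, APIContext log) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SECOND_STORE_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        env.put("com.sun.jndi.ldap.connect.pool", "true"); // invoke() runs per authorization; pool binds
        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { attr });
            String filter = "(" + JOIN_ATTR + "=" + escapeFilterValue(joinValue) + ")";
            NamingEnumeration<SearchResult> results = ctx.search(SECOND_STORE_BASE, filter, sc);
            if (!results.hasMore()) {
                log.log("no entry in second store for " + JOIN_ATTR + "=" + joinValue);
                return null;
            }
            SearchResult first = results.next();
            if (results.hasMore()) { // ambiguous join key: refuse rather than pick one
                log.log("ambiguous match in second store for " + JOIN_ATTR + "=" + joinValue);
                return null;
            }
            Attribute a = first.getAttributes().get(attr);
            Object v = (a == null) ? null : a.get();
            return v == null ? null : v.toString();
        } catch (NamingException e) {
            log.log("second-store lookup failed: " + e);
            return null;
        } finally {
            if (ctx != null) { try { ctx.close(); } catch (NamingException ignored) { } }
        }
    }
}
```

To wire it in, the Response attribute is configured as an Active Response using the SDK's Java bridge (library smjavaapi, function JavaActiveExpression, with the Parameters field holding the fully qualified class name followed by the attribute name, e.g. `com.example.TwoStoreAttributeResponse employeeNumber`); confirm the exact fields against the SDK guide for your release. The bind account for the second store should be read-only and scoped to the attributes you actually return, since whatever this class returns ends up in a header the application trusts.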

In addition, our Global Delivery team has produced a module that may
allow you to do this:

SmWalker for CA Single Sign-On User Guide Version R14.3

  SmWalker for CA Single Sign-On (a/k/a SmWalker) is a tool provided by
  the CA Technologies Global Delivery Team that can be used to retrieve
  and process information and pass it as a response from CA Single
  Sign-On (f/k/a SiteMinder).

  Originally, SmWalker was designed to access information stored in an
  LDAP directory, but there are many functions that can process
  information from other sources as well.

  SmWalker is not specifically part of CA Single Sign-On, but is a
  useful adjunct to it. SmWalker is essentially a library of Active
  Expression functions that the CA Technologies Global Delivery Team
  (and our customers) have found useful over the years.

https://casupport.broadcom.com/phpdocs/7/5262/SmWalker_for_Single_Sign_On_vR14.3_Linux64.zip