JWT Authentication Scheme User Lookup

Article ID: 200162

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Federation (SiteMinder), SITEMINDER

Issue/Introduction

We have a JWT that comes from a client where the 'sub' represents a directory attribute called uniqueClientId that maps to a different directory attribute called SMID.

For example:
ce12345 (uniqueClientId) → V0012345 (SMID)

SiteMinder fails to authenticate the 'sub' in the JWT because the User Directory that is tied to the policy has the effective lookup as (&(SMID=ID-From-Login)(objectclass=imExtensions))

My current allow policy in my Domain is set to allow "All" as well which we are currently using for testing.

If the client replaces the 'sub' in the JWT with V0012345, we are able to authenticate because of how the lookup is configured for the User Directory, which works as it should, but the client does not know the mapped values in our directory.

QUESTION:
How do we configure the SiteMinder policy to map and authenticate the 'sub' when it maps uniqueClientId rather than the SMID?

Environment

Release : ALL

Component : SITEMINDER -POLICY SERVER

Resolution

Since the client's JWT cannot include the SMID attribute that is currently part of the lookup string in the user store, you will need to make a copy of the user store and use the uniqueClientId attribute that is included in the JWT in the new user store lookup. Using the example given, the lookup in the new user store would be:
(&(uniqueClientId=ID-From-Login)(objectclass=imExtensions))

This cannot be addressed via policy because policy evaluation does not take place until there is an authentication result.  All authentication occurs within the auth scheme prior to any policy evaluation.
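The following is an added illustration, not code from the article or from SiteMinder itself. It evaluates the two user directory lookup strings from the article against a small constructed in-memory directory, substituting the JWT 'sub' for ID-From-Login the way the auth scheme does, to show why the original SMID-based lookup finds no user for a 'sub' of ce12345 while the uniqueClientId-based copy does. The filter parser is a deliberately minimal subset of RFC 4515 written for this example, the directory entries and DNs are constructed sample data, and the RFC 4515 value escaping is a defensive detail added here (any real user store does this on the client side of the LDAP bind, not in the policy) so that a 'sub' containing filter metacharacters cannot change the shape of the lookup.

```python
"""Added example: evaluate SiteMinder-style user store lookup strings
against a constructed in-memory directory (not part of the KB article)."""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample directory; attribute values mirror the article's example.
DIRECTORY: List[Dict[str, Any]] = [
    {"dn": "uid=ce12345,ou=people,dc=example,dc=com",      # hypothetical DN
     "uniqueClientId": "ce12345", "SMID": "V0012345",
     "objectclass": ["top", "person", "imExtensions"]},
    {"dn": "uid=ce99999,ou=people,dc=example,dc=com",      # hypothetical DN
     "uniqueClientId": "ce99999", "SMID": "V0099999",
     "objectclass": ["top", "person", "imExtensions"]},
]

# The two lookup strings discussed in the article.
ORIGINAL_LOOKUP = "(&(SMID=ID-From-Login)(objectclass=imExtensions))"
NEW_LOOKUP = "(&(uniqueClientId=ID-From-Login)(objectclass=imExtensions))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value placed inside a filter (defensive addition)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 hex escapes when comparing a parsed value."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, login_id: str) -> str:
    """Substitute the identifier taken from the credential (the JWT 'sub')."""
    return template.replace("ID-From-Login", escape_filter_value(login_id))


def parse_filter(text: str) -> Tuple:
    """Parse a subset of RFC 4515: (&...), (|...), (!...), (attr=value)."""
    pos = 0

    def node() -> Tuple:
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError("expected ')' at %d" % pos)
            pos += 1
            return (op, children)
        end = text.index(")", pos)          # escaped ')' is '\29', so safe
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr, unescape_filter_value(value))

    result = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return result


def matches(node: Tuple, entry: Dict[str, Any]) -> bool:
    """Evaluate a parsed filter; attribute names and values compared case-insensitively."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        for key, stored in entry.items():
            if key.lower() == attr.lower():
                values = stored if isinstance(stored, list) else [stored]
                return any(v.lower() == value.lower() for v in values)
        return False
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not any(matches(c, entry) for c in children)   # "!"


def lookup(template: str, login_id: str) -> List[str]:
    """Return the DNs the user store lookup would resolve for this login id."""
    parsed = parse_filter(build_filter(template, login_id))
    return [e["dn"] for e in DIRECTORY if matches(parsed, e)]


if __name__ == "__main__":
    for name, tmpl in (("original", ORIGINAL_LOOKUP), ("new", NEW_LOOKUP)):
        print(name, "lookup for sub=ce12345 ->", lookup(tmpl, "ce12345"))
```

With the JWT 'sub' of ce12345, the original lookup resolves no entry (SMID holds V0012345), so the auth scheme has nothing to authenticate; the copied user store with uniqueClientId in its lookup resolves the same entry the client would have matched had it known V0012345. Because this substitution happens inside the authentication scheme, no policy rule evaluated afterwards can repair a lookup that returned no user.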