Adding SESSIONSPEC to OIDC claim

Article ID: 208070

Products

SITEMINDER

Issue/Introduction

We're running a Policy Server and we'd like to know how to add the
SESSIONSPEC to the OIDC claims of a given user.

How can we achieve this?

Resolution

At first glance, SESSIONSPEC is not a user attribute.

As per the documentation, claims are populated from user attributes; the
only SiteMinder-generated attributes that can be mapped are
SM_USERGROUPS and SM_USERNESTEDGROUPS:

  Configure SiteMinder as OpenID Connect Provider

    6. Complete the following fields in the Authentication and
       Authorization section:

       User Directories

       Specify the list of user directories that SiteMinder uses for
       authorizing and retrieving claims information.

    [...]

    8. Complete the following fields in the Mappings section:

       Define mapping of claims with a user directory in Claims
       Mapping. Enter a claim name and the corresponding user attribute in
       a defined user directory, and click Add Row. You can add multiple
       claims with same name but for different column names. The user
       directory attribute can be a user attribute, virtual mapped
       attribute, or SiteMinder generated attributes SM_USERGROUPS or
       SM_USERNESTEDGROUPS.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-siteminder-as-openid-connect-provider/configure-ca-single-sign-on-as-openid-connect-provider.html

You may be able to insert other values as claims by developing a
custom plug-in. That might let you set a specific claim:

  Generate Custom Claims

    You can customize the claims if Relying Party requires claims in a
    specific format or if different Client applications require multiple
    claims in different formats. To customize, implement a plug-in class
    that adheres to the OIDC IClaimsPlugin interface that is available in
    SiteMinder Java SDK. The plug-in lets you customize claims and return
    the customized claims in ID Token or UserInfo response.

  https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/use-ca-single-sign-on-as-openid-connect-provider/generate-custom-claims.html
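The claims-mapping rules and the plug-in hook quoted above, as an added Python model that is not SiteMinder SDK code: it resolves Claims Mapping rows against a constructed user directory plus the two generated group attributes, shows that a row pointing at SESSIONSPEC resolves to nothing, and then hands the result to an optional post-processing hook standing in for an IClaimsPlugin. The directory data, the group hierarchy, the "first resolving row wins" rule for duplicate claim names, and the hook signature are assumptions.

```python
"""Model of SiteMinder OIDC claims mapping (illustrative, not SDK code)."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample data: one user directory record and a group hierarchy.
USER_DIR = {
    "uid=jdoe": {"uid": "jdoe", "mail": "jdoe@example.test", "cn": "John Doe"},
}
USER_GROUPS = {"uid=jdoe": ["devs"]}                       # direct memberships
GROUP_PARENTS = {"devs": ["engineering"], "engineering": ["staff"], "staff": []}


def nested_groups(direct: List[str]) -> List[str]:
    """Transitive closure of membership, as SM_USERNESTEDGROUPS would expose it."""
    seen: List[str] = []
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.append(group)
            stack.extend(GROUP_PARENTS.get(group, []))
    return sorted(seen)


def resolve_attribute(user_dn: str, attr: str) -> Optional[object]:
    """Resolve one mapping-row source: a directory attribute or a generated one.
    Anything else (e.g. SESSIONSPEC, which is session state, not directory
    data) has no value here, so the claim is simply not emitted."""
    record = USER_DIR.get(user_dn, {})
    if attr in record:
        return record[attr]
    if attr == "SM_USERGROUPS":
        return USER_GROUPS.get(user_dn, [])
    if attr == "SM_USERNESTEDGROUPS":
        return nested_groups(USER_GROUPS.get(user_dn, []))
    return None


def build_claims(user_dn: str, rows: List[Tuple[str, str]],
                 plugin: Optional[Callable[[str, Dict[str, object]],
                                           Dict[str, object]]] = None) -> Dict[str, object]:
    """Apply Claims Mapping rows (claim name, directory attribute); assumption:
    the first row that resolves for a given claim name wins. A custom plug-in
    (IClaimsPlugin in the real SDK; hook signature assumed) may then rewrite
    the claims before they go into the ID Token or UserInfo response."""
    claims: Dict[str, object] = {}
    for claim, attr in rows:
        if claim in claims:
            continue
        value = resolve_attribute(user_dn, attr)
        if value is not None:
            claims[claim] = value
    return plugin(user_dn, claims) if plugin else claims
```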