SiteMinder Attribute Mapping Performance Impact

Article ID: 212379

Products

SITEMINDER

Issue/Introduction

Consider a Policy Server with a User Directory that has attribute
mappings configured such as:

  TRANSLATE(Filter(ENUMERATE(SM_USERNESTEDGROUPS,STRING(RDN(STRING(%0),FALSE))),'myPref-*'),'myPref-','')
  OR
  TRANSLATE(Filter(businessCategory,'ROLE=myRole-*'),'ROLE=myRole-','')

Does the Policy Server calculate these mappings every time they are
requested, or only when they are used in a Response or a SAML
assertion?

Resolution

At first glance, an attribute value is calculated and retrieved from
the LDAP server whenever a request needs it. This happens when
identifying the user and when verifying the user credentials. It is
also calculated for a Response. Note that for a Response you can cache
the value, so that the Policy Server does not calculate it again for
an interval of time (1)(2).

So for a Response, you can configure whether the attribute value is
cached or recalculated after a given time in seconds (3).
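
A small Python model of the behaviour described above, added here as an illustration and not Broadcom or Policy Server code: it evaluates the second mapping expression on constructed businessCategory values and counts directory searches for a given recalculation interval. The wildcard and replace semantics, the class and function names, and the sample values are assumptions.

```python
import fnmatch

def map_roles(values, pattern="ROLE=myRole-*", prefix="ROLE=myRole-"):
    """Model of TRANSLATE(Filter(businessCategory, pattern), prefix, '')."""
    kept = [v for v in values if fnmatch.fnmatchcase(v, pattern)]  # Filter (assumed glob match)
    return [v.replace(prefix, "") for v in kept]                   # TRANSLATE (assumed replace)

class Directory:
    """Constructed stand-in for the LDAP user store; counts searches."""
    def __init__(self, business_category):
        self.business_category = list(business_category)
        self.searches = 0

    def read_business_category(self):
        self.searches += 1
        return list(self.business_category)

class ResponseAttribute:
    """Response attribute recalculated every `interval` seconds (0 = no caching)."""
    def __init__(self, directory, interval):
        self.directory, self.interval = directory, interval
        self._value, self._computed_at = None, None

    def value(self, now):
        fresh = (self._computed_at is not None
                 and now - self._computed_at < self.interval)
        if not fresh:
            # Cache miss: one directory search plus one mapping evaluation.
            self._value = map_roles(self.directory.read_business_category())
            self._computed_at = now
        return self._value

def simulate(interval, request_times, revoke_at=None):
    """Return (directory searches, value served on the last request)."""
    # Constructed sample values for one user's businessCategory attribute.
    d = Directory(["ROLE=myRole-admin", "ROLE=myRole-audit", "ROLE=other-x", "staff"])
    attr = ResponseAttribute(d, interval)
    last = None
    for t in request_times:
        if revoke_at is not None and t >= revoke_at:
            # The admin role is removed in the directory from this time on.
            d.business_category = [v for v in d.business_category
                                   if v != "ROLE=myRole-admin"]
        last = attr.value(t)
    return d.searches, last
```

In this model, one request every 10 seconds for 5 minutes costs 30 searches with an interval of 0 and 5 searches with an interval of 60. The trade-off is that a role removed in the directory at t=250 is still served from the cached value at t=290.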

Additional Information

(1)

    Use Authentication Guidelines to Estimate Directory Searches

      (Required) Two searches to authenticate each user:

       - One search/query, per store, to identify the user
       - One search/query to verify the user credentials

      (Optional) Additional searches may be required depending on how you
      design policies and if you decide to enable Password Services:

       - One search/query for each policy that is bound to a response
         that returns user attributes.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/implementing/implementing-siteminder/performance-tuning/data-tier-performance.html

(2)

    SM_USERGROUPS and webagents
    https://knowledge.broadcom.com/external/article?articleId=130878

(3)

    Attribute Caching

    For SAML assertions, attributes are cached in the Session Store:

    Supply SAML Attributes as HTTP Headers

      If the authentication scheme redirect mode parameter is set to
      PersistAttributes, the Policy Server caches the attributes in the
      session store as session variables.

      The Policy Server retrieves the attributes by a configured response.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/legacy-federation/configure-as-a-saml-1-x-consumer/supply-saml-attributes-as-http-headers.html