Help with OIDC configuration for the use case that requires additional claims mapping and scope mappings.
-- [TROUBLESHOOTING] ---
OIDC works as per the SiteMinder document with regular WebAgent.
When it fails, userDirectoryOID is empty:
[clientId=<clientid>, userId=employeenumber=99999,<BaseDN>, redirectURI=https://<authHostname_doman>/oidc, scope=profile, authTime=1613768954, userDirectoryOID=
Release : 10.0
Component : OTK INSTALLER
The directory OID comes from the authentication API call at the policy server. It is stored in the session spec, which can only be read by the policy. For this scenario to work, the SSO custom agent on the APIM gateway must add the Dir_OID to the SMSESSION cookie.
The fix is provided in defect DE497936.
The SiteMinder fix updates the SSO SDK on the gateway:
/opt/CA/sdk/bin64/libsmjavaagentapi.so
The APIM fix will go in:
/opt/SecureSpan/Gateway/runtime/lib/
The official release is in 10.1 and will be included in GW 10 CR04
Version: 12.8; Update: 05.00; Build: 2546; CR: 00;
Windows 2016
Oracle LDAP 11.1.1.4
Decode without fix (NO ATTRIB 151 - Dir_OID)
Decode SSO Token.....................:
Session Cookie: jF2dHW7Lan.......b7IxuwFx9hHnyOjB0=
Token: netegrity.siteminder.javaagent.TokenDescriptor@610455d6
Token ver: 401
Error Code: 0 (SUCCESS)
Token Version........................: 401
Thirdparty Token.....................: true
Attributes from Token................: 200 <trustHostname>
218 cn=<username>,<BaseDN>
209 Iav9AA6rjFLM+W6JOt1OgDCmsZBRuqDJ1AoOheD2ZdEW4T8J0+/BVHWsMyVxCSwtS3B06Mw5+g0mA5F5tQbDpTZGCY+ND5IiFc6qu85XTinaWo938XA36egKb/iXKBjerStZjTRShvEZ/kqneOuTeFpyEl4zH81FF6Y7SudsvA9T7cDy0mdXj/wYAghQiaPAooq9hOgdeP0fWOqr7HOiwiXfIXxyktgpj/o0axVf2lkjpFCLrfsEmDUGGhM6zhClhiOemHmCMD46K2/el/z81SMEsCNdcESNlnmRgg/2SmVasipDdmbuWnDjBrv9k4oJEOwI1NtJ47zSBsWUUKRGggl7ceBUYfKZWP9DQ7Jmq3Du0uW7/8Rzx0fK/n5EoLqdVYqPvYuXdmOS6E2rmHcfQnuf8yBTN0ULVf2IPaRzh7HqpfkgXCW+jmf8g36g3iIwURIfu+16Q/1Lz8h/xJ0PKg==
205 bks9jpCdwcHcs4zRxFmxe8I+c04=
210 a105
208 <ClientIP>
225 3600
226 7200
154 1628002603
155 1628002639
228 SM
Decode with fix (ATTRIB 151 - Dir_OID = 0e-0008f9e2-68b7-10c7-887f-39bf0a4a0000)
Decode SSO Token.....................:
Session Cookie: jF2dHW7Lan.......b7IxuwFx9hHnyOjB0=
Token: netegrity.siteminder.javaagent.TokenDescriptor@610455d6
Token ver: 401
Error Code: 0 (SUCCESS)
Token Version........................: 401
Thirdparty Token.....................: true
Attributes from Token................: 200 <TrustHost>
218 cn=<UserName>,<BaseDN>
209 Iav9AA6rjFLM+W6JOt1OgDCmsZBRuqDJ1AoOheD2ZdEW4T8J0+/BVHWsMyVxCSwtS3B06Mw5+g0mA5F5tQbDpTZGCY+ND5IiFc6qu85XTinaWo938XA36egKb/iXKBjerStZjTRShvEZ/kqneOuTeFpyEl4zH81FF6Y7SudsvA9T7cDy0mdXj/wYAghQiaPAooq9hOgdeP0fWOqr7HOiwiXfIXxyktgpj/o0axVf2lkjpFCLrfsEmDUGGhM6zhClhiOemHmCMD46K2/el/z81SMEsCNdcESNlnmRgg/2SmVasipDdmbuWnDjBrv9k4oJEOwI1NtJ47zSBsWUUKRGggl7ceBUYfKZWP9DQ7Jmq3Du0uW7/8Rzx0fK/n5EoLqdVYqPvYuXdmOS6E2rmHcfQnuf8yBTN0ULVf2IPaRzh7HqpfkgXCW+jmf8g36g3iIwURIfu+16Q/1Lz8h/xJ0PKg==
205 bks9jpCdwcHcs4zRxFmxe8I+c04=
210 a105
208 <ClientIP>
225 3600
226 7200
154 1628002603
155 1628002639
228 SM
151 0e-0008f9e2-68b7-10c7-887f-39bf0a4a0000
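To confirm on a given gateway whether the fix is in effect, the two symptoms above (empty userDirectoryOID in the OIDC log line, no attribute 151 in the token decode) can be checked mechanically. The following is an added example, not part of the original article or of any Broadcom tool; the function names are hypothetical, the samples are constructed and abridged from the decodes above, and it assumes the decode text is laid out as shown on this page.

```python
import re

DIR_OID_ATTR = 151  # attribute the article labels Dir_OID

# Constructed samples, abridged from the decodes above (placeholders kept).
WITHOUT_FIX = """Token Version........................: 401
Thirdparty Token.....................: true
Attributes from Token................: 200 <TrustHost>
218 cn=<UserName>,<BaseDN>
210 a105
228 SM"""
WITH_FIX = WITHOUT_FIX + "\n151 0e-0008f9e2-68b7-10c7-887f-39bf0a4a0000"
FAILING_LOG = "[clientId=<clientid>, scope=profile, authTime=1613768954, userDirectoryOID="

def parse_token_attributes(decode_output):
    """Return {attribute_id: value} for one token decode dump."""
    attrs, in_attrs = {}, False
    for line in decode_output.splitlines():
        line = line.strip()
        if line.startswith("Attributes from Token"):
            in_attrs = True
            line = line.split(":", 1)[-1].strip()  # first attribute shares this line
        if not in_attrs or not line:
            continue
        m = re.match(r"(\d+)(?:\s+(.*))?$", line)
        if not m:
            break  # first non-attribute line ends the attribute list
        attrs[int(m.group(1))] = (m.group(2) or "").strip()
    return attrs

def dir_oid_present(decode_output):
    """True only if attribute 151 exists and is non-empty."""
    return bool(parse_token_attributes(decode_output).get(DIR_OID_ATTR))

def user_directory_oid(log_line):
    """Value of userDirectoryOID in an OIDC log line; '' if empty, None if absent."""
    m = re.search(r"userDirectoryOID=([^,\]\s]*)", log_line)
    return m.group(1) if m else None

if __name__ == "__main__":
    print("without fix:", dir_oid_present(WITHOUT_FIX))
    print("with fix:   ", dir_oid_present(WITH_FIX))
    print("log OID:    ", repr(user_directory_oid(FAILING_LOG)))
```

An empty string from `user_directory_oid` together with `dir_oid_present` returning `False` matches the failing case described above.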