Help with OIDC for Additional Claims in ID Token

book

Article ID: 221043

calendar_today

Updated On:

Products

CA API Gateway

Issue/Introduction

-Help with OIDC configuration for the use case which
requires.Additional Claims Mapping and Scope Mappings.
 

-- [TROUBLESHOOTING] ---

OIDC works as per the SiteMinder document with regular WebAgent.

When it fails userDirectoryOID is empty 

[clientId=63d4adb4-de15-4732-8abc-9ada348f1174, userId=employeenumber=99999,ou=people,dc=home,dc=com, redirectURI=https://auth.launchpad-dev.home.com/oidc, scope=profile, authTime=1613768954, userDirectoryOID=

 

 

Cause

The directory OID comes from the API call for authentication at the policy serve which is store in the session spec, which can be only read by the policy.  For this scenario to work the SSO custom agent on the  APIM gateway must add the Dir_OID to the smsession cookie

 

Environment

Release : 10.0

Component : OTK INSTALLER

Resolution

Fix provide in defect DE497936

SiteMinder fix update the SSO SDK on gateway

/opt/CA/sdk/bin64/libsmjavaagentapi.so

APIM fix will go in 

/opt/SecureSpan/Gateway/runtime/lib/

The official release is in 10.1 and will be included in GW 10 CR04 

 

Additional Information

Version: 12.8; Update: 05.00; Build: 2546; CR: 00;

Windows 2016

Oracle LDAP 11.1.1.4

Decode without fix  (NO ATTIB 151 - Dir_OID)

Decode SSO Token.....................:
Session Cookie:  jF2dHW7Lan.......b7IxuwFx9hHnyOjB0=
Token: [email protected]
Token ver: 401
Error Code: 0 (SUCCESS)


Token Version........................:  401
Thirdparty Token.....................:  true
Attributes from Token................:  200     sm611841-gw-10-1-sdk-th1
                                        218     cn=AUser105,ou=APSUsers,o=userstore,c=US
                                        209     Iav9AA6rjFLM+W6JOt1OgDCmsZBRuqDJ1AoOheD2ZdEW4T8J0+/BVHWsMyVxCSwtS3B06Mw5+g0mA5F5tQbDpTZGCY+ND5IiFc6qu85XTinaWo938XA36egKb/iXKBjerStZjTRShvEZ/kqneOuTeFpyEl4zH81FF6Y7SudsvA9T7cDy0mdXj/wYAghQiaPAooq9hOgdeP0fWOqr7HOiwiXfIXxyktgpj/o0axVf2lkjpFCLrfsEmDUGGhM6zhClhiOemHmCMD46K2/el/z81SMEsCNdcESNlnmRgg/2SmVasipDdmbuWnDjBrv9k4oJEOwI1NtJ47zSBsWUUKRGggl7ceBUYfKZWP9DQ7Jmq3Du0uW7/8Rzx0fK/n5EoLqdVYqPvYuXdmOS6E2rmHcfQnuf8yBTN0ULVf2IPaRzh7HqpfkgXCW+jmf8g36g3iIwURIfu+16Q/1Lz8h/xJ0PKg==
                                        205     bks9jpCdwcHcs4zRxFmxe8I+c04=
                                        210     a105
                                        208     10.230.151.13
                                        225     3600
                                        226     7200
                                        154     1628002603
                                        155     1628002639
                                        228     SM


Decode with fix  (ATTIB 151 - Dir_OID = 0e-0008f9e2-68b7-10c7-887f-39bf0a4a0000

Decode SSO Token.....................:
Session Cookie:  jF2dHW7Lan.......b7IxuwFx9hHnyOjB0=
Token: [email protected]
Token ver: 401
Error Code: 0 (SUCCESS)


Token Version........................:  401
Thirdparty Token.....................:  true
Attributes from Token................:  200     sm611841-gw-10-4-sdk-th1
                                        218     cn=AUser105,ou=APSUsers,o=userstore,c=US
                                        209     Iav9AA6rjFLM+W6JOt1OgDCmsZBRuqDJ1AoOheD2ZdEW4T8J0+/BVHWsMyVxCSwtS3B06Mw5+g0mA5F5tQbDpTZGCY+ND5IiFc6qu85XTinaWo938XA36egKb/iXKBjerStZjTRShvEZ/kqneOuTeFpyEl4zH81FF6Y7SudsvA9T7cDy0mdXj/wYAghQiaPAooq9hOgdeP0fWOqr7HOiwiXfIXxyktgpj/o0axVf2lkjpFCLrfsEmDUGGhM6zhClhiOemHmCMD46K2/el/z81SMEsCNdcESNlnmRgg/2SmVasipDdmbuWnDjBrv9k4oJEOwI1NtJ47zSBsWUUKRGggl7ceBUYfKZWP9DQ7Jmq3Du0uW7/8Rzx0fK/n5EoLqdVYqPvYuXdmOS6E2rmHcfQnuf8yBTN0ULVf2IPaRzh7HqpfkgXCW+jmf8g36g3iIwURIfu+16Q/1Lz8h/xJ0PKg==
                                        205     bks9jpCdwcHcs4zRxFmxe8I+c04=
                                        210     a105
                                        208     10.230.151.13
                                        225     3600
                                        226     7200
                                        154     1628002603
                                        155     1628002639
                                        228     SM
                                        151     0e-0008f9e2-68b7-10c7-887f-39bf0a4a0000