[SiteMinder][OIDC] User directory mapping in OIDC Authorization Server

Article ID: 221349

Products: SITEMINDER; CA Single Sign On Federation (SiteMinder); CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

The documentation explains Identity Mapping with the OIDC Provider.
This article demonstrates how it is actually configured when authentication is done against AD and authorization against MSSQL.

Environment

Release : 12.8.05

Authentication Directory: AD (UD1)
Authorization Directory: MSSQL (UD2)

Both directories contain "user1", and in each directory the Universal ID is set to an attribute that holds the matching value:

[UD1] samaccountname is set as the Universal ID.

[UD2] Name is set as the Universal ID.

Resolution

There is an "Enable Identity Mapping" switch that you can turn on in the Authorization Provider. (If this option is not available, upgrade to the most current version.)

You first need two user directories, and then an Authentication-Authorization Identity Mapping between them.

UD1 - AD (samaccountname=user1)
UD2 - SQLDB (Name=user1)

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=7+0whq7Tl7NNVt0aWH7geg==

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=J/b5MLherVrSBas9QDaT5A==

NOTE: The FIRST NAME differs between the two directories (Sung Hoon vs User1).


Create the following Identity Mapping between AD (Authentication) and DB (Authorization).

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=e62EWxB2YbSoWGqr1+aKPA==

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=n2eXSJuNKjEup9M7IscEfQ==

Then, in the Authorization Provider, turn on the "Enable Identity Mapping" switch and select the authorization directory (DB). Before the Identity Mapping was configured, I had "KIMLABS AD" in "Selected Directories".

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=q+/pxH6gHeew0orEF4XbrA==

Next, select the Identity Mapping from the dropdown list. Because my authorization directory is a DB, I also had to specify the ODBC Search Specification (Name=%s).

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=s22z9nVsFZjzaV1ZSzxeQw==

Now change the Claims Mapping so that it refers to attributes of the Authorization Directory.

The following is what I had for AD before (cn, mail, samaccountname):

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=3cWOZkCvYpyCR5osCkSYIw==

which I changed to (FirstName, EmailAddress, Name):

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=F2NKphZPat/10GNY2cf7hQ==

Now when I initiate the OIDC flow, I still log in as the AD user (user1),
but the claims delivered to the OIDC client carry the DB-side user attributes.

https://api-broadcom-ca.wolkenservicedesk.com/attachment/get_attachment_content?uniqueFileId=1nQrmxh+E/p5ixNWfVqqIQ==

NOTE the "OIDC_CLAIM_GIVEN_NAME=Sung Hoon", which would have been "User1" if it had been fetched from AD.
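To make the mechanism concrete, here is an added example that models the flow above end to end; it is illustrative code written for this article, not SiteMinder's implementation. It authenticates against a constructed AD-like directory (UD1), takes the Universal ID attribute (samaccountname), resolves the user in a constructed SQL directory (UD2, sqlite standing in for MSSQL) through the ODBC Search Specification "Name=%s", and then builds OIDC claims from whichever directory the Claims Mapping points at. The claim names email and preferred_username, the sample password, the Users table name and the user's e-mail address are assumptions; only given_name, the attribute names and the values "user1", "User1" and "Sung Hoon" come from the article. The search specification is translated into a parameterized query so that the Universal ID value is bound, never concatenated into SQL.

```python
import hmac
import re
import sqlite3

# Constructed authentication directory (UD1, AD-like). The password is a
# constructed sample; a real AD would verify an LDAP bind instead.
AUTH_DIRECTORY = {
    "user1": {
        "samaccountname": "user1",
        "cn": "User1",
        "mail": "user1@example.com",   # assumed value
        "_password": "Passw0rd!",      # constructed sample
    },
}

UD1_UNIVERSAL_ID = "samaccountname"   # Universal ID attribute of UD1, per the article
ODBC_SEARCH_SPEC = "Name=%s"          # ODBC Search Specification, per the article

# Claims Mapping before (AD attributes) and after (DB attributes).
# Claim names other than given_name are assumed.
CLAIMS_MAPPING_AD = {"given_name": "cn", "email": "mail", "preferred_username": "samaccountname"}
CLAIMS_MAPPING_DB = {"given_name": "FirstName", "email": "EmailAddress", "preferred_username": "Name"}


def build_authorization_db():
    """Constructed authorization directory (UD2); sqlite stands in for MSSQL."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute("CREATE TABLE Users (Name TEXT PRIMARY KEY, FirstName TEXT, EmailAddress TEXT)")
    conn.execute("INSERT INTO Users VALUES (?, ?, ?)", ("user1", "Sung Hoon", "user1@example.com"))
    return conn


def authenticate(username, password):
    """Return the UD1 record (without the password) on success, else None."""
    record = AUTH_DIRECTORY.get(username)
    if record is None or not hmac.compare_digest(record["_password"], password):
        return None
    return {k: v for k, v in record.items() if not k.startswith("_")}


_IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def search_spec_to_query(search_spec, table="Users"):
    """Turn 'Name=%s' into a parameterized SELECT.

    Only '<identifier>=%s' is accepted; the %s becomes a bound parameter so the
    Universal ID value taken from the authentication directory is never
    substituted into the SQL text."""
    attr, sep, placeholder = search_spec.partition("=")
    if sep != "=" or placeholder != "%s" or not _IDENT.fullmatch(attr):
        raise ValueError(f"unsupported search specification: {search_spec!r}")
    return f"SELECT * FROM {table} WHERE {attr} = ?"


def map_identity(auth_record, conn, search_spec=ODBC_SEARCH_SPEC):
    """Identity Mapping: look the UD1 Universal ID up in UD2 via the search spec."""
    universal_id = auth_record[UD1_UNIVERSAL_ID]
    row = conn.execute(search_spec_to_query(search_spec), (universal_id,)).fetchone()
    return dict(row) if row is not None else None


def build_claims(record, claims_mapping):
    """Apply the Claims Mapping: claim name -> directory attribute."""
    return {claim: record[attr] for claim, attr in claims_mapping.items()}


def issue_claims(username, password, conn, identity_mapping_enabled):
    """Model of the Authorization Provider's behaviour with the switch off/on."""
    auth_record = authenticate(username, password)
    if auth_record is None:
        return None
    if not identity_mapping_enabled:
        return build_claims(auth_record, CLAIMS_MAPPING_AD)
    az_record = map_identity(auth_record, conn)
    if az_record is None:
        return None   # authenticated, but no matching authorization identity: no claims
    return build_claims(az_record, CLAIMS_MAPPING_DB)


if __name__ == "__main__":
    db = build_authorization_db()
    print(issue_claims("user1", "Passw0rd!", db, identity_mapping_enabled=False))
    print(issue_claims("user1", "Passw0rd!", db, identity_mapping_enabled=True))
```

With the switch off, given_name comes from AD's cn ("User1"); with it on, the same AD login yields given_name "Sung Hoon" from the DB's FirstName, which is the difference the screenshot above shows. A user who authenticates but has no row in the authorization directory gets no claims, which is the safe outcome when the mapping attribute is missing or mismatched.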
