Does SiteMinder federation support validation Identity Mapping?

Article ID: 226250

Updated On:

Products

SITEMINDER

CA Single Sign On Federation (SiteMinder)

CA Single Sign On Secure Proxy Server (SiteMinder)

Issue/Introduction

A customer tried to use Validation Identity Mapping on a federation application, but the user could not be authorized.

Cause

From Release 12.8.03, Identity Mapping in a SAML 2.0 IdP -> SP federation partnership lets you authenticate users with one user directory and authorize them with another user directory at the IdP. The assertion attributes are returned from the user directory that authorizes the user.

The following topics describe Identity Mapping in federation partnerships.

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/generate-aggregate-user-attributes-in-saml-2-0-federation/identity-mapping-in-saml-2-0-federation.html

When we checked IDENTITY_MAP in SAML 2.0 Federation, there was no mention of Validation Identity Mapping, only "create an Authentication-Authorization identity mapping".

However, the video states that this feature, added in Release 12.8.03, supports only Authentication-Authorization identity mapping, NOT Validation Mapping.

Environment

Release : 12.8

Component : SITEMINDER FEDERATION END POINT

Resolution

The product is working as designed. Starting from Release 12.8.03, a SiteMinder SAML 2.0 IdP -> SP federation partnership supports Authentication-Authorization identity mapping, but does NOT include Validation Mapping.

Additional Information

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/generate-aggregate-user-attributes-in-saml-2-0-federation/identity-mapping-in-saml-2-0-federation.html