Nested group in attribute statement for legacy and/or partnership federation


Article ID: 233165



SITEMINDER CA Single Sign On Federation (SiteMinder)


How do I add the user's nested groups in the assertion's attribute statement for legacy or partnership federation?


Release : 12.8.04 and above

Component :  Federation


The attribute statement in the assertion can be used to send additional information to the service provider or assertion consumer.


The SiteMinder policy server generates a set of user attributes by default, and any of them can be sent in the attribute statement. The list of SiteMinder-generated user attributes is documented here.

The SiteMinder-generated user attribute SM_USERNESTEDGROUPS holds all the groups, including nested groups, of the authenticated user. To include the authenticated user's nested groups in the attribute statement, add an assertion attribute with a type of "User Attribute" and a value of "SM_USERNESTEDGROUPS".

Here is an example configuration from partnership federation:

Assertion Attributes: mygroups
Retrieval Method: BOTH
Format: Unspecified
Type: User Attribute 

With this configuration, the nested groups appear in the attribute statement under an attribute element of the form:

            <ns2:Attribute Name="mygroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
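As an added example (not part of the original article or of SiteMinder itself), here is how a service provider could read the "mygroups" attribute back out of an assertion built the way the configuration above describes. The assertion text is constructed for the example; it assumes each group is delivered as its own AttributeValue and that the SP's SAML library has already verified the assertion's signature and conditions before these values are consulted.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace and the NameFormat that "Format: Unspecified" produces.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# CONSTRUCTED sample assertion (not captured from SiteMinder). The "mygroups"
# attribute name mirrors the article's configuration; the group DNs and the
# one-value-per-group layout are assumptions for the example. The repeated
# Finance entry shows why the consumer de-duplicates.
SAMPLE_ASSERTION = """<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" Version="2.0">
  <ns2:Issuer>https://idp.example.test</ns2:Issuer>
  <ns2:AttributeStatement>
    <ns2:Attribute Name="mygroups" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <ns2:AttributeValue>cn=Finance,ou=Groups,dc=example,dc=test</ns2:AttributeValue>
      <ns2:AttributeValue>cn=AllStaff,ou=Groups,dc=example,dc=test</ns2:AttributeValue>
      <ns2:AttributeValue>cn=Finance,ou=Groups,dc=example,dc=test</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <ns2:AttributeValue>jdoe@example.test</ns2:AttributeValue>
    </ns2:Attribute>
  </ns2:AttributeStatement>
</ns2:Assertion>"""


def assertion_attributes(xml_text, name_format=UNSPECIFIED):
    """Return {Name: [values]} for every Attribute whose NameFormat matches.

    Per SAML 2.0 a missing NameFormat means "unspecified", so absent is accepted.
    This parser assumes signature and Conditions were validated upstream; group
    membership taken from an unverified assertion must not drive authorization.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("NameFormat", UNSPECIFIED) != name_format:
            continue
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def nested_groups(xml_text, attr_name="mygroups"):
    """De-duplicated set of groups carried by attr_name; empty if the attribute is absent."""
    return {g for g in assertion_attributes(xml_text).get(attr_name, []) if g}


def is_member(xml_text, group_dn, attr_name="mygroups"):
    """Case-insensitive membership test, since LDAP DNs compare case-insensitively."""
    return group_dn.lower() in {g.lower() for g in nested_groups(xml_text, attr_name)}
```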

Additional Information

- Nested group information is available in the partnership model from version 12.8.04 onward

- The user directory configuration in the SiteMinder Administrative UI should be configured to support nested groups