When running a Policy Server as Service Provider, when the
SAMLResponse reaches it, the user ID is lowercase, whereas the User ID
in the Oracle ODBC User Directory is uppercase. This makes the Policy
Server unable to log in the user.
Is there a way to convert the user ID before sending it to the User
Directory for authentication?
At first glance, the Oracle ODBC User Directory doesn't find the user
if the User ID doesn't match the case. So the solution is to make the
User Directory case-insensitive.
Modifying the User ID might be possible, since the Assertion Generator
can be customized (1).
Here are some extracts from the SDK samples where it might be possible
to modify the User ID, which mainly comes from the NameID in the
Assertion:
SAML2AssertionSample.java:
/**
* Saml2AssertionSample
*
* This Assertion Generator Plugin modifies SAML 2.0 assertion in following two ways:
* - Change value of NameID element (/ns2:Assertion/ns2:Subject/ns2:NameID) in assertion
* - to the email address by appending a fixed string to it. In this file, a fixed string
* - @mycompany.com is used. For this there is no need to specify any parameter in
* - parameter text field of advanced tab of SP object
* - add new attributes in assertion from UserContext as defined in parameter text of
* - advanced tab of SP Object
*/
/**
* Change the value of NameId element. Add a string @mycompany.com to the existing value
* of NameID. If user wants to change the value of NameID element with some other attribute
* from User Directory then it needs get the value of that attribute and set it in
* the Assertion for NameID. Here the Attribute is specified from the second parameter
*/
AssertionSample.java:
/**
* AssertionSample
*
* This Assertion Generator Plugin modifies assertion :
* - remove "xmlns:SM" attribute from header
* - Change from user dn to user email in saml:AttributeStatement/saml:Subject/saml:NameIdentifier
* - changing user identification from dn to email
* - Change attributes from SM:NVpair to saml:Attribute
* - add new attributes from UserContext
* - change saml:NameIdentifier Format for Authentication statement from "uid" to "email"
*/
Moreover, the code would need to know which letters to change the case
of in order to match what's in the User Directory. This might not be
possible.
Oracle ODBC is known to be case sensitive (2).
(1)
Implement the Java Assertion Generator Plug-in Interface
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/federation-programming/federation-java-sdk/using-the-federation-java-sdk.html#concept.dita_ef99784186a03888687b3317fc84c2612dee5829_JavaSDKSampleApplicationDeploymentattheRelyingParty
(2)
Directory Mapping Case Sensitivity
Case-sensitive directories, such as an Oracle database, treat the
values "ROBIN" and "robin" as two different user names. Other
directories, such as an LDAP directory, are not case-sensitive and
treat the values "Robin", "ROBIN", "robin", and "RobIn" as the same
user name. A conflict can occur if the authentication directory is not
case-sensitive, but the authorization directory is case-sensitive.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/directory-mapping/directory-mapping-examples.html
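To illustrate the NameID rewrite that the SDK sample comments above describe, here is an added, stand-alone Java example. It is not code from the Broadcom SDK samples or from the Policy Server, and it does not implement the Assertion Generator plug-in interface itself; it only shows the XML step such a plug-in would perform: parse the assertion, locate Subject/NameID and rewrite its value to one fixed case. The class name, the CasePolicy enum and the sample assertion are assumptions constructed for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.util.Locale;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.dom.DOMSource;
import javax.xml.transform.stream.StreamResult;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Node;

// Hypothetical helper, not part of the SiteMinder SDK.
public class NameIdCaseNormalizer {

    // Constructed sample assertion (not captured from a real Policy Server).
    // The NameID arrives lowercase while the ODBC directory stores ROBIN.
    static final String SAMPLE_ASSERTION =
        "<saml2:Assertion xmlns:saml2=\"urn:oasis:names:tc:SAML:2.0:assertion\" ID=\"_constructed1\">"
      + "<saml2:Subject>"
      + "<saml2:NameID Format=\"urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified\">robin</saml2:NameID>"
      + "</saml2:Subject>"
      + "</saml2:Assertion>";

    // The directory's storage convention must be known up front; per-letter
    // case cannot be recovered from the incoming value.
    enum CasePolicy { UPPER, LOWER }

    public static String normalizeNameId(String assertionXml, CasePolicy policy) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        // The assertion is untrusted input: refuse DTDs and external entities.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setExpandEntityReferences(false);
        DocumentBuilder db = dbf.newDocumentBuilder();
        Document doc = db.parse(new ByteArrayInputStream(assertionXml.getBytes(StandardCharsets.UTF_8)));

        // local-name() matches regardless of the prefix (ns2:, saml2:, saml:) an IdP uses.
        XPath xpath = XPathFactory.newInstance().newXPath();
        Node nameId = (Node) xpath.evaluate(
            "/*[local-name()='Assertion']/*[local-name()='Subject']/*[local-name()='NameID']",
            doc, XPathConstants.NODE);
        if (nameId == null) {
            throw new IllegalArgumentException("assertion has no Subject/NameID");
        }

        // Locale.ROOT keeps the mapping deterministic (e.g. no Turkish dotted/dotless i surprises).
        String value = nameId.getTextContent().trim();
        String normalized = policy == CasePolicy.UPPER
            ? value.toUpperCase(Locale.ROOT)
            : value.toLowerCase(Locale.ROOT);
        nameId.setTextContent(normalized);

        Transformer t = TransformerFactory.newInstance().newTransformer();
        StringWriter out = new StringWriter();
        t.transform(new DOMSource(doc), new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(normalizeNameId(SAMPLE_ASSERTION, CasePolicy.UPPER));
    }
}
```

Two design points follow from the thread. First, a fixed policy (all upper or all lower) is the only thing code can apply; if the directory holds mixed-case IDs such as "RobIn", no rewrite can reconstruct them, which is the limitation the answer points out. Second, any such rewrite has to happen where the Assertion Generator plug-in runs, before the assertion is signed; rewriting a received, signed assertion on the Service Provider side would invalidate its signature.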