Ignore case sensitivity when matching user in partnership Policy Server
search cancel

Ignore case sensitivity when matching user in partnership Policy Server


Article ID: 233883


Updated On:


SITEMINDER CA Single Sign On Federation (SiteMinder)



When running a Policy Server as Service Provider, when the
SAMLResponse reaches it, the user ID is lowercase, when the User ID in
the Oracle ODBC User Directory is uppercase. This makes the Policy
Server being unable to log in the user.

Is there's a way to convert the user ID before sending the user ID to
the User Directory before authenticating it ?




At first glance, the Oracle ODBC User Directory doesn't find the user
if the User ID doesn't fit the case. So the solution is to make the
User Directory to be case unsensitive.

Modification of the User ID might be possible, the Assertion Generator
can be customized (1).

Here are some extracts from the SDK samples where it might be possible
to modify the User ID which mainly comes from the NameID from the
Assertion : 

  SAML2AssertionSample.java :

   * Saml2AssertionSample
   * This Assertion Generator Plugin modifies SAML 2.0 assertion in following two ways:
   * - Change value of NameID element (/ns2:Assertion/ns2:Subject/ns2:NameID) in assertion
   * -     to the email address by appending a fixed string to it. In this file, a fixed string 
   * -     @mycomany.com is used. For this there is no need to specify any parameter in 
   * -     parameter text field of advanced tab of SP object
   * - add new attributes in assertion from UserContext as defined in parameter text of 
   * -     advanced tab of SP Object
           * Change the value of NameId element. Add a string @mycompany.com to the existing value 
           * of NameID. If user wants to change the value of NameID element with some other attribute
           * from User Directory then it needs get the value of that attribute and set it in
           * the Assertion for NameID. Here the Attribute is specified from the second parameter

  AssertionSample.java :

   * AssertionSample
   * This Assertion Generator Plugin modifies assertion :
   * - remove "xmlns:SM" attribute from header
   * - Change from user dn to user email in saml:AttributeStatement/saml:Subject/saml:NameIdentifier
   * - changing user identification from dn to email
   * - Change attributes from SM:NVpair to saml:Attribute
   * - add new attributes from UserContext
   * - change saml:NameIdentifier Format for Authentication statement from "uid" to "email"

Moreover, the code will need to know which letters to change the case
in order to match what's in the User Directory. This might not be

Oracle ODBC is known to be case sensitive (2).


Additional Information



    Implement the Java Assertion Generator Plug-in Interface


    Directory Mapping Case Sensitivity

      Case-sensitive directories, such as an Oracle database, treat the
      values "ROBIN" and "robin" as two different user names. Other
      directories, such as an LDAP directory, are not case-sensitive and
      treat the values "Robin", "ROBIN", "robin", and "RobIn" as the same
      user name. A conflict can occur if the authentication directory is not
      case-sensitive, but the authorization directory is case-sensitive.