When running a Policy Server, when does it produce the SM_USER value?
- What are all the scenarios in which the SM_USER header value is
available?
- Is the HTTP header SM_USER set in authentication failure scenarios,
or only in success use cases?
- Does SM_USER get set for the SM Authreason values 20, 22 and 24?
SM_USER is produced on all requests as soon as the user name is known
by the Policy Server, as per the documentation (1).
SM Authreason values 20, 22 and 24 represent:
ImmedPWChangeRequired = 20
BadPWChange = 22
ExcessiveFailedLoginAttempts = 24
For these values, the Password Services page uses another variable.
Because the SM_USER header is sent to the target page, it is not
available to the Password Services page. Instead, the out-of-the-box
Password Services page uses the variable "username":
smpwservices.fcc:
@username=%username%
(1) Generated User Attributes
The following list contains user attributes that Siteminder
generates automatically. These attributes can be specified as
response attributes for Web Agent responses and are available to
named expressions.
%SM_USER
The web agent places the username in an SM_USER http header variable
for all requests. The web agent does not set the value of the
SM_USER header variable when one of the following items are true:
- A user does not provide a user name, such as with
certificate–based authentication.
- A user name is not known.
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/responses-and-response-groups/generated-user-attributes.html