Federation Assertion Attributes - where userid is multi-valued and the actual user login name used for login must be sent

Article ID: 242600

Products

SITEMINDER CA Single Sign On Federation (SiteMinder)

Issue/Introduction

[Use case]

User is "cn=user1,ou=people,dc=kimlabs,dc=net"

This user has multiple 'uid' values:

uid=user1
uid=user1a
uid=user1b
uid=user1c

This user will log in using any one of the 'uid' values as the username.

The "uid" user attribute is specified for "NameID".

This results in a NameID value of "user1^user1a^user1b^user1c" (all values joined with '^').

The Service Provider is unable to authenticate the user based on this NameID.

Is it possible to capture the actual login username and add it as an Assertion Attribute?

Environment

Release : 12.8.x

Component : Federation

Resolution

Without any customization, add a "User Attribute" with the value "FMATTR:SM_USERLOGINNAME".

This will generate an Assertion Attribute as below when you log in as "user1b":

<ns2:Attribute Name="SmUserLoginName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>user1b</ns2:AttributeValue>
</ns2:Attribute>

The Service Provider can use this attribute to authenticate the user.
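The following is an added example, not code from this article or from SiteMinder, showing how the Service Provider side can consume the assertion above: it reads the '^'-joined multi-valued NameID and the SmUserLoginName attribute, and only accepts the login name if it is one of the NameID values, so an attribute that disagrees with the subject is rejected rather than trusted. It assumes the assertion has already been signature-verified and that the NameID is joined with '^' as shown in this article; the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion modelled on the fragment in this article:
# the multi-valued "uid" NameID and the SmUserLoginName attribute for a
# login as "user1b". Signature and other elements are omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">user1^user1a^user1b^user1c</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="SmUserLoginName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue>user1b</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_identity(assertion_xml):
    """Return (nameid_values, login_name) from an already signature-verified assertion."""
    root = ET.fromstring(assertion_xml)
    nameid = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS)
    # SiteMinder joins the multi-valued 'uid' attribute with '^' (assumption
    # based on the value shown in this article).
    nameid_values = [v for v in nameid.split("^") if v]
    login_name = None
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == "SmUserLoginName":
            login_name = attr.findtext("saml:AttributeValue", default=None, namespaces=SAML_NS)
    return nameid_values, login_name


def resolve_user(assertion_xml):
    """Pick the account name the SP should use: the asserted login name, but only
    when it is one of the subject's NameID values; otherwise reject the assertion."""
    nameid_values, login_name = extract_identity(assertion_xml)
    if not login_name:
        raise ValueError("SmUserLoginName attribute missing from assertion")
    if login_name not in nameid_values:
        raise ValueError("login name %r is not among NameID values %r" % (login_name, nameid_values))
    return login_name
```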