Admin UI Legacy Federation User Policy Screen Not Working as Expected 

Article ID: 244641

Products

SITEMINDER

Issue/Introduction

- Legacy Federation user policy screen not working as expected. 

Use case:
---------

- Edit the legacy SAML Provider under the Users tab.
- Add a group to allow all users and test to confirm access is working.
- Take one user from the allowed group, add it as a new member on its own, and click Exclude.
- Test the user and confirm it is not able to access.
- Edit the SAML Provider and completely delete the user record that was excluded (the group is still there).

The expectation is that the user will now be allowed, since it still belongs to the group.

The actual result is that the user is not allowed to generate an assertion.

Environment

Release: All 12.8 releases up to 12.8SP6a

Component: SITEMINDER - POLICY SERVER

Cause

- There is a bug in the Legacy SAML Provider Users tab.
- The issue can be reproduced with three Full Dump Exports, taken as follows:

1) With only the group in the Users tab.
2) With the group and the excluded user in the Users tab.
3) With the group only after the user was deleted from the Users tab.

In the first dump, you can see one UserPolicy object with the group in question.
In the second dump, you can see two UserPolicy objects: one for the group and another for the excluded user.
In the third dump, you can still see the two UserPolicy objects, one for the group and another for the excluded user, even though the user was deleted and the Admin UI no longer shows it.

This is a bug: the user policy is not deleted in the background even though the Admin UI no longer displays it, so the orphaned Exclude entry keeps denying the user.


Resolution

The fix below is officially included in the 12.8 SP7 release.

########## Solution ########

- Go to the following location: /CA/siteminder/xps/dd
- Back up FssSmObjects.xdd.
- Modify FssSmObjects.xdd and change the three attribute blocks as indicated below.


**** part 1: *** replace LinkIntegrity with Handling

[Attribute]
PARENT=CA.SM::AffiliateUsers
Name=UserPolicyLink
DataType=Link
MinElements=0
MaxElements=1
LinkToClass=CA.SM::UserPolicy
#LinkIntegrity=Cascade
Handling=Cascade
GranularOption=Always
APIAccess=ReadOnly


**** part 2: *** replace LinkIntegrity with Handling

[Attribute]
PARENT=CA.SM::ServiceProviderUsers
Name=UserPolicyLink
DataType=Link
MinElements=0
MaxElements=1
LinkToClass=CA.SM::UserPolicy
#LinkIntegrity=Cascade
Handling=Cascade
GranularOption=Always
APIAccess=ReadOnly


**** part 3: *** replace LinkIntegrity with Handling

[Attribute]
PARENT=CA.SM::ResourcePartnerUsers
Name=UserPolicyLink
DataType=Link
MinElements=0
MaxElements=1
LinkToClass=CA.SM::UserPolicy
#LinkIntegrity=Cascade
Handling=Cascade
GranularOption=Always
APIAccess=ReadOnly


- Once the modification is complete, run the following:

XPSDDInstall SmMaster.xdd

- Restart your Policy Servers and Admin UI.

- Test; the delete should now work.
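The edit above is easy to get slightly wrong by hand (three blocks, same attribute name, different PARENT classes), and a wrong edit only shows up after XPSDDInstall and a Policy Server restart. The script below is an added example, not Broadcom's tooling: it backs the file up, rewrites exactly the three UserPolicyLink blocks the article names, refuses to touch the file unless exactly three blocks changed, and counts the result so it can be checked before XPSDDInstall is run. It assumes the file uses "[Attribute]" section headers and key=value lines with Name= preceding LinkIntegrity= inside each block, as the fragments in the article show; the sample file it builds is constructed for the demonstration, and CA.SM::ExampleUnrelatedClass is a placeholder class, not a real one.

```shell
#!/bin/sh
# Added example (not Broadcom's own tooling): apply the article's three-block
# change to FssSmObjects.xdd and verify it before running XPSDDInstall.
# Assumption: "[Attribute]" section headers and key=value lines, with Name=
# appearing before LinkIntegrity= in each block, as in the article's fragments.

# The three parent classes whose UserPolicyLink attribute the article changes.
TARGET_PARENTS="CA.SM::AffiliateUsers CA.SM::ServiceProviderUsers CA.SM::ResourcePartnerUsers"

# patch_xdd FILE: rewrite FILE so that, inside each target block only,
# LinkIntegrity=Cascade becomes a comment followed by Handling=Cascade.
# FILE is copied to FILE.bak first. Fails, leaving FILE and any existing
# backup untouched, unless exactly three blocks changed.
patch_xdd() {
    file=$1
    awk -v parents="$TARGET_PARENTS" '
        BEGIN { n = split(parents, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^\[/ { parent = ""; name = ""; inblock = ($0 == "[Attribute]") }  # new section
        inblock && /^PARENT=/ { parent = substr($0, 8) }
        inblock && /^Name=/   { name = substr($0, 6) }
        inblock && /^LinkIntegrity=Cascade$/ && (parent in want) && name == "UserPolicyLink" {
            print "#" $0             # keep the old directive as a comment, as in the article
            print "Handling=Cascade"
            changed++
            next
        }
        { print }
        END { exit (changed == 3 ? 0 : 1) }   # anything other than three blocks is a mistake
    ' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
    cp "$file" "$file.bak" && mv "$file.tmp" "$file"
}

# count_matching FILE REGEX: number of lines in FILE matching REGEX (always prints a number).
count_matching() { awk -v re="$2" '$0 ~ re { c++ } END { print c + 0 }' "$1"; }

# make_sample FILE: write a constructed stand-in for FssSmObjects.xdd with the
# three target blocks plus one unrelated link block that must be left alone.
make_sample() {
    cat > "$1" <<'EOF'
[Attribute]
PARENT=CA.SM::AffiliateUsers
Name=UserPolicyLink
DataType=Link
LinkToClass=CA.SM::UserPolicy
LinkIntegrity=Cascade
GranularOption=Always

[Attribute]
PARENT=CA.SM::ServiceProviderUsers
Name=UserPolicyLink
DataType=Link
LinkToClass=CA.SM::UserPolicy
LinkIntegrity=Cascade
GranularOption=Always

[Attribute]
PARENT=CA.SM::ResourcePartnerUsers
Name=UserPolicyLink
DataType=Link
LinkToClass=CA.SM::UserPolicy
LinkIntegrity=Cascade
GranularOption=Always

[Attribute]
PARENT=CA.SM::ExampleUnrelatedClass
Name=SomeOtherLink
DataType=Link
LinkToClass=CA.SM::UserPolicy
LinkIntegrity=Cascade
EOF
}

# Demonstration on the constructed sample; the real file lives under /CA/siteminder/xps/dd.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/FssSmObjects.xdd"
patch_xdd "$demo_dir/FssSmObjects.xdd"
echo "Handling=Cascade lines:          $(count_matching "$demo_dir/FssSmObjects.xdd" '^Handling=Cascade$')"
echo "active LinkIntegrity lines left: $(count_matching "$demo_dir/FssSmObjects.xdd" '^LinkIntegrity=')"
```

On a real Policy Server you would point patch_xdd at /CA/siteminder/xps/dd/FssSmObjects.xdd, confirm the two counts come out as 3 and 0, and only then run XPSDDInstall SmMaster.xdd and restart. The unrelated block in the sample is there to show the rewrite is keyed on PARENT and Name, not on the LinkIntegrity line alone; a plain global search-and-replace would have changed it too.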