How does SiteMinder authenticate a user group and retrieve DN Attribute in an agent header response?


Article ID: 261555


Products

SITEMINDER
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)

Issue/Introduction

Question 1

The User tab inside a policy is defined as below, and a user belongs to 2 different groups (Group4 and Group7). Will the user be authenticated/authorized by Group4, by Group7, or by both?

Question 2

A web agent response is defined with the 'DN Attribute' option chosen. Will SiteMinder send all 4 responses (CN) back to the application even if the user belongs to only two of the groups?

Or does it send back a CN value only when the user record belongs to that group?

Environment

Release: 12.8.05

Resolution

Answer 1:

When multiple roles/groups are added to a policy and a user belongs to 2 different groups, the user is authenticated/authorized as soon as the user is found in the first matching role/group. That means that during policy evaluation, if the user is found in Group4, the Policy Server authorizes the user and does not go on to check Group7. The trace below shows the groups being checked in order until the first hit:

[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthorization.cpp:809][CSmAz::TestPolicy][][][][][][][d_cust][][p_cust][][][][][][][][][][][][Evaluating policy...]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group0,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group1,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group2,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group3,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group4,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 1 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthorization.cpp:1219][CSmAz::TestPolicy][][][][][][][][][][][][][true][][][][][][][][Leave function CSmAz::TestPolicy]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthorization.cpp:1742][CSmAz::IsOk][][][][][][][d_cust][][p_cust][][rule_cust_1][][][][][][][][][][Policy is applicable. Rule is applicable. Get Responses.]

Answer 2:

Result: dn_attr=^Group4^Group7^

The user is searched in every group/user role named in the DN response attribute, so SiteMinder produces the value dynamically through an LDAP GetDnProp call per group and sends back a CN value only for the groups the user record belongs to. The trace below shows all four groups being searched, with only Group7 and Group4 returning an entry:

[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthUser.cpp:3654][CSmAuthUser::GetDnProp][][][][][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group8,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthUser.cpp:3668][CSmAuthUser::GetDnProp][][][][][][][][][][][][][1][][][][][][][][Leave function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthUser.cpp:3654][CSmAuthUser::GetDnProp][][][][][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group7,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 1 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthUser.cpp:3668][CSmAuthUser::GetDnProp][][][][][][][][][][][][][1][][][][][][][][Leave function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthUser.cpp:3654][CSmAuthUser::GetDnProp][][][][][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group4,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 1 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthUser.cpp:3668][CSmAuthUser::GetDnProp][][][][][][][][][][][][][1][][][][][][][][Leave function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.169][15:17:11][5896][1732][SmAuthUser.cpp:3654][CSmAuthUser::GetDnProp][][][][][][][][][][][][][][][][][][][][][Enter function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.185][15:17:11][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group0,dc=ca,dc=com', Filter: 'uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[03/08/2023][15:17:11.185][15:17:11][5896][1732][SmAuthUser.cpp:3668][CSmAuthUser::GetDnProp][][][][][][][][][][][][][1][][][][][][][][Leave function CSmAuthUser::GetDnProp]
[03/08/2023][15:17:11.185][15:17:11][5896][1732][SmActiveExpr.cpp:527][CSmActiveExprLibrary::GetActiveValue][][][][][][][][][][][][][dn_attr=^Group4^Group7^][][][][][][][][Leave function CSmActiveExprLibrary::GetActiveValue]
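As an added illustration for both answers (not part of the original article), the following Python reads Policy Server trace lines in the format shown above and reproduces the two behaviours: the first-hit stop during TestPolicy, and the per-group membership that decides which CNs reach the DN Attribute header. The trace lines it embeds are constructed to match the article's format with the empty columns trimmed; the user, group and filter values are taken from the article.

```python
import re
from typing import Dict, List, Optional, Tuple

# Pulls group CN, LDAP filter and hit count from a CSmDsLdapProvider::SearchCount trace line.
SEARCHCOUNT_RE = re.compile(
    r"\(SearchCount\) Base: 'cn=(?P<cn>[^,']+)[^']*', Filter: '(?P<filter>[^']+)'\. "
    r"Status: (?P<count>\d+) entries"
)

# Constructed trace lines in the article's format, with the empty columns trimmed.
SC = "[03/08/2023][15:17:11.169][5896][1732][SmDsLdapProvider.cpp:2685][CSmDsLdapProvider::SearchCount]"
FLT = "uniqueMember=cn=user2,ou=OrgUnit0,dc=ca,dc=com"

def make_trace(checks) -> str:
    return "\n".join(
        f"{SC}[(SearchCount) Base: 'cn={g},dc=ca,dc=com', Filter: '{FLT}'. Status: {n} entries]"
        "[][Ldap SearchCount callout succeeds.]" for g, n in checks
    )

# Answer 1: policy groups evaluated in order; user2 is first found in Group4.
POLICY_TRACE = make_trace([("Group0", 0), ("Group1", 0), ("Group2", 0), ("Group3", 0), ("Group4", 1)])
# Answer 2: all four groups named in the DN Attribute response are searched.
DN_ATTR_TRACE = make_trace([("Group8", 0), ("Group7", 1), ("Group4", 1), ("Group0", 0)])

def parse_searchcount(line: str) -> Optional[Tuple[str, str, int]]:
    """(group CN, filter, entry count) for a SearchCount line, None for other lines."""
    m = SEARCHCOUNT_RE.search(line)
    return (m["cn"], m["filter"], int(m["count"])) if m else None

def authorizing_group(trace: str) -> Optional[str]:
    """First group with a hit: the Policy Server stops here and never queries the rest."""
    for line in trace.splitlines():
        hit = parse_searchcount(line)
        if hit and hit[2] > 0:
            return hit[0]
    return None

def dn_attr_membership(trace: str) -> Dict[str, bool]:
    """Each group searched by GetDnProp, mapped to whether the user was found in it."""
    membership: Dict[str, bool] = {}
    for line in trace.splitlines():
        hit = parse_searchcount(line)
        if hit:
            membership[hit[0]] = hit[2] > 0
    return membership

def emitted_cns(trace: str) -> List[str]:
    """CNs that reach the header: member groups only. Sorted for a stable comparison;
    the search order in the trace is not the order written into dn_attr."""
    return sorted(cn for cn, member in dn_attr_membership(trace).items() if member)
```

The same parser works on the full-width trace lines above, since only the SearchCount payload is matched.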

Additional Information

DE559997