The ID token does not contain the group information, and we are not able to trigger policies based on group membership when using SiteMinder as the identity store. I think those problems are related to how groups are resolved in the SiteMinder identity store.
Using Siteminder Authenticator: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2-1/Using/Authentication-services/factor-services/Password-Authentication/sm-as-a-password-authenticator.html
Application's ID store configured to use the SiteMinder Identity Provider
Request submitted with scopes: urn:iam:at:groups urn:iam:it:groups
When the user is not a member of any groups, both the access and ID tokens contain:
"hasgroups": true,
"groups": [""],
However, when the user is a member of some groups, both attributes are missing. The expected behavior is for the "groups" attribute to contain an array of group names.
SiteMinder Provider Configuration:
{
  "securityMethod": "jwtbearer",
  "certAlias": "bnym-root-ca",
  "url": "{{sag_url}}",
  "providerProperties": [
    {"name": "spi.discover.capabilities", "value": "smpasswordauthenticator"},
    {"name": "spi.description", "value": "SiteMinder password authentication"},
    {"name": "appId", "value": "zwaproxyauthhub"},
    {"name": "subject", "value": "AUHM04M"},
    {"name": "passwordProtectedResourceFilter", "value": "/loginservice"},
    {"name": "jwtProtectedResourceFilter", "value": "/jwt"},
    {"name": "effectiveIdentitySourceId", "value": "{{config_id_ldap_primary}}"},
    {"name": "attributeMapping", "value": "user_loginid=SMUNIVERSALID, user_dn=SMUSERDN, email=mail, phone_number=telephoneNumber, status=SMAUTHREASON, SMUSERLOGINFAILURESCOUNT=SMUSERLOGINFAILURESCOUNT, effectiveIdentitySourceId=effectiveIdentitySourceId"},
    {"name": "userLoginIdAttributeMappingName", "value": "user_loginid"},
    {"name": "groupAttributeMapping", "value": "name=SMUSERDN, members=SMUSERGROUPS"}
  ],
  "ignoreSSLValidation": true,
  "spiReadTimeoutMillis": "60000",
  "spiConnectTimeoutMillis": "60000",
  "version": "1.0"
}
Response from SAG when a user is not a member of any groups:
UserGetter Response{
  "message": "Authentication Successful",
  "resultCode": "LOGIN_SUCCESS",
  "userPasswordMessage": null,
  "authenticationResponses": {
    "response": [
      { "name": "SMUSERDN", "value": "uid=AUHM001,cn=People,ou=Internal,o=mfc" },
      { "name": "SMAUTHREASON", "value": "0" },
      . . .
      { "name": "SMUSER", "value": "uid=AUHM001,cn=People,ou=Internal,o=mfc" },
      { "name": "SMUSERGROUPS", "value": "" },
      . . .
    ]
  }
}
Response from SAG when a user is a member of some groups:
UserGetter Response{
  "message": "Authentication Successful",
  "resultCode": "LOGIN_SUCCESS",
  "userPasswordMessage": null,
  "authenticationResponses": {
    "response": [
      { "name": "SMUSERDN", "value": "uid=XEDD2HN,cn=People,ou=Internal,o=mfc" },
      { "name": "SMAUTHREASON", "value": "0" },
      . . .
      { "name": "SMREALM", "value": "/jwt" },
      { "name": "SMUSER", "value": "uid=XEDD2HN,cn=People,ou=Internal,o=mfc" },
      { "name": "SMUSERGROUPS", "value": "PUPM^NEXENAPI^ESF^ES1^WA1Editor^TOA^UDSStatic^PN1Admin^PN1Crypto^CWM^Juniper_VPN^APEX_Pipeline^DAE_USERS^FX_ADMIN^ESF Sample^NCX^WA1Admin^IWA^MOO-EventMgmt-Opr^EDY^OPD^MARKETPLACE^NGE^DP_TLU_GSP_USR^UMT Users^UMT^AUHAdmin^Veracode" },
      . . .
    ]
  }
}
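The two SAG responses above show what the groupAttributeMapping entry "members=SMUSERGROUPS" has to work with: a single string, empty for a user with no groups and caret-separated for a user with groups. The following is an added reference parser, not Authentication Hub code, that turns that string into the "groups" and "hasgroups" claims one would expect in the tokens. It assumes, from the response shown, that '^' is the delimiter and that an empty SMUSERGROUPS value means "no groups"; the sample responses are constructed by trimming the ones above. It also shows why a plain split of the empty string yields [""], which is the value observed in the tokens for the no-groups user.

```python
"""Reference parser for the SMUSERGROUPS attribute returned by SiteMinder (SAG).

Added example, not the product's implementation. Assumptions (taken from the
SAG responses shown on the page): group names arrive as one string delimited
by '^', and an empty string means the user belongs to no groups.
"""

GROUP_DELIMITER = "^"  # assumption: observed in the SMUSERGROUPS value above

# Constructed sample: the no-groups response from the page, trimmed.
SAG_RESPONSE_NO_GROUPS = {
    "message": "Authentication Successful",
    "resultCode": "LOGIN_SUCCESS",
    "authenticationResponses": {
        "response": [
            {"name": "SMUSERDN", "value": "uid=AUHM001,cn=People,ou=Internal,o=mfc"},
            {"name": "SMAUTHREASON", "value": "0"},
            {"name": "SMUSERGROUPS", "value": ""},
        ]
    },
}

# Constructed sample: the with-groups response from the page, trimmed to five groups.
SAG_RESPONSE_WITH_GROUPS = {
    "message": "Authentication Successful",
    "resultCode": "LOGIN_SUCCESS",
    "authenticationResponses": {
        "response": [
            {"name": "SMUSERDN", "value": "uid=XEDD2HN,cn=People,ou=Internal,o=mfc"},
            {"name": "SMREALM", "value": "/jwt"},
            {"name": "SMUSERGROUPS", "value": "PUPM^NEXENAPI^ESF^ES1^WA1Editor"},
        ]
    },
}


def response_attributes(sag_response):
    """Flatten SAG's name/value list into a dict (a later duplicate name wins)."""
    entries = sag_response["authenticationResponses"]["response"]
    return {entry["name"]: entry["value"] for entry in entries}


def naive_split(value):
    """Plain split: "".split("^") == [""], which is the [""] seen in the tokens above."""
    return value.split(GROUP_DELIMITER)


def parse_groups(value):
    """Split the delimited string and drop empty entries, so no groups -> []."""
    if not value:
        return []
    # strip() only trims the ends; names such as "ESF Sample" keep their inner space
    return [name.strip() for name in value.split(GROUP_DELIMITER) if name.strip()]


def groups_claims(sag_response, members_attr="SMUSERGROUPS"):
    """Build the token claims from the attribute named in groupAttributeMapping's members=."""
    groups = parse_groups(response_attributes(sag_response).get(members_attr))
    return {"hasgroups": bool(groups), "groups": groups}


if __name__ == "__main__":
    print(groups_claims(SAG_RESPONSE_NO_GROUPS))
    print(groups_claims(SAG_RESPONSE_WITH_GROUPS))
```

The members_attr parameter corresponds to the "members=SMUSERGROUPS" half of the groupAttributeMapping in the provider configuration above; with the with-groups response the parser yields a list of names, and with the no-groups response it yields an empty list rather than [""].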
Release : VIP Authentication Hub 2.1.2+1030
The attached document covers the App configuration to get the Group in IT and AT tokens.