User Groups mapping not in ID Token when using SiteMinder as identity provider

Article ID: 271949


Products

VIP Authentication Hub

Issue/Introduction

The ID Token does not contain the group information. However, we are not able to trigger policies based on group membership when using SiteMinder as the identity store. I think those problems are related to how groups are resolved in the SiteMinder identity store.

Using the SiteMinder password authenticator (see https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/vip-authentication-hub/2-1/Using/Authentication-services/factor-services/Password-Authentication/sm-as-a-password-authenticator.html)

Application's ID store configured to use the SiteMinder Identity Provider

Request submitted with the scopes urn:iam:at:groups and urn:iam:it:groups

When the user is not a member of any group, both the access token and the ID token contain:

    "hasgroups": true,
    "groups": [""],

However, when the user is a member of one or more groups, both attributes are missing from both tokens. The expected behavior is for the "groups" attribute to contain an array of the group names the user belongs to (and, for a user with no groups, an empty array rather than an array holding one empty string).

SiteMinder Provider Configuration (note that "ignoreSSLValidation": true disables certificate validation on the connection to SAG, which is only acceptable in a test environment; the "groupAttributeMapping" property is the one that ties the token's group list to the SMUSERGROUPS response attribute):

{
    "securityMethod": "jwtbearer",
    "certAlias": "bnym-root-ca",
    "url": "{{sag_url}}",
    "providerProperties": [
        {"name": "spi.discover.capabilities", "value": "smpasswordauthenticator"},
        {"name": "spi.description", "value": "SiteMinder password authentication"},
        {"name": "appId", "value": "zwaproxyauthhub"},
        {"name": "subject", "value": "AUHM04M"},
        {"name": "passwordProtectedResourceFilter", "value": "/loginservice"},
        {"name": "jwtProtectedResourceFilter", "value": "/jwt"},
        {"name": "effectiveIdentitySourceId", "value": "{{config_id_ldap_primary}}"},
        {"name": "attributeMapping", "value": "user_loginid=SMUNIVERSALID, user_dn=SMUSERDN, email=mail, phone_number=telephoneNumber, status=SMAUTHREASON, SMUSERLOGINFAILURESCOUNT=SMUSERLOGINFAILURESCOUNT, effectiveIdentitySourceId=effectiveIdentitySourceId"},
        {"name": "userLoginIdAttributeMappingName", "value": "user_loginid"},
        {"name": "groupAttributeMapping", "value": "name=SMUSERDN, members=SMUSERGROUPS"}
    ],
    "ignoreSSLValidation": true,
    "spiReadTimeoutMillis": "60000",
    "spiConnectTimeoutMillis": "60000",
    "version": "1.0"
}

Response from SAG when the user is not a member of any group (SMUSERGROUPS is an empty string):

UserGetter Response:
{
    "message": "Authentication Successful",
    "resultCode": "LOGIN_SUCCESS",
    "userPasswordMessage": null,
    "authenticationResponses": {
        "response": [
            {
                "name": "SMUSERDN",
                "value": "uid=AUHM001,cn=People,ou=Internal,o=mfc"
            },
            {
                "name": "SMAUTHREASON",
                "value": "0"
            },
            . . .
            {
                "name": "SMUSER",
                "value": "uid=AUHM001,cn=People,ou=Internal,o=mfc"
            },
            {
                "name": "SMUSERGROUPS",
                "value": ""
            },
            . . .
        ]
    }
}

Response from SAG when the user is a member of one or more groups (SMUSERGROUPS is a single "^"-delimited string, not an array):

UserGetter Response:
{
    "message": "Authentication Successful",
    "resultCode": "LOGIN_SUCCESS",
    "userPasswordMessage": null,
    "authenticationResponses": {
        "response": [
            {
                "name": "SMUSERDN",
                "value": "uid=XEDD2HN,cn=People,ou=Internal,o=mfc"
            },
            {
                "name": "SMAUTHREASON",
                "value": "0"
            },
            . . .
            {
                "name": "SMREALM",
                "value": "/jwt"
            },
            {
                "name": "SMUSER",
                "value": "uid=XEDD2HN,cn=People,ou=Internal,o=mfc"
            },
            {
                "name": "SMUSERGROUPS",
                "value": "PUPM^NEXENAPI^ESF^ES1^WA1Editor^TOA^UDSStatic^PN1Admin^PN1Crypto^CWM^Juniper_VPN^APEX_Pipeline^DAE_USERS^FX_ADMIN^ESF Sample^NCX^WA1Admin^IWA^MOO-EventMgmt-Opr^EDY^OPD^MARKETPLACE^NGE^DP_TLU_GSP_USR^UMT Users^UMT^AUHAdmin^Veracode"
            },
            . . .
        ]
    }
}

Environment

Release: VIP Authentication Hub 2.1.2+1030

Resolution

The attached document covers the application configuration required to get the user's groups into the ID token (IT) and the access token (AT) when the application's ID store is the SiteMinder identity provider.

Attachments

GroupsInAT_1692371485066.docx