Federation Partnership AD Search Specification syntax and how-to
search cancel

Federation Partnership AD Search Specification syntax and how-to


Article ID: 272358


Updated On:


SITEMINDER CA Single Sign On Federation (SiteMinder)



Running AdminUI, and configuring "AD Search Specification" feature of the "Map Identity Attribute to User Directories", is it possible to use multiple values separated by AND or OR operators?




As per the documentation, operators and multiple attributes aren't allowed (1).

    Directory Search Specification

      Determines the search string that the consumer uses to locate
      the attribute in a user directory. Enter a search string
      appropriate for the directory type, such as:

      LDAP: uid=%s
      ODBC: name=%s or %s    

Further, the documentation mentions the use of the "Message Consumer Plug-in" that might be used to customize the behavior (2):

    Search specification for AD directories.

    If user disambiguation is being performed on a user in an AD
    directory, but no AD search specification has been provided for this
    property, the default search specification defined on the SiteMinder

    User Directory Properties dialog is used.

    If you are extending the functionality of a SAML 2.0 authentication
    scheme with a custom message consumer plugin, the plugin will not be
    called in the user disambiguation phase if the Policy Server
    disambiguates the user with the default search specification defined
    on the User Directory Properties dialog. For more information, see

From documentation, the "Message Consumer Plug-in" might be used in the disambiguation phase (3):    

    Provides processing to disambiguate a user when the authentication
    scheme is unable to do so. Alternatively, this method can add data
    for new federation users to a user store. This method receives the
    decrypted assertion. The decrypted assertion is added to the
    properties map that is passed to the plug-in under the
    "DecryptedAssertion" key. From Release 12.8.07, this method also
    receives the RelayState parameter within an IdP-initiated URL. The
    RelayState parameter is added to properties map that is passed to
    the plug-in under the "_RelayState" key.

    The "output" parameter should be set to "user identifier value"
    with which the user directory search should be performed. Do NOT
    add the SAML assertion in the output parameter.
    The postDisambiguate method in the plugin will only help to
    disambiguate the user with a different value and does not update
    the assertion.

Specific questions regarding the "Message Consumer Plug-in" are answered in a KD (4).

If the possibility to use multiple attribute and use operators in the "AD Search Specification" and "LDAP AD Search Specification" are needed, then set an Enhancement Request (Idea):

  1. Go to the "All Ideas" page :


  2. Click on the "Add" button.
  3. In the "Select categories...", select "Symantec Access Management".
  4. Write a title in the "title" box.
  5. Write a complete description of the Enhancement Request or Certification you'd like to post.
  6. Click on "Save" to get the Idea submitted!

Additional Information



    User Identification Dialog (SAML 2.0 SP)




    Implement the MessageConsumerPlugin Interface


    Federation Message Consumer Plugin postDisambiguate function in SDK