How to use "Filter User Property" to exclude certain users from Federation Partnership.
Article ID: 273967

Products

SITEMINDER

Issue/Introduction

There are 2 types of users:

1. Users who have an email address - <user_with_email>

2. Users who do not have an email address - <user_WITHOUT_email>


Use case:

Only allow users who have an email address to be authorized for SAML Federation.


Environment

Component: FEDMA : SiteMinder Federation (Federation Manager)
Release: 12.8.xx and 12.9 (applicable to all supported releases)


Resolution

One of the following is required to achieve this use case:

  1. A filter that lists only users who have a value in the email attribute, and allows them
  2. Or the opposite: a filter that lists users who have no value in the email attribute, and excludes them

The following can be applied to achieve the goal.

In the Federation Partnership, select "Filter User Property" and add "(!(mail=\00))" as the filter.

Here is the smtracedefault.log output showing this filter being applied to <user_with_email>. The LDAP search returns 1 entry, so the user passes the filter.

[09/21/2023][17:59:30.765][16944][16112][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_with_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_with_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 1 entries][][][][]


The following is the same lookup for user4 (<user_WITHOUT_email>). The search returns 0 entries, so the user is not found for authorization.

[09/21/2023][18:05:21.542][16944][13952][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 0 entries][][][][]


As a result, <user_WITHOUT_email> will receive an HTTP 403 response.
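When checking whether the filter behaves as intended across many users, it is quicker to parse the SearchCount lines out of smtracedefault.log than to read them by hand. The script below is an added example written for this article; it is not SiteMinder code and the article does not ship it. It assumes only the bracketed-field trace layout visible in the excerpts above, and the sample log embedded in it is constructed from those excerpts (the <user_with_email>, <user_WITHOUT_email> and <domain> placeholders are kept as-is). A user whose search reports "0 entries" is the one who will be denied with HTTP 403.

```python
"""Parse SiteMinder smtracedefault.log SearchCount lines and report which
users pass or fail the "Filter User Property" check.

Added example for this article; not part of SiteMinder. Assumes the
bracketed-field trace layout shown in the article's excerpts.
"""
import re
from typing import List, NamedTuple

# Constructed sample, copied from the article's trace excerpts (placeholders kept).
# A raw string is used so the LDAP escape "\00" is not turned into a NUL byte.
SAMPLE_LOG = r"""
[09/21/2023][17:59:30.765][16944][16112][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_with_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_with_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 1 entries][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 0 entries][][][][]
"""

# Leading fields are [date][time][pid][tid]; the SearchCount summary sits in a later field.
SEARCHCOUNT_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\]\[(?P<pid>\d+)\]\[(?P<tid>\d+)\]"
    r".*\(SearchCount\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>[^']*)'\."
    r" Status: (?P<entries>\d+) entries"
)


class SearchResult(NamedTuple):
    timestamp: str    # "MM/DD/YYYY HH:MM:SS.mmm" as logged
    thread: str       # thread id, useful to correlate with the other lines of the same request
    uid: str          # uid RDN of the user being resolved
    base_dn: str      # full DN used as the search base
    ldap_filter: str  # the Filter User Property value as applied
    entries: int      # 0 means the user did not match the filter


def parse_search_counts(log_text: str) -> List[SearchResult]:
    """Return one SearchResult per SearchCount line; other trace lines are ignored."""
    results = []
    for line in log_text.splitlines():
        m = SEARCHCOUNT_RE.match(line)
        if not m:
            continue
        uid_m = re.match(r"uid=([^,]+)", m["base"])
        results.append(SearchResult(
            timestamp=f"{m['date']} {m['time']}",
            thread=m["tid"],
            uid=uid_m.group(1) if uid_m else m["base"],
            base_dn=m["base"],
            ldap_filter=m["filter"],
            entries=int(m["entries"]),
        ))
    return results


def allowed_users(results: List[SearchResult]) -> List[str]:
    """Users for whom the filter matched (at least one entry returned)."""
    return [r.uid for r in results if r.entries > 0]


def denied_users(results: List[SearchResult]) -> List[str]:
    """Users for whom the filter returned nothing; these get HTTP 403."""
    return [r.uid for r in results if r.entries == 0]


if __name__ == "__main__":
    parsed = parse_search_counts(SAMPLE_LOG)
    for r in parsed:
        verdict = "PASS" if r.entries > 0 else "DENY (403)"
        print(f"{r.timestamp} tid={r.thread} {r.uid:<24} filter={r.ldap_filter} -> {verdict}")
    print("allowed:", allowed_users(parsed))
    print("denied: ", denied_users(parsed))
```

Run it against a real trace by replacing SAMPLE_LOG with the contents of smtracedefault.log; the thread id in each result lets you find the matching ResolvePolicyObject and SearchExts lines for the same request when a deny needs further investigation.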