How to use "Filter User Property" to exclude certain users from Federation Partnership
Article ID: 273967

Products

SITEMINDER

Issue/Introduction

There are 2 types of users:

1. Users who have an email address - <user_with_email>
2. Users who do not have an email address - <user_WITHOUT_email>

Use case:

Only allow users who have an email address to be authorized for SAML Federation.

 

Environment

 

Release : 12.8.x

 

Resolution

To achieve this, you will need either:

  1. A filter that lists only users who have an email address value, and allows them, or
  2. The opposite: a filter that lists users who do not have an email address value, and excludes them.

The following can be applied to achieve the goal.

Select "Filter User Property" and add "(!(mail=\00))" in the filter.

Here is the smtracedefault.log output showing this filter passing for <user_with_email>:

[09/21/2023][17:59:30.765][16944][16112][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_with_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_with_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 1 entries][][][][]

The following is the same check for <user_WITHOUT_email>; the user is not found, so the user is not authorized:

[09/21/2023][18:05:21.542][16944][13952][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 0 entries][][][][]

As a result, <user_WITHOUT_email> will see HTTP 403.
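When verifying a "Filter User Property" value against a trace, the useful signal is the "(SearchCount) ... Status: N entries" message: 1 or more entries means the user passed the filter, 0 entries means the user is not authorized and receives HTTP 403. The following Python script is an added example written for this article; it is not SiteMinder code and not part of the original article. It parses the bracketed smtracedefault.log layout shown above, using the four ResolvePolicyObject/SearchCount lines quoted in the article (placeholders left in place) as constructed sample input, and reports per user DN whether the filter check passed. The field positions and message wording are taken from the quoted lines; the function and class names are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Every field of a smtracedefault.log line is wrapped in [...]; most are empty.
FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Message written by CSmDsLdapProvider::SearchCount once the "Filter User
# Property" check has been run against the user's own DN (wording taken from
# the trace lines quoted in the article).
COUNT_RE = re.compile(
    r"\(SearchCount\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>[^']*)'\. "
    r"Status: (?P<entries>\d+) entries"
)


@dataclass
class FilterOutcome:
    timestamp: str
    thread: str
    user_dn: str
    ldap_filter: str
    entries: int

    @property
    def authorized(self) -> bool:
        # The user passes the property filter only if the search rooted at the
        # user's DN returns at least one entry (1 in the article's passing case,
        # 0 in the failing case that ends in HTTP 403).
        return self.entries > 0


def parse_search_count(line: str) -> Optional[FilterOutcome]:
    """Return the filter outcome carried by a SearchCount trace line, else None."""
    fields = FIELD_RE.findall(line)
    # Field layout: [date][time][pid][tid][][file:line][function]...[message]...
    if len(fields) < 7 or fields[6] != "CSmDsLdapProvider::SearchCount":
        return None
    for field in fields[7:]:
        m = COUNT_RE.search(field)
        if m:
            return FilterOutcome(
                timestamp=f"{fields[0]} {fields[1]}",
                thread=fields[3],
                user_dn=m["base"],
                ldap_filter=m["filter"],
                entries=int(m["entries"]),
            )
    return None


def filter_outcomes(lines: List[str]) -> List[FilterOutcome]:
    """Collect the outcome of every property-filter check in a trace excerpt."""
    parsed = (parse_search_count(line) for line in lines)
    return [outcome for outcome in parsed if outcome is not None]


def users_denied_by_filter(lines: List[str], expected_filter: str) -> List[str]:
    """DNs that failed the given filter, i.e. the users who will get HTTP 403."""
    return [
        outcome.user_dn
        for outcome in filter_outcomes(lines)
        if outcome.ldap_filter == expected_filter and not outcome.authorized
    ]


# Constructed sample input: the ResolvePolicyObject and SearchCount lines quoted
# in the article, with its <user_with_email>/<user_WITHOUT_email>/<domain>
# placeholders left as they appear there.
SAMPLE_LINES = [
    r"[09/21/2023][17:59:30.765][16944][16112][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_with_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]",
    r"[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_with_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 1 entries][][][][]",
    r"[09/21/2023][18:05:21.542][16944][13952][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]",
    r"[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=<user_WITHOUT_email>,ou=People,o=<domain>', Filter: '(!(mail=\00))'. Status: 0 entries][][][][]",
]

if __name__ == "__main__":
    for outcome in filter_outcomes(SAMPLE_LINES):
        verdict = "authorized" if outcome.authorized else "denied (HTTP 403)"
        print(f"{outcome.timestamp} tid={outcome.thread} {outcome.user_dn}: "
              f"{outcome.entries} entries -> {verdict}")
```

Run it against a real smtracedefault.log by reading the file into a list of lines; users_denied_by_filter() with the exact filter string configured in the policy returns the DNs that will be refused by that filter, which is the quickest way to confirm the filter excludes only the intended users before rolling it out to the Federation Partnership.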