There are 2 types of users.
1. Users who have an email address - user1
2. Users who do not have an email address - user4
Use case:
Only allow users who have email address to be authorized for SAML Federation.
Release : 12.8.x
To achieve this, you will need one of the following:
1. A filter that matches only users who have an email address value, and allows them
2. Or the opposite: a filter that matches users who do not have an email address value, and excludes them
The following can be applied to achieve the goal.
Select "Filter User Property" and add "(!(mail=\00))" in the filter.
Here is the smtracedefault.log showing that user1 passes this filter (Status: 1 entries).
[09/21/2023][17:59:30.765][16944][16112][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=user1,ou=People,o=SM', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=user1,ou=People,o=SM', Filter: '(!(mail=\00))'. Status: 1 entries][][][][]
The following trace is for user4; the user is not found for authorization (Status: 0 entries).
[09/21/2023][18:05:21.542][16944][13952][][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][][][][][][][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'uid=user4,ou=People,o=SM', filter: '(!(mail=\00))', type: 3, recursive: No][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapConnMgr.cpp:1226][CSmDsLdapConn::SearchExts][][][][][][][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapProvider.cpp:2753][CSmDsLdapProvider::SearchCount][][][][][][][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'uid=user4,ou=People,o=SM', Filter: '(!(mail=\00))'. Status: 0 entries][][][][]
As a result, user4 will receive an HTTP 403.
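
To confirm which users the filter admits or excludes without reading the trace by eye, the SearchCount results can be pulled out of smtracedefault.log with a short script. This is an added example, not part of the original article or the product: the function names are hypothetical, the sample lines are constructed and shortened from the traces above, and it assumes that "Status: 0 entries" means the filter excluded the user, as in the user4 trace.

```python
import re

# Each trace entry starts with [MM/DD/YYYY][HH:MM:SS.mmm]; splitting on that
# boundary also handles entries that were pasted together on one line.
ENTRY_START = re.compile(r"(?=\[\d{2}/\d{2}/\d{4}\]\[\d{2}:\d{2}:\d{2}\.\d+\])")
RESULT = re.compile(
    r"^\[([^\]]*)\]\[([^\]]*)\].*"
    r"\(SearchCount\) Base: '([^']*)', Filter: '([^']*)'\. Status: (\d+) entries",
    re.DOTALL,
)

def parse_searchcount(trace_text):
    """Return one dict per SearchCount result found in the trace text."""
    results = []
    for entry in ENTRY_START.split(trace_text):
        m = RESULT.match(entry)
        if m:  # entries without a SearchCount result are skipped
            date, time, base, ldap_filter, count = m.groups()
            results.append({"when": f"{date} {time}", "user_dn": base,
                            "filter": ldap_filter, "matched": int(count) > 0})
    return results

def excluded_users(trace_text, ldap_filter):
    """User DNs for which the given filter returned 0 entries."""
    return [r["user_dn"] for r in parse_searchcount(trace_text)
            if r["filter"] == ldap_filter and not r["matched"]]

# Constructed sample: three entries run together on one line, with the long
# runs of empty [] fields collapsed. Only two carry a SearchCount result.
SAMPLE_TRACE = (
    r"[09/21/2023][17:59:30.765][16944][16112][][SmDsLdapProvider.cpp:2753]"
    r"[CSmDsLdapProvider::SearchCount][][Ldap SearchCount callout succeeds.][]"
    r"[(SearchCount) Base: 'uid=user1,ou=People,o=SM', Filter: '(!(mail=\00))'. Status: 1 entries][] "
    r"[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapConnMgr.cpp:1226]"
    r"[CSmDsLdapConn::SearchExts][][LDAP search of (!(mail=\00)) took 0 seconds and 0 microseconds][] "
    r"[09/21/2023][18:05:21.542][16944][13952][][SmDsLdapProvider.cpp:2753]"
    r"[CSmDsLdapProvider::SearchCount][][Ldap SearchCount callout succeeds.][]"
    r"[(SearchCount) Base: 'uid=user4,ou=People,o=SM', Filter: '(!(mail=\00))'. Status: 0 entries][]"
)

if __name__ == "__main__":
    for r in parse_searchcount(SAMPLE_TRACE):
        verdict = "matched" if r["matched"] else "excluded"
        print(f"{r['when']}  {r['user_dn']}  {r['filter']}  {verdict}")
```

Any user DN returned by `excluded_users` for the federation filter is one that will not be authorized for the partnership.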