Does SiteMinder support dynamic groups if so how to configure
Yes, for Oracle LDAP only. See below.
Dynamic group support is neither documented nor tested. Single Sign-On (SiteMinder) uses the Mozilla LDAP SDK to access LDAP directories, and LDAP object class and attribute names are not standardized, so dynamic group support has to be added on a per-namespace basis. Because SiteMinder uses the Mozilla LDAP SDK, dynamic groups work with SiteMinder out of the box for Oracle LDAP user stores only, and changes to the SiteMinder registry branch are required. See below for details on how.
Example use case: for SiteMinder (Single Sign-On) to find a group in LDAP, the group must contain the objectClass "groupOfUniqueNames" (that is, it must be a static group). However, once SiteMinder discovers a group, it next determines whether the group matches a dynamic profile first and a static one second. If a group only contains the "groupOfUrls" objectClass, SiteMinder is unable to find the group in LDAP.
Use case: user AUser50 accesses resource /site2/test.html.
Support confirmed dynamic LDAP groups by following the steps below.
Steps to add a dynamic group
Modify sm.registry, or use regedit, to add groupofurls where indicated below.
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\LdapMatchUserDN
group= member; REG_SZ
groupOfNames= member; REG_SZ
groupofurls= uniqueMember; REG_SZ
groupOfUniqueNames= uniqueMember; REG_SZ
organizationalRole= roleOccupant; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters
LDAP:= groupofurls,groupOfNames,groupOfUniqueNames,group; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters
LDAP:= organization,organizationalUnit,groupofurls,groupOfNames,groupOfUniqueNames,group; REG_SZ
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyClassFilters=987838512
LDAP:= organizationalPerson,inetOrgPerson,organization,organizationalUnit, groupofurls,groupOfNames,groupOfUniqueNames,group; REG_SZ
ODBC:= Group, User; REG_SZ
Add a new entry for groupofurls with REG_DWORD type and value 2, just like groupOfUniqueNames in PolicyResolution.
HKEY_LOCAL_MACHINE\SOFTWARE\Netegrity\SiteMinder\CurrentVersion\Ds\PolicyResolution=1035617422
container= 0x5; REG_DWORD
DN Attribute= 0xa; REG_DWORD
Group= 0x2; REG_DWORD
Group Attribute= 0x8; REG_DWORD
groupOfurls= 0x2; REG_DWORD
groupOfNames= 0x2; REG_DWORD
groupOfUniqueNames= 0x2; REG_DWORD
inetOrgPerson= 0x1; REG_DWORD
Restart the Policy Server and use View Contents on any user directory that points to this LDAP instance to make sure you can see the dynamic group name that you created.
LDAP side:
Created dynamic group: Test2
Objectclass: groupofurls
MemberURL: ldap:///ou=APSUsers,dc=ca,dc=com??sub?(&(employeenumber=A))
LDAP Access log – for the authorization
[11/Dec/2015:14:40:02 -0500] conn=2 op=6 msgId=7 - SRCH base="cn=test2,dc=ca,dc=com" scope=0 filter="(uniqueMember=cn=AUser50,ou=APSUsers,dc=ca,dc=com)" attrs="objectClass"
[11/Dec/2015:14:40:02 -0500] conn=2 op=6 msgId=7 - RESULT err=0 tag=101 nentries=0 etime=0
[11/Dec/2015:14:40:02 -0500] conn=2 op=7 msgId=8 - SRCH base="cn=test2,dc=ca,dc=com" scope=0 filter="(memberURL=*)" attrs="memberURL"
[11/Dec/2015:14:40:02 -0500] conn=2 op=7 msgId=8 - RESULT err=0 tag=101 nentries=1 etime=0
[11/Dec/2015:14:40:02 -0500] conn=2 op=8 msgId=9 - SRCH base="ou=apsusers,dc=ca,dc=com" scope=2 filter="(&(cn=AUser50)(&(employeeNumber=A)))" attrs="objectClass"
[11/Dec/2015:14:40:02 -0500] conn=2 op=8 msgId=9 - RESULT err=0 tag=101 nentries=1 etime=0 notes=U
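As an added example (not code from the KB article or from SiteMinder itself), the following Python reproduces the three-search sequence the access log above shows for a groupOfUrls membership check: the static uniqueMember search on the group, the memberURL fetch, and the dynamic search built from the parsed LDAP URL ANDed with the user's RDN. The input values are constructed from the page's example, and the DN handling assumes no escaped commas.

```python
from urllib.parse import unquote

# Constructed inputs taken from the page's example (group, memberURL, user).
GROUP_DN = "cn=test2,dc=ca,dc=com"
MEMBER_URL = "ldap:///ou=APSUsers,dc=ca,dc=com??sub?(&(employeenumber=A))"
USER_DN = "cn=AUser50,ou=APSUsers,dc=ca,dc=com"

SCOPES = {"": 0, "base": 0, "one": 1, "sub": 2}   # scope codes as the access log prints them

def parse_member_url(url):
    """Split an RFC 4516 LDAP URL (ldap://host/dn?attrs?scope?filter) into (base DN, scope, filter)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, path = rest.partition("/")          # host part is empty in ldap:///
    parts = path.split("?")                       # '?' inside the filter must be %-encoded per RFC 4516
    base = unquote(parts[0])
    scope = parts[2].lower() if len(parts) > 2 else ""
    if scope not in SCOPES:
        raise ValueError("bad scope: %r" % scope)
    filt = unquote(parts[3]) if len(parts) > 3 and parts[3] else "(objectClass=*)"
    return base, SCOPES[scope], filt

def rdn_filter(user_dn):
    """Equality filter for the user's first RDN, e.g. (cn=AUser50); assumes no escaped commas."""
    attr, _, value = user_dn.split(",", 1)[0].partition("=")
    return "(%s=%s)" % (attr, value)

def dn_in_scope(user_dn, base, scope):
    """True if user_dn lies within base for the given scope (case-insensitive, naive DN split)."""
    u = [p.strip().lower() for p in user_dn.split(",")]
    b = [p.strip().lower() for p in base.split(",")]
    if len(u) < len(b) or u[len(u) - len(b):] != b:
        return False
    depth = len(u) - len(b)
    if scope == 0:
        return depth == 0
    if scope == 1:
        return depth == 1
    return True

def membership_searches(group_dn, member_url, user_dn):
    """Return the (base, scope, filter) triples the Policy Server issues, in log order."""
    base, scope, filt = parse_member_url(member_url)
    return [
        (group_dn, 0, "(uniqueMember=%s)" % user_dn),               # op=6: static member check
        (group_dn, 0, "(memberURL=*)"),                             # op=7: read the dynamic rule
        (base, scope, "(&%s%s)" % (rdn_filter(user_dn), filt)),     # op=8: dynamic check
    ]
```

If the user's DN is not inside the memberURL base for its scope, the third search cannot match, which is why `dn_in_scope` is a quick first thing to check when a dynamic group resolves to zero entries.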
SMTRACE - Has relationship function
[12/11/2015][14:39:41.826][25346][2898586480][ Start of call HasRelationship.][14:39:41][SmDsUser.cpp:898][CSmDsUser::ResolvePolicyObject][Policy resolution for user: 'cn=AUser50,ou=APSUsers,dc=ca,dc=com', filter: 'cn=Test2,dc=ca,dc=com', type: 2, recursive: No]
[12/11/2015][14:39:41.826][25346][2898586480][ Enter ImproveLDAPConnection][14:39:41][SmDsLdapFunctionImpl.cpp:1949][ImproveLDAPConnection]
[12/11/2015][14:39:41.826][25346][2898586480][ Exit ImproveLDAPConnection][14:39:41][ImproveLDAPConnection]
[12/11/2015][14:39:41.826][25346][2898586480][ Enter SearchExts][14:39:41][SmDsLdapFunctionImpl.cpp:3124][SearchExts]
[12/11/2015][14:39:41.827][25346][2898586480][ LDAP search of uniqueMember=cn=AUser50,ou=APSUsers,dc=ca,dc=com took 0 seconds and 700 microseconds][14:39:41][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts]
[12/11/2015][14:39:41.827][25346][2898586480][ Exit SearchExts][14:39:41][SearchExts]
[12/11/2015][14:39:41.827][25346][2898586480][ Ldap SearchCount callout succeeds.][14:39:41][SmDsLdapProvider.cpp:2549][CSmDsLdapProvider::SearchCount][(SearchCount) Base: 'cn=Test2,dc=ca,dc=com', Filter: 'uniqueMember=cn=AUser50,ou=APSUsers,dc=ca,dc=com'. Status: 0 entries]
[12/11/2015][14:39:41.827][25346][2898586480][ Enter GetUserProp][14:39:41][SmDsLdapFunctionImpl.cpp:1097][GetUserProp]
[12/11/2015][14:39:41.827][25346][2898586480][ Enter ImproveLDAPConnection][14:39:41][SmDsLdapFunctionImpl.cpp:1949][ImproveLDAPConnection]
[12/11/2015][14:39:41.827][25346][2898586480][ Exit ImproveLDAPConnection][14:39:41][ImproveLDAPConnection]
[12/11/2015][14:39:41.827][25346][2898586480][ szUserPath << szPropName (cn=Test2,dc=ca,dc=com, memberURL)][14:39:41][SmDsLdapFunctionImpl.cpp:1105][GetUserProp]
[12/11/2015][14:39:41.827][25346][2898586480][ Enter SearchExts][14:39:41][SmDsLdapFunctionImpl.cpp:3124][SearchExts]
[12/11/2015][14:39:41.828][25346][2898586480][ LDAP search of memberURL=* took 0 seconds and 360 microseconds][14:39:41][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts]
[12/11/2015][14:39:41.828][25346][2898586480][ Exit SearchExts][14:39:41][SearchExts]
[12/11/2015][14:39:41.828][25346][2898586480][ Exit GetUserProp][14:39:41][GetUserProp]
[12/11/2015][14:39:41.828][25346][2898586480][ Enter ImproveLDAPConnection][14:39:41][SmDsLdapFunctionImpl.cpp:1949][ImproveLDAPConnection]
[12/11/2015][14:39:41.828][25346][2898586480][ Exit ImproveLDAPConnection][14:39:41][ImproveLDAPConnection]
[12/11/2015][14:39:41.828][25346][2898586480][ search filter is : (&(cn=AUser50)(&(employeenumber=A)))][14:39:41][SmDsLdapProvider.cpp:1729][CSmDsLdapProvider::SearchImpl]
[12/11/2015][14:39:41.828][25346][2898586480][ Enter SearchExts][14:39:41][SmDsLdapFunctionImpl.cpp:3124][SearchExts]
[12/11/2015][14:39:41.829][25346][2898586480][ LDAP search of (&(cn=AUser50)(&(employeenumber=A))) took 0 seconds and 716 microseconds][14:39:41][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts]
[12/11/2015][14:39:41.829][25346][2898586480][Exit SearchExts][14:39:41][SearchExts]
[12/11/2015][14:39:41.829][25346][2898586480][Ldap Search callout succeeds.][14:39:41][SmDsLdapProvider.cpp:2244][CSmDsLdapProvider::Search][(Search) Base: 'ou=APSUsers,dc=ca,dc=com', Filter: '(&(cn=AUser50)(&(employeenumber=A)))'. Status: 1 entries]
[12/11/2015][14:39:41.829][25346][2898586480][Return from call HasRelationship.][14:39:41][SmDsUser.cpp:905][CSmDsUser::ResolvePolicyObject][1]