According to the product documentation, we cannot map OIDC claims to session variables other than SM_USERGROUPS, SM_USERNESTEDGROUPS and SM_AUTHENTICATIONLEVEL.
As per the documentation below, we support the following SiteMinder-generated attributes for mapping claims with a user directory attribute:
- SM_USERGROUPS
- SM_USERNESTEDGROUPS
From Release 12.8.04, we can specify SM_AUTHENTICATIONLEVEL too.
- Document reference:
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/openid-connect-provider-reference/authorization-provider-dialog.html
We would like to know if there are any plans to expand support for mapping to any session variables (those that can be extracted/referenced via SM_SESSIONCTXVAR) in the future.
Release: 12.8 SP7 (the attached PATCH is only applicable to the 12.8 SP7 release)
For other releases, please open a support ticket and request the PATCH.
Component: Federation Manager
Kindly find the information below.
Please find attached the PATCH that allows session variables to be included in OIDC claims.
- Attachment: DE610862_OIDC.zip
Please follow the steps below to deploy the patch.
--------------------
- Stop Policy Server
- Back up the existing file, then copy the patched binary into the <Siteminder>/bin folder.
- Start Policy Server
------------------------
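The backup-and-copy step above as a script, an added example that is not part of this article or of the patch: it checks the patched binary's hash before installing it, keeps a timestamped backup for rollback, and replaces the file atomically. The binary name, the bin directory and the expected SHA-256 are assumptions supplied by the caller; the Policy Server stop/start commands are site-specific and are left outside the functions.

```shell
#!/bin/sh
# Added example, not Broadcom's code. Stop the Policy Server before calling
# deploy_patch and start it again afterwards (first and last steps above).
set -eu

# Portable SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# deploy_patch <patched-binary> <expected-sha256> <siteminder-bin-dir>
# Refuses to install if the hash does not match (nothing is changed).
# On success prints the path of the backup it created, for rollback_patch.
deploy_patch() {
  patched="$1"; expected="$2"; bindir="$3"
  name=$(basename "$patched")
  actual=$(file_sha256 "$patched")
  if [ "$actual" != "$expected" ]; then
    echo "hash mismatch for $name: got $actual, expected $expected" >&2
    return 1
  fi
  stamp=$(date +%Y%m%d%H%M%S)
  backup="$bindir/$name.bak.$stamp"
  if [ -f "$bindir/$name" ]; then
    cp -p "$bindir/$name" "$backup"       # preserve mode/timestamps
  fi
  # Copy under a temporary name, then rename: a partial copy never
  # replaces the live binary.
  cp "$patched" "$bindir/$name.tmp.$$"
  chmod 755 "$bindir/$name.tmp.$$"
  mv -f "$bindir/$name.tmp.$$" "$bindir/$name"
  echo "$backup"
}

# rollback_patch <backup-path>: restore the file deploy_patch backed up.
rollback_patch() {
  backup="$1"
  target="${backup%.bak.*}"
  cp -p "$backup" "$target"
}
```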
- After deploying the PATCH, the customer needs to follow the steps below to meet the use-case requirement.
This requirement can be implemented by configuring session variables, retrieved via SM_SESSIONCTXVAR, and mapping them to the required additional attributes. Refer to the snippets below; instead of the expression shown, customers can configure any other additional attributes they require.
- Snippets for reference: