This article demonstrates how to configure a SiteMinder Authorization Provider to send the userDN as the "sub" claim value.
R12.8.x
R12.9.x
AD is used as User Directory.
Log on to the AdminUI and go to Federation --> OpenID Connect --> Authorization Provider.
Authorization Provider in this demo is "sample-azprovider".
Click "View/Edit" in the dropdown menu and scroll all the way down to find "Mappings" section.
By default, "openid" scope is used.
Under Claim Name, a "sub" claim is created and associated with a user attribute name that returns the userDN.
In this demo, a virtual attribute called "nameid2" is used instead.
As long as this "sub" claim is associated with a scope that the Client requests, "sub" : "{userDN}" will be sent.
If only one User Directory is used for this OIDC Federation, you can map the actual user attribute directly to "sub".
If multiple User Directories are used, configure a virtual attribute instead (the same virtual attribute name must be used in every User Directory), such as "nameid2", and configure it as an alias to the actual userDN attribute in each directory.
Following is "IDP1-AD-Sample-Userstore" which is used for the OIDC Federation.
In it, the "nameid2" virtual attribute is an alias for the "distinguishedName" attribute in AD.
In the following sample OIDC Client, "openid" scope is selected by default.
When the user authenticates and performs SSO to the OIDC Client Application, the userDN value is set in "sub".
Copy the Access_Token value and paste it into https://jwt.io to decode the token and confirm that it contains "sub" : "{UserDN}".
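As an added example (not part of the original article or of SiteMinder), the same check can be done offline, so the token never has to be pasted into a third-party site. The script below builds a JWT-shaped string from constructed sample claims, base64url-decodes the payload segment, and checks that "sub" looks like an LDAP DN. The issuer, client id and DN are assumptions for the demo; the signature segment is a placeholder and is not verified.

```python
import base64
import json

# Constructed sample claims for the demo; not a token issued by SiteMinder.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",          # assumed issuer
    "sub": "CN=jdoe,OU=Users,DC=example,DC=com",  # assumed userDN mapped to "sub"
    "aud": "sample-client",                    # assumed OIDC client id
    "scope": "openid",
}


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_unsigned_sample_token(claims: dict) -> str:
    """Build header.payload.signature for the demo; the signature is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a JWT. This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments: header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def sub_is_user_dn(claims: dict) -> bool:
    """True when 'sub' is a comma-separated list of attr=value RDNs (e.g. CN=...,DC=...)."""
    sub = claims.get("sub", "")
    if not sub:
        return False
    rdns = [r.strip() for r in sub.split(",")]
    return all("=" in r and r.split("=", 1)[0].strip() for r in rdns)


if __name__ == "__main__":
    token = build_unsigned_sample_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    print("sub =", claims["sub"])
    print("looks like a DN:", sub_is_user_dn(claims))
```

To inspect a real Access_Token, pass its string to decode_claims() instead of the constructed one. Because decode_claims() only decodes, validate the signature against the Authorization Provider's signing key before trusting any claim in production.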