Attribute based access Authorization

Article Id: 40097
Status: Published
Updated On: 14-02-2018 07:36
Legacy Id: TEC1928817
Products:
CA Single Sign On Secure Proxy Server (SiteMinder) , AXIOMATICS POLICY SERVER , CA Single Sign On SOA Security Manager (SiteMinder) , CA Single Sign-On , CA Single Sign-On
Issue/Introduction:

Issue/Problem/Symptoms: 

How to configure Siteminder to Authorize user based on an Attribute value.

For example ,if user A has attribute "type=supplier" ,it should be Authorized . If the same user A has a value in attribute "type" different then supplier, the user should not be Authorized.

Environment:  

N/A

Cause: 

N/A

Resolution/Workaround:

**** Solution 1 --> Applies for User Policy Authorization 

1) From the Adminui ,under User Policy ,you can choose the "Add Entry" where you can customize the "search Users" to be used for Authorization . 

Add Entry:

Opens the LDAP Search Expression Editor dialog, where you can use an LDAP search expression to locate users to associate with a policy.

For example ,you can have an Expression such as (&(cn=Eric)(type=supplier)) 

The above will search for Kevin in the directory and if found ,it will also verify if attribute type=supplier . If yes ,user will be Authorized ,if not ,user will be rejected . 

 

**** Solution 2 --> Applies for Legacy Federation 

1) From the Adminui ,Edit the SAML Service Provider  in question and from the User tab ,you can choose the "Add Entry" where you can customize the "search Users" to be used for Authorization . 

Add Entry: 

Opens the User Directory Search Expression Editor. The User Directory Search Expression Editor lets you use search expressions to locate users for authentication so the asserting party can generate assertions. Search expressions can bind users to a policy based on attributes that appear in user, group, and organization profiles.

For example ,you can have an Expression such as (&(cn=Eric)(type=supplier)) 

The above will search for Kevin in the directory and if found ,it will also verify if attribute type=supplier . If yes ,user will be Authorized ,if not ,user will be rejected . 

 

**** Solution 3 --> Applies for Partnership Federation 

1) Edit the partnership In question

2) Go under "Federation Users" tab and select "Filter Any" from the "User Class" drop down

Filter Any:

LDAP filter. The current user gets authorized if they match the filter.

3) Examples listed below (For additional details ,click on the help button in the upper right corner of your Adminui to open the manual on how to use the available options)

Filter Any LDAP filter. The current user gets authorized if they match the filter.

Example 1: To authorize users with a department of "CA Support", enter: department=CA Support

Example 2: To authorize users who are members of the group "Administrators" and have a department number of "123" or "789", enter: (&(memberof=cn=Administrators,ou=Groups,dc=example,dc=com)(|(departmentNumber=123)(departmentNumber=789))) 

 

Additional Information:

For additional details ,click on the help button in the upper right corner of your Adminui to open the manual on how to use the available options

 

Environment:

Release: SOASMU99000-12.5-SOA Security Manager-Upgrade
Component: