Attribute-based Access Authorization


Article ID: 40097

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

 

How can we configure SiteMinder to authorize a user based on an attribute
value?

To illustrate, if user A has the attribute "type=supplier", the user
should be authorized. If the same user A has a value in attribute "type"
different from supplier, the user should not be authorized.

How can we do this?

 

Resolution

 

**** Solution 1 --> Applies for User Policy Authorization 

1) From the AdminUI, under User Policy, choose "Add Entry" to customize
   the "Search Users" expression that is used for authorization.

   Add Entry:

   Opens the LDAP Search Expression Editor dialog, where you can use
   an LDAP search expression to locate the users to associate with a
   policy.

   For example, you can use an expression such as
   (&(cn=Eric)(type=supplier))

   This filter searches the directory for the entry whose cn is Eric
   and, for that same entry, requires that the attribute type equals
   supplier. Only if both conditions hold is the user authorized;
   otherwise the user is rejected.

**** Solution 2 --> Applies for Legacy Federation 

1) From the AdminUI, edit the SAML Service Provider in question and,
   from the Users tab, choose "Add Entry" to customize the "Search
   Users" expression that is used for authorization.

   Add Entry:

   Opens the User Directory Search Expression Editor. The User
   Directory Search Expression Editor lets you use search expressions
   to locate users for authentication so the asserting party can
   generate assertions. Search expressions can bind users to a policy
   based on attributes that appear in user, group, and organization
   profiles.

   For example, you can use an expression such as
   (&(cn=Eric)(type=supplier))

   This filter searches the directory for the entry whose cn is Eric
   and, for that same entry, requires that the attribute type equals
   supplier. Only if both conditions hold is the user authorized;
   otherwise the user is rejected.

**** Solution 3 --> Applies for Partnership Federation 

1) Edit the partnership in question.

2) Go to the "Federation Users" tab and select "Filter Any" from the
   "User Class" drop-down.

   Filter Any:

   LDAP filter. The current user gets authorized if they match the
   filter.

3) Examples are listed below. For additional details, click the Help
   button in the upper right corner of the AdminUI to open the manual
   section on the available options.


   Example 1: To authorize users with a department of "CA Support",
   enter:
   department=CA Support

   Example 2: To authorize users who are members of the group
   "Administrators" and have a department number of "123" or "789",
   enter:
   (&(memberof=cn=Administrators,ou=Groups,dc=example,dc=com)(|(departmentNumber=123)(departmentNumber=789)))
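To check how a "Filter Any" or "Search Users" expression will decide authorization before putting it into a policy, the following added example (not part of this article or of SiteMinder itself) evaluates the three filters above against constructed directory entries. It implements only the subset of RFC 4515 these filters use: &, |, !, equality and presence (attr=*); the entries and the user names Eric and Kim are assumed sample data.

```python
"""Offline evaluator for simple LDAP authorization filters (RFC 4515 subset:
&, |, !, attr=value, attr=*). Substring and extensible matching are not
supported. Sample entries are constructed for this example."""


def parse_filter(s, pos=0):
    """Parse one parenthesised filter at s[pos]; return (node, next_pos)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos}")
    pos += 1
    op = s[pos]
    if op in "&|!":
        pos += 1
        children = []
        while s[pos] == "(":
            child, pos = parse_filter(s, pos)
            children.append(child)
        node = (op, children)
    else:
        end = s.index(")", pos)
        # First '=' separates attribute from value, so DN values such as
        # memberof=cn=Administrators,ou=Groups,dc=example,dc=com survive.
        attr, _, value = s[pos:end].partition("=")
        node = ("=", attr.strip().lower(), value)
        pos = end
    if s[pos] != ")":
        raise ValueError(f"expected ')' at {pos}")
    return node, pos + 1


def matches(node, entry):
    """Evaluate a parsed filter against {attr: [values]}; case-insensitive."""
    op, *rest = node
    if op == "&":
        return all(matches(c, entry) for c in rest[0])
    if op == "|":
        return any(matches(c, entry) for c in rest[0])
    if op == "!":
        return not matches(rest[0][0], entry)
    attr, value = rest
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)  # presence test
    return any(v.lower() == value.lower() for v in values)


def is_authorized(ldap_filter, entry):
    """True if the entry satisfies the filter, as 'Filter Any' would decide."""
    if not ldap_filter.startswith("("):
        ldap_filter = f"({ldap_filter})"  # bare 'department=CA Support' form
    node, end = parse_filter(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("trailing characters after filter")
    return matches(node, {k.lower(): list(v) for k, v in entry.items()})


# Constructed sample entries (attribute name -> list of values)
ERIC_SUPPLIER = {"cn": ["Eric"], "type": ["supplier"], "department": ["CA Support"]}
ERIC_CUSTOMER = {"cn": ["Eric"], "type": ["customer"]}
KIM_ADMIN_789 = {"cn": ["Kim"], "departmentNumber": ["789"],
                 "memberOf": ["cn=Administrators,ou=Groups,dc=example,dc=com"]}
ADMIN_FILTER = ("(&(memberof=cn=Administrators,ou=Groups,dc=example,dc=com)"
                "(|(departmentNumber=123)(departmentNumber=789)))")
```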