How can we configure Siteminder to authorize a user based on an attribute
value?
To illustrate, if user A has the attribute "type=supplier", the user should be
authorized. If the same user A has a value in attribute "type"
different from "supplier", the user should not be authorized.
How can we do this?
**** Solution 1 --> Applies to User Policy Authorization
1) From the Adminui, under User Policy, choose "Add Entry" to
customize the "Search Users" expression that will be used for
authorization.
Add Entry:
Opens the LDAP Search Expression Editor dialog, where you can use
an LDAP search expression to locate users to associate with a
policy.
For example, you can use an expression such as
(&(cn=Eric)(type=supplier))
The above searches the directory for the user whose cn is Eric and, if
found, also verifies that the attribute type=supplier. If so, the user is
authorized; if not, the user is rejected.
**** Solution 2 --> Applies to Legacy Federation
1) From the Adminui, edit the SAML Service Provider in question and,
from the Users tab, choose "Add Entry" to customize the
"Search Users" expression that will be used for authorization.
Add Entry:
Opens the User Directory Search Expression Editor. The User
Directory Search Expression Editor lets you use search expressions
to locate users for authentication so the asserting party can
generate assertions. Search expressions can bind users to a policy
based on attributes that appear in user, group, and organization
profiles.
For example, you can use an expression such as
(&(cn=Eric)(type=supplier))
The above searches the directory for the user whose cn is Eric and, if
found, also verifies that the attribute type=supplier. If so, the user is
authorized; if not, the user is rejected.
**** Solution 3 --> Applies to Partnership Federation
1) Edit the partnership in question;
2) Go to the "Federation Users" tab and select "Filter Any" from the
"User Class" drop-down list
Filter Any:
LDAP filter. The current user gets authorized if they match the
filter.
3) Examples are listed below (for additional details, click the Help
button in the upper right corner of your Adminui to open the manual
on how to use the available options);
Example 1: To authorize users with a department of "CA Support",
enter: department=CA Support
Example 2: To authorize users who are members of the group
"Administrators" and have a department number of "123" or "789",
enter:
(&(memberof=cn=Administrators,ou=Groups,dc=example,dc=com)(|(departmentNumber=123)(departmentNumber=789)))
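The three solutions above all come down to an LDAP filter that the user entry must match. The following evaluator is an added example, not CA or Siteminder code: it parses filters of the form used above (&, |, ! and attr=value) and evaluates them against sample user entries, so you can check which users a filter authorizes and which it rejects before deploying it. The sample users and their attribute values are constructed for the example; comparison is case-insensitive throughout, whereas a real directory applies per-attribute matching rules.

```python
def parse_filter(text):
    """Parse an RFC 4515-style filter (&, |, !, attr=value) into a tuple tree."""
    text = text.strip()
    if not text.startswith("("):       # bare "attr=value", as in Example 1
        text = f"({text})"
    pos = 0

    def parse():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":         # compound node: (&(...)(...))
            op, children, pos = text[pos], [], pos + 1
            while pos < len(text) and text[pos] == "(":
                children.append(parse())
            node = (op, children)
        else:                          # equality node: (attr=value)
            end = text.index(")", pos)
            attr, _, value = text[pos:end].partition("=")
            node, pos = ("=", attr.strip().lower(), value.strip()), end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    return parse()


def matches(node, entry):
    """Evaluate a parsed filter against an entry of the form {attr: [values]}."""
    if node[0] == "=":
        values = entry.get(node[1], [])   # attribute absent -> no match
        return any(v.lower() == node[2].lower() for v in values)
    results = [matches(child, entry) for child in node[1]]
    if node[0] == "&":
        return all(results)
    return any(results) if node[0] == "|" else not results[0]


def is_authorized(filter_text, user):
    """True when the user's attributes satisfy the filter (case-insensitive)."""
    entry = {k.lower(): v if isinstance(v, list) else [v] for k, v in user.items()}
    return matches(parse_filter(filter_text), entry)


# Constructed sample users, not from the original article.
ERIC_SUPPLIER = {"cn": "Eric", "type": "supplier"}
ERIC_PARTNER = {"cn": "Eric", "type": "partner"}
ADMIN_789 = {"cn": "Kim", "departmentNumber": "789",
             "memberOf": ["cn=Administrators,ou=Groups,dc=example,dc=com"]}
EXAMPLE_2 = ("(&(memberof=cn=Administrators,ou=Groups,dc=example,dc=com)"
             "(|(departmentNumber=123)(departmentNumber=789)))")
```

A user whose "type" attribute is anything other than supplier, or who lacks the attribute entirely, fails the first filter, which is the behaviour the question asks for.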