Claim as attribute of an authorization group in OIDC Authorization Provider CA Access Gateway (SPS)
Article ID: 423100


Products

  • SITEMINDER
  • CA Single Sign On Secure Proxy Server (SiteMinder)
  • CA Single Sign On Federation (SiteMinder)
  • CA Single Sign-On

Issue/Introduction

In AdminUI, an OIDC Authorization Provider has been configured with a Group as the user filter for authorization:

Select User Filters: X

OIDC Users

| Directory        | User Class | User Name / Filter By             |
|------------------+------------+-----------------------------------|
| <user_directory> | Group      | cn=<ldap_group>,dc=example,dc=com |

How can a claim be specified whose value is derived from an attribute of the LDAP directory, such as the user's membership in that group?

Resolution

Add a custom attribute to the User Directory definition, build its value with an Expression, and then reference that custom attribute in the claim that needs it.

To illustrate, the goal is the following rule:

If <user> is a member of <ldap_group>, then the claim <claim> carries the value <claim-value>.

The user

cn=<user>,dc=example,dc=com

is a member of the group

cn=<ldap_group>,dc=example,dc=com

whose entry lists the user in its uniqueMember attribute:

uniqueMember=cn=<user>,dc=example,dc=com

Policy Server traces show the membership lookup (a SearchCount against the group entry with a uniqueMember filter, returning 1 entry) followed by the generated ID token claims, which include <claim>=<claim-value>:

[12/10/2025][11:26:00.057][11:26:00][3252][140315709142784][SmDsLdapProvider.cpp:2763][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=<ldap_group>,dc=example,dc=com', Filter: 'uniqueMember=cn=<user>,dc=example,dc=com'. Status: 1 entries][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][SMTRACELOG]
[12/10/2025][11:28:07.972][11:28:07][3252][140315709142784][IDTokenGenerator.java][generateJWT][][][][][][][][][][][][][][][][][][][][][Generated Claims : {sub=cn=<user>,dc=example,dc=com, jti=<jti>, sid=<sid>, iat=Wed Dec 10 11:28:07 UTC 2025, auth_time=Wed Dec 10 11:28:06 UTC 2025, exp=Wed Dec 10 11:33:07 UTC 2025, iss=https://sps.example.net/affwebservices/CASSO/oidc/wa.example.net, aud=[<aud>], nonce=<nonce>, at_hash=<at_hast>, SessionToken=<sessiontokenvalue>, <claim>=<claim-value>, givenName=<user_givenname>, email=<user>@example.com}][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][SMTRACELOG]

The configuration:

  • User Directory:
    Attribute Mapping List
    Name       <anotherattribute>
    Expression x   (the Expression option is selected)
    Definition (SM_USERGROUPS) ~= "cn=<ldap_group>,dc=example,dc=com" ? "<claim-value>" : "NO"
    SM_USERGROUPS holds the groups the user belongs to; the expression yields <claim-value> when the group DN matches and "NO" otherwise.
  • Authorization Provider:
    Claims Mapping
      <claim> <anotherattribute>
    Scope Mapping
      <claimscope> <claim>
  • Client:
    Scopes:  <claimscope>

With this in place, define any other custom attributes the same way, or extend the expressions further; see Examples of Expressions (1) and Operators (2) under Additional Information.
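The quickest way to confirm the configuration above is to read the two Policy Server trace lines together: the SearchCount line tells whether the group lookup found the user, and the generateJWT line tells what value the claim actually received. The script below is an added example, not part of this article or of the product, that parses both lines and checks they agree with the expression's logic (group member gives <claim-value>, otherwise "NO"). The trace excerpts are constructed in the SMTRACELOG format shown above; the names alice, bob, cn=admins, the claim role and the value admin are made up.

```python
"""Replay the SM_USERGROUPS expression against Policy Server trace lines.
Added example; trace excerpts are constructed, names are made up."""
import re
from typing import Dict, List

# Constructed trace excerpts in the SMTRACELOG layout shown in the article.
# alice is a member of cn=admins, bob is not and must get the fallback "NO".
SAMPLE_TRACE_MEMBER = (
    "[12/10/2025][11:26:00.057][11:26:00][3252][140315709142784]"
    "[SmDsLdapProvider.cpp:2763][CSmDsLdapProvider::SearchCount][][]"
    "[(SearchCount) Base: 'cn=admins,dc=example,dc=com', "
    "Filter: 'uniqueMember=cn=alice,dc=example,dc=com'. Status: 1 entries]"
    "[][Ldap SearchCount callout succeeds.][][SMTRACELOG]\n"
    "[12/10/2025][11:28:07.972][11:28:07][3252][140315709142784]"
    "[IDTokenGenerator.java][generateJWT][][][Generated Claims : "
    "{sub=cn=alice,dc=example,dc=com, jti=abc123, "
    "iat=Wed Dec 10 11:28:07 UTC 2025, "
    "iss=https://sps.example.net/affwebservices/CASSO/oidc/wa.example.net, "
    "aud=[client1, client2], role=admin, email=alice@example.com}][][SMTRACELOG]\n"
)
SAMPLE_TRACE_NON_MEMBER = (
    "[12/10/2025][11:40:00.100][11:40:00][3252][140315709142784]"
    "[SmDsLdapProvider.cpp:2763][CSmDsLdapProvider::SearchCount][][]"
    "[(SearchCount) Base: 'cn=admins,dc=example,dc=com', "
    "Filter: 'uniqueMember=cn=bob,dc=example,dc=com'. Status: 0 entries]"
    "[][Ldap SearchCount callout succeeds.][][SMTRACELOG]\n"
    "[12/10/2025][11:40:01.200][11:40:01][3252][140315709142784]"
    "[IDTokenGenerator.java][generateJWT][][][Generated Claims : "
    "{sub=cn=bob,dc=example,dc=com, aud=[client1], role=NO, "
    "email=bob@example.com}][][SMTRACELOG]\n"
)

SEARCH_RE = re.compile(
    r"\(SearchCount\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>[^']*)'\. "
    r"Status: (?P<count>\d+) entries"
)
CLAIMS_RE = re.compile(r"Generated Claims : \{(?P<body>.*)\}\]")


def split_top_level(body: str) -> List[str]:
    """Split 'k=v, k=v, aud=[a, b]' at ', ' only outside square brackets.
    DN values contain commas with no following space, so they stay intact."""
    parts: List[str] = []
    depth = start = i = 0
    while i < len(body):
        ch = body[i]
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch == "," and depth == 0 and body.startswith(", ", i):
            parts.append(body[start:i])
            i += 2
            start = i
            continue
        i += 1
    parts.append(body[start:])
    return [p for p in parts if p]


def parse_claims(line: str) -> Dict[str, str]:
    """Turn the 'Generated Claims : {...}' map into a dict (split at first '=')."""
    m = CLAIMS_RE.search(line)
    if not m:
        raise ValueError("no 'Generated Claims' map in line")
    claims: Dict[str, str] = {}
    for item in split_top_level(m.group("body")):
        key, _, value = item.partition("=")
        claims[key.strip()] = value.strip()
    return claims


def parse_search_count(line: str) -> Dict[str, object]:
    """Extract base DN, filter and entry count from a SearchCount trace line."""
    m = SEARCH_RE.search(line)
    if not m:
        raise ValueError("no SearchCount entry in line")
    return {"base": m["base"], "filter": m["filter"], "count": int(m["count"])}


def check_group_claim(trace: str, group_dn: str, user_dn: str, claim: str,
                      claim_value: str, fallback: str = "NO") -> Dict[str, object]:
    """Membership comes from the SearchCount line (base = group DN, filter =
    uniqueMember=<user DN>, count >= 1); the actual claim from the last
    generateJWT line. 'consistent' is True when they agree with the expression."""
    lines = trace.splitlines()
    searches = [parse_search_count(l) for l in lines if "(SearchCount)" in l]
    member = any(s["base"] == group_dn and s["filter"] == f"uniqueMember={user_dn}"
                 and s["count"] >= 1 for s in searches)
    claim_lines = [l for l in lines if "Generated Claims" in l]
    if not claim_lines:
        raise ValueError("no ID token generation found in trace")
    claims = parse_claims(claim_lines[-1])
    expected = claim_value if member else fallback
    return {"member": member, "expected": expected, "actual": claims.get(claim),
            "consistent": claims.get(claim) == expected, "claims": claims}


if __name__ == "__main__":
    for trace, user in ((SAMPLE_TRACE_MEMBER, "cn=alice,dc=example,dc=com"),
                        (SAMPLE_TRACE_NON_MEMBER, "cn=bob,dc=example,dc=com")):
        r = check_group_claim(trace, "cn=admins,dc=example,dc=com", user, "role", "admin")
        print(user, "member" if r["member"] else "not a member",
              "| claim role =", r["actual"], "| OK" if r["consistent"] else "| MISMATCH")
```

Feed it the relevant lines of the real trace and the group DN, user DN and claim name from your configuration; a MISMATCH with member True usually means the Claims Mapping or Scope Mapping does not reference the custom attribute, while member False with a claim value other than "NO" points at the expression in the attribute definition.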

Additional Information

  1. Examples of Expressions

  2. Operators