SiteMinder : Unable to get data from identity mapping for a SAML Federation via API Gateway.

Article ID: 425876

Products

SITEMINDER

Issue/Introduction

Issue Description

The customer uses SAML federation for an application that must be accessible only to users holding a particular role. SiteMinder is the IdP and the application acts as the SAML SP.
 
The user's role is stored in an ODBC-based authorization directory that is mapped to the authentication (identification) directory, and the role is already passed successfully to the SP as an attribute (claim) in the SAML assertion.
 
The customer does not want an unauthorized user to be able to initiate the federation (SP-initiated, for users arriving from the internet) or to see the application in the internal portal (IdP-initiated). If an unauthorized user can nevertheless initiate the federation, the customer wants to block it at the IdP level rather than let the user proceed and reach the application.
 

Cause

 
In addition, the customer cannot change the protection applied to the redirect.jsp page, because this is an API-driven flow in which the Layer7 API Gateway makes the requests. The customer also stated that the Layer7 API Gateway cannot connect to the ODBC authorization store.

Resolution

Suggested Workaround Solution
 
The proposed workaround, which the customer appears to accept, is for the Layer7 API Gateway to call the SiteMinder Authorization APIs (SOAP or REST) to determine whether the user holds the required role before the federation is initiated. SiteMinder evaluates the role against the ODBC authorization directory as part of its own policy decision, so the Gateway needs no direct connection to that store, and an unauthorized user is stopped before the federation starts.
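To illustrate the gateway side of this workaround, the following Python model is an added example; it is not from this article or from Broadcom. It assumes a hypothetical JSON authorization endpoint and reply format (`AUTHZ_URL`, `{"authorized": true|false}`), a hypothetical federation initiation URL, and an injected transport so that it runs offline; the real SiteMinder Authorization web service URL and message format must be taken from the product documentation. The points it demonstrates are that the user identity sent to SiteMinder comes from the authenticated session, not from a client parameter, and that any failure of the authorization call is treated as a denial.

```python
"""Gateway-side role check before starting a SiteMinder federation.

Added example (not from the KB article or from Broadcom). The gateway asks
SiteMinder whether the session user is authorized for a resource that stands
for "may use this federation"; SiteMinder evaluates the role held in the ODBC
authorization directory, so the gateway never touches that store itself.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional
from urllib.parse import urlencode

# Hypothetical URLs: replace with the real Authorization web service and
# federation initiation endpoints from the SiteMinder documentation.
AUTHZ_URL = "https://sm-webservice.example/authz/isAuthorized"
FEDERATION_SSO_URL = "https://idp.example/affwebservices/public/saml2sso"

# A transport takes (url, json_body) and returns (status_code, body_text).
# Production code would use an HTTP client; here it is injected so the
# example runs offline.
Transport = Callable[[str, Dict], tuple]


@dataclass
class Decision:
    allowed: bool
    reason: str
    redirect_to: Optional[str] = None


def ask_siteminder(transport: Transport, user: str, resource: str) -> bool:
    """Return True only if SiteMinder explicitly authorizes `user` for `resource`.

    Transport errors, non-200 replies and unparseable bodies all return False:
    the check fails closed so an outage never opens the federation.
    """
    body = {"user": user, "resource": resource, "action": "GET"}  # assumed message shape
    try:
        status, text = transport(AUTHZ_URL, body)
    except Exception:
        return False
    if status != 200:
        return False
    try:
        reply = json.loads(text)
    except ValueError:
        return False
    return reply.get("authorized") is True


def gate_federation(transport: Transport, session_user: Optional[str], sp_id: str) -> Decision:
    """Decide whether the gateway may start the IdP-initiated federation for sp_id.

    `session_user` must come from the authenticated SiteMinder session, never
    from a client-supplied parameter; otherwise a caller could name a user who
    does hold the role.
    """
    if not session_user:
        return Decision(False, "no authenticated session")
    resource = f"/federation/{sp_id}"  # assumed: one protected resource per SP
    if not ask_siteminder(transport, session_user, resource):
        return Decision(False, f"{session_user} lacks the role required for {sp_id}")
    url = FEDERATION_SSO_URL + "?" + urlencode({"SPID": sp_id})
    return Decision(True, "authorized", redirect_to=url)


# Constructed stand-in for SiteMinder so the example runs offline.
ROLE_HOLDERS = {"alice"}  # constructed: users whose ODBC role satisfies the policy


def fake_siteminder(url: str, body: Dict) -> tuple:
    if body["user"] == "outage":
        raise ConnectionError("policy server unreachable")  # simulated outage
    return 200, json.dumps({"authorized": body["user"] in ROLE_HOLDERS})


if __name__ == "__main__":
    for user in ("alice", "bob", "outage", None):
        d = gate_federation(fake_siteminder, user, "https://sp.example/saml")
        print(user, "->", "ALLOW" if d.allowed else "DENY", d.reason, d.redirect_to or "")
```

Only "alice" is redirected to the federation endpoint; "bob" (no role), the simulated policy-server outage and a request without a session are all denied before any SAML exchange begins.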