SiteMinder Policy Server fails to fetch extensionAttribute7 from Active Directory
Article ID: 440974

Products

SITEMINDER

Issue/Introduction

SiteMinder Policy Server is unable to retrieve specific attributes, such as extensionAttribute7, from Active Directory (AD) for inclusion in SAML responses. While standard attributes like cn, sn, mail, and memberOf are retrieved successfully, the custom attribute returns a NULL or empty value.

Environment

Policy Server: All Versions

Cause

The issue typically stems from environment-specific factors rather than SiteMinder product defects. Common causes include:

  • Attribute Value Presence: The attribute exists in the schema but does not contain a value for the specific user being authenticated.
  • LDAP Permissions: The SiteMinder BIND account lacks sufficient permissions to read the attribute, especially if Active Directory hardening (e.g., the Confidentiality Bit) is enabled.
  • Directory Reachability: The LDAP server is not returning the attribute to the Policy Server during the search request.

Resolution

Confirm that extensionAttribute7 has a value for the affected user and that external tools are able to fetch that value successfully.

1. Verify Attribute Value via LDAPSearch

Test whether the attribute is retrievable using standard LDAP tools from the Policy Server host or an AD-connected machine. This confirms whether the issue lies with SiteMinder or with the underlying directory service.

⚠️ Review this command with your administrator before running it.

Command:

```
ldapsearch -h [IP_ADDRESS] -p 389 -D "[BIND_DN]" -w [PASSWORD] -b "[BASE_DN]" -s sub "(sAMAccountName=[USER_ID])" cn extensionAttribute7
```

  • cn is requested as well to confirm that the ldapsearch itself works. If cn returns a value but extensionAttribute7 does not, the directory is not providing the attribute (either the BIND account lacks permission to read it, or the attribute has no value for that user).

2. Check Attribute via PowerShell

On a domain-joined machine, use PowerShell to confirm that the attribute exists in the schema and to inspect its properties.

```powershell
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext -Filter "ldapDisplayName -eq 'extensionAttribute7'" -Properties attributeSyntax, oMSyntax
```

3. Validate BIND Account Permissions

Ensure that the account configured in the SiteMinder User Directory object has Read access to the targeted attribute.

  • If your organization uses the Confidentiality Bit (a search flag in the schema), the BIND account must be granted CONTROL_ACCESS rights to view the attribute.
  • Verify whether any Secure Channel requirements or specific DC security policies restrict access to extended schema attributes.

4. Enable Policy Server Tracing

If LDAP tools return the value but SiteMinder does not, enable SAML Federation traces with the full "LDAP" component and, in the Data section, Query, ReturnValue, Returns, Result and CallDetail to capture more detail about the search the Policy Server issues and what the directory returns.
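As an added example that is not part of this article, the Python below parses the LDIF that ldapsearch prints (step 1) and applies the cn-versus-extensionAttribute7 decision rule above, and it decodes a schema searchFlags value to tell whether the Confidentiality Bit (0x80, the flag that makes CONTROL_ACCESS necessary in step 3) is set. The sample outputs are constructed, not captured from a real directory.

```python
CONFIDENTIAL_FLAG = 0x80  # searchFlags bit 7: attribute is confidential (requires CONTROL_ACCESS)

def parse_ldif(text):
    """Parse ldapsearch LDIF output into a list of {attribute: [values]} dicts."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # LDIF continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():                    # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                # ldapsearch comment lines
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def classify(ldif_text, attr="extensionAttribute7", control="cn"):
    """Apply the article's rule to the first entry (blocks without a dn are ignored)."""
    entries = [e for e in parse_ldif(ldif_text) if "dn" in e]
    if not entries:
        return "no-entry"              # user not found: check base DN, filter and BIND DN
    entry = entries[0]
    if control not in entry:
        return "control-missing"       # not even cn came back: the search itself is broken
    if not any(entry.get(attr, [])):
        return "attribute-withheld"    # directory returned no value: empty or not readable
    return "attribute-returned"

def is_confidential(search_flags):
    """True when the schema searchFlags value has the Confidentiality Bit set."""
    return bool(int(search_flags) & CONFIDENTIAL_FLAG)

# Constructed sample outputs in the shape ldapsearch prints (not from a real directory).
SAMPLE_OK = """dn: CN=Jane Doe,OU=Users,DC=example,DC=com
cn: Jane Doe
extensionAttribute7: contractor

# search result
result: 0 Success
"""
SAMPLE_WITHHELD = SAMPLE_OK.replace("extensionAttribute7: contractor\n", "")
```

A result of "attribute-withheld" for the affected user points at step 3 (permissions, or an empty attribute), while "attribute-returned" from ldapsearch but an empty SAML assertion points at step 4.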