Cannot see user groups in HTTP headers

Article ID: 4578

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

When configuring the default SiteMinder variables %SM_USERGROUPS or %SM_USERNESTEDGROUPS, the value returned is empty. What could be the problem?

Environment

Policy Server 12.52SP1 on Windows 2008 R2
Web Agent 12.52SP1 on Windows 2008 R2 / IIS 7.5

Resolution

Check the LDAP search performed when the response is evaluated. The query and its results appear in the Policy Server traces (with all components and data enabled) during the authorization stage, when the response is evaluated:

[Start of call GetGroups.][SmDsUser.cpp:313][CSmDsUser::GetGroups][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][User ='cn=u1,dc=ca,dc=com'][][][][][][][][][]

[search filter is : (|(&(objectclass=groupOfNames)(member=cn=u1,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=ca,dc=com))(&(objectclass=group)(member=cn=u1,dc=ca,dc=com)))][SmDsLdapProvider.cpp:1783][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[LDAP search of (|(&(objectclass=groupOfNames)(member=cn=u1,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=ca,dc=com))(&(objectclass=group)(member=cn=u1,dc=ca,dc=com))) took 0 seconds and 15600 microseconds][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2311][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=pstore,dc=com', Filter: '(|(&(objectclass=groupOfNames)(member=cn=u1,dc=pstore,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=pstore,dc=com))(&(objectclass=group)(member=cn=u1,dc=pstore,dc=com)))'. Status: 2 entries][][][][][][][][][]


The LDAP result shows how many groups are associated with the user. If it returns no entries, run the same query from an external LDAP client to determine whether the cause is an incorrect RootDN (base DN) in the User Directory definition.
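The following is an added example, not code from the article or from the product: it replays the group lookup the trace shows (the same three-branch filter, evaluated under a search base) against a constructed in-memory directory, so that a RootDN that hides the groups can be told apart from a user who belongs to no group. The entry DNs, group names and the diagnose() wording are assumptions for illustration.

```python
# Added example (not CA/Broadcom code): replays the group lookup from the Policy
# Server trace against a constructed in-memory directory, to tell a RootDN that
# hides the groups apart from a user that belongs to no group.
def normalize_dn(dn: str) -> str:
    """Case-fold and strip whitespace around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def build_group_filter(user_dn: str) -> str:
    """The three-branch filter seen in the SmDsLdapProvider.cpp trace line."""
    return (
        f"(|(&(objectclass=groupOfNames)(member={user_dn}))"
        f"(&(objectclass=groupOfUniqueNames)(uniqueMember={user_dn}))"
        f"(&(objectclass=group)(member={user_dn})))"
    )

def dn_under_base(dn: str, base_dn: str) -> bool:
    """True when dn is base_dn itself or sits beneath it (empty base = root)."""
    n_dn, n_base = normalize_dn(dn), normalize_dn(base_dn)
    return not n_base or n_dn == n_base or n_dn.endswith("," + n_base)

def find_groups(entries: list, base_dn: str, user_dn: str) -> list:
    """Apply the filter's three branches to entries in the base_dn subtree."""
    user, hits = normalize_dn(user_dn), []
    for e in entries:
        if not dn_under_base(e["dn"], base_dn):
            continue
        oc = {c.lower() for c in e.get("objectClass", [])}
        member = {normalize_dn(m) for m in e.get("member", [])}
        unique = {normalize_dn(m) for m in e.get("uniqueMember", [])}
        if (("groupofnames" in oc or "group" in oc) and user in member) or \
           ("groupofuniquenames" in oc and user in unique):
            hits.append(e["dn"])
    return hits

# Constructed sample directory: two groups under dc=ca,dc=com list u1.
DIRECTORY = [
    {"dn": "cn=admins,dc=ca,dc=com", "objectClass": ["groupOfNames"],
     "member": ["cn=u1,dc=ca,dc=com"]},
    {"dn": "cn=staff,dc=ca,dc=com", "objectClass": ["groupOfUniqueNames"],
     "uniqueMember": ["CN=U1, DC=CA, DC=COM"]},
]
def diagnose(entries: list, base_dn: str, user_dn: str) -> str:
    """Mimic the trace's 'Status: N entries' and flag a base DN hiding groups."""
    under_base = find_groups(entries, base_dn, user_dn)
    if under_base:
        return f"Status: {len(under_base)} entries"
    if find_groups(entries, "", user_dn):
        return f"Status: 0 entries: matching groups exist outside '{base_dn}', check the RootDN"
    return "Status: 0 entries: no group lists this user as a member"
```

Running diagnose() with the base from the trace that differs from the user's tree (dc=pstore,dc=com versus dc=ca,dc=com) returns the RootDN hint, while the matching base reports two entries.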

Additional Information

To use the default SiteMinder variables %SM_USERGROUPS or %SM_USERNESTEDGROUPS, see:

Generated User Attributes
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/configuring/policy-server-configuration/responses-and-response-groups/generated-user-attributes.html

Use those variables in a response, for example:

WebAgent-HTTP-Header-Variable, SM_PROFILE=<% userattr="SM_USERNESTEDGROUPS" %>


To test responses and policies on Windows Server, you can use the SiteMinder Test Tool (installed with the Policy Server/SDK on Windows):

Start and Configure the Test Tool
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8/using/test-tool/start-and-configure-the-test-tool.html