We have created an application in Siteminder protecting a resource and have LDAP as the user directory. In this LDAP UD, each user has a multivalued attribute called "initials" where we have values "a", "b" and "c".
We want to create a Role in this application to allow only users with the attribute "initials" equal to "a" to access, so we created a Role with "Selected Users" checkbox and "Member Attributes" like this:
((initials = "a"))
We see the PS doing below search:
LDAP search of initials=* took 0 seconds and 4829 microseconds
Property 'initials' for user 'XXXXXXXXXXX' added to cache[...]
[INTRANET_AGENT][** Status: Not Authorized. ]
So the user cannot access the application, but if I change the Role from:
((initials = "a"))
((initials CONTAINS "a"))
The user can access the application without problems.
So, the question is for multivalued attributes, how can we force SM to use a specific value instead of using the keyword "CONTAINS" that can result in wrong authorizations?
What you want can be achieved by using the IN operator instead of =.
The = operator works for the single valued attribute and not for multi-valued attributes. Multi-valued user attributes are retrieved from the user directory as a set of values delimited by '^'. e.g. if the directory has a multi-valued attribute "initials" with values a, b and c, they are retrieved from the directory as a^b^c and so the = operator will not work.
So, an expression (("a" IN initials)) will match one of the values in the set of values.
Now, even though in the UI when configuring the Role, the section under "Member Attributes" say Attribute, Operator, Attribute Value, please make sure that the value is specified under "Attribute" and the actual attribute in the "Attribute Value" to form an expression such as (("<value>" IN <attribute>)).
Attribute: "a" (this should be the attribute value, and it should in between quotes)
Attribute Value: initials (this should be the attribute name, and it should not be in between quotes)
(("a" IN initials))
Double quotes are required around the attribute value or else the expression is invalid.
Please check the "User Attributes" section in documentation. It talks about the multi valued attributes:
Please note that the Domain/Policy model is working as expected with the expression : ((initials = "a"))