Unable to use the SiteMinder generated response attribute %SM_USERDN in a response?


Article ID: 51116


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
AXIOMATICS POLICY SERVER
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On

Issue/Introduction

Description:

You would like to return the user DN (returned in the default attribute SM_USERDN) in an attribute called DN.
You defined the user response DN=<%userattr="SM_USERDN"%>, but it does not work: nothing is returned (not even an empty variable), even when it is properly bound.

Solution:

As described in the Policy Server Configuration Guide:

Chapter 15: Responses and Response Groups - Section - How SiteMinder Processes Responses - SiteMinder Generated User Attributes
Some attributes are generated at the Policy Server level and others at the Web Agent level. Attributes generated at the Web Agent level cannot be used in a response.

%SM_USERDN: generated at the Web Agent level; it cannot be used in a response.
For an authenticated user, the Web Agent populates this HTTP header variable with the DN as determined by the Policy Server. In the case of certificate-based authentication, this attribute can be used to identify a user.

%SM_USERNAME: generated at the Policy Server level; it can be used in a response.
For an authenticated user, this attribute holds the user DN as disambiguated by SiteMinder. For an unauthenticated user, this attribute holds the user ID as specified by the user in the login attempt.

Moreover, some attributes are not available for all Authentication/Authorization/Impersonation events. Check the Availability of SiteMinder-generated Response Attributes matrix in the Policy Server Configuration Guide for more information.

Environment

Release:
Component: SMPLC