Attr User Expression not working
Article ID: 93250
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
- We have configured a custom User Directory attribute as such
testAttribute = FILTER(GET('memberOf'),'*Admin Group*')
- We then Used the testAttribute in JUEL expression in the Partnership as follows
AssertionAttribute = #{attr["testAttribute "] == 'Admin Group' ? 'Full_Admin' : 'User'}
We are testing with a user that belongs to 'Admin Group' group, however, we can see the AssertionAttribute returned as 'User'
testAttribute = FILTER(GET('memberOf'),'*Admin Group*')
- We then Used the testAttribute in JUEL expression in the Partnership as follows
AssertionAttribute = #{attr["testAttribute "] == 'Admin Group' ? 'Full_Admin' : 'User'}
We are testing with a user that belongs to 'Admin Group' group, however, we can see the AssertionAttribute returned as 'User'
Environment
SSO 12.52 ,12.6, 12.7, 12.8
Resolution
1) you have a Custom user Attribute defined in the user Directory. your Expression is as follows
testAttribute
FILTER(GET('memberOf'),'*Admin Group*')
2) The above Expression when Calculated will Return the Full DN of the Group in Question as such
testAttribute =CN=Admin Group,DC=smtestenv,DC=com
3) In your Partnership configuration your setup is as Follows
AssertionAttribute = #{attr["testAttribute "] == 'Admin Group' ? 'Full_Admin' : 'User'}
What the above mean is that Policy Server will take the calculated Value of "testAttribute" and perform a String compare to see if it matches your condition 'Admin Group'
If it matches, then 'Full_Admin' will be returned in the Attribute and if not , 'User' will be Returned
4) Now having said so, the calculated Value of your Custom user Attribute is "CN=Admin Group,DC=smtestenv,DC=com" which does not match the Condition 'Admin Group' when String compare is performed hence the issue you are having
To resolve the issue , you will need to Modify your Assertion Attribute Expression to have the Full DN of the Group as such
#{attr["testAttribute "] == 'CN=Admin Group,DC=smtestenv,DC=com' ? 'Full_Admin' : 'User'}
Once done, if the user belongs to the Group "Admin Group", then the calculated Value for testAttribute will be 'CN=Admin Group,DC=smtestenv,DC=com' , if not, it will be empty
The policy server will then perform a String compare and if it matches the condition, the Full_Admin will be returned otherwise User will be returned
testAttribute
FILTER(GET('memberOf'),'*Admin Group*')
2) The above Expression when Calculated will Return the Full DN of the Group in Question as such
testAttribute =CN=Admin Group,DC=smtestenv,DC=com
3) In your Partnership configuration your setup is as Follows
AssertionAttribute = #{attr["testAttribute "] == 'Admin Group' ? 'Full_Admin' : 'User'}
What the above mean is that Policy Server will take the calculated Value of "testAttribute" and perform a String compare to see if it matches your condition 'Admin Group'
If it matches, then 'Full_Admin' will be returned in the Attribute and if not , 'User' will be Returned
4) Now having said so, the calculated Value of your Custom user Attribute is "CN=Admin Group,DC=smtestenv,DC=com" which does not match the Condition 'Admin Group' when String compare is performed hence the issue you are having
To resolve the issue , you will need to Modify your Assertion Attribute Expression to have the Full DN of the Group as such
#{attr["testAttribute "] == 'CN=Admin Group,DC=smtestenv,DC=com' ? 'Full_Admin' : 'User'}
Once done, if the user belongs to the Group "Admin Group", then the calculated Value for testAttribute will be 'CN=Admin Group,DC=smtestenv,DC=com' , if not, it will be empty
The policy server will then perform a String compare and if it matches the condition, the Full_Admin will be returned otherwise User will be returned
Feedback
Yes
No
Powered by
