Attr User Expression not working
search cancel

Attr User Expression not working


Article ID: 93250


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


- We have configured a custom User Directory attribute as such 
testAttribute  = FILTER(GET('memberOf'),'*Admin Group*') 

- We then Used the testAttribute in JUEL expression in the Partnership as follows 

AssertionAttribute =  #{attr["testAttribute  "] == 'Admin Group' ? 'Full_Admin' : 'User'} 

We are testing with a user that belongs to  'Admin Group' group, however, we can see the AssertionAttribute returned as  'User'



SSO 12.52 ,12.6, 12.7, 12.8 


1) you have a Custom user Attribute defined in the user Directory. your Expression is as follows 
FILTER(GET('memberOf'),'*Admin Group*') 

2) The above Expression when Calculated will Return the Full DN of the Group in Question as such 
testAttribute =CN=Admin Group,DC=smtestenv,DC=com 

3) In your Partnership configuration your setup is as Follows 

AssertionAttribute =  #{attr["testAttribute  "] == 'Admin Group' ? 'Full_Admin' : 'User'} 

What the above mean is that Policy Server will take the calculated Value of "testAttribute" and perform a String compare to see if it matches your condition 'Admin Group'
If it matches, then 'Full_Admin' will be returned in the Attribute and if not , 'User' will be Returned 

4) Now having said so, the calculated Value of your Custom user Attribute is "CN=Admin Group,DC=smtestenv,DC=com" which does not match the Condition 'Admin Group' when String compare is performed hence the issue you are having 

To resolve the issue , you will need to Modify your Assertion Attribute Expression to have the Full DN of the Group as such 

#{attr["testAttribute  "] == 'CN=Admin Group,DC=smtestenv,DC=com' ? 'Full_Admin' : 'User'} 

Once done, if the user belongs to the Group "Admin Group", then the calculated Value for testAttribute  will be  'CN=Admin Group,DC=smtestenv,DC=com' , if not, it will be empty 
The policy server will then perform a String compare and if it matches the condition, the Full_Admin will be returned otherwise User will be returned