How to enable SM_USERGROUPS


Article ID: 9911


Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On

Issue/Introduction

SM_USERGROUPS is a user attribute that CA Single Sign-On generates automatically. However, it is not set in an HTTP header unless you create a response for it.



%SM_USERGROUPS
This attribute holds the groups to which the user belongs. If the user belongs to a nested group, this attribute contains the group furthest down in the hierarchy.

Environment

Policy server: R12.52

Resolution

1. Create a response for SM_USERGROUPS. It can be created in either of two ways (choose one):

a) Attribute: WebAgent-HTTP-Header-Variable

Attribute Kind: User Attribute

Attribute Name: SM_USERGROUPS

 

<Please see attached file for image: response_user_attribute.png>

 

b) Attribute: WebAgent-HTTP-Header-Variable

Attribute Kind: Expression

Expression: %SM_USERGROUPS

<Please see attached file for image: sm_usergroups_response1.png>

 

2. Create a rule to tie to the response. SM_USERGROUPS is generated after authentication.

Therefore, an OnAuthAccept or OnAccessAccept rule can be used to tie to the response. In my case, I use OnAuthAccept:

 

<Please see attached file for image: Policy1.png>

 

3. A user who belongs to a user group logs in, and SM_USERGROUPS is populated.

<Please see attached file for image: user4_and_response_after_login.png>

 

What the policy server trace log looks like (enable all components and data for the profiler template):

[SmDsLdapConnMgr.cpp:1191][CSmDsLdapConn::SearchExts][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=uid=user4,ou=support,o=userstore))(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user4,ou=support,o=userstore))(&(objectclass=group)(member=uid=user4,ou=support,o=userstore))) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[SmDsLdapProvider.cpp:2183][CSmDsLdapProvider::Search][][][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][(Search) Base: 'o=userstore', Filter: '(|(&(objectclass=groupOfNames)(member=uid=user4,ou=support,o=userstore))(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user4,ou=support,o=userstore))(&(objectclass=group)(member=uid=user4,ou=support,o=userstore)))'. Status: 1 entries][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
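An added example, not part of the original article or of the product's own tooling: a short Python parser for profiler trace lines shaped like the two above. It reports, for each group-membership search, the search base, the user DN and how many group entries came back, which is the first thing to check when the SM_USERGROUPS header arrives empty. The first two sample lines are abbreviated from this page, the `user9` line is constructed, and the function names are hypothetical.

```python
import re

# Trace lines shaped like the two on this page (trailing empty [] fields trimmed).
# The third line is constructed for this example: a lookup that finds no group.
SAMPLE_TRACE = """\
[SmDsLdapConnMgr.cpp:1191][CSmDsLdapConn::SearchExts][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=uid=user4,ou=support,o=userstore))) took 0 seconds and 0 microseconds][][]
[SmDsLdapProvider.cpp:2183][CSmDsLdapProvider::Search][][][][Ldap Search callout succeeds.][][][(Search) Base: 'o=userstore', Filter: '(|(&(objectclass=groupOfNames)(member=uid=user4,ou=support,o=userstore))(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user4,ou=support,o=userstore))(&(objectclass=group)(member=uid=user4,ou=support,o=userstore)))'. Status: 1 entries][][]
[SmDsLdapProvider.cpp:2183][CSmDsLdapProvider::Search][][][][Ldap Search callout succeeds.][][][(Search) Base: 'o=userstore', Filter: '(|(&(objectclass=groupOfNames)(member=uid=user9,ou=support,o=userstore)))'. Status: 0 entries][][]
"""

# The provider line carries base, filter and result count in one field.
SEARCH_RE = re.compile(
    r"\(Search\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>[^']*)'\. "
    r"Status: (?P<count>\d+) entries"
)
# member= / uniqueMember= assertions carry the DN whose groups are being resolved.
MEMBER_RE = re.compile(r"\((?:member|uniqueMember)=([^()]+)\)", re.IGNORECASE)


def group_lookups(trace_text):
    """Return one dict per group-membership search found in the trace."""
    results = []
    for line in trace_text.splitlines():
        m = SEARCH_RE.search(line)
        if not m:
            continue
        user_dns = sorted(set(MEMBER_RE.findall(m["filter"])))
        if not user_dns:
            continue  # an LDAP search, but not a group-membership one
        results.append({"base": m["base"], "user_dns": user_dns,
                        "groups_found": int(m["count"])})
    return results


def users_without_groups(trace_text):
    """DNs whose group search returned 0 entries (no group for SM_USERGROUPS to hold)."""
    return [dn for r in group_lookups(trace_text)
            if r["groups_found"] == 0 for dn in r["user_dns"]]


if __name__ == "__main__":
    for r in group_lookups(SAMPLE_TRACE):
        print(r)
    print("no groups:", users_without_groups(SAMPLE_TRACE))
```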

 

Additional Information

https://communities.ca.com/message/241902261

Attachments

1558708723387000009911_sktwi1f5rjvs16r6l.png
1558708721519000009911_sktwi1f5rjvs16r6k.png
1558708719538000009911_sktwi1f5rjvs16r6j.png
1558708717544000009911_sktwi1f5rjvs16r6i.png