Symantec Access Management

  • 1.  SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion

    Posted Aug 07, 2014 03:11 PM

    I'm using SiteMinder 12.51. I've created a SAML 2.0 federation partnership between the local IdP and the remote SP. I have configured connections to two separate user directories which also happen to be different types of directories. These two directories do not share a common schema. So far my use case is covered in the product documentation. Where I need help, and where my use case does not seem to be clearly covered in the documentation, is that for a given assertion, I must use "directory A" to authenticate using local authentication mode, while retrieving an attribute (lets say "attribute X") that only exists in "directory B". I must use directory A for authentication as it has the password used for authenticating the user, while directory B does not have this password for authentication. I must retrieve "attribute X" from directory B because this attribute does not exist in any other directory. During my testing it seems that the user directories are queried by order of precedence until a record is found matching the Universal ID. How can I configure my federation partnership to perform the authentication against directory A, which does not contain attribute X, while for the same assertion retrieving attribute X from directory B?

     

    Unless I'm not following the documentation correctly, then, it seems that simple attribute mapping does not meet my needs as I'm not simply trying to create a common schema "view".

     

    Any assistance would be greatly appreciated.



  • 2.  Re: SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion

    Posted Aug 11, 2014 04:14 AM

    I am not sure if this is possible out of the box.  But can be done via  custom assertion generator plug-in.

     

    -- Regards



  • 3.  Re: SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion

    Posted Aug 14, 2014 08:55 AM

    Hello,

     

        This is not possible with out of the box functionality, probably this can be an enhancement request.



  • 4.  Re: SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion

    Posted Aug 14, 2014 08:58 AM

    I did similar thing using AuthN/AuthZ directory mapping:

    1. authenticate user against 1st directory (AD) using IWA,

    2. then search for sammacountname in 2nd directory (oracle DB table),

    3. from where I picked "attribute X" for that user and

    4. pass it to web app as a http request header.

    Also it was SM12.0SP3.

    But I have never done such a thing in federation.

     

    Regards



  • 5.  Re: SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion

    Posted Aug 25, 2014 03:37 PM

    Look into the 12.52 documentation for FSS.  I thought I saw it has built in capability to retrieve multiple attributes from your User Directory.



  • 6.  Re: SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion

    Posted Aug 26, 2014 03:10 AM

    Hello, In Federation you can not use Directory Mapping as you could use for A standard SiteMinder integration (Authenticate in directory A and authorize in directory B). You can not retrieve attributes from multiple user directories. You can retrieve attributes from the directory where you have been authenticated. As krish04 told you, you can maybe archive that by using a custom assertion plug-in generator. Hope it helps, Julien.



  • 7.  Re: SiteMinder Federation - how to retrieve attributes from 2 user directories for a single assertion

    Posted Sep 10, 2014 09:49 AM

    @jsjohnson - Were you able to get past this? We've run into the same problem and it's a pretty big product gap (other free products out there even do it...).