Layer7 Access Management

Expand all | Collapse all

SM_USER in case of Federation

Jump to Best Answer
  • 1.  SM_USER in case of Federation

    Posted 09-05-2017 10:57 AM

    What will be the value of SM_USER in case of Federation where SiteMinder is SP.

    we have users coming in from ADFS with login name in the assertion say ***.

    But the SM_USER is set to UniversalID.

    Is there any way to set the SM_USER to the login value?

    User Store is ODBC.



  • 2.  Re: SM_USER in case of Federation
    Best Answer

    Posted 09-05-2017 02:41 PM

    Hi Rajesh,

    SM_USER is determined during Authentication stage. Since you are SP, it is likely by the time request comes to SP side, SM_USER is already populated. In order to map to the application, you need follow configuration steps for "Map to Application Attributes (SAML, WSFED)" under

    Federation Partnerships ReferenceApplication Integration (Relying Party)

    Map to Application Attributes (SAML, WSFED)

    The Map to Application Attributes section dictates how to map assertion attributes to attributes that the target application uses.

    Map to Application Attributes

    Indicates that attribute mapping is enabled. If you select the Enable Application Attributes check box, the Application Attribute Definition table displays. This table lets you specify how application attributes are mapped to assertion attributes.

    The following columns in the table require entries:

    Application Attribute

    Lists the attribute that the target application uses. By default, the application attribute name is the same as the assertion attribute name. You can change the application attribute name to whatever name the application requires.

    Assertion Attribute(s)

    Specifies the attributes from the assertion that you want to use as the basis for mapping an application attribute.

    If you select the << button, an Append field displays. From the Append pull-down list, you can select available assertion attributes and special characters to include in the mapping rule.

     

    If these above did no help much due to some config option limitation. Remember you can always request IDP to send whatever attribute your application desire during Federation transaction. This does not limit to single SM_USER attribute, it can be multiple including (login value) you asked for, then SP can pick and choose.

     

    Last, assertion consumer plugin as custom code can be your last option as well in further customizing this.

     

    Thanks,

     

    Hongxu