Symantec Access Management

  • Private Community
Back to discussions
Expand all | Collapse all

Site Minder Policy server configuration for User disambiguation

  • 1.  Site Minder Policy server configuration for User disambiguation

    Posted Nov 24, 2017 05:58 AM

    Hello Team,

     

    We have use case like this.

     

    End user will login using domain user id (example: abcd03)  or end user will use empid(12345) with login.fcc or shim.fcc.

    CA SSO should do LDAP/AD Authentication and when it redirects for  User disambiguation and re-directs to CA Adv Auth , it should send always domain user id : What is the configuration we need to make in Policy server. Please let me know.  Thanks. 

     

    example:

     

    like if SSO is authenticating against abcd03, it is sending DN=CN=abcd03, etc

    and if like if SSO is authenticating against 12345 , it is sending DN=CN=12345  , etc

     

    We want to send always DN=CN=abcd03 , etc.



  • 2.  Re: Site Minder Policy server configuration for User disambiguation
    Best Answer

    Posted Nov 24, 2017 08:11 AM

    Hi Mahabaleshwara,

     

    Siteminder will set the UserID/UserPath based on the field which is used for disambiguation. 

    For ex: here we passed "jhunter" as user ID and siteminder is able to disambiguate and set the user path as userID.

     

    Fri Nov 24 17:24:58.662 2017 INFO: pid 4160 tid 6040: 0 Start ShimController::authenticate
    Fri Nov 24 17:24:58.662 2017 INFO: pid 4160 tid 6040: 0 Password field is JSON. Get TokenId...
    Fri Nov 24 17:24:58.662 2017 INFO: pid 4160 tid 6040: 0 Start ShimController::processPreRiskOnePage
    Fri Nov 24 17:24:58.662 2017 INFO: pid 4160 tid 6040: 0 Disambiguating user : jhunter
    Fri Nov 24 17:24:58.662 2017 LOW: pid 4160 tid 6040: 0 Start ShimController::disambiguate
    Fri Nov 24 17:24:58.662 2017 LOW: pid 4160 tid 6040: 0 Allow SiteMinder to do user-disambiguation
    Fri Nov 24 17:24:58.662 2017 LOW: pid 4160 tid 6040: 0 End ShimController::disambiguate


    Fri Nov 24 17:24:58.669 2017 LOW: pid 4160 tid 6040: 0 Start ShimController::createToken
    Fri Nov 24 17:24:58.669 2017 LOW: pid 4160 tid 6040: 0 Creating token with attributes...
    Fri Nov 24 17:24:58.669 2017 LOW: pid 4160 tid 6040: 0 LoginId = jhunter
    Fri Nov 24 17:24:58.669 2017 LOW: pid 4160 tid 6040: 0 UserId = uid=jhunter, ou=People, dc=example,dc=com
    Fri Nov 24 17:24:58.669 2017 LOW: pid 4160 tid 6040: 0 AuthStatus = Authenticated
    Fri Nov 24 17:24:58.669 2017 LOW: pid 4160 tid 6040: 0 ShimReturnFCCURL = http://sharanI169966.ca.com:80/arcotlogin/shimfinal.fcc
    Fri Nov 24 17:24:58.669 2017 LOW: pid 4160 tid 6040: 0 LogMsgFromShim = Authentication successful

     

    I dont think we can set to same value irrespective of disambiguation ID with the OOTB.


    [11/24/2017][17:24:58.751][17:24:58][4160][6040][Sm_Auth_Message.cpp:5178][CSm_Auth_Message::FormatAttribute][s5/r7][sanre01-I169966_webagent][][jhunter][][PostAuthRisk_realm][Arcot_with_Risk][Oracle_UD][][][][][][][][][][][][....][Send response attribute 212, data size is 4][][][Arcot_auth_postauth][][][00 00 00 1b ][][][][][uid=jhunter, ou=People, dc=example,dc=com][06-38af90db-b044-4d4f-bf62-57800d80dda3][][Login][][][][][][][][][][][][][][][][][][][][]
    [11/24/2017][17:24:58.751][17:24:58][4160][6040][Sm_Auth_Message.cpp:5178][CSm_Auth_Message::FormatAttribute][s5/r7][sanre01-I169966_webagent][][jhunter][][PostAuthRisk_realm][Arcot_with_Risk][Oracle_UD][][][][][][][][][][][][http://sharan-i3859.ca.com:8080/arcotafm/master.jsp?profile=postauthrisk&tokenID=a475e7f67d9d22d5fb2eb985e031cc1578f233cc][Send response attribute 227, data size is 122][][][Arcot_auth_postauth][][][68 74 74 70 3a 2f 2f 6b 61 72 73 68 30 37 2d 69 33 38 35 39 2e 63 61 2e 63 6f 6d 3a 38 30 38 30 2f 61 72 63 6f 74 61 66 6d 2f 6d 61 73 74 65 72 2e 6a 73 70 3f 70 72 6f 66 69 6c 65 3d 70 6f 73 74 61 75 74 68 72 69 73 6b 26 74 6f 6b 65 6e 49 44 3d 61 34 37 35 65 37 66 36 37 64 39 64 32 32 64 35 66 62 32 65 62 39 38 35 65 30 33 31 63 63 31 35 37 38 66 32 33 33 63 63 ][][][][][uid=jhunter, ou=People, dc=example,dc=com][06-38af90db-b044-4d4f-bf62-57800d80dda3][][Login][][][][][][][][][][][][][][][][][][][][]
    [11/24/2017][17:24:58.751][17:24:58][4160][6040][Sm_Auth_Message.cpp:4675][CSm_Auth_Message::SendReply][s5/r7][sanre01-i169966_webagent][][jhunter][][PostAuthRisk_realm][Arcot_with_Risk][Oracle_UD][][][][][][][][][][][][][** Status: Authentication Challenged. ][][][Arcot_auth_postauth][][][][][][][][uid=jhunter, ou=People, dc=example,dc=com][06-38af90db-b044-4d4f-bf62-57800d80dda3][][][][][][][][][][][][][][][][][][][][][][]
    [11/24/2017][17:24:58.751][17:24:58][4160][6040][Sm_Auth_Message.cpp:4679][CSm_Auth_Message::SendReply][][][][][][][][][][][][][][][][][][][][][Leave function CSm_Auth_Message::SendReply][][][][][][][][00:00:00.001000][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    Thanks,
    Sharan



  • 3.  Re: Site Minder Policy server configuration for User disambiguation

    Posted Dec 03, 2017 09:26 AM

    Thanks Sharan