Layer7 Access Management

Tech Tip : CA Single Sign-On : SM_USERGROUPS and webagents


    Posted 04-15-2019 03:08 AM

    Question:

     

    We're running the Web Agent and we'd like to know under which
    conditions the SM_USERGROUPS header gets populated?

     

    Answer:

     

    The user attributes SM_USERGROUPS and SM_USERNESTEDGROUPS are generated
    when the user is authenticated and are stored in the Policy Server user
    cache. This data is fetched again only when one of the following
    scenarios happens:

     

    1. The user logs off and logs in again
    2. The session expires

     

    https://communities.ca.com/thread/241696878

     

    The following two registry values define the LDAP query used to build SM_USERGROUPS:

     

    HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters

    HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\LdapMatchUserDN

    https://communities.ca.com/message/241902261

     

    You can expose SM_USERGROUPS to the protected application by configuring a response attribute:

     

    https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2017/04/03/tech-tip-ca-single-sign-onpolicy-server-how-to-check-if-user-is-a-member-of-a-group

     

    Documentation:

     

    %SM_USERGROUPS

     

    This attribute holds the groups to which the user belongs. If the user
    belongs to a nested group, this attribute contains the group furthest
    down in the hierarchy. For all nested groups to which the user
    belongs, use SM_USERNESTEDGROUPS.

     

    Example:

    If a user belongs to the group Accounts Payable and Accounts Payable
    is contained in the group Accounting, SM_USERGROUPS contains Accounts
    Payable. If you want both Accounting and Accounts Payable, use
    SM_USERNESTEDGROUPS.

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes

     

    You won't see SM_USERGROUPS in the browser: the Web Agent adds it to the
    request that is forwarded to the protected page, so it is visible only
    to that page. To see it, deploy a test page behind the agent that reads
    all request headers and prints them into the HTML. Here's a sample in PHP:

     

    <?php
    // Dump every request header the Web Agent forwarded to this page.
    // Escape the values: request headers are attacker-influenced input, so
    // reflecting them unescaped into HTML would make the test page itself
    // an XSS sink.
    foreach (getallheaders() as $name => $value) {
        echo htmlspecialchars("$name: $value", ENT_QUOTES, 'UTF-8');
        echo "<br />";
    }
    ?>

     

    Directory Mapping is applied at authorization time. SM_USERGROUPS is
    populated at authentication time, so Directory Mapping has no effect on it.

     

    KB : KB000130878
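The header-dump test page and the direct-versus-nested group distinction described above, as an added worked example in Python. This is not part of the original tech tip and not CA's own code. It assumes a WSGI-style environ whose request headers use HTTP_<NAME> keys, and it assumes multi-valued SiteMinder headers arrive caret-separated (pass a different `sep` if your agent is configured with another delimiter); the sample request in the block is constructed, not captured.

```python
"""Added example, not from the original tech tip: read the SM_USERGROUPS and
SM_USERNESTEDGROUPS headers forwarded by a CA Single Sign-On Web Agent and
model the direct-vs-nested group semantics described in the documentation.

Assumptions (labelled, not stated on the page):
  * the caller passes a WSGI-style environ whose headers use HTTP_<NAME> keys;
  * multi-valued SiteMinder headers are joined with a caret ("^").
"""
from html import escape

SM_GROUPS = "HTTP_SM_USERGROUPS"
SM_NESTED = "HTTP_SM_USERNESTEDGROUPS"

# Constructed sample request (not a captured one): jdoe is a direct member of
# Accounts Payable, which is contained in Accounting.
SAMPLE_ENVIRON = {
    "HTTP_SM_USER": "jdoe",
    SM_GROUPS: "Accounts Payable",
    SM_NESTED: "Accounts Payable^Accounting",
    "HTTP_HOST": "intranet.example.com",
}


def parse_sm_groups(value, sep="^"):
    """Split one multi-valued SiteMinder header into a list of group names."""
    if not value:
        return []
    return [g.strip() for g in value.split(sep) if g.strip()]


def nested_groups(direct, parent_of):
    """Transitive closure of group membership: what SM_USERNESTEDGROUPS holds.

    direct    -- groups the user is a direct member of (SM_USERGROUPS)
    parent_of -- child group -> list of groups that contain it
    A visited set makes the walk safe against cyclic group definitions.
    """
    seen = set()
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(parent_of.get(group, ()))
    return seen


def is_member(environ, group, nested=False):
    """Membership check against the header the agent supplied.

    nested=False answers "is the user directly in <group>" (SM_USERGROUPS);
    nested=True also accepts containing groups (SM_USERNESTEDGROUPS).
    """
    header = SM_NESTED if nested else SM_GROUPS
    return group in parse_sm_groups(environ.get(header, ""))


def render_headers(environ):
    """HTML body for a header-dump test page, restricted to SM_ headers.

    Values are HTML-escaped: request headers are attacker-influenced input,
    so reflecting them raw would turn the test page into an XSS sink.
    """
    lines = []
    for key in sorted(environ):
        if key.startswith("HTTP_SM_"):
            name = key[len("HTTP_"):]          # HTTP_SM_USER -> SM_USER
            lines.append(f"{escape(name)}: {escape(environ[key])}<br />")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_headers(SAMPLE_ENVIRON))
    print("direct member of Accounting:", is_member(SAMPLE_ENVIRON, "Accounting"))
    print("nested member of Accounting:", is_member(SAMPLE_ENVIRON, "Accounting", nested=True))
    # Recompute what the nested header should contain from a directory model.
    hierarchy = {"Accounts Payable": ["Accounting"]}
    print(sorted(nested_groups(parse_sm_groups(SAMPLE_ENVIRON[SM_GROUPS]), hierarchy)))
```

`parse_sm_groups` and `is_member` are what an application page would call; `render_headers` is the escaped equivalent of the PHP dump above, limited to the SM_ headers. Treat these headers as trustworthy only when the application is reachable solely through the Web Agent, since any client that can reach the application directly can supply its own SM_ headers. Also note that some reverse proxies (nginx, by default) drop request headers whose names contain underscores, which silently loses every SM_ header before the page ever sees it.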