Symantec IGA

Expand all | Collapse all

SM_USER_APPLICATION_ROLES response attribute is empty

Jump to Best Answer
  • 1.  SM_USER_APPLICATION_ROLES response attribute is empty

    Posted 03-22-2018 10:12 AM

    CA Identity Manager 14.1 Virtual Application integrated with CA Single Sign-On 12.7

     

    We would like to pass the list of Access Roles of the authenticated user to a protected web application.

    For this reason, we configure the environment as described here, but the in the resulted HTTP Header the related variable (SM_USER_APPLICATION_ROLES ) is created empty instead of the user is a member of many Access Roles.

     

     

    CA Single Sign-On configuration

    • I added both AD and IM UserStore as  User Directory of the CA Single Sign-On Domain in addition to the IM Environment

    • I created and configured an Identity Mapping of type "Authentication-Authorization"

     

    Test Case:

    • OK: When I access the protected resource with an IM UserStore account credentials the SM_USER_APPLICATION_ROLES is successfully filled.

    • KO (ISSUE): When I access the protected resource with an AD account credentials the SM_USER_APPLICATION_ROLES response attribute is empty because the session directory is AD  and the authorization directory mapping seems to be ignored.



  • 2.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted 03-23-2018 10:14 PM

    With your setup and access flow, directory mapping is not utilized at all. Only the Auth directory needs to be tied to the domain and realm. The Az directory does not. I cannot vouch for the IM SM_APPLICATION_ROLES, but once so configured, you should be able to set attributes from Az directory as a response.



  • 3.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted 03-26-2018 03:13 AM

    I tried to remove the IM UserStore because the desired Authorization Directory is AD but, before saving, the system said: 

     

     

    this is because the SiteMinder Domain must contains the IM Environment to be aware about Access Roles objects and use them for authorization purposes and, consequently, the related UserStore Directory must be included into the Domain.

     

    Any additional suggestion?

     

    Thanks,

    Gabriele



  • 4.  Re: SM_USER_APPLICATION_ROLES response attribute is empty
    Best Answer

    Broadcom Employee
    Posted 03-26-2018 11:00 AM

    You have competing requirements:

    - AD as authorization store

    - IMEnv for authorization (headers and roles)



  • 5.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted 03-27-2018 09:48 AM

    Hi,

    thanks for the hint, I fixed the wrong configuration by modifying the policy as following:

     

    So, the requirement is matched:

    • AD as authentication (AUTH) directory
    • IM UserStore as authorization (AZ) directory

    But now the issue is that nobody is authrized...it seems the Directory Mapping does not work:

     

     

    May you help further?

     

    Regards,

    Gabriele



  • 6.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted 03-29-2018 11:13 PM

    - You have to specify a directory mapping for the realm (Protected) from ITDomain to UserStore



  • 7.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted 03-30-2018 03:29 AM

    Hi mulvi07,

    thanks for the confirmation. This is exactly what I did

    Auth/Az Mapping

    Realm

    but it does not works: authentication ok but authorization is denied.

     

    The user "g.rusconi" exixts in both AD and UserStore with the same Universal ID:



  • 8.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted 03-30-2018 10:45 AM

    Check your smaccess log. It should tell you what the reason for Az failure was: AzReject or ValidateAccept or something else



  • 9.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted 04-03-2018 03:28 AM

    smaccess.log says "AzReject ITTSPOSSO01 [03/Apr/2018:09:22:32 +0200] "::1 CN=GUEST Rusconi Gabriele,OU=***,OU=***,OU=***,OU=***,DC=itdomain,DC=local" "a_ced3webarp01 GET /protected/headers.jsp" [] [0] [] []."

    My understanding is: the Directory Mapping does not work as expected because the AD User (sAMAccountName=g.rusconi with DN= CN=GUEST Rusconi Gabriele,OU=***,OU=***,OU=***,OU=***,DC=itdomain,DC=local) is not mapped against IM UserStore.



  • 10.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted 04-03-2018 01:27 PM

    Yes, that's right.

    Set UniversalID for AD to be sAMAccountName

    Set UniversaIID for IMUserStore to be the attribute with a matching value.



  • 11.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted 04-04-2018 02:38 AM

    It is already configured as you suggested but still does not work as expected.

     

     



  • 12.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted 04-04-2018 09:01 AM

    - I would pursue this through a support ticket then.

    - Create a separate SM user directory (outside of IM env) and try Directory mapping



  • 13.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted 05-22-2018 07:03 PM

    This issue is not actually related to Authentication and Authorization mapping rather there is a limitation of IDM and SM integration.

    We need to use a field in a member policy which is common (attribute reference name wise) in both the user store. If you use the user attribute "Access Role attribute" which doesn't exist in AD.

     

    I believe you need to take care of two points

    1-  Pick up an attribute which has a common reference name to hold the access role information in both the user store (AD and IDM related user store)

    2-  Sync this attribute between these two stores whenever there is a change in access role information.

     

    Please check the following documentation for more information:

    https://docops.ca.com/ca-identity-manager/14-0/EN/configuring/ca-single-sign-on-integration/ca-sso-operations/how-to-configure-access-roles

     

    check the following note on this link

     Note: Define member policies that use only directory attributes, for example: title=Manager. If you define member policies referencing to those objects not stored in the user directory such as admin roles, SiteMinder cannot be able to resolve the reference.