We have a use case where we need to disambiguate a user by the department attribute before authentication in Siteminder (12.52sp1). These users' uids are not unique in the back-end and can only be identified via the department attribute. So we are required to collect the department attribute in addition to username + password in our login form and use the department attribute in our lookup filter.
We initially tried setting this up as an additional attribute in the HTML forms authentication scheme but realized that the department attribute is not being used as a part of the lookup filter but only as a further check after the user is authenticated via username + password. This does not help us identify a user in our case where there are multiple users with the same uid.
Appreciate any thoughts on how we can do this.
Check the below
Tech Tip : CA Single Sign-On :Policy Server:How to authenticate user using multiple attribute beside password using HTML Form Auth Scheme
Based on his description, I think he has already tried this. This will not be sufficient for his use case.
What is your user store?
This may need custom authentication scheme to fulfill.
I will give it a try and let you know.
Thank you Ujwol - userstore is ldap (odsee). I am hoping to avoid a custom auth. scheme. However, please do let me know anything you can find.
Leo - thank you for the suggestion - we tried this but it does not help our use case.
The only thing I can think of without using a custom authentication scheme is to create a new attribute in odsee called something like uidDept, that is meant to contain the user's login ID and Dept concatenated together. Then run a batch script to populate the new attribute and modify your account creation process to populate/modify this field when the account is created and whenever the uid or Dept fields are changed.
Then you could change the login page or the FCC that the login page posts to in order to concatenate the uid and Dept data input by the user into the username field of the FCC, and change your user directory START field to use uidDept instead of uid for disambiguation.
To do a custom auth scheme you would either need to create your own pool of LDAP connections in order to locate the unique user's DN based on a search filter containing both uid and dept during disambiguation, or write the code in C++ and use the Policy Management API's Sm_PolicyApi_LookupDirectoryEntry() method to perform the search with the search filter based on both uid and dept.
Either way, it is not a trivial custom auth scheme to write, although CA Services Global Deployment Software Engineers and possibly some other 3rd party consulting companies have the expertise to do this.
Richard - this is exactly the solution that we arrived at and are testing currently. I was hoping that there would have been a workaround in Siteminder that would allow us to do this without having to create a custom attribute in the back-end. Thank you for validating this approach.
Have you explored Virtual Directory Servers to assist with this?
Yes we are using a VDS solution - wanted to confirm that there are no easy ways to do this from Siteminder before proceeding with alternate routes.