Layer 7 Access Management

Hello all,

In a IDP-SP partnership, CA SiteMinder is acting as an IDP.

SP has requested to send a custom attribute with the name 'uid' in the SAML assertion.

IDP's authorizing user directory is ODBC, with one of the user attribute as 'company_id'.

How to send this custom attribute using out of the box feature of SiteMinder ?

Where can we define/configure this custom attribute 'uid' so that it corresponds to the 'company_id' and sends the same value (stored as 'company_id' in the ODBC) as just the name 'uid' in the assertion ?

You can use expressions to modify the id that is sent.  Is the ID in company_id = uid?

Sent from my iPhone

Yes, the value stored in as 'company_id' should be sent as 'uid' in SAML assertion,

Where, uid as a attribute has no existence in the authorizing user directory.

I was trying to get clarity if the ID portion of company_id is the same as the UID, so company_uid needs to just become uid?

Here are sample expressions.

username@region.company.com - (BEFORE(AFTER(userprincipalname,'@'),'.')+"-"+uid) becomes region-username
username@region.company.com - UCASE(BEFORE(AFTER(userprincipalname,'@'),'.')+"\"+samaccountname) becomes REGION\SAMACCOUNTNAME
sAmAccountName - (samaccountname+"_co") - becomes samaccountname_co

Here is a link to a comment where I provide some more detailed instructions.  You would use the AFTER operator to strip out the ID from company_id.

We were able to achieve this by defining the 'Assertion Attributes' option while creating a Partnership Federation via AdminUI.

We defined  'uid' (the custom assertion name requested by SP) under 'Assertion Attributes' with the 'Value' as 'company_id'. (In the Directory section, the SQL query scheme is defined to get the value from ODBC for company_id).