Symantec Access Management

  • 1.  Expression in Federation to add @xyz.com after uid

    Posted Jan 03, 2019 03:31 AM

    Dear All,

    Wish you all a Very Happy and Prosperous New Year 2019.

    HubertDennis

    Here is my question.

    I am trying to add a string "@xyz.com" after uid.

    1. I have created an expression and used that expression in the user directory, as suggested in various threads.

    2. I have used the expression name from the user directory in the federation Assertion Attribute, as below.

    But still I am not able to get what I am looking for, that is (uid@xyz.com).

    How can I get this manipulated and passed into the assertion?

    And below is the log I see, which is empty.

     

    </ds:Signature>
    <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">josch@****.**</ns2:NameID>
    <ns2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <ns2:SubjectConfirmationData NotOnOrAfter="2019-01-03T08:19:48Z" Recipient="https://login.microsoftonline.com/login.srf"/>
    </ns2:SubjectConfirmation>
    </ns2:Subject>
    <ns2:Conditions NotBefore="2019-01-03T08:17:48Z" NotOnOrAfter="2019-01-03T08:19:48Z">
    <ns2:OneTimeUse/>
    <ns2:AudienceRestriction>
    <ns2:Audience>urn:federation:MicrosoftOnline</ns2:Audience>
    </ns2:AudienceRestriction>
    </ns2:Conditions>
    <ns2:AuthnStatement AuthnInstant="2019-01-03T08:18:18Z" SessionIndex="6DlqRYL6Ct0N6mkpMsQ5lZX1FcY=5GZC9A==" SessionNotOnOrAfter="2019-01-03T08:19:48Z">
    <ns2:AuthnContext>
    <ns2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</ns2:AuthnContextClassRef>
    </ns2:AuthnContext>
    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
    <ns2:Attribute Name="EmailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>josch@***.xx</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue/>
    </ns2:Attribute>
    <ns2:Attribute Name="ImmutableID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>josch</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="First name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Joseph</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="Last name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Christie</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>josch</ns2:AttributeValue>
    </ns2:Attribute>
    </ns2:AttributeStatement>
    </ns2:Assertion>

    In the logs, the UPN value is empty and nothing is passed to the assertion.

    Any clue or suggestion will be really great.

    PS: I have referred to the following threads before posting this question here.

    https://communities.ca.com/thread/241738164
    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/attributes-and-expressions-reference/
    https://communities.ca.com/thread/241751620
    https://communities.ca.com/thread/241782406-using-expression-in-a-federation-partnership
    https://communities.ca.com/thread/100045213
    https://communities.ca.com/thread/241738111



  • 2.  Re: Expression in Federation to add @xyz.com after uid

    Posted Jan 04, 2019 03:47 AM

    Patrick-Dussault Chris_Hackett

    Patrick,

    Any suggestions on the above would be appreciated.

    Wish you and your family a Happy and Prosperous New Year 2019.



  • 3.  Re: Expression in Federation to add @xyz.com after uid
    Best Answer

    Broadcom Employee
    Posted Jan 04, 2019 10:03 AM

    Hi ChristJs,

    I believe this is what you are looking for.

    Creating an expression at the directory level will not help in the federation scenario, as the attribute values are fetched at run time from the user directories listed at the partnership level. Hence you need to create the expression within the partnership Assertion Attributes.

    Output:

    </ns2:AuthnStatement>
    <ns2:AttributeStatement>
    <ns2:Attribute Name="departmentnumber" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>AdminDept</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>Jones</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="uidtest" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <ns2:AttributeValue>bjones@demo.com</ns2:AttributeValue>
    </ns2:Attribute>
    </ns2:AttributeStatement>

     

    Regards

    Ashok



  • 4.  Re: Expression in Federation to add @xyz.com after uid

    Posted Jan 04, 2019 10:13 AM

    ChristieJS

     

    I see in your Expression you are using

    Return_value=Get('uid')+'@cartoonnet.com'

    Please change the expression to only

    Get('uid')+'@cartoonnet.com'

    The remainder of the configuration looks good. Albeit I'd directly paste the Expression within Attribute Mapping (Expression Radio Button selected) in User Directory, just to avoid a clutter of linked objects (e.g. Named Expression --> Attribute Mapping --> Federation Partnership vs. Attribute Mapping --> Federation Partnership).

     

    Regards

    Hubert
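    Added example (not from this thread and not CA/Symantec product code): a Python check that parses a SAML 2.0 assertion like the one in the question, reports which attributes arrived empty, and compares the UPN against the uid@domain value the partnership expression Get('uid')+'@xyz.com' (answers 3 and 4 above) is meant to produce. The embedded assertion is a constructed fragment modelled on the posted log, the domain xyz.com is taken from the question, and the function names (build_upn, extract_attributes, check_assertion, with_upn) are this example's own.

```python
"""Check a SAML 2.0 assertion for empty or unexpected attribute values.

Added example: not part of the forum thread or of the SiteMinder product.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Sequence

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNSPEC = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"

# Constructed sample modelled on the assertion in the question: the UPN
# attribute is present but empty, which is the symptom being debugged.
SAMPLE_ASSERTION = f"""<ns2:Assertion xmlns:ns2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2019-01-03T08:18:18Z">
  <ns2:Issuer>https://idp.example.test</ns2:Issuer>
  <ns2:Subject>
    <ns2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">josch@example.test</ns2:NameID>
  </ns2:Subject>
  <ns2:AttributeStatement>
    <ns2:Attribute Name="EmailAddress" NameFormat="{UNSPEC}">
      <ns2:AttributeValue>josch@example.test</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="UPN" NameFormat="{UNSPEC}">
      <ns2:AttributeValue/>
    </ns2:Attribute>
    <ns2:Attribute Name="ImmutableID" NameFormat="{UNSPEC}">
      <ns2:AttributeValue>josch</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="username" NameFormat="{UNSPEC}">
      <ns2:AttributeValue>josch</ns2:AttributeValue>
    </ns2:Attribute>
  </ns2:AttributeStatement>
</ns2:Assertion>
"""


def build_upn(uid: str, domain: str) -> str:
    """Python equivalent of the partnership expression Get('uid')+'@<domain>'."""
    return f"{uid}@{domain}"


def extract_attributes(xml_text: str) -> Dict[str, List[str]]:
    """Return every saml:Attribute as name -> list of values (an empty element gives '')."""
    # Assertions received from untrusted parties should be parsed with defusedxml;
    # the stdlib parser is fine for this embedded sample.
    root = ET.fromstring(xml_text)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_assertion(xml_text: str, expected_domain: str,
                    required: Sequence[str] = ("UPN",),
                    uid_attr: str = "username") -> List[str]:
    """Return findings about the attribute statement; an empty list means it looks right."""
    attrs = extract_attributes(xml_text)
    findings: List[str] = []
    for name in required:
        # any() over the values treats both a missing attribute and <AttributeValue/> as empty
        if not any(attrs.get(name, [])):
            findings.append(f"attribute {name!r} is missing or empty")
    uid = next((v for v in attrs.get(uid_attr, []) if v), None)
    upn_values = [v for v in attrs.get("UPN", []) if v]
    if uid and upn_values:
        expected = build_upn(uid, expected_domain)
        for value in upn_values:
            if value.lower() != expected.lower():
                findings.append(f"UPN {value!r} does not match expected {expected!r}")
    return findings


def with_upn(xml_text: str, value: str) -> str:
    """Demo helper: fill the empty UPN element of the constructed sample with a value."""
    return xml_text.replace("<ns2:AttributeValue/>",
                            f"<ns2:AttributeValue>{value}</ns2:AttributeValue>")


if __name__ == "__main__":
    cases = (
        ("as posted", SAMPLE_ASSERTION),
        ("after fixing the expression", with_upn(SAMPLE_ASSERTION, "josch@xyz.com")),
        ("wrong domain", with_upn(SAMPLE_ASSERTION, "josch@other.test")),
    )
    for label, doc in cases:
        print(label, "->", check_assertion(doc, "xyz.com") or ["ok"])
```

    Running it against the posted assertion reports only that UPN is empty, which is the symptom the thread describes; once the UPN carries uid@xyz.com the check returns no findings, and a UPN built for another domain is reported as a mismatch. The same check can be pointed at a decoded assertion from the Policy Server trace to confirm the partnership expression is producing the value the relying party expects.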



  • 5.  Re: Expression in Federation to add @xyz.com after uid

    Posted Jan 07, 2019 01:29 AM

    HubertDennis,

    I tried what you have suggested, but the value from the attribute mapping isn't passed to the assertion, whereas what was later suggested by you and mutas02 did work. When I tried this expression, I didn't add #{attr[uid]} to the expression.

    Thank you HubertDennis and mutas02

     

    Regards,

    Joseph Christie