Layer 7 Access Management

Tech Tip : CA Single Sign-On : RFI-Siteminder policy Filter

    Posted 11-29-2018 10:22 AM

    Question:

    We'd like to know how the LDAP searches are processed when selecting
    those options in the User Directory Search Expression Editor:

    Search Users
    Search Groups
    Search Organizations
    Search AnyEntry

    How are the LDAP requests done?

     

    Answer:

    At first glance, according to the documentation, the meaning of each of
    these options is:

     

    Search Users

    Indicates that the search is limited to matches in user entries.

     

    Search Groups

    Indicates that the search is limited to matches in group entries.

     

    Search Organizations

    Indicates that the search is limited to matches in organization
    entries (organizations and organizational units).

     

    Search Any Entry

    Indicates that the search includes all entries in the directory.

     

    https://docops.ca.com/ca-single-sign-on/12-8/en/using/administrative-ui/policy-and-related-dialogs-reference/users-screen/user-directory-search-expression-editor

     

    Obviously, the behavior will depend on the way you configure each of
    them, as this functionality allows you to set the filter manually.

    As you requested samples, I've configured a dummy entry for each, and
    here are the results:

     

    Test:

     

    If you configure the Users in the Policy as:

     

    | Name                  | User Class           |
    |-----------------------+----------------------|
    | (businessCategory=ok) | Search Any Entry     |
    | (description=ok)      | Search Users         |
    | (initials=toto)       | Search Groups        |
    | (manager=ok)          | Search Organizations |

     

    and here's what the Policy Server 12.8 will trace:

     

    (businessCategory=ok), filter is '(businessCategory=ok)'

     

    [11/13/2018][11:56:44.755][11:56:44][6586][140283421386496][SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=jsmith,dc=training,dc=com', filter: '(businessCategory=ok)', type: 10, recursive: No][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    [11/13/2018][11:56:44.918][11:56:44][6586][140283421386496][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=training,dc=com', Filter: '(businessCategory=ok)'. Status: 0 entries.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    (description=ok), filter is '(description=ok)'

     

    [11/13/2018][11:56:44.919][11:56:44][6586][140283421386496][SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=jsmith,dc=training,dc=com', filter: '(description=ok)', type: 3, recursive: No][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [11/13/2018][11:56:44.946][11:56:44][6586][140283421386496][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=jsmith,dc=training,dc=com', Filter: '(description=ok)'. Status: 0 entries][][Ldap SearchCount callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    (initials=toto), filter is '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(initials=toto))'

     

    [11/13/2018][11:56:44.947][11:56:44][6586][140283421386496][SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=jsmith,dc=training,dc=com', filter: '(initials=toto)', type: 8, recursive: No][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [11/13/2018][11:56:44.948][11:56:44][6586][140283421386496][SmDsLdapProvider.cpp:2344][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=training,dc=com', Filter: '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(initials=toto))'. Status: 0 entries.][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

     

    (manager=ok), filter is '(&(|(objectclass=organization)(objectclass=organizationalUnit))(manager=ok))'

     

    [11/13/2018][11:56:44.949][11:56:44][6586][140283421386496][SmDsUser.cpp:899][CSmDsUser::ResolvePolicyObject][][][][][][][][][][][][][][][][][][][][][Policy resolution for user: 'cn=jsmith,dc=training,dc=com', filter: '(manager=ok)', type: 9, recursive: No][][Start of call HasRelationship.][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [11/13/2018][11:56:44.952][11:56:44][6586][140283421386496][SmDsLdapConnMgr.cpp:1218][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][LDAP search of (&(|(objectclass=organization)(objectclass=organizationalUnit))(manager=ok)) took 0 seconds and 3332 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
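
Added example, not from the original post or from CA's product code: this Python derives, from the trace above, the LDAP search (operation, base, filter) that each User Class produced for the test policy, and checks trace lines against that prediction. The User Class mapping is inferred from this post's trace only, and the sample trace strings are constructed, shortened copies of the lines quoted above.

```python
import re
# Object-class constraints the trace shows being prepended for the two typed classes.
GROUP_CLASSES = "(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))"
ORG_CLASSES = "(|(objectclass=organization)(objectclass=organizationalUnit))"

def effective_search(user_class, expression, user_dn, directory_root):
    """Return (operation, base, filter) the trace above shows for one policy row.
    Mapping inferred from this post's trace only, not from CA documentation."""
    if not (expression.startswith("(") and expression.endswith(")")):
        raise ValueError("expression must be a parenthesised LDAP filter")
    if user_class == "Search Any Entry":
        return ("Search", directory_root, expression)
    if user_class == "Search Users":
        # Trace: SearchCount rooted at the user's own DN, filter unchanged.
        return ("SearchCount", user_dn, expression)
    if user_class == "Search Groups":
        return ("Search", directory_root, "(&%s%s)" % (GROUP_CLASSES, expression))
    if user_class == "Search Organizations":
        return ("Search", directory_root, "(&%s%s)" % (ORG_CLASSES, expression))
    raise ValueError("unknown user class: %r" % user_class)

# Provider lines carry base and filter; CSmDsLdapConn::SearchExts lines carry only the filter.
PROVIDER_RE = re.compile(r"\((Search|SearchCount)\) Base: '([^']*)', Filter: '([^']*)'")
CONNMGR_RE = re.compile(r"LDAP search of (\(.*\)) took ")

def parse_trace(line):
    """Extract (operation, base, filter); base is None for SearchExts lines."""
    m = PROVIDER_RE.search(line)
    if m:
        return m.group(1), m.group(2), m.group(3)
    m = CONNMGR_RE.search(line)
    return ("SearchExts", None, m.group(1)) if m else None

def trace_matches(user_class, expression, line, user_dn, directory_root):
    """True when the trace line carries the search predicted for this policy row."""
    predicted = effective_search(user_class, expression, user_dn, directory_root)
    parsed = parse_trace(line)
    if parsed is None:
        return False
    if parsed[1] is None:  # connection-manager line: compare the filter only
        return parsed[2] == predicted[2]
    return parsed == predicted

# Constructed, shortened copies of the trace lines quoted in this post.
SAMPLE_TRACES = {
    "Search Any Entry": "[CSmDsLdapProvider::Search][(Search) Base: 'dc=training,dc=com', Filter: '(businessCategory=ok)'. Status: 0 entries.]",
    "Search Users": "[CSmDsLdapProvider::SearchCount][(SearchCount) Base: 'cn=jsmith,dc=training,dc=com', Filter: '(description=ok)'. Status: 0 entries]",
    "Search Groups": "[CSmDsLdapProvider::Search][(Search) Base: 'dc=training,dc=com', Filter: '(&(|(objectclass=groupOfNames)(objectclass=groupOfUniqueNames)(objectclass=group))(initials=toto))'. Status: 0 entries.]",
    "Search Organizations": "[CSmDsLdapConn::SearchExts][LDAP search of (&(|(objectclass=organization)(objectclass=organizationalUnit))(manager=ok)) took 0 seconds and 3332 microseconds]",
}
```

A mismatch from trace_matches means the filter the Policy Server actually sent differs from what the policy row was meant to express, which is worth catching in a trace before the policy goes live.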

     

    You should consider the following documentation section concerning
    policy configuration and performance:

     

    Policy Membership and Authorization Performance

     

    Policy membership is the part of a CA Single Sign-On policy that
    specifies which users apply to the policy. Policies are stored in
    domains, and as a result, you use filters to apply policy membership
    to any or all users stored in the user directories bound to the
    domain. The type of filter you define determines how the Policy Server
    evaluates policy membership.

     

    The following filters are listed in the order in which they have the
    smallest effect on performance:

     

    All—"All" has the smallest effect on performance. When CA Single
    Sign-On authenticates a user, the Policy Server issues a session
    ticket. The session ticket identifies the user directory in which
    the user is stored. The Policy Server only has to compare the
    session ticket with the directory bound to the policy to determine
    that the policy applies to the user.

    Distinguished name—A distinguished name (dn) has a greater effect on
    performance than "All". The organization or organizational unit,
    which contains the dn of the authenticated user, is stored in the
    session ticket. The Policy Server has to compare the session ticket
    information with the policy membership filter to determine if the
    policy applies to the user.

     

    Group membership or search expressions—These types of filters have a
    greater effect on performance than distinguished names. Group
    membership and search expressions consume additional system
    resources and result in a user directory search. The Policy Server
    must:
    - Resolve the group membership or search expression
    - Search the user directory to determine if the policy applies to the user.

     

    Nested groups—Defining policy membership with a nested group has the
    greatest effect on performance. The Policy Server must search each
    user group and all sub-groups in the directory to determine if the
    policy applies to the user.

     

    Important! Directories with deep group hierarchies can have a
    significant effect on the time it takes the Policy Server to
    evaluate policy membership.

     

    Note: You can enable the User Authorization cache to reduce the number
    of requests the Policy Server makes to user directories to resolve
    policy membership.

     

    https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-ca-single-sign-on/performance-tuning/application-tier-performance

     

    KB: KB000121698