The bulk of our SAML applications require the capability to map an identity from one user store to another for attribute returns. Currently, the federation does not support identity mapping for Federation partnerships (like it does for Web Agents). This appears to be a very large gap in the product which is holding up moving over many applications to SiteMinder.
We request that the Identity Mapping can be applied to Federation partnerships as well for returning user attributes to Service Providers.
- Partnership is configured with:
  (1) Oracle DSEE - attributes needed to be returned: mail, cn
  (2) Active Directory - attributes needed to be returned: uid, telephoneNumber, ou
- An identity mapping is configured for mapping uid between the two directories
I want to have the partnership return the full set of attributes between the two directories (mail, cn, uid, telephoneNumber, ou), no matter which one the user logs in with.
- User accesses the SP and is redirected to the IdP
- User selects to log in at IdP with their Oracle DSEE account
- Authentication passes, SiteMinder maps the user based on uid to Active Directory
- SiteMinder generates the assertion including all the user information (mail, cn, uid, telephoneNumber, ou)
- User POSTs the data back to the SP
- SP processes response which includes all the attributes required
- User successfully accesses application at SP
Note: Using a virtual directory or custom assertion plug-in is not an option; this functionality needs to be built into SiteMinder.
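The requested behaviour, modelled as an added example (not SiteMinder code): the user authenticates against one store, the identity mapping resolves the same uid in the other store, and the merged attribute set is emitted as a SAML 2.0 AttributeStatement. The directory records, the uid "jdoe" and the mapping-failure case "asmith" are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Constructed sample records for the two user stores named in the request.
# "asmith" exists only in DSEE, so the uid mapping into AD fails for that user.
DSEE = {"jdoe": {"mail": "jdoe@example.com", "cn": "Jane Doe"},
        "asmith": {"mail": "asmith@example.com", "cn": "Al Smith"}}
AD = {"jdoe": {"uid": "jdoe", "telephoneNumber": "+1 555 0100", "ou": "Sales"}}
STORES = {"dsee": DSEE, "ad": AD}
# Attributes each store must contribute to the assertion (from the request).
WANTED = {"dsee": ("mail", "cn"), "ad": ("uid", "telephoneNumber", "ou")}


def resolve_attributes(login_store, uid):
    """Merge attributes for a user authenticated in login_store, mapping by uid
    into the other store. Raises LookupError rather than issuing a partial
    assertion when the mapped identity or a required attribute is missing."""
    other = "ad" if login_store == "dsee" else "dsee"
    merged = {}
    for name in (login_store, other):
        record = STORES[name].get(uid)
        if record is None:
            raise LookupError(f"uid {uid!r} has no entry in {name}")
        for attr in WANTED[name]:
            if attr not in record:
                raise LookupError(f"{name} entry for {uid!r} lacks {attr}")
            merged[attr] = record[attr]
    return merged


def build_attribute_statement(attrs):
    """Render the merged attributes as a saml:AttributeStatement element."""
    stmt = ET.Element(f"{{{SAML_NS}}}AttributeStatement")
    for name in sorted(attrs):
        attribute = ET.SubElement(stmt, f"{{{SAML_NS}}}Attribute", Name=name)
        ET.SubElement(attribute, f"{{{SAML_NS}}}AttributeValue").text = attrs[name]
    return ET.tostring(stmt, encoding="unicode")


if __name__ == "__main__":
    # Same five attributes regardless of which store the user logged in with.
    print(build_attribute_statement(resolve_attributes("dsee", "jdoe")))
    print(build_attribute_statement(resolve_attributes("ad", "jdoe")))
```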