Symantec Access Management

  • 1.  Federation Partnership Expressions... Any hope?

    Broadcom Employee
    Posted Feb 15, 2018 08:57 AM

    Reference:  Send only subset of the groups in the SAML assertions 

    HubertDennis, in July 2016, you posted in the above thread regarding the use of expressions to filter an attribute:

     

    However you have to do this using a workaround since Federation Partnership Expressions don't work [my emphasis]. So the hack is to do it via the Attribute Mapping in User Directory Object.

     

    Questions for any and all:

    • Do expressions work any better (at all?) in the versions of SiteMinder that have been released since Hubert posted his comment?
    • If not, is any work in progress to address this gap?

     

    I'm at a customer site where they're not particularly keen on the idea of writing Java code for Assertion Generator Plugins, nor do they like the idea of adding a growing number of attribute mappings to their user directory configuration. Using supported, out-of-the-box functionality in the WAMUI would be ideal.



  • 2.  Re: Federation Partnership Expressions... Any hope?
    Best Answer

    Posted Feb 15, 2018 09:58 AM

    Rich Rich_Faust

     

    Expressions in Partnership work. But (there is always a but!!!)...... review this blog and you'll get the picture of what an expression in Partnership is.

     

    https://communities.ca.com/message/242041819-re-how-to-format-a-nameid-value-in-the-assertion-configuration-for-a-federa… 

     

     

    Add-on information....

    Creating a Nested JUEL Expression to pass a Single role to the SP based on a hierarchy 

    https://communities.ca.com/message/241911261-re-juel-expressions-in-assertions?commentID=241911261#comment-241911261 

     

     

    Let me know if you have further questions after reviewing these contents.

     

     

    Regards

    Hubert



  • 3.  Re: Federation Partnership Expressions... Any hope?

    Broadcom Employee
    Posted Feb 15, 2018 02:16 PM

    I had read all but one of those posts before starting this thread. I went back and read them again, this time noticing that challenges persist in r12.7. I'm in the camp that wants a fully functional solution in the partnership (i.e., not JUEL) rather than piling attribute mappings on the user directory. The customer is having a meeting tomorrow to discuss the pros and cons of attribute mappings vs. assertion generator plugins (AGP); I think the end result will be me filing a Request for Enhancement (RFE) on their behalf. If so, I'll come back here and post a cross-reference.



  • 4.  Re: Federation Partnership Expressions... Any hope?

    Posted Feb 15, 2018 02:51 PM

    Thanks Rich Rich_Faust

     

    When you do raise an ER, we'll need to take into consideration backward compatibility. That means we'll need to have two expressions in partnership

    A. Expression-JUEL

    B. Expression-Operators.

     

    I really hate having two different solutions, and what is more frustrating is that there is no way out of it unless anyone using JUEL migrates to OPERATORs. From what we have seen, JUEL cannot sustain itself (it still needs Attribute Mapping using Expression OPERATORs) and does not provide the same level of value as OPERATORs.



  • 5.  Re: Federation Partnership Expressions... Any hope?

    Broadcom Employee
    Posted Feb 27, 2018 11:14 AM

    Hmmm... maintaining backward compatibility could make the interface rather awkward, but your point is well taken.