Symantec Access Management

  • 1.  Assertion Configuration help

    Posted Oct 22, 2018 03:31 AM

    I am setting up an IDP --> SP partnership. The SMSESSION is generated at CA API Gateway, and then we are using this SMSESSION to authenticate the user during federation. The issue now is that I have two data stores: the user is in an LDAP session store, and the NAMEID attribute is located in an Oracle datastore. My problem is how do I define the Assertion Configuration so that the NAMEID value is fetched from the Oracle datastore for the authenticated store at runtime? Both LDAP and Oracle have a unique attribute in common.



  • 2.  Re: Assertion Configuration help

    Broadcom Employee
    Posted Oct 23, 2018 01:50 PM

    Akshat, I'm not following you completely, but let me try answering. If you have a partnership, NameID can be anything to be searched on, e.g. uid or email. The user should be in the user store where the user got authenticated from. If you want to pick the NameID value from another store, the mapping of attributes (between directories) for a user can be done using identity mapping (the IDENTITY_MAP feature).


    See this, for example, in R12.52:

    Directory Mapping Examples - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation 

    Identity Mapping by Complex User Search Criterion


    Or, it can be done with custom code in an AGP (Assertion Generator Plugin).

    Customize SAML Assertion in Java - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation 


    Also, please see this discussion in the Community for the above:

    Identity mapping for Federation 


    Rgds. - Vijay



  • 3.  Re: Assertion Configuration help

    Posted Oct 23, 2018 03:22 PM

    Akshat Akshat12


    Directory Mapping is not supported in Federation Partnership in any version of the product. There is an ideation in place to deliver this feature in Federation OOB. It is still not delivered, but customers have hacked it by making a change using XPSExplorer to get it to work. It is explained here: https://communities.ca.com/ideas/235714647-identity-mapping-for-federation#comment-233967380


    You do not need Directory Mapping for what you are intending to do, i.e. LDAP is the only user directory linked to the SMSESSION and the UStore being used in the Federation Partnership, but you want to read the NameID from a different store, i.e. Oracle (which is neither an authentication store NOR an authorization store in your partnership / policy domain).


    Hence, for your requirement, you can use a feature which is available OOB in the product starting with R12.5. It is called IDENTITY_MAP. You can read more about this feature and its caveats here. Please read the caveats very carefully, right until the end of the blog: https://communities.ca.com/people/HubertDennis/blog/2018/05/14/ca-sso-identitymap-expression-reserve-word-usage-configuration


    Hope this helps!


    Regards

    Hubert