Symantec Access Management


Some extra help with SiteMinder expression attribute

  • 1.  Some extra help with SiteMinder expression attribute

    Posted Jun 23, 2018 02:39 PM

    Hello Everyone,

     

    I have been monkeying around the past week, tweaking all the different possible ways of trying to accomplish this; folks here have helped me get quite far, and I am just about there.

     

    What I need is to pass one SAML attribute which will contain only one of several possible user role values.

     

    A) pass a SAML attribute name "UserRole"

    B) Evaluate the user's "memberOf" AD attribute to see which of those three AD groups that the user belongs to and pass a corresponding role name:

    (1) if user is member of AD group "org_manager"  - - - > pass this role name value:  "admin-user"

    (2) if user is member of AD group "org_developer"  - - - >  pass this role value:  "power-user"

    (3) if user is member of AD group "org_employee"  - - - >  pass this role value: "user"

     

    This expression works for me - - > GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : ""

     

    So with that expression I can pass the role value of "admin-user" in the SAML attribute if the user is a member of the "org_manager" AD group. But what if the user is a member of "org_developer", for which I would need to pass the corresponding role value of "power-user" instead? Likewise, if the user is a member of "org_employee" then I would need to pass the role value of "user".

     

    I need to add onto this expression - - >  GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" so that it will evaluate the two other possible AD groups from memberOf, something like this:

     

    GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "" + CONTAINS ('org_developer') ? "power-user" : "" + CONTAINS ('org_employee') ? "user" : ""

     

     

    Would very much appreciate any help on figuring this out.

     

    Thank you!



  • 2.  Re: Some extra help with SiteMinder expression attribute

    Broadcom Employee
    Posted Jun 25, 2018 08:54 AM

    Hi ,

     

    What if the user belongs to all three groups, or to two groups? What would you want to return in that situation?

     

    One thing I can think of is an Attribute Mapping (virtual attribute).

    You can create three Attribute Mappings as follows:

     

    (1) if user is member of AD group "org_manager"  - - - > pass this role name value:  "admin-user"

     

    orgmanager   --> FILTER(GET('memberOf'),'*org_manager*')

     

    (2) if user is member of AD group "org_developer"  - - - >  pass this role value:  "power-user"

     

    poweruser   --> FILTER(GET('memberOf'),'*org_developer*')

    (3) if user is member of AD group "org_employee"  - - - >  pass this role value: "user"

     

    user  --> FILTER(GET('memberOf'),'*org_employee*')

     

    The above Attributes will return the group DN if the user belongs to that group.

     

    Then, use these Attributes in the Expression under the partnership, which will check whether the first Attribute is null, then check the second, and if it has a value return it .....

     

    Just a thought 

     

    Thank you 

    Joe 



  • 3.  Re: Some extra help with SiteMinder expression attribute

    Posted Jun 25, 2018 11:57 AM

    Hi Joe,

     

    Very much appreciate your suggestion.  Unfortunately our SP partner expects to digest the user's role/permission from only one specific SAML attribute so we would need an elaborate expression that would combine all of that into one attribute.

     

    Again, thank you for the suggestion!



  • 4.  Re: Some extra help with SiteMinder expression attribute

    Posted Jun 25, 2018 09:32 AM

    Duc (dmt953)

     

    My apologies for the late reply; I am very busy on a current engagement and hence trying to keep up on communities.

     

    Joe suggested an approach above.

     

    If we need it within one expression, here is a crude example using ONLY OPERATORS. I hate to invoke multiple code spaces within the Product feature set (e.g. an OPERATORS Expression under the UD and a JUEL Expression under the Partnership) to achieve a single purpose. I prefer, as far as possible, to keep everything under one code space within the Product and to achieve it there as best I can.

     

    I haven't tested this (ideally I'd test it to some extent, but I am really busy elsewhere). Hence kindly try this and let me know your feedback.

     

    Expression (Attribute Mapping in User Directory).

    Create an Attribute Mapping within this Expression e.g. STATUS=<Expression>

    GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : "0" + "^" + GET('memberOf') CONTAINS ('org_developer') ? "power-user" : "0" + "^" + GET('memberOf') CONTAINS ('org_employee') ? "user" : "0"

    If a User belongs to all three groups, it'd return:

     

    admin-user^power-user^user

     

    If a User belongs to only one group, e.g. org_developer, it'd return:

     

    0^power-user^0

     

    NOTE: I prefer some value (e.g. 0) rather than null or blank, hence I added "0" as the failure condition. It helps me identify the conditions better, and the Service Provider can always check for static values, e.g. "0" means the user does not belong to something specific.

     

    Let me try to take this a step further for you.

     

    In the SAML world, the tendency is to prefer multi-valued attributes on separate lines rather than a single line (separated by "^"). Thus the beauty of using a single expression outside the SAML Partnership is that, within the SAML partnership assertion attribute, I can focus my effort on using reserved KEYWORDS with User Attributes rather than adding another layer of JUEL expression.

     

    This means that in the SAML Partnership assertion attributes I can define FMATTR:AttributeMapping_AttributeNameFromUD, e.g. FMATTR:STATUS. What FMATTR does is look at the "^" and put each value on a separate line within the SAML Assertion Attribute. If we don't use FMATTR, everything appears on a single line separated by "^"; this is the OOB behavior.

     

    Hope this helps!

     

    Regards

    Hubert



  • 5.  Re: Some extra help with SiteMinder expression attribute

    Posted Jun 25, 2018 12:19 PM

    Hello Hubert,

     

    No need for an apology, you have helped us immensely since we discovered CA Community as an alternative to CA Support.

     

    Yes, one single expression is what we need and your example above should do exactly what our SAML SP requires. 

     

    This is the original expression that you had helped me with in the past - - >  GET('memberOf') CONTAINS ('org_manager') ? "admin-user" : ""

     

    So with that expression I tried extending it, and at one point had it like this - - > GET('memberOf') CONTAINS ('jira-team123-Team-Web') ? "Jira" : "" + GET('memberOf') CONTAINS ('Fusion_User') ? "Fusion" : "" + GET('memberOf') CONTAINS ('confluence-dev-teams') ? "Confluence" : ""

     

    But when I try to save and submit, I get the following error from the Admin UI:

     

    Error:

    Task failed.

     

    Failed to execute ModifyAttributeMappingEvent. ERROR MESSAGE: SmApiWrappedException:The second and third clauses of a conditional expression must be the same type (not and ).



  • 6.  Re: Some extra help with SiteMinder expression attribute
    Best Answer

    Posted Jun 25, 2018 04:00 PM

    Duc dmt953

     

    This one worked on SAVE in the WAMUI.

     

    Expression
    (GET('memberOf') CONTAINS ('org_manager') ? 'admin-user' : '0') + '^' + (GET('memberOf') CONTAINS ('org_developer') ? 'power-user' : '0') + '^' + (GET('memberOf') CONTAINS ('org_employee') ? 'user' : '0')

     

    Kindly test and report back. Looking forward to hearing how the test went.

     

    Regards

    Hubert
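The accepted expression above concatenates three parenthesised ternaries with "^", so the SP receives a fixed three-slot string such as admin-user^0^0 or 0^power-user^0. Below is an added Python model of that mapping, written for this page rather than taken from the thread or from SiteMinder, so the value the SP will receive can be checked offline before touching the partnership. It also makes one caveat visible that applies equally to the CONTAINS operator here and to the wildcard FILTER patterns in Joe's reply: both are substring tests over the whole memberOf DN, so a group named, say, cn=org_manager_readonly would also satisfy CONTAINS('org_manager') and be granted admin-user. Comparing the CN of the group DN exactly avoids that. The group DNs, the sentinel "0" and the assumption that the SP splits on "^" and ignores "0" are the editor's constructed test data, not anything stated in the thread.

```python
"""Model of the '^'-packed role attribute from the accepted answer.

Added example for this page; not SiteMinder code and not posted by anyone in
the thread. Group DNs below are constructed sample data.
"""
from typing import Callable, Dict, List

# Group CN -> role value, in the order the accepted expression concatenates them.
ROLE_MAP: Dict[str, str] = {
    "org_manager": "admin-user",
    "org_developer": "power-user",
    "org_employee": "user",
}
NO_MATCH = "0"   # sentinel for "not a member", as in the accepted answer
SEP = "^"        # separator the expression uses and FMATTR: splits on


def rdn_cn(dn: str) -> str:
    """Return the CN value of the first RDN of a DN, or '' if it is not a CN.

    Deliberately an exact value, not a substring test.
    """
    first = dn.split(",", 1)[0].strip()
    if "=" not in first:
        return ""
    attr, value = first.split("=", 1)
    return value.strip() if attr.strip().lower() == "cn" else ""


def contains_match(member_of: List[str], group: str) -> bool:
    """Mimic CONTAINS('group'): a plain substring test over each memberOf value."""
    return any(group in dn for dn in member_of)


def exact_match(member_of: List[str], group: str) -> bool:
    """Exact CN comparison (case-insensitive, as LDAP CN matching normally is)."""
    return any(rdn_cn(dn).lower() == group.lower() for dn in member_of)


def role_attribute(member_of: List[str],
                   matcher: Callable[[List[str], str], bool] = exact_match) -> str:
    """Build the packed value the expression produces, e.g. '0^power-user^0'."""
    parts = [role if matcher(member_of, group) else NO_MATCH
             for group, role in ROLE_MAP.items()]
    return SEP.join(parts)


def assertion_values(packed: str) -> List[str]:
    """What FMATTR: does with the packed value: one assertion value per '^' part."""
    return packed.split(SEP)


def roles_present(packed: str) -> List[str]:
    """SP-side view (assumption): drop the '0' sentinels, keep real roles."""
    return [p for p in assertion_values(packed) if p != NO_MATCH]


def highest_role(packed: str) -> str:
    """If the SP wants one role for a user in several groups, the leftmost
    (most privileged, per ROLE_MAP order) non-sentinel value wins."""
    present = roles_present(packed)
    return present[0] if present else NO_MATCH


# Constructed sample memberOf values (not from the thread).
DEVELOPER = ["cn=org_developer,ou=groups,dc=example,dc=com",
             "cn=all_staff,ou=groups,dc=example,dc=com"]
ALL_THREE = ["cn=org_manager,ou=groups,dc=example,dc=com",
             "cn=org_developer,ou=groups,dc=example,dc=com",
             "cn=org_employee,ou=groups,dc=example,dc=com"]
LOOKALIKE = ["cn=org_manager_readonly,ou=groups,dc=example,dc=com"]

if __name__ == "__main__":
    print("developer  :", role_attribute(DEVELOPER))               # 0^power-user^0
    print("all three  :", role_attribute(ALL_THREE))               # admin-user^power-user^user
    print("lookalike, CONTAINS semantics:", role_attribute(LOOKALIKE, contains_match))
    print("lookalike, exact CN          :", role_attribute(LOOKALIKE))
    print("single role for all three    :", highest_role(role_attribute(ALL_THREE)))
```

Run it to see the two packed strings from Hubert's post reproduced, and the lookalike group granted admin-user only under the substring semantics. Whether the SP honours a single role or the full list is a question for the SP, as Joe asked above; the expression itself emits all three slots.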



  • 7.  Re: Some extra help with SiteMinder expression attribute

    Posted Jun 25, 2018 04:35 PM

    This worked perfectly.. thank you!!



  • 8.  Re: Some extra help with SiteMinder expression attribute

    Posted Oct 24, 2018 11:25 AM

    Hubert,

    I am also working on a similar use case. The user is a part of 4 groups and the SP needs the group name value in a single attribute. I used the expression mentioned above but get 0^0^0^0 in the outgoing assertion.

    We have OUD as the user directory. Do I need to change 'memberOf' to 'isMemberOf'?

    Thanks in advance.



  • 9.  Re: Some extra help with SiteMinder expression attribute

    Posted Oct 24, 2018 12:04 PM

    idamguy

     

    Looking at the OUD specifics, it does seem to be "isMemberOf".

     

    Oracle Unified Directory - Is Member Of Virtual Attribute 

    Oracle Unified Directory - Member Virtual Attribute 

    Oracle Unified Directory - Virtual Attribute 

     

    Step 1: Create a simple response in a Policy Domain and check whether isMemberOf works. If it works and returns all the groups, we can then proceed to use isMemberOf within an expression for further processing.

     

     

    If the requirement is "User is a part of 4 groups and SP needs the group name value in a single attribute", then we need not create an expression; this is OOB functionality. To return all groups that a User belongs to in a single attribute, we can simply use "isMemberOf", "SM_USERGROUPS" or "SM_USERNESTEDGROUPS". Below are some examples (especially the first link).

     

    saml asserting party assertion with multi-valued attribute syntax 

    Nested group based authorization 

    Nested Groups in Response and in Policies 

     

     

    Regards

    Hubert



  • 10.  Re: Some extra help with SiteMinder expression attribute

    Posted Oct 24, 2018 12:17 PM

    Hubert,

    I think I did not explain the requirement clearly. The SP needs 2 attributes.

    1. UserGroup: There are 4 groups for the app. Depending on which group the user is a member of, they need a value which is not the same as the actual group name. If a user is a member of the ABC group they are expecting "Admin" in the attribute, and so forth.

    2. UserType: Same thing for this attribute. If a user is a part of the ABC group, the value for user type should be "Test".

    This expression you gave above looked like a perfect fit for this use case. I am going to try what you suggested and share the results.

     

    Thanks



  • 11.  Re: Some extra help with SiteMinder expression attribute

    Posted Oct 24, 2018 01:23 PM

    Makes sense now, idamguy.

     

    We can use "isMemberOf", "SM_USERGROUPS" or "SM_USERNESTEDGROUPS" to return all the groups that the user belongs to, and then use that within the expression. Looking forward to hearing how the test went. Thank you.



  • 12.  Re: Some extra help with SiteMinder expression attribute

    Posted Oct 24, 2018 05:19 PM

    Hubert,

    It is working with "isMemberOf". I am doing some more testing with these for a couple of days and will update this thread later.