AnsweredAssumed Answered

Federation-Filter users by assertion attributes

Question asked by hapagola on Apr 11, 2014
Latest reply on Apr 22, 2014 by hapagola
Hi everybody,
We have a question about a problem we have:
We are federating two companies: Company1 is the IdP, Company2 is the SP with two apps (app1, app2).
The IdP sends an attribute in the assertion: "memberof".
We need that in the SP app1 and app2 can restrict their users by the assertion attribute "memberof".
Theare are two companies that are willing to make two independent SiteMinder federation connections (the two companies use SiteMinder), where:
  •   Company1: 
    •     Is the Identity Provider (IdP)
    •     Uses an AD as a user directory in the federation
    •     Filters the users by "memberof" AD field, during the federation process.
  •   Company2: 
    •     Is the Service provider (SP)
    •     Uses an LDAP as a user directory in the federation.
    •     The LDAP user directory has the user basic attributes sincronized, but doesn't have any group/permissions in it. We need that the app permissions can be handled by the assertion attributes.
    •     Has two applications (app1, app2) that each one will consume the identities of each federation.
  •   In each individual federation: 
    •     The IdP sends, in the assertion, the user attribute "memberof".
    •     The SP gets the assertion attribute and then passes it to the target application (app1 or app2) with the Redirect Mode: Persist Attributes.
  •   app1 and app2: 
    •     Does not share their users
    •     There is an attribute (memberof) in the Company1 AD that is used to know if a user can connect to app1 OR app2.
    •     A user connected to app1, should not connect to app2 via SSO once the federation is done.
    •     Are protected via a SM-Application (resource: /app1 and /app2)
    •     The protected target application (app1 or app2):   
      •       We can retrieve the assertion attributes. In the Responses tab -> a response with:     
        •         Attribute WebAgent-HTTP-Header-Variable
        •         Attribute Kind Session Variable
  •   A user1 initiates the federation to connect to app1.
  •   If user1 is not in the correct AD group, the IdP will reject the authentication.
  •   If user1 is in the correct AD group, the federation will continue, and the SP will be redirected to the target application (app1).
  •   When the user1 is connected to app1: if user1 paste the url of app2 in his browser, he could access, because the restriction
The problem
  •   In the SM-Application of app1 or app2, we cannot use the submitted assertion attribute (memberof) to filter a user (for example, in the Role tab we cannot use the assertion attribute "memberof").
  •   A user, that is authenticated/authorizated in the fedetation and redirected to app1, can access to app2 because we can't filter users by assertion attribute "memberof". 
  •   Basically, if a user is authorized to app1 via federation, and paste the URL of app2 in the browser, he can access the application because app1 and app2 will do SSO with the SiteMinder cookie.
What we need
  •   In the SM-Applications (app1 and app2), we need to filter/restrict users using the assertion attribute "memberof".


Thanks in advance for any help you could bring us,

Kind regards