Symantec Access Management

Tech Tip: Cannot see user groups in HTTP headers


    Posted Nov 23, 2016 04:28 AM

    Problem:

    When configuring the default SiteMinder variables %SM_USERGROUPS or %SM_USERNESTEDGROUPS, the value returned is empty. What could be the problem?

    Environment:

    Policy Server 12.52 SP1 on Windows 2008 R2; Web Agent 12.52 SP1 on Windows 2008 R2 / IIS 7.5

    Resolution:

    Check the LDAP search performed when the response is evaluated. The query and its result appear in the Policy Server traces (with all components and data enabled) during the authorization stage, when the response is evaluated:


    [Start of call GetGroups.][SmDsUser.cpp:313][CSmDsUser::GetGroups][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][User ='cn=u1,dc=ca,dc=com'][][][][][][][][][]

    [search filter is : (|(&(objectclass=groupOfNames)(member=cn=u1,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=ca,dc=com))(&(objectclass=group)(member=cn=u1,dc=ca,dc=com)))][SmDsLdapProvider.cpp:1783][CSmDsLdapProvider::SearchImpl][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [LDAP search of (|(&(objectclass=groupOfNames)(member=cn=u1,dc=ca,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=ca,dc=com))(&(objectclass=group)(member=cn=u1,dc=ca,dc=com))) took 0 seconds and 15600 microseconds][SmDsLdapConnMgr.cpp:1201][CSmDsLdapConn::SearchExts][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

    [Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2311][CSmDsLdapProvider::Search][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][(Search) Base: 'dc=pstore,dc=com', Filter: '(|(&(objectclass=groupOfNames)(member=cn=u1,dc=pstore,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=cn=u1,dc=pstore,dc=com))(&(objectclass=group)(member=cn=u1,dc=pstore,dc=com)))'. Status: 2 entries][][][][][][][][][]


    The "Status: N entries" value in the LDAP result is the number of groups found for the user. If it is zero, re-run the same base DN and filter from an external LDAP client to check whether the empty result is caused by a wrong Root DN (base DN) in the User Directory setup.
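    The check described above can be scripted. The following is an added example, not CA/Symantec code and not from the original tech tip: it extracts the user DN, search base, filter and entry count from trace lines shaped like the ones shown, flags a zero-entry search whose user DN does not sit under the configured Root DN, and builds an equivalent ldapsearch command to replay the query from an external LDAP client. The trace lines, the host placeholder and the field names are constructed for the example.

```python
"""Diagnose an empty SM_USERGROUPS result from Policy Server trace lines.

Added example (not CA/Symantec code). Works on trace lines shaped like the
tech tip's: a GetGroups line carrying [User ='<dn>'] followed by a Search
line carrying "(Search) Base: '<dn>', Filter: '<filter>'. Status: N entries".
"""
import re
import shlex

# Constructed sample trace, modelled on the tech tip's format (not real output).
# Case 1: user sits under the base DN and two groups are found.
# Case 2: base DN points at a different suffix, so zero groups come back.
SAMPLE_TRACE = """\
[Start of call GetGroups.][SmDsUser.cpp:313][CSmDsUser::GetGroups][][][User ='cn=u1,dc=pstore,dc=com'][][]
[Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2311][CSmDsLdapProvider::Search][][(Search) Base: 'dc=pstore,dc=com', Filter: '(|(&(objectclass=groupOfNames)(member=cn=u1,dc=pstore,dc=com))(&(objectclass=group)(member=cn=u1,dc=pstore,dc=com)))'. Status: 2 entries][]
[Start of call GetGroups.][SmDsUser.cpp:313][CSmDsUser::GetGroups][][][User ='cn=u2,dc=ca,dc=com'][][]
[Ldap Search callout succeeds.][SmDsLdapProvider.cpp:2311][CSmDsLdapProvider::Search][][(Search) Base: 'dc=pstore,dc=com', Filter: '(|(&(objectclass=groupOfNames)(member=cn=u2,dc=ca,dc=com))(&(objectclass=group)(member=cn=u2,dc=ca,dc=com)))'. Status: 0 entries][]
"""

USER_RE = re.compile(r"\[User ='([^']+)'\]")
SEARCH_RE = re.compile(
    r"\(Search\) Base: '([^']*)', Filter: '(.*?)'\. Status: (\d+) entries"
)


def normalize_dn(dn):
    """Lower-case RDNs and strip spaces around commas so that suffix comparison
    is not fooled by 'DC=CA, DC=COM' vs 'dc=ca,dc=com' (simplified RFC 4514)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under_base(user_dn, base_dn):
    """True if user_dn equals base_dn or lies beneath it in the tree."""
    u = normalize_dn(user_dn).split(",")
    b = normalize_dn(base_dn).split(",")
    return len(u) >= len(b) and u[len(u) - len(b):] == b


def parse_group_searches(trace_text):
    """Pair each GetGroups 'User =' line with the next '(Search)' line."""
    results = []
    current_user = None
    for line in trace_text.splitlines():
        m = USER_RE.search(line)
        if m:
            current_user = m.group(1)
            continue
        m = SEARCH_RE.search(line)
        if m and current_user is not None:
            base, filt, count = m.group(1), m.group(2), int(m.group(3))
            results.append({
                "user": current_user,
                "base": base,
                "filter": filt,
                "entries": count,
                "user_under_base": dn_under_base(current_user, base),
            })
            current_user = None
    return results


def diagnose(record):
    """Short verdict for one parsed group search."""
    if record["entries"] > 0:
        return "ok"
    if not record["user_under_base"]:
        return "user DN is outside the Root DN (base DN); check the User Directory setup"
    return "zero groups returned; verify membership attributes with an external LDAP client"


def ldapsearch_command(record, host="ldap://LDAP_HOST_PLACEHOLDER"):
    """Equivalent ldapsearch call to replay the query outside the Policy Server.
    Bind options (-D/-W) are omitted; add the ones your directory requires."""
    return " ".join([
        "ldapsearch", "-H", shlex.quote(host),
        "-b", shlex.quote(record["base"]),
        "-s", "sub", shlex.quote(record["filter"]), "dn",
    ])


if __name__ == "__main__":
    for rec in parse_group_searches(SAMPLE_TRACE):
        print(rec["user"], "->", rec["entries"], "entries:", diagnose(rec))
        print("  replay:", ldapsearch_command(rec))
```

    Run it against a real trace by passing the trace file contents to parse_group_searches; the suffix check only catches the base-DN mismatch case, so a zero-entry search whose user DN does sit under the base still needs the replayed query to see whether the member/uniqueMember attributes actually reference the user's DN.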


    Additional Information:

    To use the default SiteMinder variables %SM_USERGROUPS or %SM_USERNESTEDGROUPS, see:

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes

    Use those variables in a response such as:

    WebAgent-HTTP-Header-Variable, SM_PROFILE=<% userattr="SM_USERNESTEDGROUPS" %>


    To test responses and policies on Windows Server, you can use the SiteMinder Test Tool (installed with the Policy Server/SDK on Windows):

    https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/using/test-tool/start-and-configure-the-test-tool


    KB: TEC1726572