Symantec Access Management

Hello All,

We are acting as SP and are consuming the SAML assertion generated by IDP. We are authentication/authorizing against a directory for the user present in SAML assertion. Now we have a scenario where we don't have to do authentication/authorization check against this directory for any incoming user for which we receive the SAML assertion and forward the traffic to the application/load the application without any check. 

Any suggestion? how this can be done? 

Thanks

Ankur Taneja

Hi Ankur,

You can request IDP to send some static value to the NameID field in the assertion, So that SP can validate this static value for all the users and once the validation is successful, user will be authenticated and authorized and finally redirected to the target.

Thanks,

Sharan 

Hello Sharan,

Yes, we can do that. But this would involve creation of a new attribute/field in the directory and have that corresponding static value attached to it and then we do authorization against it ( which seems to be compulsory ).

How can we avoid this authorization all together? 

FYI, we are using NameID right now and fetching the nameID and connecting to the userdirectory for authenticating/authorizing .

Thanks

Ankur

Hi Ankur,

As you know, There is no option to skip the disambiguation/Authentication/authorization.
In order to achieve the use case, You would need to use the SiteMinder Java MessageConsumerPlugin API which implements the SAML 1.x, SAML 2.0 and WS-Federation Message Consumer Extension interface. This API allows you to perform your own processing for user disambiguation and authentication. After you customize code for your own requirements, you can integrate the custom plug-in into SiteMinder to further process and manipulate the SAML 2.0 assertion response or the WS-Federation security token response.

The message consumer plug-in is a Java program that implements the Message Consumer Plug–in. The plug-in lets you implement your own business logic for processing assertions, such as rejecting an assertion and returning a status code. This additional processing works together with the standard processing of an assertion.
During authentication, CA Single Sign-On first tries to process the assertion by mapping a user to its local user store. If CA Single Sign-On cannot find the user, it calls the postDisambiguateUser method of the message consumer plug-in.

Hence you would need to make the initial disambiguation to fail, then it will call the postDisambiguateUser method of the message consumer plug-in. Based on your requirements, you can customize the postDisambiguateUser method (something like returning the success response for both failure and success scenario) and finally redirectung to the Target resource.

Please refer below link for message consumer plug-in.
https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/legacy-federation/configure-a-saml-2-0-service-provider/customize-assertion-processing-with-the-saml-2-0-message-consumer-plug-in

Thanks,

Sharan

Hello,

Trying to bypass authorization ( as we are SP ) at our end and looking at the option that Sharana  mentioned i.e. "You can request IDP to send some static value to the NameID field in the assertion, So that SP can validate this static value for all the users and once the validation is successful, user will be authenticated and authorized and finally redirected to the target."  i am trying to find out which SQL query is used to authorize the user at the ODBC database?

We have number of SQL queries configured, which one of the below are used for authorization?

Enumerate

SELECT Name, 'Group' AS Class FROM SmGroup ORDER BY Class

Lookup

SELECT Distinct Signum FROM [user] u JOIN [Space] s ON u.SpaceId = s.Id JOIN HostAddress h ON h.TenantId = s.TenantId WHERE %s AND h.Hostname = 'abc.com'

Lookup Users

SELECT Signum, 'User' AS Class FROM [user] u JOIN [Space] s ON u.SpaceId = s.Id JOIN HostAddress h ON h.TenantId = s.TenantId WHERE %s AND h.Hostname = 'abc.com'

Lookup Groups

SELECT Name, 'Group' AS Class FROM [user] WHERE %s

Get User/Group Info

SELECT Signum, 'User' FROM [user] u JOIN [Space] s ON u.SpaceId = s.Id JOIN HostAddress h ON h.TenantId = s.TenantId WHERE Signum = '%s' AND h.Hostname = 'abc.com'

Init user

SELECT Signum FROM [user] u JOIN [Space] s ON u.SpaceId = s.Id JOIN HostAddress h ON h.TenantId = s.TenantId WHERE Signum = '%s' AND h.Hostname = 'abc.com'

Authenticate User

SELECT Signum FROM [user] WHERE Signum = '%s'

Is Group Member

SELECT ID FROM SmUserGroup WHERE UserID = (SELECT UserID FROM SmUser WHERE Name = '%s') AND GroupID = (SELECT GroupID FROM SmGroup WHERE Name = '%s')

Get User Groups

SELECT SmGroup.Name from SmGroup, SmUser, SmUserGroup where SmUser.Name = '%s' and SmUser.UserID = SmUserGroup.UserID and SmGroup.GroupID = SmUserGroup.GroupID

Get User Properties

Signum

Get User Property

SELECT %s FROM [user] WHERE Signum = '%s'

Set User Property

UPDATE Person SET %s = '%s' WHERE Signum = '%s'

Set User Password

UPDATE Person SET Password = '%s' WHERE Signum = '%s'

Get Group Properties

Name, GroupID

Get Group Property

SELECT %s FROM SmGroup WHERE Name = '%s'

Set Group Property

UPDATE SmGroup SET %s = '%s' WHERE Name = '%s'

which one of the below are used for authorization which i can edit at my end to bypass the authorization? and session is generated for all the user and we can forward the traffic to the Target.

Hello All,

To avoid authorization i can map all incoming users to the same account, but how can i do that? Any suggestions?

I tried to give manual entry in the SQL query to database but still i am not able to authorize the user that is not present in DB.

Hi Ankur,

What is the attribute name you have given under ODBC search specification?

For ex: if the attribute name is "Name", if you are using NameID for assertion validation then you would need to create a dummy profile and update static value for the "Name" attribute. So that policy server will try to fetch the static value and match with the NameID for the assertion validation.

Thanks,

Sharan

Hello Sharana,

Yes, that's how it is configured Signum=%s . But instead of changing the nameID, i am trying to change the SQL queries mentioned above i.e. change %s with a static value. So as IDP doesn't have to change the SAML assertion at their end.

But somehow even after changing the SQL queries to manual entry of %s , still facing unauthorized error.

Hi Ankur,

At the relying party, the partner must be able to locate a user in the local user directory. Locating the user in the user directory is the process of disambiguation. Configure the identity attribute for user disambiguation in the User Identification dialog.

The Policy Server can use one of the following methods for the disambiguation process:

Extract the Name ID value from the assertion.
Use the value of a specific attribute from the assertion.
Use the value that the Xpath query obtains.
The Xpath query locates and extracts an attribute other than the Name ID from the assertion.

After you determine which attribute is extracted from the assertion, include this attribute in a search specification. After a successful disambiguation process, the Policy Server generates a session for the user.
Sample logs for your reference.
[03/13/2017][21:29:35.912][21:29:35][5728][5428][SmAuthSaml.cpp:538][handleSingleUseDataViaSDC][][][][][][][][][][][][][][][][][][][][][Assertion expiration date is 0 - skipping write of data to expiry data table.][][][][][][][]
[03/13/2017][21:29:35.912][21:29:35][5728][5428][SmAuthSaml.cpp:1349][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][SmAuthenticateJNI() found Attribute in Assertion. Looking for search string...][][][][][][][]
[03/13/2017][21:29:35.912][21:29:35][5728][5428][SmAuthSaml.cpp:1362][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Directory namespace to find in search string: ODBC:][][][][][][][]
[03/13/2017][21:29:35.912][21:29:35][5728][5428][SmAuthSaml.cpp:1377][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][AttributeValue = ODBC:=name=%s][][][][][][][]
[03/13/2017][21:29:35.912][21:29:35][5728][5428][SmAuthSaml.cpp:1427][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Beginning to invoke Domain OId interface][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmDomainOIDProvider.cpp:40][SmDomainOIDProvider::GetInterface][][][][][][][][][][][][][][][][][][][][][Enter function SmDomainOIDProvider::GetInterface][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmDomainOIDProvider.cpp:78][SmDomainOIDProvider::GetInterface][][][][][][][][][][][][][true][][][][][][][][Leave function SmDomainOIDProvider::GetInterface][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmDomainOIDProvider.cpp:87][SmDomainOIDProvider::GetDomainOID][][][][][][][][][][][][][][][][][][][][][Enter function SmDomainOIDProvider::GetDomainOID][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmDomainOIDProvider.cpp:101][SmDomainOIDProvider::GetDomainOID][][][][][][][][][][][][][][][][][][][][][Request Domain OID: 03-96706de9-c506-4bbe-ba0f-3f2bbe13f5db][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmDomainOIDProvider.cpp:104][SmDomainOIDProvider::GetDomainOID][][][][][][][][][][][][][-1][][][][][][][][Leave function SmDomainOIDProvider::GetDomainOID][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmAuthSaml.cpp:1454][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Domain OID: 03-96706de9-c506-4bbe-ba0f-3f2bbe13f5db][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmAuthSaml.cpp:1462][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][UserName: Mikel][][][][][][][]
[03/13/2017][21:29:35.913][21:29:35][5728][5428][SmAuthSaml.cpp:1482][SmAuthenticate][][][][][][][][][][][][][][][][][][][][][Search Pattern: =name=Mikel][][][][][][][]

So you can not skip the user disambiguation process, your SQL query schema will not come into picture during disambiguation process.

As suggested before, You have below two options:
1) You can request IDP to send some static value to the NameID field in the assertion, So that SP can validate this static value for all the users and once the validation is successful, user will be authenticated and authorized and finally redirected to the target.
2) You would need to use the SiteMinder Java MessageConsumerPlugin API which implements the SAML 1.x, SAML 2.0 and WS-Federation Message Consumer Extension interface. This API allows you to perform your own processing for user disambiguation and authentication. After you customize code for your own requirements, you can integrate the custom plug-in into SiteMinder to further process and manipulate the SAML 2.0 assertion response or the WS-Federation security token response.

Thanks,

Sharan