Symantec IGA


SM_USER_APPLICATION_ROLES response attribute is empty

  • 1.  SM_USER_APPLICATION_ROLES response attribute is empty

    Posted Mar 22, 2018 10:12 AM

    CA Identity Manager 14.1 Virtual Application integrated with CA Single Sign-On 12.7

     

    We would like to pass the list of Access Roles of the authenticated user to a protected web application.

    For this reason, we configured the environment as described here, but in the resulting HTTP header the related variable (SM_USER_APPLICATION_ROLES) is created empty, even though the user is a member of many Access Roles.

    CA Single Sign-On configuration

    • I added both AD and the IM UserStore as User Directories of the CA Single Sign-On Domain, in addition to the IM Environment

    • I created and configured an Identity Mapping of type "Authentication-Authorization"

     

    Test Case:

    • OK: When I access the protected resource with IM UserStore account credentials, SM_USER_APPLICATION_ROLES is successfully filled.

    • KO (ISSUE): When I access the protected resource with AD account credentials, the SM_USER_APPLICATION_ROLES response attribute is empty because the session directory is AD and the authorization directory mapping seems to be ignored.



  • 2.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted Mar 23, 2018 10:14 PM

    With your setup and access flow, directory mapping is not utilized at all. Only the Auth directory needs to be tied to the domain and realm. The Az directory does not. I cannot vouch for the IM SM_APPLICATION_ROLES, but once so configured, you should be able to set attributes from Az directory as a response.



  • 3.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted Mar 26, 2018 03:13 AM

    I tried to remove the IM UserStore because the desired Authorization Directory is AD but, before saving, the system said:

    This is because the SiteMinder Domain must contain the IM Environment to be aware of Access Role objects and use them for authorization purposes and, consequently, the related UserStore Directory must be included in the Domain.

     

    Any additional suggestion?

     

    Thanks,

    Gabriele



  • 4.  Re: SM_USER_APPLICATION_ROLES response attribute is empty
    Best Answer

    Broadcom Employee
    Posted Mar 26, 2018 11:00 AM

    You have competing requirements:

    - AD as authorization store

    - IMEnv for authorization (headers and roles)



  • 5.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted Mar 27, 2018 09:48 AM

    Hi,

    thanks for the hint, I fixed the wrong configuration by modifying the policy as follows:

    So, the requirement is matched:

    • AD as authentication (AUTH) directory
    • IM UserStore as authorization (AZ) directory

    But now the issue is that nobody is authorized... it seems the Directory Mapping does not work:

    May you help further?

     

    Regards,

    Gabriele



  • 6.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted Mar 29, 2018 11:13 PM

    - You have to specify a directory mapping for the realm (Protected) from ITDomain to UserStore



  • 7.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted Mar 30, 2018 03:29 AM

    Hi mulvi07,

    thanks for the confirmation. This is exactly what I did:

    Auth/Az Mapping

    Realm

    but it does not work: authentication is OK but authorization is denied.

    The user "g.rusconi" exists in both AD and the UserStore with the same Universal ID:



  • 8.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted Mar 30, 2018 10:45 AM

    Check your smaccess log. It should tell you what the reason for the Az failure was: AzReject or ValidateAccept or something else.



  • 9.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted Apr 03, 2018 03:28 AM

    smaccess.log says "AzReject ITTSPOSSO01 [03/Apr/2018:09:22:32 +0200] "::1 CN=GUEST Rusconi Gabriele,OU=***,OU=***,OU=***,OU=***,DC=itdomain,DC=local" "a_ced3webarp01 GET /protected/headers.jsp" [] [0] [] []."

    My understanding is: the Directory Mapping does not work as expected because the AD User (sAMAccountName=g.rusconi with DN= CN=GUEST Rusconi Gabriele,OU=***,OU=***,OU=***,OU=***,DC=itdomain,DC=local) is not mapped against IM UserStore.
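The smaccess.log line quoted above follows a fixed shape (event, server, timestamp, client and user DN, agent/method/resource). The following parser is an added example, not code from the thread or from CA/Broadcom: it extracts those fields, counts event types, lists the AzReject entries, and classifies a user's outcome the way the reply above does (authentication accepted but authorization rejected points at the Az directory mapping rather than at credentials). The sample log text is constructed for the example, modelled on the single quoted line; AuthAccept, AuthReject and AzAccept are the standard companions of the AzReject and ValidateAccept event names mentioned in the thread.

```python
import re
from collections import Counter

# Regex for the smaccess.log line shape quoted in the thread:
#   <event> <server> [<timestamp>] "<client> <user DN>" "<agent> <method> <resource>" [] [0] [] []
# The trailing bracketed fields are not needed for this diagnosis and are ignored.
LINE_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<server>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<client>\S+)\s+(?P<user>[^"]*)"\s+'
    r'"(?P<agent>\S+)\s+(?P<method>\S+)\s+(?P<resource>[^"]*)"'
)

# Constructed sample log extract (not real log data), modelled on the line quoted in the thread.
SAMPLE_SMACCESS = """\
AuthAccept ITTSPOSSO01 [03/Apr/2018:09:22:31 +0200] "::1 CN=GUEST Rusconi Gabriele,OU=x,DC=itdomain,DC=local" "a_ced3webarp01 GET /protected/headers.jsp" [] [0] [] []
AzReject ITTSPOSSO01 [03/Apr/2018:09:22:32 +0200] "::1 CN=GUEST Rusconi Gabriele,OU=x,DC=itdomain,DC=local" "a_ced3webarp01 GET /protected/headers.jsp" [] [0] [] []
AuthAccept ITTSPOSSO01 [03/Apr/2018:09:25:10 +0200] "::1 uid=imuser,ou=people,o=im" "a_ced3webarp01 GET /protected/headers.jsp" [] [0] [] []
AzAccept ITTSPOSSO01 [03/Apr/2018:09:25:10 +0200] "::1 uid=imuser,ou=people,o=im" "a_ced3webarp01 GET /protected/headers.jsp" [] [0] [] []
ValidateAccept ITTSPOSSO01 [03/Apr/2018:09:25:15 +0200] "::1 uid=imuser,ou=people,o=im" "a_ced3webarp01 GET /protected/data.jsp" [] [0] [] []
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one smaccess.log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every line of an smaccess.log extract, skipping lines that do not match."""
    return [ev for ev in (parse_line(ln) for ln in text.splitlines()) if ev]


def event_counts(events):
    """Count events by type (AuthAccept, AzReject, ValidateAccept, ...)."""
    return Counter(ev["event"] for ev in events)


def az_rejects(events):
    """List (user DN, resource) pairs that were denied authorization."""
    return [(ev["user"], ev["resource"]) for ev in events if ev["event"] == "AzReject"]


def diagnose_user(events, user_dn):
    """Classify one user's outcome from the event types logged for that DN."""
    kinds = [ev["event"] for ev in events if ev["user"] == user_dn]
    if not kinds:
        return "no events for user"
    if "AuthReject" in kinds:
        return "authentication rejected: check credentials / authentication directory"
    if "AzReject" in kinds:
        # The thread's case: AuthAccept followed by AzReject means the user was found in the
        # Auth directory but could not be resolved or authorized through the Az directory mapping.
        return "authenticated but authorization rejected: check Az directory mapping / UniversalID"
    if "AzAccept" in kinds or "ValidateAccept" in kinds:
        return "authenticated and authorized"
    return "authenticated, no authorization decision logged"


if __name__ == "__main__":
    evs = parse_log(SAMPLE_SMACCESS)
    print(event_counts(evs))
    for user, resource in az_rejects(evs):
        print("AzReject:", user, "->", resource, "|", diagnose_user(evs, user))
```

Run it against a real smaccess.log extract by replacing SAMPLE_SMACCESS with the file contents; the AzReject list gives the user DNs whose directory mapping needs checking.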



  • 10.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted Apr 03, 2018 01:27 PM

    Yes, that's right.

    Set UniversalID for AD to be sAMAccountName

    Set UniversalID for IMUserStore to be the attribute with a matching value.



  • 11.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Posted Apr 04, 2018 02:38 AM

    It is already configured as you suggested but still does not work as expected.



  • 12.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted Apr 04, 2018 09:01 AM

    - I would pursue this through a support ticket then.

    - Create a separate SM user directory (outside of IM env) and try Directory mapping



  • 13.  Re: SM_USER_APPLICATION_ROLES response attribute is empty

    Broadcom Employee
    Posted May 22, 2018 07:03 PM

    This issue is not actually related to Authentication and Authorization mapping; rather, there is a limitation in the IDM and SM integration.

    We need to use a field in a member policy which is common (attribute reference name wise) to both user stores. The user attribute "Access Role attribute" that you use doesn't exist in AD.

     

    I believe you need to take care of two points:

    1- Pick an attribute which has a common reference name to hold the access role information in both user stores (AD and the IDM-related user store)

    2- Sync this attribute between these two stores whenever there is a change in access role information.

     

    Please check the following documentation for more information:

    https://docops.ca.com/ca-identity-manager/14-0/EN/configuring/ca-single-sign-on-integration/ca-sso-operations/how-to-configure-access-roles

     

    Check the following note at that link:

     Note: Define member policies that use only directory attributes, for example: title=Manager. If you define member policies referencing objects not stored in the user directory, such as admin roles, SiteMinder cannot resolve the reference.
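The two preconditions the thread settles on, the UniversalID values matching between AD and the IM UserStore (reply 10) and the member-policy attribute existing under the same reference name in both stores and being kept in sync (reply 13), can be checked before opening a support ticket. The script below is an added example, not code from the thread or from CA/Broadcom. It works on constructed in-memory entries standing in for an LDAP search result from each store; sAMAccountName is the real AD attribute, while `uid` as the IM UniversalID attribute and `appRole` as the synced role attribute are hypothetical names that must be replaced with the attributes actually configured in the user directories.

```python
# Constructed sample directory entries standing in for an LDAP search against each store.
# "uid" and "appRole" are hypothetical attribute names; the real IM UserStore schema and the
# SM user directory configuration decide which attributes hold the UniversalID and role data.
AD_ENTRIES = [
    {"dn": "CN=GUEST Rusconi Gabriele,OU=x,DC=itdomain,DC=local", "sAMAccountName": "g.rusconi"},
    {"dn": "CN=John Doe,OU=x,DC=itdomain,DC=local", "sAMAccountName": "j.doe", "appRole": "AppUser"},
    {"dn": "CN=Orphan User,OU=x,DC=itdomain,DC=local", "sAMAccountName": "orphan"},
]
IM_ENTRIES = [
    {"dn": "uid=g.rusconi,ou=people,o=im", "uid": "g.rusconi", "appRole": "AppUser"},
    {"dn": "uid=j.doe,ou=people,o=im", "uid": "j.doe", "appRole": "AppAdmin"},
    {"dn": "uid=a.smith,ou=people,o=im", "uid": "a.smith", "appRole": "AppUser"},
]


def check_directory_mapping(ad_entries, im_entries, ad_uid_attr="sAMAccountName",
                            im_uid_attr="uid", role_attr="appRole"):
    """Check Auth (AD) -> Az (IM UserStore) mapping preconditions for every AD user.

    Returns a report with four finding lists; an empty report means the mapping should resolve
    and the member-policy attribute is usable from both stores.
    """
    # Index IM entries by their UniversalID value so each AD user can be resolved the way the
    # Az directory mapping resolves it.
    im_by_uid = {}
    for entry in im_entries:
        uid = entry.get(im_uid_attr)
        if uid is not None:
            im_by_uid.setdefault(uid, []).append(entry)

    report = {
        "unmapped_ad_users": [],        # AD users whose UniversalID value has no IM counterpart
        "ambiguous_uids": [],           # UniversalID values matching more than one IM entry
        "role_attr_missing_in_ad": [],  # mapped users whose AD entry lacks the member-policy attribute
        "role_out_of_sync": [],         # mapped users whose role attribute differs between the stores
    }
    for ad in ad_entries:
        uid = ad.get(ad_uid_attr)
        matches = im_by_uid.get(uid, [])
        if not matches:
            report["unmapped_ad_users"].append(ad["dn"])
            continue
        if len(matches) > 1:
            report["ambiguous_uids"].append(uid)
            continue
        im = matches[0]
        if role_attr not in ad:
            # The limitation from reply 13: a member policy on an attribute that only the IM
            # UserStore carries cannot be evaluated for a user authenticated against AD.
            report["role_attr_missing_in_ad"].append(ad["dn"])
        elif ad[role_attr] != im.get(role_attr):
            report["role_out_of_sync"].append((uid, ad[role_attr], im.get(role_attr)))
    return report


def mapping_is_consistent(report):
    """True when no finding list in the report is populated."""
    return not any(report.values())


if __name__ == "__main__":
    result = check_directory_mapping(AD_ENTRIES, IM_ENTRIES)
    for finding, items in result.items():
        print(f"{finding}: {items}")
    print("consistent:", mapping_is_consistent(result))
```

In the constructed data, g.rusconi maps correctly but has no role attribute on the AD side (the thread's situation), j.doe maps but the role value has drifted between the stores, and "orphan" has no IM counterpart at all, so each finding list exercises one of the failure modes the replies describe.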