Issue:
We're running a CA Access Gateway (SPS). When a user successfully logs in to
the SPS, the backend server application returns the error message:
Your Not a Authorised User, Please Contact System Admin
Users log in with the Windows Authentication Scheme. The SM_USER header
carries the user name prefixed with the domain:
DOMAIN\myuser
We have configured a response that produces the header HTTP_SM_USER, whose
value is the user ID without the DOMAIN prefix.
However, we cannot modify the application code to read the HTTP_SM_USER
variable, which holds the user ID without the preceding domain name. The
application can only read the default header SM_USER.
How can we get the SM_USER value without the DOMAIN\ prefix?
Environment:
Policy Server 12.7SP0CR00 on Windows 2012
Access Gateway Server 12.7SP0CR00 on Windows 2012
Resolution:
You can:
1 - Use a CA Access Gateway (SPS) post filter.
You can work around this out-of-the-box behavior by setting a filter
on the CA Access Gateway (SPS) that modifies the header name and its value:
ProxyResponse Interface
setHeader(java.lang.String name, java.lang.String value)
Sets a header with the specified name and value. If a header with
the same name exists it will be overwritten.
Parameters:
name - a String specifying the header name
value - a String specifying the header value
https://docops.ca.com/ca-single-sign-on/12-7/en/programming/ca-access-gateway-apis#CAAccessGatewayAPIs-ImplementaFilter
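An added example (not part of the original KB article and not CA's code) of the value rewrite such a filter would perform before calling setHeader. The HeaderSink interface is a stand-in for the gateway object that exposes setHeader(name, value), and TRUSTED_DOMAINS is an assumed, constructed value; the example goes slightly beyond the text by leaving values from unexpected domains untouched, so that OTHER\myuser is not silently mapped to myuser.

```java
import java.util.Locale;
import java.util.Set;

public class SmUserNormalizer {
    // Stand-in (assumption) for the object exposing setHeader(name, value),
    // the method quoted from the ProxyResponse interface above.
    interface HeaderSink { void setHeader(String name, String value); }

    // Constructed value: the only Windows domain whose prefix may be stripped.
    static final Set<String> TRUSTED_DOMAINS = Set.of("DOMAIN");

    /** Returns the bare login ID, or null if the value must not be rewritten. */
    static String stripDomain(String smUser) {
        if (smUser == null) return null;
        String v = smUser.trim();
        int slash = v.indexOf('\\');
        if (slash < 0) return v.isEmpty() ? null : v;      // already bare
        if (slash != v.lastIndexOf('\\')) return null;     // more than one backslash
        String domain = v.substring(0, slash).toUpperCase(Locale.ROOT);
        String user = v.substring(slash + 1);
        // Refuse empty user names and domains outside the allowlist, so two
        // accounts with the same login ID in different domains never collide.
        if (user.isEmpty() || !TRUSTED_DOMAINS.contains(domain)) return null;
        return user;
    }

    /** Overwrites SM_USER only when the value was safely normalized. */
    static boolean apply(String smUser, HeaderSink out) {
        String bare = stripDomain(smUser);
        if (bare == null) return false;  // header left as received
        out.setHeader("SM_USER", bare);
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample header values.
        String[] samples = {"DOMAIN\\myuser", "myuser", "OTHER\\myuser", "DOMAIN\\", "A\\B\\c"};
        for (String s : samples) {
            boolean changed = apply(s, (name, value) ->
                    System.out.println(s + " -> " + name + ": " + value));
            if (!changed) System.out.println(s + " -> left unchanged");
        }
    }
}
```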
2 - Use the GD SmOverrideAuth module to modify the SM_USER value.
The out-of-the-box SM_USER value can also be overridden by using the GD
module "SmOverrideAuth", as described here:
Remove <domain>\ from user name when using IWA
There is another option. If you really need the value stored in the
SiteMinder SMSESSION cookie modified to be just the loginID, without
the domain prefix, there is a CA Services, Global Deployment
Pre-built PWP (aka module) called SmOverrideAuth that will meet this
requirement. It actually allows you to set SM_USER to the value of
any attribute in the user's record, although normally the loginID is
used. Note however that this is a separately priced item, it is not
part of core SiteMinder. You can contact Sid Mautte
(Sid.MautteIII@ca.com) if you would like to find out more about this
module, or you can contact your CA Sales Representative and ask them
to open a Service Request for SmOverrideAuth.
https://communities.ca.com/thread/241754143
CA Global Delivery Packaged Work Product Download Index
Override Authentication Login for CA Single Sign-On
https://support.ca.com/us/product-content/recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D
KB : KB000117269