Symantec Access Management

  • 1.  Perl scripts failed to add attribute to SAML2.0 SP object

    Posted Dec 10, 2018 02:38 AM

    Hi,

    We're using custom Perl scripts for the creation of CA SiteMinder Federation objects. Recently, we've started seeing an issue with the execution of the scripts. The script creates the SAML Service Provider correctly; however, it doesn't add the attributes that are requested by third-party applications (required as part of the assertion). I checked the syntax of the AddAttribute method, which adds an attribute to a SAML 2.0 Service Provider, and turned on debug mode to see if there is any issue. I don't see anything wrong with the syntax and values it passes.


    Please see the debug events below:


    NOTE: New Service Provider has been created - please ensure you set the group constraint throught the Admin UI!

    Adding attributes Adding attribute: EMAIL="abc@test.com" 0 DEBUG: destroying Netegrity::PolicyMgtSAMLSPAttr=SCALAR(0xce461ec)

    Adding users Service Provider OID(SPOID): 21-0009edb6-364a-1c0a-b63a-7ad90e41f0e1

    Apply SP Group constraints


    I tried multiple things but couldn't spot what is causing the issue.

    Could you please help with this?


    Infrastructure details:

    1. CA SiteMinder Policy Server version - R12.52 SP01 CR06 Build 2209

    2. CA SiteMinder Admin UI version - R12.52 SP01 CR06 Build 2209

    3. CA SiteMinder Policy & Admin UI server OS version - Red Hat Enterprise Linux Server release 6.4 (Santiago) 64 bit

    4. Policy Store version - CA Directory R12.0 SP18



  • 2.  Re: Perl scripts failed to add attribute to SAML2.0 SP object

    Broadcom Employee
    Posted Dec 13, 2018 01:08 PM

    No promises, but I'll see if I can lend any insight if you could share a copy of your script here.



  • 3.  Re: Perl scripts failed to add attribute to SAML2.0 SP object

    Posted Dec 25, 2018 04:40 AM

    Hi Richard,


    Sorry for the delayed reply!

    I'll not be able to paste the entire Perl script, but here is a code snippet which adds attributes to the SAML Service Provider.

    Script ==>

    use Netegrity::PolicyMgtAPI;   # provides the SAMLSP_* constants used below

    # $affdomain, %spaffproperties and @spattrs are set up earlier in the script;
    # each @spattrs entry is [ "name=<%userattr=...%>", nameFormat ] from the property file.
    my $serviceprovider = $affdomain->CreateSAMLServiceProvider( \%spaffproperties );
    foreach my $aref ( @spattrs )
    {
        print "Adding attribute: ".$aref->[0]."\t".$aref->[1]."\n";
        # Positional arguments as passed: name format, "name=value", 0, SAMLSP_SSO.
        # The returned PolicyMgtSAMLSPAttr object (seen in the "destroying" DEBUG line) is discarded unchecked.
        $serviceprovider->AddAttribute( $aref->[1], $aref->[0], 0, SAMLSP_SSO );
    }


    It reads a property file to get the required values for creating the Service Provider in SiteMinder and then adds attributes by referring to the Attribute properties.


    Property file:


    IdPID XXXXXXXX
    NetegrityAffiliateMinderAuthURL XXXXXXXX
    DisableSignatureProcessing 0
    RequireSignedAuthnRequests 0
    Name XXXXXXXX
    Attribute givenName=<%userattr="givenName"%> 2
    Attribute telephoneNumber=<%userattr="telephoneNumber"%> 0


    The debug logs show that it's fetching the attribute values correctly, i.e. the attribute to be added along with the attribute type. 0 means SAMLSP_UNSPECIFIED and 2 means SAMLSP_BASIC.
    It also shows that it's added correctly, as it destroys the object later on:


    Adding attribute: givenName=<%userattr="givenName"%> 2
    DEBUG: destroying Netegrity::PolicyMgtSAMLSPAttr=SCALAR(0xc8c1688)
    Adding attribute: telephoneNumber=<%userattr="telephoneNumber"%> 0
    DEBUG: destroying Netegrity::PolicyMgtSAMLSPAttr=SCALAR(0xc8c1634)


    I tried hardcoding the values in the AddAttribute method, but no luck. Then I ran XPSSweeper and the Policy Server restart option, but nothing worked. Are we missing any libraries or JARs for this method to work?

    Version in use -- R12.52 SP01 CR06
    Perl CLI version -- 5.8.4


    I'd appreciate it if you could help with this.
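As an added example (not the poster's script and not Broadcom's code), here is how the "Attribute" lines of the property file can be parsed and how each AddAttribute call can be checked and read back, so that a missing attribute shows up in the script's own output instead of only in the Admin UI. It assumes that AddAttribute returns undef on failure and that GetAllAttributes() and GetValue() exist as named; those are assumptions to confirm against the Policy Management API reference.

```perl
use strict;
use warnings;
use Netegrity::PolicyMgtAPI;   # exports the SAMLSP_* constants

# Name-format codes used in the property file, as given in the post.
my %known_format = ( 0 => 'SAMLSP_UNSPECIFIED', 2 => 'SAMLSP_BASIC' );

# Turn "Attribute <name>=<value> <type>" lines into [ value, type ] pairs,
# dying on malformed lines rather than silently skipping them.
sub parse_attribute_lines {
    my @attrs;
    for my $line (@_) {
        next unless $line =~ /^Attribute\s/;
        my ( $value, $type ) = $line =~ /^Attribute\s+(\S+)\s+(\d+)\s*$/
            or die "malformed Attribute line: $line\n";
        die "unknown attribute type $type in: $line\n" unless $known_format{$type};
        push @attrs, [ $value, $type ];
    }
    return @attrs;
}

# Add each attribute, then read the SP back and return the pairs that did not
# persist. The "destroying Netegrity::PolicyMgtSAMLSPAttr" DEBUG line only shows
# the returned wrapper object going out of scope; it is not proof of persistence.
# Assumptions (hypothetical until checked against the API reference):
# AddAttribute returns undef on failure, GetAllAttributes() returns the stored
# PolicyMgtSAMLSPAttr objects, and GetValue() returns their "name=value" string.
sub add_and_verify_attributes {
    my ( $sp, @attrs ) = @_;
    for my $pair (@attrs) {
        my ( $value, $type ) = @$pair;
        print "Adding attribute: $value ($known_format{$type})\n";
        my $attr = $sp->AddAttribute( $type, $value, 0, SAMLSP_SSO );   # same call as the script
        die "AddAttribute returned undef for $value\n" unless defined $attr;
    }
    my %stored;
    $stored{ $_->GetValue() } = 1 for $sp->GetAllAttributes();
    return grep { !$stored{ $_->[0] } } @attrs;
}

# Usage, with $affdomain and %spaffproperties set up as in the poster's script
# and the property file already read into @lines:
#   my @spattrs = parse_attribute_lines(@lines);
#   my $sp = $affdomain->CreateSAMLServiceProvider( \%spaffproperties )
#       or die "CreateSAMLServiceProvider failed\n";
#   my @missing = add_and_verify_attributes( $sp, @spattrs );
#   die 'attributes not stored: ' . join( ', ', map { $_->[0] } @missing ) . "\n" if @missing;
```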