Patrick-Dussault

Tech Tip : CA Single Sign-On : SM_USERGROUPS and webagents

Discussion created by Patrick-Dussault Employee on Apr 15, 2019

Question:

We're running Web Agent and we'd like to know under which conditions
the SM_USERGROUPS header gets populated?

Answer:

The user attributes SM_USERGROUPS and SM_USERNESTEDGROUPS are generated
when the user is authenticated and are stored in the Policy Server user
cache. They are fetched again only when one of the following scenarios
occurs:

1. The user logs off and logs in again
2. The session expires

https://communities.ca.com/thread/241696878

The following two registry keys define the LDAP query used to build
SM_USERGROUPS:

HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\GroupClassFilters

HKEY_LOCAL_MACHINE\software\wow6432node\netegrity\SiteMinder\CurrentVersion\Ds\LdapMatchUserDN

https://communities.ca.com/message/241902261

You can make SM_USERGROUPS available to the browser by setting a response:

https://communities.ca.com/community/ca-security/ca-single-sign-on/blog/2017/04/03/tech-tip-ca-single-sign-onpolicy-server-how-to-check-if-user-is-a-member-of-a-group

Documentation:

%SM_USERGROUPS

This attribute holds the groups to which the user belongs. If the user
belongs to a nested group, this attribute contains the group furthest
down in the hierarchy. For all nested groups to which the user
belongs, use SM_USERNESTEDGROUPS.

Example:

If a user belongs to the group Accounts Payable and Accounts Payable
is contained in the group Accounting, SM_USERGROUPS contains Accounts
Payable. If you want both Accounting and Accounts Payable, use
SM_USERNESTEDGROUPS.

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes
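The nested-group distinction above, modelled as an added Python example (this is not code from the tech tip or from CA's product); the group hierarchy and the users are constructed for illustration, and is_member shows why a membership check on the page should read SM_USERNESTEDGROUPS when the policy group is a parent group:

```python
# Added example: how SM_USERGROUPS (direct groups only) and
# SM_USERNESTEDGROUPS (direct groups plus all ancestors) differ.
from collections import deque

# Constructed sample hierarchy: child group -> parent groups containing it.
GROUP_PARENTS = {
    "Accounts Payable": ["Accounting"],
    "Accounting": ["Finance"],
    "Finance": [],
    "Helpdesk": ["IT"],
    "IT": [],
}

# Constructed sample: explicit (direct) group memberships per user.
DIRECT_MEMBERSHIP = {
    "alice": ["Accounts Payable"],
    "bob": ["Helpdesk", "Accounting"],
}


def sm_usergroups(user):
    """Groups the user is an explicit member of: the group furthest down
    the hierarchy, which is what SM_USERGROUPS carries."""
    return sorted(DIRECT_MEMBERSHIP.get(user, []))


def sm_usernestedgroups(user):
    """Direct groups plus every ancestor group (transitive closure over
    GROUP_PARENTS), which is what SM_USERNESTEDGROUPS carries."""
    seen = set()
    queue = deque(DIRECT_MEMBERSHIP.get(user, []))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue
        seen.add(group)
        queue.extend(GROUP_PARENTS.get(group, []))
    return sorted(seen)


def is_member(user, group):
    """Membership check that honours nesting. Testing SM_USERGROUPS alone
    would miss a user whose only membership in 'group' is via a child."""
    return group in sm_usernestedgroups(user)
```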

 

You won't see SM_USERGROUPS in the browser: the header is sent only to
the page being accessed. To see it, put up a test page that reads all
the request headers and writes them into the HTML page. Here's a sample
in PHP (the header names and values are HTML-escaped, so a value
containing markup cannot alter the test page):

<?php
// Dump every request header the Web Agent passed to this page, one per line.
foreach (getallheaders() as $name => $value) {
    // Escape the name and value before writing them into the HTML.
    echo htmlspecialchars("$name: $value", ENT_QUOTES, 'UTF-8') . "<br />\n";
}
?>

Directory Mapping is applied at authorization time. SM_USERGROUPS is
set at authentication time, so a Directory Mapping has no effect on it.

KB: KB000130878
