Previous Topic: How to Create a Web Agent Response That Generates an Open Format CookieNext Topic: Response Groups


CA SiteMinder®-Generated User Attributes

The following list contains user attributes that CA SiteMinder® generates automatically. These attributes can be specified as response attributes for Web Agent responses and are available to named expressions.

%SM_USER

The web agent places the username in an SM_USER http header variable for all requests. The web agent does not set the value of the SM_USER header variable when one fo the following items are true:

%SM_USER_CONFIDENCE_LEVEL

If a user is authenticated with an authentication scheme and the authentication scheme generates a confidence level, this attribute holds an integer (0–1000). The authentication scheme inserts the integer in to the session ticket of the user. A higher confidence level corresponds to a higher level of credential assurance. A confidence level of zero represents no credential assurance. No credential assurance results in CA SiteMinder® denying access to the requested resource.

Note: For more information, see Confidence Levels Introduced.

%SM_USERDN

For an authenticated user, the web agent populates this http header variable with the DN that the Policy Server determines. For certificate-based authentication, this attribute can be used to identify a user.

%SM_USERNAME

For an authenticated user, this attribute holds the user DN that CA SiteMinder® disambiguates. For an unauthenticated user, this attribute holds the user ID that a user specifies during a login attempt.

%SM_USERIMPERSONATORNAME

If the authentication scheme performs impersonation, this attribute holds the user DN that CA SiteMinder® that authenticates.

%SM_USERLOGINNAME

This attribute holds the user ID that a user specifies during a login attempt.

%SM_USERIPADDRESS

This attribute holds the IP address of the user at the time of authentication or authorization.

%SM_USERPATH

For an authenticated user, this attribute holds a string that represents the directory namespace and directory server (both as specified in the user directory definition), and user DN (as CA SiteMinder® disambiguates). For example:

“LDAP://123.123.0.1/uid=scarter,ou=people,o=airius.com”

For an unauthenticated user, this attribute holds the same value as SM_USERNAME.

%SM_USERPASSWORD

This attribute holds the password that the user specifies in the login attempt. This attribute is only available after a successful authentication through the OnAuthAccept event. The value is returned only on authentication, not on authorization.

%SM_TRANSACTIONID

This attribute holds the transaction ID that the agent generates.

%SM_USERSESSIONSPEC

The session ticket of the user.

%SM_USERSESSIONID

This attribute holds the session ID of a user who has already been authenticated, or the session ID that CA SiteMinder® is to assign to the user upon successful authentication.

%SM_USERSESSIONIP

This attribute holds the IP address that was used during the original user authentication (upon establishment of a session).

%SM_USERSESSIONUNIVID

This attribute holds the universal ID of the user. If no universal ID directory attribute is specified in the user directory definition, the value defaults to the DN of the user.

%SM_USERSESSIONDIRNAME

This attribute holds the name of the user directory that the Policy Server is configured to use.

%SM_USERSESSIONDIROID

This attribute holds the object ID of the user directory that the Policy server is configured to use.

%SM_USERSESSIONTYPE

This attribute holds the session type of the user. The value is one of the following values:

%SM_USERLASTLOGINTIME

This attribute holds the time, using GMT, that the user last logged in and was authenticated. This response attribute is only available for an OnAuthAccept authentication event. This attribute has value only when both of the following conditions are true:

%SM_USERPREVIOUSLOGINTIME

This attribute holds the time, using GMT, of the successful login before the last. This response attribute is only available for an OnAuthAccept authentication event. This attribute has a value only when Password Services is enabled.

%SM_USERGROUPS

This attribute holds the groups to which the user belongs. If the user belongs to a nested group, this attribute contains the group furthest down in the hierarchy. For all nested groups to which the user belongs, use SM_USERNESTEDGROUPS.

Example:

If a user belongs to the group Accounts Payable and Accounts Payable is contained in the group Accounting, SM_USERGROUPS contains Accounts Payable. If you want both Accounting and Accounts Payable, use SM_USERNESTEDGROUPS.

%SM_USERNESTEDGROUPS

This attribute holds the nested groups to which the user belongs. For only the group furthest down in the hierarchy, use SM_USERGROUPS[.

Example:

If a user belongs to the group Accounts Payable and Accounts Payable is contained in the group Accounting, SM_USERNESTEDGROUPS contains Accounting and Accounts Payable. If you want only Accounting, use SM_USERGROUPS.

%SM_USERSCHEMAATTRIBUTES

This attribute holds the user attributes associated with the DN or properties that are associated with the user. If the user directory is a SQL database, then SM_USERSCHEMAATTRIBUTES holds the names of the columns in the table where the user data is stored. For example, using the SmSampleUsers schema, SM_USERSCHEMAATTRIBUTES holds the names of the columns in the SmUser table.

%SM_USERPOLICIES

When a user is authorized for a resource and there are policies exist to give the user authorization, this attribute holds the names of the policies.

Example: To purchase an item, you are required to be a user that is associated with the Buyer policy. If the Policy Server authorizes me to buy an item, then SM_USERPOLICIES contains Buyer.

%SM_USERPRIVS

When a user is authenticated or a user is authorized for a resource, SM_USERPRIVS holds all of the response attributes for all policies that apply to that user, in all policy domains.

%SM_USERREALMPRIVS

When a user is authenticated or a user is authorized for a resource under a realm, SM_USERREALMPRIVS holds all the response attributes for all rules under that realm.

Example:

A realm exists named Equipment Purchasing. Under that realm, there is a rule named CheckCredit. The rule is associated with a response that returns the credit limit of the buyer, as a response attribute such as:

limit = $15000

If the buyer attempts to purchase equipment worth $5000, rule fires. SM_USERREALMPRIVS would contain all of the response attributes for all of the rules under the Equipment Purchasing realm.

%SM_AUTHENTICATIONLEVEL

When a user is authenticated for a resource, this attribute holds an integer number (of 0 to 1000) that represents the protection level of the authentication scheme under which the user was authenticated.

%SM_USERDISABLEDSTATE

This attribute holds a decimal number that represents a bit mask of reasons that a user is disabled. The bits are defined in SmApi.h under the Sm_Api_DisabledReason_t data structure, which is part of the SDK.

For example, a user may be disabled as a result of inactivity, Sm_Api_Disabled_Inactivity. In Sm_Api_DisabledReason_t, the reason Sm_Api_Disabled_Inactivity, corresponds to the value 0x00000004. So, in this case, SM_USERDISABLEDSTATE is 4.

A user can be disabled for multiple reasons.

%SM_USER_APPLICATION_ROLES

If you have purchased CA Identity Manager, this attribute may be used in responses. It contains a list of all roles assigned or delegated to a user. If an application name is specified, only the roles associated with the application are returned in the response attribute.

The response attribute name is typed in the Variable Name field on the Response Attribute pane. The response attribute name has the following syntax:

SM_USER_APPLICATION_ROLES[:application_name]

where application_name is an optional name of an application defined in Identity Manager.

The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Administrative UI.

Note: For more information about Identity Manager roles, see the CA Identity Manager Operations Guide.

%SM_USER_APPLICATION TASKS

If you have purchased CA Identity Manager (Identity Manager ), this attribute may be used in responses. It contains a list of all tasks assigned or delegated to a user. If an application name is specified, only the tasks associated with the application are returned in the response attribute.

The response attribute name is typed in the Variable Name field on the Response Attribute pane. The response attribute name has the following syntax:

SM_USER_APPLICATION_TASKS[:application_name]

where application_name is an optional name of an application defined in Identity Manager .

The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Administrative UI.

Note: For more information about Identity Manager tasks, see the CA Identity Manager Operations Guide.

More information:

Configure a Web Agent Response Attribute

Availability of CA SiteMinder®-generated Response Attributes

The following table shows the availability of CA SiteMinder® generated response attributes during authentication, authorization and impersonation events:

Response Attribute

Authentication and Authorization Events

Impersonation
Events

GET/PUT

On
Auth
Accept

On
Auth
Reject

On
Access
Accept

On
Access
Reject

Impersonate
Start User

SM_USER_CONFIDENCE_LEVEL

Yes

Yes

Yes

Yes

Yes

No

SM_USERNAME

Yes

Yes

Yes

Yes

Yes

No

SM_USERPATH

Yes

Yes

Yes

Yes

Yes

No

SM_USERIPADDRESS

Yes

Yes

Yes

Yes

Yes

No

SM_USERPASSWORD

No

Yes

Yes

No

No

No

SM_TRANSACTIONID

Yes

No

No

Yes

Yes

No

SM_USERSESSIONID

Yes

Yes

No

Yes

Yes

No

SM_USERSESSIONSPEC

Yes

No

No

Yes

Yes

No

SM_USERSESSIONIP

Yes

Yes

Yes

Yes

Yes

No

SM_USERSESSIONUNIVID

Yes

Yes

No

Yes

Yes

No

SM_USERSESSIONDIRNAME

Yes

Yes

No

Yes

Yes

No

SM_USERSESSIONDIROID

Yes

Yes

No

Yes

Yes

No

SM_USERSESSIONTYPE

Yes

Yes

No

Yes

Yes

No

SM_USERLASTLOGINTIME

No

Yes

No

No

No

No

SM_USERGROUPS[

Yes

Yes

No

Yes

Yes

No

SM_USERNESTEDGROUPS

Yes

Yes

No

Yes

Yes

No

SM_USERSCHEMAATTRIBUTES

Yes

Yes

Yes

Yes

Yes

No

SM_USERLOGINNAME

No

Yes

Yes

No

No

No

SM_USERIMPERSONATORNAME

No

No

No

No

No

Yes

SM_USERDISABLEDSTATE

Yes

Yes

No

Yes

Yes

No

SM_USERPOLICIES

No

No

No

Yes

No

No

SM_USERREALMPRIVS

Yes

No

No

No

No

No

SM_USERPRIVS

Yes

No

No

No

No

No