The following list contains user attributes that CA SiteMinder® generates automatically. These attributes can be specified as response attributes for Web Agent responses and are available to named expressions.
The web agent places the username in the SM_USER HTTP header for all requests. Because applications behind the agent see only this header, treat SM_USER as authoritative only for requests that actually passed through the web agent; a client that can reach the application directly can supply an SM_USER header of its own. The web agent does not set the value of the SM_USER header when one of the following items is true:
If a user is authenticated with an authentication scheme and the authentication scheme generates a confidence level, SM_USER_CONFIDENCE_LEVEL holds an integer (0–1000). The authentication scheme inserts the integer into the session ticket of the user. A higher confidence level corresponds to a higher level of credential assurance. A confidence level of zero represents no credential assurance, and no credential assurance results in CA SiteMinder® denying access to the requested resource.
Note: For more information, see Confidence Levels Introduced.
For an authenticated user, the web agent populates this HTTP header variable with the DN that the Policy Server determines. For certificate-based authentication, this attribute can be used to identify a user.
For an authenticated user, SM_USERNAME holds the user DN that CA SiteMinder® disambiguates. For an unauthenticated user, it holds the user ID that the user specifies during the login attempt.
If the authentication scheme performs impersonation, SM_USERIMPERSONATORNAME holds the DN of the user that CA SiteMinder® authenticates (the impersonator).
SM_USERLOGINNAME holds the user ID that the user specifies during the login attempt.
SM_USERIPADDRESS holds the IP address of the user at the time of authentication or authorization.
For an authenticated user, SM_USERPATH holds a string made up of the directory namespace and the directory server (both as specified in the user directory definition) and the user DN (as CA SiteMinder® disambiguates it). For example:
"LDAP://123.123.0.1/uid=scarter,ou=people,o=airius.com"
For an unauthenticated user, SM_USERPATH holds the same value as SM_USERNAME.
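The following is an added example, not code from CA or from this documentation. It splits an SM_USERPATH value into the three parts described above, assuming only the layout shown in the example (namespace, then "://", then the directory server, then "/" and the user DN) and that an unauthenticated user's value carries just the login ID with no "://". Everything else (the UserPath type, function names, the sample value) is constructed for illustration.

```python
# Added example (not CA code): split an SM_USERPATH value into its parts.
# Assumes the layout shown in the documentation example:
#   <namespace>://<directory server>/<user DN>
# and that an unauthenticated user's SM_USERPATH carries only the login
# user ID (the same value as SM_USERNAME), with no "://".
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UserPath:
    namespace: Optional[str]   # e.g. "LDAP"; None when the user is not authenticated
    server: Optional[str]      # directory server from the user directory definition
    identity: str              # disambiguated DN, or the raw login ID when unauthenticated


def parse_userpath(value: str) -> UserPath:
    """Parse an SM_USERPATH response attribute value."""
    value = value.strip()
    if "://" not in value:
        # Unauthenticated request: only the user-typed ID is present.
        return UserPath(namespace=None, server=None, identity=value)
    namespace, rest = value.split("://", 1)
    # A DN may itself contain "/", so split only at the first one after the server.
    server, sep, dn = rest.partition("/")
    if not sep or not dn or not server:
        raise ValueError(f"SM_USERPATH has no directory server or user DN: {value!r}")
    return UserPath(namespace=namespace, server=server, identity=dn)


def is_authenticated_path(value: str) -> bool:
    """True when the value carries a namespace, i.e. the user was authenticated."""
    return parse_userpath(value).namespace is not None


if __name__ == "__main__":
    # Constructed sample, taken from the documentation's example value.
    sample = "LDAP://123.123.0.1/uid=scarter,ou=people,o=airius.com"
    print(parse_userpath(sample))
    print(parse_userpath("scarter"))
```

A consumer that keys authorization decisions on the DN should check `namespace is not None` first; for an unauthenticated user the `identity` field is whatever the user typed, not a directory-verified DN.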
SM_USERPASSWORD holds the password that the user specifies in the login attempt. This attribute is only available after a successful authentication through the OnAuthAccept event. The value is returned only on authentication, not on authorization. Because the value is the user's cleartext credential, return it only to applications that need it and only over protected channels.
SM_TRANSACTIONID holds the transaction ID that the agent generates.
SM_USERSESSIONSPEC holds the session ticket of the user.
SM_USERSESSIONID holds the session ID of a user who has already been authenticated, or the session ID that CA SiteMinder® is to assign to the user upon successful authentication.
SM_USERSESSIONIP holds the IP address that was used during the original user authentication (upon establishment of the session).
SM_USERSESSIONUNIVID holds the universal ID of the user. If no universal ID directory attribute is specified in the user directory definition, the value defaults to the DN of the user.
SM_USERSESSIONDIRNAME holds the name of the user directory that the Policy Server is configured to use.
SM_USERSESSIONDIROID holds the object ID of the user directory that the Policy Server is configured to use.
SM_USERSESSIONTYPE holds the session type of the user. The value is one of the following values:
SM_USERLASTLOGINTIME holds the time, in GMT, at which the user last logged in and was authenticated. This response attribute is only available for an OnAuthAccept authentication event. This attribute has a value only when both of the following conditions are true:
This attribute holds the time, in GMT, of the successful login before the last one. This response attribute is only available for an OnAuthAccept authentication event. This attribute has a value only when Password Services is enabled.
SM_USERGROUPS holds the groups to which the user belongs. If the user belongs to a nested group, this attribute contains only the group furthest down in the hierarchy. For all nested groups to which the user belongs, use SM_USERNESTEDGROUPS.
Example:
If a user belongs to the group Accounts Payable and Accounts Payable is contained in the group Accounting, SM_USERGROUPS contains Accounts Payable. If you want both Accounting and Accounts Payable, use SM_USERNESTEDGROUPS.
SM_USERNESTEDGROUPS holds the nested groups to which the user belongs. For only the group furthest down in the hierarchy, use SM_USERGROUPS.
Example:
If a user belongs to the group Accounts Payable and Accounts Payable is contained in the group Accounting, SM_USERNESTEDGROUPS contains Accounting and Accounts Payable. If you want only Accounting, use SM_USERGROUPS.
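The following is an added example, not code from CA or from this documentation. It shows the practical consequence of the two attributes above: a policy that requires membership in the parent group Accounting fails when the application reads SM_USERGROUPS and succeeds when it reads SM_USERNESTEDGROUPS. It assumes the attributes arrive as HTTP headers whose multiple values are joined with "^" (assumed to be the Web Agent's default multi-value delimiter; check your agent configuration). The header dictionary and the function names are constructed for illustration.

```python
# Added example (not CA code): direct versus nested group membership checks.
# Assumes multi-valued response attributes reach the application joined with
# "^" (assumed Web Agent default; verify against your agent configuration).
from typing import Dict, FrozenSet

MULTI_VALUE_DELIMITER = "^"


def split_groups(header_value: str, delimiter: str = MULTI_VALUE_DELIMITER) -> FrozenSet[str]:
    """Split a multi-valued group attribute into a set of group names."""
    if not header_value:
        return frozenset()
    return frozenset(g.strip() for g in header_value.split(delimiter) if g.strip())


def is_member(headers: Dict[str, str], group: str, *, include_nested: bool) -> bool:
    """Return True if the user is in `group`.

    include_nested=False consults SM_USERGROUPS, which carries only the group
    furthest down the hierarchy; include_nested=True consults
    SM_USERNESTEDGROUPS, which also carries every containing group.
    """
    name = "SM_USERNESTEDGROUPS" if include_nested else "SM_USERGROUPS"
    return group in split_groups(headers.get(name, ""))


def require_group(headers: Dict[str, str], group: str) -> bool:
    """Authorization helper for policies phrased as 'any member of <group>'.

    Uses the nested attribute so that members of sub-groups are not rejected.
    """
    return is_member(headers, group, include_nested=True)


# Constructed headers for the documentation's scenario: the user is in
# "Accounts Payable", which sits inside "Accounting".
SAMPLE_HEADERS = {
    "SM_USER": "scarter",
    "SM_USERGROUPS": "Accounts Payable",
    "SM_USERNESTEDGROUPS": "Accounting^Accounts Payable",
}

if __name__ == "__main__":
    print(is_member(SAMPLE_HEADERS, "Accounting", include_nested=False))  # False
    print(is_member(SAMPLE_HEADERS, "Accounting", include_nested=True))   # True
    print(require_group(SAMPLE_HEADERS, "Accounting"))                    # True
```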
SM_USERSCHEMAATTRIBUTES holds the user attributes associated with the DN, or the properties that are associated with the user. If the user directory is a SQL database, SM_USERSCHEMAATTRIBUTES holds the names of the columns in the table where the user data is stored. For example, using the SmSampleUsers schema, SM_USERSCHEMAATTRIBUTES holds the names of the columns in the SmUser table.
When a user is authorized for a resource and policies exist that grant the user that authorization, SM_USERPOLICIES holds the names of those policies.
Example: To purchase an item, a user must be associated with the Buyer policy. If the Policy Server authorizes the user to buy an item, then SM_USERPOLICIES contains Buyer.
When a user is authenticated or a user is authorized for a resource, SM_USERPRIVS holds all of the response attributes for all policies that apply to that user, in all policy domains.
When a user is authenticated or a user is authorized for a resource under a realm, SM_USERREALMPRIVS holds all the response attributes for all rules under that realm.
Example:
A realm exists named Equipment Purchasing. Under that realm, there is a rule named CheckCredit. The rule is associated with a response that returns the credit limit of the buyer, as a response attribute such as:
limit = $15000
If the buyer attempts to purchase equipment worth $5000, the rule fires. SM_USERREALMPRIVS then contains all of the response attributes for all of the rules under the Equipment Purchasing realm.
When a user is authenticated for a resource, this attribute holds an integer from 0 to 1000 that represents the protection level of the authentication scheme under which the user was authenticated.
SM_USERDISABLEDSTATE holds a decimal number that represents a bit mask of the reasons that a user is disabled. The bits are defined in SmApi.h in the Sm_Api_DisabledReason_t data structure, which is part of the SDK.
For example, a user may be disabled as a result of inactivity, Sm_Api_Disabled_Inactivity. In Sm_Api_DisabledReason_t, the reason Sm_Api_Disabled_Inactivity corresponds to the value 0x00000004, so in this case SM_USERDISABLEDSTATE is 4.
A user can be disabled for multiple reasons at once; the attribute then holds the bitwise OR of the corresponding values.
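The following is an added example, not code from CA or from this documentation. It decodes an SM_USERDISABLEDSTATE value back into the reasons it encodes, handling the multi-reason case and treating bits it does not know as a reason rather than ignoring them. Only Sm_Api_Disabled_Inactivity = 0x00000004 is stated on this page; the other three names and values in the table are assumptions and must be checked against the Sm_Api_DisabledReason_t definition in the SmApi.h shipped with your SDK. The function names are constructed for illustration.

```python
# Added example (not CA code): decode the SM_USERDISABLEDSTATE bit mask.
# Only the 0x00000004 / Sm_Api_Disabled_Inactivity pairing is documented on
# this page; the other entries are ASSUMED and must be verified against the
# Sm_Api_DisabledReason_t enumeration in your SDK's SmApi.h.
from typing import List, Union

DISABLED_REASON_BITS = {
    0x00000001: "Sm_Api_Disabled_AdminDisabled",   # assumed, verify in SmApi.h
    0x00000002: "Sm_Api_Disabled_MaxLoginFail",    # assumed, verify in SmApi.h
    0x00000004: "Sm_Api_Disabled_Inactivity",      # documented on this page
    0x00000008: "Sm_Api_Disabled_PWMustChange",    # assumed, verify in SmApi.h
}


def decode_disabled_state(value: Union[str, int]) -> List[str]:
    """Return the reason names whose bits are set in an SM_USERDISABLEDSTATE value.

    The attribute is delivered as a decimal number (a string when it arrives
    as a header). An empty or zero value means no disable reason is set.
    Bits that are not in the table are reported as unknown rather than
    dropped, so a reason added by a newer SDK can never read as "enabled".
    """
    mask = int(str(value).strip() or "0", 10)
    if mask < 0:
        raise ValueError("disabled state must be a non-negative bit mask")
    reasons: List[str] = []
    bit = 1
    while mask:
        if mask & 1:
            reasons.append(DISABLED_REASON_BITS.get(bit, f"unknown_bit_0x{bit:08x}"))
        mask >>= 1
        bit <<= 1
    return reasons


def is_disabled(value: Union[str, int]) -> bool:
    """True when at least one disable reason (known or unknown) is set."""
    return bool(decode_disabled_state(value))


if __name__ == "__main__":
    print(decode_disabled_state("4"))   # the page's inactivity example
    print(decode_disabled_state(6))     # two reasons combined
    print(is_disabled("0"))             # False
```

Decoding with an explicit table rather than comparing the whole value to 4 matters because of the multi-reason case: a user disabled for inactivity and for a second reason carries a value that is not 4, and a check written as `value == 4` would miss it.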
If you have purchased CA Identity Manager, SM_USER_APPLICATION_ROLES may be used in responses. It contains a list of all roles assigned or delegated to a user. If an application name is specified, only the roles associated with that application are returned in the response attribute.
The response attribute name is typed in the Variable Name field on the Response Attribute pane. The response attribute name has the following syntax:
SM_USER_APPLICATION_ROLES[:application_name]
where application_name is an optional name of an application defined in Identity Manager.
The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Administrative UI.
Note: For more information about Identity Manager roles, see the CA Identity Manager Operations Guide.
If you have purchased CA Identity Manager (Identity Manager), SM_USER_APPLICATION_TASKS may be used in responses. It contains a list of all tasks assigned or delegated to a user. If an application name is specified, only the tasks associated with that application are returned in the response attribute.
The response attribute name is typed in the Variable Name field on the Response Attribute pane. The response attribute name has the following syntax:
SM_USER_APPLICATION_TASKS[:application_name]
where application_name is an optional name of an application defined in Identity Manager.
The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Administrative UI.
Note: For more information about Identity Manager tasks, see the CA Identity Manager Operations Guide.
The following table shows the availability of CA SiteMinder® generated response attributes during authentication, authorization and impersonation events. The GET/PUT and On columns are the authentication and authorization events; the Impersonate column is the impersonation event.

| Response Attribute | GET/PUT | On | On | On | On | Impersonate |
|---|---|---|---|---|---|---|
| SM_USER_CONFIDENCE_LEVEL | Yes | Yes | Yes | Yes | Yes | No |
| SM_USERNAME | Yes | Yes | Yes | Yes | Yes | No |
| SM_USERPATH | Yes | Yes | Yes | Yes | Yes | No |
| SM_USERIPADDRESS | Yes | Yes | Yes | Yes | Yes | No |
| SM_USERPASSWORD | No | Yes | Yes | No | No | No |
| SM_TRANSACTIONID | Yes | No | No | Yes | Yes | No |
| SM_USERSESSIONID | Yes | Yes | No | Yes | Yes | No |
| SM_USERSESSIONSPEC | Yes | No | No | Yes | Yes | No |
| SM_USERSESSIONIP | Yes | Yes | Yes | Yes | Yes | No |
| SM_USERSESSIONUNIVID | Yes | Yes | No | Yes | Yes | No |
| SM_USERSESSIONDIRNAME | Yes | Yes | No | Yes | Yes | No |
| SM_USERSESSIONDIROID | Yes | Yes | No | Yes | Yes | No |
| SM_USERSESSIONTYPE | Yes | Yes | No | Yes | Yes | No |
| SM_USERLASTLOGINTIME | No | Yes | No | No | No | No |
| SM_USERGROUPS | Yes | Yes | No | Yes | Yes | No |
| SM_USERNESTEDGROUPS | Yes | Yes | No | Yes | Yes | No |
| SM_USERSCHEMAATTRIBUTES | Yes | Yes | Yes | Yes | Yes | No |
| SM_USERLOGINNAME | No | Yes | Yes | No | No | No |
| SM_USERIMPERSONATORNAME | No | No | No | No | No | Yes |
| SM_USERDISABLEDSTATE | Yes | Yes | No | Yes | Yes | No |
| SM_USERPOLICIES | No | No | No | Yes | No | No |
| SM_USERREALMPRIVS | Yes | No | No | No | No | No |
| SM_USERPRIVS | Yes | No | No | No | No | No |
Copyright © 2014 CA.
All rights reserved.