Expression Use Case

CA SiteMinder® Federation Standalone Guide › User Directory Connections for Authentication › Create a Common View of the Same User Information Across Directories › Establish Connections to User Directories › Expression Use Case

Expression Use Case

This use case shows how you can use an expression attribute mapping to simplify references to multiple user attributes in one directory. A protected resource needs the sort name of each user (last name,first name). The user directory does not uniquely reference this attribute. Instead, the directory does store the last name of each user as surname and the first name of each user as givenname.

The following illustration details how an expression attribute mapping can create a common view of the same user information.

Illustation showing an attribute-mapping expression

In the single user directory, a common name is mapped to an expression that creates the sort name using the user attribute names in the directory.

Directory A contains all user records.
The name of the mapping is SortName.
The expression that defines SortName is:
```
{surname + "," + givenname}
```
Note: The expression conforms to the syntax rules of a CA SiteMinder® expression. For complete syntax information, see the Attributes and Expression Reference appendix in the SiteMinder Policy Server Configuration Guide in the SiteMinder bookshelf.
SortName is the common name that is mapped to the expression that includes the surname and the givenname attributes.

Reference SortName when defining assertion attributes or NameID attributes that require the sort name of users without concern for the directory-specific schema.

More information:

Advanced User Attribute Mapping Examples

The following examples show more complex user attribute mapping configurations.

The example deployment is a retail clothing company that uses two user directories of different types:

Directory A: An internal LDAP user directory for employees only.
Directory B: An ODBC user directory for customers only.

Each user attribute mapping is specific to the user directory for which it is defined.

The following table details how Directory A and Directory B identify the same user information. The accompanying use cases explain how to use different attribute mappings to define a common view of the same user information. The common view serves as a universal schema, which makes the directories operationally identical.

Attribute Description	Directory A Attributes (LDAP)	Directory B Attributes (ODBC)
First name of each user	givenname	u_first_name
Last name of each user	surname	u_last_name
Sort name of each user (last name, first name)	The user directory does not uniquely store the user attribute.	sort_name
User as a customer	group:cn=customer,ou=groups,o=acme.com	Users are always customers.
Status of a user account	AccountStatus attribute (a set of flags). Second bit is a disabled account.	u_disabled

Map a First Name Attribute with an Alias Mapping Type

Use two alias attribute mappings to represent the first name user attribute in Directory A and Directory B.

Deployment

User Directory A identifies the first name of users with givenname. Directory B identifies the first name of users with u_first_name.

Solution

Create an alias attribute mapping for Directory A.

Name

FirstName

Mapping Type

Alias

Definition

givenname
Create an alias attribute mapping for Directory B.

Name

FirstName

Mapping Type

Alias

Definition

u_first_name

When referencing users in Directory A, the FirstName is mapped to givenname. When referencing users in Directory B, the FirstName maps to u_first_name.

Map a Last Name Attribute with an Alias Mapping Type

Use two alias attribute mappings to represent the last name user attribute in Directory A and Directory B.

Deployment

User Directory A identifies the last name of users with surname. Directory B identifies the last name of users with u_last_name.

Solution

Create an alias attribute mapping for Directory A.

Name

LastName

Mapping Type

Alias

Definition

surname
Create an alias attribute mapping for Directory B.

Name

LastName

Mapping Type

Alias

Definition

u_last_name

When referencing users in Directory A, the common view determines that the last name of users is identified by surname. When referencing users in Directory B, the common view determines that the last name is identified by u_last_name.

Map a Sort Name Attribute with Expression and Alias Mapping Types

Use an expression attribute mapping and an alias attribute mapping to represent the sort name of a user in Directory A and Directory B.

Deployment

Directory A does not uniquely identify a the sort name for each user. For each user, Directory A stores the first name as givenname and a last name as surname for each user.
Directory B identifies a sort name using sort_name.

Solution

Create an expression attribute mapping for Directory A:
Name

SortName

Mapping Type

Expression

Definition
```
(surname + "," + givenname)
```
Note: The expression must conform to the syntax rules of an expression.
Create an alias attribute mapping for Directory B:

Name

SortName

Mapping Type

Alias

Definition

sort_name

When referencing users in Directory A, the sort name is calculated based on the specified expression. When referencing users in Directory B, the sort name is represented by the attribute sort_name.

Map Customers with Group and Constant Mapping Types

Use a group and a constant attribute mapping to identify customers in Directory A and Directory B.

Deployment

Directory A stores employee. An employee of the company can also be a customer, so Directory A identifies customers as those employees that belong to the following group:
```
cn=Customers,ou=Groups,o=acme.com
```
Directory B only stores customers. Directory B does not have a user attribute that identifies customers because to store a user in Directory B implies that the user is a customer.

Solution

Create a group attribute mapping for Directory A.
Name

IsCustomer

Mapping Type

Group

Definition
```
cn=Customers,ou=Groups,o=acme.com
```
Create a constant attribute mapping for Directory B.

Name

IsCustomer

Mapping Type

Constant

Definition

TRUE

When referencing Directory A, a user is considered a customer if they belong to cn=Customers,ou=Groups,o=acme.com. When referencing Directory B, every user is a customer.

Map the Account Status with the Mask and Expression Mapping Types

Use a mask attribute mapping and an expression attribute mapping to identify user accounts that are disabled in Directory A and Directory B.

Deployment

Directory A identifies disabled accounts with a user attribute named AccountStatus, which is a set of flags. The second bit indicates a disabled account.
Directory B identifies disabled accounts with a user attribute named u_disabled. When u_disabled is equal to "y", the account is disabled. When u_disabled is equal to "n", the account is active.

Solution

Create a mask attribute mapping for Directory A.

Name

IsDisabled

Mapping Type

Mask

Definition

AccountStatus:2

The definition indicates that the bit pattern is stored in AccountStatus, and the bit mask is 2 (decimal).
Create a expression attribute mapping for Directory B.
Name

IsDisabled

Mapping Type

Expression

Definition
```
(u_disabled = "y")
```
u_disabled is a Boolean expression.

When referencing Directory A, the bit pattern determines if a user is disabled. When referencing Directory B, the expression determines if a user is disabled.