SiteMinder Generated User Attributes

The following list contains user attributes that SiteMinder generates automatically. These attributes can be specified as response attributes for Web Agent responses.

SM_USER

The Web Agent places the username in an SM_USER http header variable for all requests. In cases where the user does not provide a username, such as certificate-based authentication, or in the case where the username is not known, the value of the SM_USER header variable is not set.

SM_USERDN

For an authenticated user, the Web Agent populates this http header variable with the DN as determined by the Policy Server. In the case of certificate-based authentication, this attribute can be used to identify a user.

SM_USERNAME

For an authenticated user, this attribute holds the user DN as disambiguated by SiteMinder. For an unauthenticated user, this attribute holds the user ID as specified by the user in the login attempt.

SM_USERIMPERSONATORNAME

If the authentication scheme performs impersonation, this attribute holds the user DN that is authenticated by SiteMinder.

SM_USERLOGINNAME

This attribute holds the user ID as specified by the user in the login attempt.

SM_USERIPADDRESS

This attribute holds the user’s IP address at the time of authentication or authorization.

SM_USERPATH

For an authenticated user, this attribute holds a string that represents the directory namespace and directory server (both as specified in the user directory definition), and user DN (as disambiguated by SiteMinder). For example:

“LDAP://123.123.0.1/uid=scarter,ou=people,o=airius.com”

For an unauthenticated user, this attribute holds the same value as SM_USERNAME.
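As an added example (not code from the SiteMinder documentation or product), the following Python splits an SM_USERPATH value into the three pieces the text names (directory namespace, directory server, user DN), splits the DN into its RDNs, and shows the SM_USER / SM_USERDN fallback described above for certificate-based logins where SM_USER is not set. The sample value is the one on the page; the function and field names are this example's own.

```python
import re
from typing import NamedTuple, Optional

# Added example, not part of the SiteMinder documentation. Field names are
# this example's own choice; the format "namespace://server/dn" and the
# sample value come from the SM_USERPATH description on the page.

class UserPath(NamedTuple):
    namespace: str   # e.g. "LDAP", as specified in the user directory definition
    server: str      # directory server, e.g. "123.123.0.1"
    user_dn: str     # DN as disambiguated by SiteMinder

_USERPATH_RE = re.compile(
    r"^(?P<ns>[A-Za-z][A-Za-z0-9+.-]*)://(?P<server>[^/]+)/(?P<dn>.+)$"
)

def parse_userpath(value: Optional[str]) -> Optional[UserPath]:
    """Parse an SM_USERPATH header value.

    Returns None when the value does not have the namespace://server/dn
    shape, which is what an unauthenticated user gets (the attribute then
    holds the same plain login ID as SM_USERNAME)."""
    if value is None:
        return None
    # the documentation shows the value wrapped in quotes; tolerate both
    # straight and typographic quotes around it
    cleaned = value.strip().strip('"\u201c\u201d')
    m = _USERPATH_RE.match(cleaned)
    if not m:
        return None
    return UserPath(m.group("ns").upper(), m.group("server"), m.group("dn"))

def dn_rdns(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, keeping backslash-escaped
    commas inside a value (e.g. "cn=Smith\\, John") intact."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, val = part.partition("=")
        rdns.append((attr.strip().lower(), val.strip()))
    return rdns

def identity_from_headers(headers: dict) -> Optional[tuple[str, str]]:
    """Pick the identity the Web Agent supplied.

    SM_USER is used when present. When it is not set (certificate-based
    authentication, or username unknown), SM_USERDN identifies the user,
    as the page states. Returns (source_header, value) or None."""
    user = headers.get("SM_USER")
    if user:
        return ("SM_USER", user)
    dn = headers.get("SM_USERDN")
    if dn:
        return ("SM_USERDN", dn)
    return None

if __name__ == "__main__":
    # constructed header set modelled on the page's example value
    hdrs = {
        "SM_USERDN": "uid=scarter,ou=people,o=airius.com",
        "SM_USERPATH": "LDAP://123.123.0.1/uid=scarter,ou=people,o=airius.com",
    }
    print(identity_from_headers(hdrs))
    print(parse_userpath(hdrs["SM_USERPATH"]))
```

Because an unauthenticated user's SM_USERPATH carries only the login ID, a consumer should check for a `None` result from `parse_userpath` rather than assume the three-part form.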

SM_USERPASSWORD

This attribute holds the password as specified by the user in the login attempt. This attribute is only available after a successful authentication through the OnAuthAccept event. The value is returned only on authentication, not on authorization.

SM_TRANSACTIONID

This attribute holds the transaction ID that is generated by the agent.

SM_USERSESSIONSPEC

This attribute holds the user's session ticket.

SM_USERSESSIONID

This attribute holds the session ID of a user who has already been authenticated, or the session ID that will be assigned to the user upon successful authentication.

SM_USERSESSIONIP

This attribute holds the IP address that was used during the original user authentication (upon establishment of a session).

SM_USERSESSIONUNIVID

This attribute holds the user’s universal ID. If no universal ID directory attribute is specified in the user directory definition, the value defaults to the user’s DN.

SM_USERSESSIONDIRNAME

This attribute holds the name of the user directory that the Policy Server is configured to use.

SM_USERSESSIONDIROID

This attribute holds the object ID of the user directory that the Policy Server is configured to use.

SM_USERSESSIONTYPE

This attribute holds the user’s session type. The value is one of the following:

SM_USERLASTLOGINTIME

This attribute holds the time, using GMT, that the user last logged in and was authenticated. This response attribute is only available for an OnAuthAccept authentication event. For this attribute to be populated, both of the following conditions must be true:

SM_USERPREVIOUSLOGINTIME

This attribute holds the time, using GMT, of the successful login prior to the last one (which is represented by SM_USERLASTLOGINTIME). This response attribute is only available for an OnAuthAccept authentication event. For this attribute to be populated, Password Services must be enabled.

SM_USERGROUPS

This attribute holds the groups to which the user belongs. If the user belongs to a nested group, this attribute contains the group furthest down in the hierarchy. For all nested groups to which the user belongs, use SM_USERNESTEDGROUPS.

For example, if user JSmith belongs to the group Accounts Payable, which is contained in group Accounting, SM_USERGROUPS contains Accounts Payable. If you want both Accounting and Accounts Payable, use SM_USERNESTEDGROUPS.

SM_USERNESTEDGROUPS

This attribute holds the nested groups to which the user belongs. For only the group furthest down in the hierarchy, use SM_USERGROUPS.

For example, if user JSmith belongs to the group Accounts Payable, which is contained in group Accounting, SM_USERNESTEDGROUPS contains Accounting and Accounts Payable. If you want only Accounting, use SM_USERGROUPS.

SM_USERSCHEMAATTRIBUTES

This attribute holds the user attributes associated with the DN, or properties associated with the user. If the user directory is a SQL database, then SM_USERSCHEMAATTRIBUTES holds the names of the columns in the table where user data is stored. For example, using the SmSampleUsers schema, SM_USERSCHEMAATTRIBUTES holds the names of the columns in the SmUser table.

SM_USERPOLICIES

When a user is authorized for a resource, this attribute holds the names of the policies that give the user authorization. For example, suppose that to purchase an item, you must be one of the users associated with the Buyer policy. If the Policy Server authorizes you to buy an item, then SM_USERPOLICIES contains Buyer.

SM_USERPRIVS

When a user is authenticated or is authorized for a resource, SM_USERPRIVS holds all of the response attributes for all policies that apply to that user, in all policy domains.

SM_USERREALMPRIVS

When a user is authenticated or is authorized for a resource under a realm, SM_USERREALMPRIVS holds all the response attributes for all rules under that realm.

For example, suppose that there is a realm called Equipment Purchasing. Under that realm, there is a CheckCredit rule. Associated with the CheckCredit rule is a response that returns the buyer’s credit limit, such as limit = $15000, as a response attribute. If the buyer attempts to purchase equipment worth $5000, the CheckCredit rule fires. SM_USERREALMPRIVS would contain all of the response attributes for all of the rules under the Equipment Purchasing realm.

SM_AUTHENTICATIONLEVEL

When a user is authenticated for a resource, this attribute holds an integer (from 0 to 1000) that represents the protection level of the authentication scheme under which the user was authenticated.

SM_USERDISABLEDSTATE

This attribute holds a decimal number that represents a bit mask of reasons that a user is disabled. The bits are defined in SmApi.h under the Sm_Api_DisabledReason_t data structure, which is part of the SDK.

For example, a user may be disabled as a result of inactivity, Sm_Api_Disabled_Inactivity. In Sm_Api_DisabledReason_t, the reason Sm_Api_Disabled_Inactivity, corresponds to the value 0x00000004. So, in this case, SM_USERDISABLEDSTATE is 4.

A user can be disabled for multiple reasons.

For more information on Sm_Api_DisabledReason_t, see the Developer’s Guide for C (available only if the Software Development Kit is installed).
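As an added example (not code from the SiteMinder documentation or SDK), the following Python decodes the decimal SM_USERDISABLEDSTATE value back into its individual reason bits, which is what "a user can be disabled for multiple reasons" means in practice. The only constant taken from the page is Sm_Api_Disabled_Inactivity = 0x00000004; the remaining names are defined in SmApi.h and are not reproduced here, so any other set bit is reported by its position rather than given an assumed name.

```python
# Added example, not part of the SiteMinder documentation or SDK.
# The header carries the bit mask as decimal text (e.g. "4").

# From the page: Sm_Api_Disabled_Inactivity corresponds to 0x00000004.
SM_API_DISABLED_INACTIVITY = 0x00000004

# Map of bit value -> Sm_Api_DisabledReason_t name. Only the value the
# page gives is filled in; consult SmApi.h for the others.
KNOWN_REASONS = {
    SM_API_DISABLED_INACTIVITY: "Sm_Api_Disabled_Inactivity",
}

def decode_disabled_state(value) -> list[str]:
    """Return the names of the reason bits set in an SM_USERDISABLEDSTATE
    value. Bits without an entry in KNOWN_REASONS are reported as
    'unknown_bit_0x........' so that nothing is silently dropped."""
    n = int(value)           # accepts "4", " 4 ", or an int
    if n < 0:
        raise ValueError("bit mask cannot be negative")
    reasons = []
    bit = 1
    while n:
        if n & 1:
            reasons.append(KNOWN_REASONS.get(bit, f"unknown_bit_0x{bit:08x}"))
        n >>= 1
        bit <<= 1
    return reasons

def is_disabled(value) -> bool:
    """A value of 0 means no disable reason is set."""
    return int(value) != 0

def disabled_for_inactivity(value) -> bool:
    """Test one specific reason without decoding the whole mask."""
    return bool(int(value) & SM_API_DISABLED_INACTIVITY)

if __name__ == "__main__":
    for sample in ("0", "4", "5"):   # constructed sample header values
        print(sample, is_disabled(sample), decode_disabled_state(sample))
```

Checking a single reason with a bitwise AND (as in `disabled_for_inactivity`) is the right test; comparing the whole value to 4 would miss a user who is disabled for inactivity and for some other reason at the same time.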

SM_USER_APPLICATION_ROLES

If you have purchased CA Identity Manager (Identity Manager), this attribute may be used in responses. It contains a list of all roles assigned or delegated to a user. If an application name is specified, only the roles associated with the application are returned in the response attribute.

The syntax of the response attribute in the Attribute Name field of the Response Attribute Editor dialog is as follows:

SM_USER_APPLICATION_ROLES[:application_name]

where application_name is an optional name of an application defined in Identity Manager.

Note: The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Policy Server User Interface.

For information about Identity Manager roles, see CA Identity Manager Operations Guide.

SM_USER_APPLICATION_TASKS

If you have purchased CA Identity Manager (Identity Manager), this attribute may be used in responses. It contains a list of all tasks assigned or delegated to a user. If an application name is specified, only the tasks associated with the application are returned in the response attribute.

The syntax of the response attribute in the Attribute Name field of the Response Attribute Editor dialog is as follows:

SM_USER_APPLICATION_TASKS[:application_name]

where application_name is an optional name of an application defined in Identity Manager.

Note: The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Policy Server User Interface.

For information about Identity Manager tasks, see CA Identity Manager Operations Guide.

More information:

Configure a Web Agent Response Attribute