How to access CA SSO generated user attributes in ActiveResponse ?

Document ID : KB000010590
Last Modified Date : 14/02/2018
Show Technical Document Details

It is often required to access the default CA SSO generated response attributes in the custom active response/rules to evaluate custom logic.

Some sample CA SSO generated attributes are :


The full list of default CA SSO generated attributes can be found by searching for keyword "CA SiteMinder®-Generated User Attributes" in CA SSO documentation

PS : r12.5 and above

To default CA SSO generated user attributes can be accessed using the SmUserContext.getProp(java.lang.String propName) API call as below.


public String invoke(ActiveExpressionContext context, String param)

throws Exception


if (context == null)


  // should never happen

  throw new IllegalArgumentException("ActiveResponseSample invoked without context");


// the User Context is required to use the methods like getProp, setProp..

UserContext theUserContext = context.getUserContext();

if (theUserContext == null)


context.setErrorText("No User Context.");

return null;


context.getAPIContext().trace(getClass().getSimpleName(), "ActiveResponseSample:: returning ClientIP= ['" + theUserContext.getProp("SM_USERIPADDRESS") +"']");

     return theUserContext.getProp("SM_USERIPADDRESS");



Step 1: Create an active response as shown below :


Step 2 : Configure the Active Response with either OnAuthAccept or OnAccessAccept rule.


Step 3 : Compile the attached sample class by running java-build.bat (windows) / (unix).

Download :

Note: Prior to running you will need to update the path to the JDK install directory in the JAVA_HOME variable by editing the java-build.bat (windows) / (unix) files.



Step 4. Once compiled, copy the ActiveResponseSample.class and copy it to the <Policy server>/config/properties directory.


Note: This "properties" directory is by default in the classpath of Policy server so you don't need to modify JVMOptions.txt.


If you choose to deploy the class in any other directory, then you will need to add the path to that directory as a classpath in the JVMOptions.txt file.






Policy server Trace Log :


[08/07/2017][01:30:07][2908][1564][][SmAuthUser.cpp:700][ServerTrace][][][][][][][][][][][][][][ActiveResponseSample: ActiveResponseSample:: returning ClientIP= ['']][01:30:07.792][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][ActiveResponseSample:: returning ClientIP= ['']][][][][][][][][][][][][][]




Additional Information:

1) Not all response attributes are available at all events (OnAuthAccept, OnAuthReject, OnAccessAccept etc.) 

So before implementation please verify if the response attribute you are interested is available for the event that you require it in :


2) Active Response are by default cached. If you need the active response to evaluate every time on the Policy server , disable attribute caching for this active response.( In the active response creation screen in Administrative UI)


File Attachments: