How to enable SM_USERGROUPS

Document ID : KB000009911
Last Modified Date : 14/02/2018
Introduction:

SM_USERGROUPS is a user attribute that CA Single Sign-On generates automatically. However, it is not set as a header unless you create a response for it.

Background:

%SM_USERGROUPS
This attribute holds the groups to which the user belongs. If the user belongs to a nested group, this attribute contains the group furthest down in the hierarchy.

Environment:
Policy server: R12.52
Instructions:

1. Create a response for SM_USERGROUPS. This can be done in two ways (choose one):

a) Attribute: WebAgent-HTTP-Header-Variable

Attribute Kind: User Attribute

Attribute Name: SM_USERGROUPS


b) Attribute: WebAgent-HTTP-Header-Variable

Attribute Kind: Expression

Expression: %SM_USERGROUPS


2. Create a rule to tie to the response. SM_USERGROUPS is generated after authentication.

Therefore, OnAuthAccept or OnAccessAccept can be used to tie to the response. In my case, I use OnAuthAccept.


3. A user who belongs to a user group logs in, and SM_USERGROUPS is populated.


What the policy server trace log looks like (enable all components and data in the profiler template):

[SmDsLdapConnMgr.cpp:1191][CSmDsLdapConn::SearchExts][][][][LDAP search of (|(&(objectclass=groupOfNames)(member=uid=user4,ou=support,o=userstore))(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user4,ou=support,o=userstore))(&(objectclass=group)(member=uid=user4,ou=support,o=userstore))) took 0 seconds and 0 microseconds][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]

[SmDsLdapProvider.cpp:2183][CSmDsLdapProvider::Search][][][][Ldap Search callout succeeds.][][][][][][][][][][][][][][][(Search) Base: 'o=userstore', Filter: '(|(&(objectclass=groupOfNames)(member=uid=user4,ou=support,o=userstore))(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=user4,ou=support,o=userstore))(&(objectclass=group)(member=uid=user4,ou=support,o=userstore)))'. Status: 1 entries][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][]
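To check from a trace whether the group lookup ran for the expected user DN and how many groups it returned, the two lines above can be parsed as follows. This is an added example, not CA's code; the function names are hypothetical and the field layout is assumed only from the two trace lines shown on this page.

```python
import re

# Sample input: the two trace lines shown above, rebuilt here with the run of
# empty trailing fields shortened (the parser ignores empty fields anyway).
DN = "uid=user4,ou=support,o=userstore"
FILTER = ("(|(&(objectclass=groupOfNames)(member={0}))"
          "(&(objectclass=groupOfUniqueNames)(uniqueMember={0}))"
          "(&(objectclass=group)(member={0})))").format(DN)
SAMPLE = [
    "[SmDsLdapConnMgr.cpp:1191][CSmDsLdapConn::SearchExts][][][]"
    "[LDAP search of " + FILTER + " took 0 seconds and 0 microseconds][][][]",
    "[SmDsLdapProvider.cpp:2183][CSmDsLdapProvider::Search][][][]"
    "[Ldap Search callout succeeds.][][][(Search) Base: 'o=userstore', "
    "Filter: '" + FILTER + "'. Status: 1 entries][][][]",
]

# Assumed layout of the result field, taken from the second line above.
SEARCH_RE = re.compile(r"\(Search\) Base: '(?P<base>[^']*)', "
                       r"Filter: '(?P<filter>[^']*)'\. Status: (?P<n>\d+) entries")
# Membership clauses in the filter: (member=<dn>) or (uniqueMember=<dn>).
MEMBER_RE = re.compile(r"\((?:member|uniqueMember)=([^()]+)\)", re.I)

def split_fields(line):
    """Split one profiler line into its non-empty [bracketed] fields."""
    line = line.strip()
    if not (line.startswith("[") and line.endswith("]")):
        return []
    return [f for f in line[1:-1].split("][") if f]

def group_searches(lines):
    """Return one dict per group-membership search result found in the trace."""
    results = []
    for line in lines:
        fields = split_fields(line)
        for field in fields[2:]:  # fields[0] = source:line, fields[1] = function
            m = SEARCH_RE.search(field)
            if m and MEMBER_RE.search(m["filter"]):
                results.append({
                    "source": fields[0], "function": fields[1],
                    "base": m["base"],
                    "user_dns": sorted(set(MEMBER_RE.findall(m["filter"]))),
                    "groups_found": int(m["n"]),
                })
    return results

if __name__ == "__main__":
    for r in group_searches(SAMPLE):
        print(r)
```

A groups_found value of 0 for a user DN means the search matched no group entries under that base for that DN.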

 

Additional Information:

https://communities.ca.com/message/241902261