SSO Help

An Online Community for Identity & Access Management Professionals

Hi, new member here. We use Siteminder for most of our applications and we are starting to run into some issue with group membership, nested groups and http headers. Some of our apps get group membership for the authorized user in an http header and some of our users are members of a large number of groups. How do you deal with situations like that? Stop returning groups in a header and make direct calls to the user directory from the app? Any other options in Siteminder?

Thanks,
Ramon

Replies to This Discussion

Hi Ramon,

The problem you are seeing is quite common. Quite often SM_USERGROUPS and SM_USERNESTEDGROUPS grow to a size where the header becomes too large, and even worse, the expense on your LDAP becomes unacceptable. But most customers do not like the idea of their application speaking directly to the LDAP. There is nothing directly built into SiteMinder to easily get you around this, but here are the options we have exercised before:

1) Set up responses that only fire if the user is a member of a specific group. Normally, your application is only concerned with a small number of the groups that the user might be a member of. What some people don’t know is that you can set up a response to fire only when a user is a member of a group. And you can fire this response after the user has been authorized for the page. We’ll call your groups “Group A, Group B, etc.” for the steps below.
a. In the same realm, set up a new OnAccessAccept rule.
b. Create a static header response with a name of IsInGroupA and a value of YES.
c. Create a new policy; in the Users tab put Group A, in the Rules tab put the OnAccessAccept rule, and tie in the response you just created.
d. Repeat a-c for any other groups that your application might be concerned with, of course changing the name of the static response to IsInGroupB, IsInGroupC, etc.
So now, when the user hits the application, the policy server will do a few much more direct searches against the LDAP to set up a few very concise and specific headers. Instead of the policy server saying “go through every group and tell me if this guy is in there”, it says “if this guy is in group A, then set up a static header response IsInGroupA=YES, and if this guy is in group B, then set up a static header response IsInGroupB=YES, etc.” As long as the user authorizes successfully, the policy server will fire every policy that contains an OnAccessAccept rule from the realm he is accessing.
Pros: All done with basic SiteMinder functionality, no custom coding.
Cons: You now have multiple headers that the application needs to read. And if you have numerous realms, the setup in the UI can be long and tedious.

2) Create an active response in SiteMinder that does very specific LDAP search(es) to check if the user is in the groups that the application is concerned with. It basically does what SM_USERGROUPS does, but only checks a few explicit groups, rather than checking every group in the LDAP.
Pros: You can put them all in a single header, just like SM_USERGROUPS does.
Cons: You have to write code with the SiteMinder API.

Hope this helps.
Darren

Hi Darren,

I'm experiencing the same issue here. My plan was to create an active expression in SiteMinder, get the SM_USERGROUPS values, and then browse through the groups and only select the groups which the application requires and set that in a separate header.

But what I'm seeing when I run the code is that the return value (string) from userContext.getProp("SM_USERGROUPS") is truncated. It is not able to give me the full list of groups.

I'm not sure what went wrong. Could this be some kind of bug?

Thanks,

Dhruv

Did you get an answer to this? I think it's happening to me as well (the truncation of SM_USERGROUPS).

Dhruv, I'm sorry I missed your post, I just saw it now as I was reading Trever's.

Dhruv, the first thing I think of when it's an Active Expression is the buffer size.  Are you sure you set it large enough?  Increase it, and see if it helps.

Trever, are you using an Active Expression as well?  Or just the standard SM_USERGROUPS response?

For both of you, my suggestion would be to follow it through the logs.  On the policy server in the Profiler log, you will see the search being done, and the result it got:

[00:40:00][Ldap Search callout succeeds.][][][][SmDsLdapProvider.cpp:2125][3396][1336][10/26/2011][00:40:00.267][CSmDsLdapProvider::Search][(Search) Base: 'CN=Users,dc=coreblox,dc=com', Filter: '(|(&(objectclass=groupOfNames)(member=CN=jdoe,CN=Users,dc=coreblox,dc=com))(&(objectclass=groupOfUniqueNames)(uniqueMember=CN=jdoe,CN=Users,dc=coreblox,dc=com))(&(objectclass=group)(member=CN=jdoe,CN=Users,dc=coreblox,dc=com)))'. Status: 1 entries]
[00:40:00][Leave function CSmAuthUser::GetProp][][][][SmAuthUser.cpp:1772][3396][1336][10/26/2011][00:40:00.267][CSmAuthUser::GetProp][true]
[00:40:00][Leave function CSmActiveExprLibrary::GetActiveValue][][][][SmActiveExpr.cpp:419][3396][1336][10/26/2011][00:40:00.267][CSmActiveExprLibrary::GetActiveValue][mygroups=CN=cooldudes,ou=groups,dc=coreblox,dc=com]

See if the whole thing is there.  If it is, that means that the policy server is not chopping it off.

Then go check the agent trace log, you will see the header that the agent is setting:

[10/26/2011][00:40:00][3120][3596][CSmHttpPlugin::ProcessResponses][Setting custom HTTP header variable: 'HTTP_mygroups=CN=cooldudes,CN=Users,dc=coreblox,dc=com' from Policy Server]

If that looks ok, then the agent is setting the whole thing. You might be running into a header space limitation on the web server. If that's the case, there are things you can do to help, like turning off some of SiteMinder's other default headers via the Disable*Vars settings in the agent configuration object.

Let me know what you find guys.

regards,

Darren

This was definitely the problem.  I was using an active expression and calling UserContext.getProp(String).  Apparently the default buffer size is 100.

The API on this is really bad I have to say.  If SM is going to truncate data it should be throwing an exception (like java.sql does) or provide some other means of feedback to let you know the data was truncated. 

As it stands I have to get the data with an increased buffer size, if the length of the data == the buffer size I have to double the buffer and try again.  I don't like it but their API leaves me no alternative that I can see.

Thanks for your help!
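Trever's buffer-doubling workaround and Dhruv's plan of keeping only the groups the application needs, written out as an added example (not code from this thread or from the SiteMinder SDK). `PropReader` is a hypothetical stand-in for the SDK's buffer-sized getProp call, and the `^` delimiter for SM_USERGROUPS is an assumption.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class GroupHeaderFilter {
    // Hypothetical stand-in for the SDK call that copies a user property
    // into a fixed-size buffer; the real method name/signature is assumed.
    public interface PropReader {
        String getProp(String name, int bufferSize);
    }

    private static final int MAX_BUFFER = 1 << 20; // hard stop so a bad source cannot loop forever

    // Re-read with a doubled buffer while the value fills the buffer exactly:
    // the API gives no other signal that truncation occurred.
    public static String readFullProp(PropReader reader, String name, int initialSize) {
        int size = initialSize;
        while (true) {
            String value = reader.getProp(name, size);
            if (value == null || value.length() < size) {
                return value;
            }
            if (size >= MAX_BUFFER) {
                throw new IllegalStateException(name + " longer than " + MAX_BUFFER + " chars");
            }
            size *= 2;
        }
    }

    // Keep only the groups this application acts on, so the header it receives
    // stays small however many groups the user belongs to. 'wanted' holds
    // lower-cased group DNs; the '^' list delimiter is an assumption.
    public static String filterGroups(String smUserGroups, Set<String> wanted) {
        List<String> kept = new ArrayList<>();
        if (smUserGroups == null) return "";
        for (String dn : smUserGroups.split("\\^")) {
            String trimmed = dn.trim();
            if (!trimmed.isEmpty() && wanted.contains(trimmed.toLowerCase())) kept.add(trimmed);
        }
        return String.join("^", kept);
    }

    public static void main(String[] args) {
        // Constructed sample: a reader that truncates to the buffer size, like the SDK call;
        // 100 is the default buffer size mentioned in the thread, and the value is longer than that.
        String full = "cn=cooldudes,ou=groups,dc=example,dc=com^cn=auditors,ou=groups,dc=example,dc=com^cn=sso-admins,ou=groups,dc=example,dc=com";
        PropReader truncating = (name, size) -> full.length() > size ? full.substring(0, size) : full;
        String groups = readFullProp(truncating, "SM_USERGROUPS", 100);
        System.out.println(filterGroups(groups, Set.of("cn=auditors,ou=groups,dc=example,dc=com")));
    }
}
```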

Agreed!! In fact I had the same problem and it took some time to figure it out.

Thanks Darren and Trever for your help!!

Darren,

Thank you for the reply. I think option 1 is out of the question because of the large number of groups involved and the way the application itself authorizes the user for specific resources based on group membership. Having to create 50 responses or more for each app and configure all the corresponding policies won't make me happy either :)
And making the developers change the way the application consumes those headers could take months...

Option 2 sounds better. In fact, this was my response to the developers yesterday when they asked if we could restrict the groups being sent back in the header:

"Not with the default headers. With those SM will return all the groups. You may be able to do it with an active response but that requires code and a way to link groups to specific apps."

So I think our two options are direct calls to our user directory or create an active response. We haven't implemented any active responses before so that may be a bit of a challenge.

Thanks,
Ramon

© 2012   Created by CoreBlox