CA Single Sign-On - 12.52 SP1

CA SiteMinder®-Generated User Attributes

Last update December 11, 2014

The following list contains user attributes that CA Single Sign-On generates automatically. These attributes can be specified as response attributes for Web Agent responses and are available to named expressions.

  • %SM_USER
    The web agent places the username in an SM_USER http header variable for all requests. The web agent does not set the value of the SM_USER header variable when one of the following items is true:
    • A user does not provide a user name, such as with certificate-based authentication.
    • A user name is not known.
  • %SM_USER_CONFIDENCE_LEVEL
    If a user is authenticated with an authentication scheme and the authentication scheme generates a confidence level, this attribute holds an integer (0–1000). The authentication scheme inserts the integer into the session ticket of the user. A higher confidence level corresponds to a higher level of credential assurance. A confidence level of zero represents no credential assurance. No credential assurance results in CA Single Sign-On denying access to the requested resource.

    Note: For more information, see Confidence Levels Introduced.
  • %SM_USERDN
    For an authenticated user, the web agent populates this http header variable with the DN that the Policy Server determines. For certificate-based authentication, this attribute can be used to identify a user.
  • %SM_USERNAME
    For an authenticated user, this attribute holds the user DN that CA Single Sign-On disambiguates. For an unauthenticated user, this attribute holds the user ID that a user specifies during a login attempt.
  • %SM_USERIMPERSONATORNAME
    If the authentication scheme performs impersonation, this attribute holds the user DN that CA Single Sign-On authenticates.
  • %SM_USERLOGINNAME
    This attribute holds the user ID that a user specifies during a login attempt.
  • %SM_USERIPADDRESS
    This attribute holds the IP address of the user at the time of authentication or authorization.
  • %SM_USERPATH
    For an authenticated user, this attribute holds a string that represents the directory namespace and directory server (both as specified in the user directory definition) and the user DN (as CA Single Sign-On disambiguates it). For example:

    "LDAP://123.123.0.1/uid=scarter,ou=people,o=airius.com"

    For an unauthenticated user, this attribute holds the same value as SM_USERNAME.

  • %SM_USERPASSWORD
    This attribute holds the password that the user specifies in the login attempt. This attribute is only available after a successful authentication through the OnAuthAccept event. The value is returned only on authentication, not on authorization.
  • %SM_TRANSACTIONID
    This attribute holds the transaction ID that the agent generates.
  • %SM_USERSESSIONSPEC
    The session ticket of the user.
  • %SM_USERSESSIONID
    This attribute holds the session ID of a user who has already been authenticated, or the session ID that CA Single Sign-On is to assign to the user upon successful authentication.
  • %SM_USERSESSIONIP
    This attribute holds the IP address that was used during the original user authentication (upon establishment of a session).
  • %SM_USERSESSIONUNIVID
    This attribute holds the universal ID of the user. If no universal ID directory attribute is specified in the user directory definition, the value defaults to the DN of the user.
  • %SM_USERSESSIONDIRNAME
    This attribute holds the name of the user directory that the Policy Server is configured to use.
  • %SM_USERSESSIONDIROID
    This attribute holds the object ID of the user directory that the Policy server is configured to use.
  • %SM_USERSESSIONTYPE
    This attribute holds the session type of the user. The value is one of the following values:
    • 2 - session
    • 1 - identity
  • %SM_USERLASTLOGINTIME
    This attribute holds the time, using GMT, that the user last logged in and was authenticated. This response attribute is only available for an OnAuthAccept authentication event. This attribute has value only when both of the following conditions are true:
    • Password Services is enabled.
    • The user has logged in through CA Single Sign-On at least once.
  • %SM_USERPREVIOUSLOGINTIME
    This attribute holds the time, using GMT, of the successful login before the last. This response attribute is only available for an OnAuthAccept authentication event. This attribute has a value only when Password Services is enabled.
  • %SM_USERGROUPS
    This attribute holds the groups to which the user belongs. If the user belongs to a nested group, this attribute contains the group furthest down in the hierarchy. For all nested groups to which the user belongs, use SM_USERNESTEDGROUPS.
    Example:
    If a user belongs to the group Accounts Payable and Accounts Payable is contained in the group Accounting, SM_USERGROUPS contains Accounts Payable. If you want both Accounting and Accounts Payable, use SM_USERNESTEDGROUPS.
  • %SM_USERNESTEDGROUPS
    This attribute holds the nested groups to which the user belongs. For only the group furthest down in the hierarchy, use SM_USERGROUPS.
    Example:
    If a user belongs to the group Accounts Payable and Accounts Payable is contained in the group Accounting, SM_USERNESTEDGROUPS contains Accounting and Accounts Payable. If you want only Accounting, use SM_USERGROUPS.
  • %SM_USERSCHEMAATTRIBUTES
    This attribute holds the user attributes associated with the DN or properties that are associated with the user. If the user directory is a SQL database, then SM_USERSCHEMAATTRIBUTES holds the names of the columns in the table where the user data is stored. For example, using the SmSampleUsers schema, SM_USERSCHEMAATTRIBUTES holds the names of the columns in the SmUser table.
  • %SM_USERPOLICIES
    When a user is authorized for a resource and policies exist that give the user authorization, this attribute holds the names of the policies.
    Example: To purchase an item, a user must be associated with the Buyer policy. If the Policy Server authorizes the user to buy an item, SM_USERPOLICIES contains Buyer.
  • %SM_USERPRIVS
    When a user is authenticated or a user is authorized for a resource, SM_USERPRIVS holds all of the response attributes for all policies that apply to that user, in all policy domains.
  • %SM_USERREALMPRIVS
    When a user is authenticated or a user is authorized for a resource under a realm, SM_USERREALMPRIVS holds all the response attributes for all rules under that realm.
    Example:
    A realm exists named Equipment Purchasing. Under that realm, there is a rule named CheckCredit. The rule is associated with a response that returns the credit limit of the buyer as a response attribute such as:

    limit = $15000

    If the buyer attempts to purchase equipment worth $5000, the rule fires. SM_USERREALMPRIVS then contains all of the response attributes for all of the rules under the Equipment Purchasing realm.

  • %SM_AUTHENTICATIONLEVEL
    When a user is authenticated for a resource, this attribute holds an integer (0 to 1000) that represents the protection level of the authentication scheme under which the user was authenticated.
  • %SM_USERDISABLEDSTATE
    This attribute holds a decimal number that represents a bit mask of reasons that a user is disabled. The bits are defined in SmApi.h under the Sm_Api_DisabledReason_t data structure, which is part of the SDK.
    For example, a user may be disabled as a result of inactivity (Sm_Api_Disabled_Inactivity). In Sm_Api_DisabledReason_t, the reason Sm_Api_Disabled_Inactivity corresponds to the value 0x00000004, so in this case SM_USERDISABLEDSTATE is 4.
    A user can be disabled for multiple reasons.
  • %SM_USER_APPLICATION_ROLES
    If you have purchased CA Identity Manager, this attribute may be used in responses. It contains a list of all roles assigned or delegated to a user. If an application name is specified, only the roles associated with the application are returned in the response attribute.
    The response attribute name is typed in the Variable Name field on the Response Attribute pane. The response attribute name has the following syntax:
    SM_USER_APPLICATION_ROLES[:application_name]
    where application_name is an optional name of an application defined in Identity Manager.

    The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Administrative UI.
  • %SM_USER_APPLICATION_TASKS
    If you have purchased CA Identity Manager (Identity Manager), this attribute may be used in responses. It contains a list of all tasks assigned or delegated to a user. If an application name is specified, only the tasks associated with the application are returned in the response attribute.
    The response attribute name is typed in the Variable Name field on the Response Attribute pane. The response attribute name has the following syntax:
    SM_USER_APPLICATION_TASKS[:application_name]
    where application_name is an optional name of an application defined in Identity Manager.
    The value for application_name must be communicated to the Policy Server administrator. Application names are not automatically passed to the Administrative UI.
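The SM_USERPATH entry above describes a "namespace://server/dn" string and notes that for an unauthenticated user the attribute instead carries the plain login ID from SM_USERNAME. The following is an added example, not code from the CA documentation, that parses that string and splits the DN into its RDN components. The sample path is the one shown on the page; the function names, the RFC 4514 escape handling and the unauthenticated-user check are this example's own choices.

```python
# Added example (not from the CA documentation): parse an SM_USERPATH value of the form
# "namespace://server/dn" and split the DN into RDN pairs.
# SAMPLE_PATH is the value the page shows; everything else here is constructed.
import re
from typing import List, NamedTuple, Optional, Tuple


class UserPath(NamedTuple):
    namespace: str   # directory namespace from the user directory definition, e.g. "LDAP"
    server: str      # directory server from the user directory definition
    dn: str          # user DN as disambiguated by CA Single Sign-On


# namespace, "://", server (no slash), "/", then the DN
_PATH_RE = re.compile(r"^(?P<ns>[A-Za-z][A-Za-z0-9+.-]*)://(?P<server>[^/]*)/(?P<dn>.+)$")


def parse_user_path(value: str) -> Optional[UserPath]:
    """Return the (namespace, server, dn) parts of an SM_USERPATH value.

    For an unauthenticated user the attribute holds the same value as
    SM_USERNAME (the login ID the user typed), which has no "namespace://"
    prefix. In that case None is returned so a caller never treats a
    user-supplied login ID as if it were a directory-resolved DN.
    """
    m = _PATH_RE.match(value)
    if not m:
        return None
    return UserPath(m.group("ns"), m.group("server"), m.group("dn"))


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs.

    A backslash escapes the next character (RFC 4514), so an escaped comma
    inside a value such as "cn=Carter\\, Sam" is not treated as a separator.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive.
    """
    rdns: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs: List[Tuple[str, str]] = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.strip()))
    return pairs


SAMPLE_PATH = "LDAP://123.123.0.1/uid=scarter,ou=people,o=airius.com"   # value from the page

if __name__ == "__main__":
    path = parse_user_path(SAMPLE_PATH)
    print(path)
    print(split_dn(path.dn))
    print(parse_user_path("scarter"))   # unauthenticated user: login ID, not a path -> None
```

The None return for a value without a "namespace://" prefix is deliberate: the page states that SM_USERPATH for an unauthenticated user is just the login ID, and an application that parsed that as a DN would be acting on a string the user chose rather than one the Policy Server resolved.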
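The SM_USERGROUPS and SM_USERNESTEDGROUPS entries above differ only in whether containing groups are included. The following added example, not code from the CA documentation, computes both values from a group hierarchy using the page's Accounts Payable / Accounting example. The hierarchy and membership tables, the user DN and the function names are constructed for the example; the nested computation is a general walk up the containment relation, with a visited set so a cyclic hierarchy cannot loop.

```python
# Added example (not from the CA documentation): derive SM_USERGROUPS and
# SM_USERNESTEDGROUPS for a user from a group hierarchy.
# Group names follow the page's example; the tables and user DN are constructed.
from typing import Dict, List, Set

# group -> groups that contain it. Constructed: Accounts Payable is inside Accounting.
PARENTS: Dict[str, List[str]] = {
    "Accounts Payable": ["Accounting"],
    "Accounting": [],
}

# user DN -> groups the directory lists the user as a direct member of (constructed).
DIRECT_MEMBERSHIP: Dict[str, List[str]] = {
    "uid=scarter,ou=people,o=airius.com": ["Accounts Payable"],
}


def user_groups(user_dn: str,
                membership: Dict[str, List[str]] = DIRECT_MEMBERSHIP) -> List[str]:
    """SM_USERGROUPS semantics: only the groups the user is a direct member of,
    i.e. the group furthest down the hierarchy. Containing groups are excluded."""
    return sorted(membership.get(user_dn, []))


def user_nested_groups(user_dn: str,
                       parents: Dict[str, List[str]] = PARENTS,
                       membership: Dict[str, List[str]] = DIRECT_MEMBERSHIP) -> List[str]:
    """SM_USERNESTEDGROUPS semantics: the direct groups plus every group that
    contains them, transitively. The visited set stops a cycle in a
    mis-configured directory (A contains B contains A) from looping forever."""
    seen: Set[str] = set()
    stack = list(membership.get(user_dn, []))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(parents.get(group, []))
    return sorted(seen)


def is_member(user_dn: str, group: str, nested: bool = True) -> bool:
    """True when the user belongs to `group`, either through any containing
    group (nested=True, like SM_USERNESTEDGROUPS) or only directly
    (nested=False, like SM_USERGROUPS)."""
    groups = user_nested_groups(user_dn) if nested else user_groups(user_dn)
    return group in groups


if __name__ == "__main__":
    dn = "uid=scarter,ou=people,o=airius.com"
    print("SM_USERGROUPS       =", user_groups(dn))
    print("SM_USERNESTEDGROUPS =", user_nested_groups(dn))
    print("in Accounting (nested / direct):", is_member(dn, "Accounting"),
          is_member(dn, "Accounting", nested=False))
```

A check that keys a policy decision on membership in a parent group such as Accounting must use the nested form; with SM_USERGROUPS semantics the user in the page's example is a member of Accounts Payable only.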
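The SM_USERDISABLEDSTATE entry above says the attribute is a decimal bit mask and that a user can be disabled for several reasons at once. The following added example, not code from the CA documentation or SDK, decodes such a value into its individual bits. Only the Sm_Api_Disabled_Inactivity = 0x00000004 mapping comes from the page; the other reason bits are defined in Sm_Api_DisabledReason_t in SmApi.h and are not reproduced here, so any unrecognised bit is reported by its value rather than silently dropped.

```python
# Added example (not from the CA documentation or SDK): decode the decimal
# SM_USERDISABLEDSTATE bit mask into individual disabled reasons.
# Only the 0x00000004 / Sm_Api_Disabled_Inactivity entry is taken from the page;
# fill in the remaining bits from Sm_Api_DisabledReason_t in SmApi.h.
from typing import Dict, List

DISABLED_REASON_BITS: Dict[int, str] = {
    0x00000004: "Sm_Api_Disabled_Inactivity",   # from the page
    # other reason bits: see Sm_Api_DisabledReason_t in SmApi.h (not listed on the page)
}


def decode_disabled_state(value: str) -> List[str]:
    """Return the names of all reason bits set in an SM_USERDISABLEDSTATE value.

    The attribute is decimal text ("4"), not hex. An empty list means no
    disable reason is set. A set bit that is not in the table is still
    reported (as "unknown bit 0x...") because dropping a disable reason
    the table does not know about would turn a disabled account into an
    apparently enabled one.
    """
    mask = int(value.strip() or "0", 10)
    if mask < 0:
        raise ValueError("SM_USERDISABLEDSTATE cannot be negative")
    reasons: List[str] = []
    bit = 1
    while mask:
        if mask & 1:
            reasons.append(DISABLED_REASON_BITS.get(bit, f"unknown bit 0x{bit:08x}"))
        mask >>= 1
        bit <<= 1
    return reasons


def is_disabled(value: str) -> bool:
    """True when any reason bit is set, regardless of whether it is recognised."""
    return int(value.strip() or "0", 10) != 0


if __name__ == "__main__":
    for sample in ("0", "4", "6"):          # constructed sample values
        print(sample, "->", is_disabled(sample), decode_disabled_state(sample))
```

The page's own example (inactivity) decodes as the single reason at bit 0x4; a constructed value of 6 shows two reasons set at once, one of which this table does not name.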

Availability of CA Single Sign-On-generated Response Attributes

The following table shows the availability of CA Single Sign-On generated response attributes during authentication, authorization and impersonation events:

Response Attribute        | Authentication and Authorization Events                                 | Impersonation Events
                          | GET/PUT | OnAuthAccept | OnAuthReject | OnAccessAccept | OnAccessReject | ImpersonateStartUser
SM_USER_CONFIDENCE_LEVEL  | Yes     | Yes          | Yes          | Yes            | Yes            | No
SM_USERNAME               | Yes     | Yes          | Yes          | Yes            | Yes            | No
SM_USERPATH               | Yes     | Yes          | Yes          | Yes            | Yes            | No
SM_USERIPADDRESS          | Yes     | Yes          | Yes          | Yes            | Yes            | No
SM_USERPASSWORD           | No      | Yes          | Yes          | No             | No             | No
SM_TRANSACTIONID          | Yes     | No           | No           | Yes            | Yes            | No
SM_USERSESSIONID          | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERSESSIONSPEC        | Yes     | No           | No           | Yes            | Yes            | No
SM_USERSESSIONIP          | Yes     | Yes          | Yes          | Yes            | Yes            | No
SM_USERSESSIONUNIVID      | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERSESSIONDIRNAME     | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERSESSIONDIROID      | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERSESSIONTYPE        | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERLASTLOGINTIME      | No      | Yes          | No           | No             | No             | No
SM_USERGROUPS             | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERNESTEDGROUPS       | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERSCHEMAATTRIBUTES   | Yes     | Yes          | Yes          | Yes            | Yes            | No
SM_USERLOGINNAME          | No      | Yes          | Yes          | No             | No             | No
SM_USERIMPERSONATORNAME   | No      | No           | No           | No             | No             | Yes
SM_USERDISABLEDSTATE      | Yes     | Yes          | No           | Yes            | Yes            | No
SM_USERPOLICIES           | No      | No           | No           | Yes            | No             | No
SM_USERREALMPRIVS         | Yes     | No           | No           | No             | No             | No
SM_USERPRIVS              | Yes     | No           | No           | No             | No             | No