Authorization Policy to determine if user is member of AD group

We would like to create an authorization policy to limit access to a SAML2 resource if the user is a member of an AD group. Our primary data source is eDir, so we created an additional data source for AD and a virtual attribute called adGroupMembership mapping the memberOf attribute in AD. We've tried the following in NAM 5.0.4.0 to determine if the user is a member of the AD group "cn=AD Group,..."

However, even though the test user is a member of this group, NAM fails with an authorization error.

Any guidance on where our error is with the above condition? Is there a way to debug condition groups? There is a test button for virtual attributes but I do not see anything similar for condition groups.

Lastly, if the authorization fails, is there a way to display a web page explaining the failure to the user?

  • 0  

    Hi Albert!

    I needed to read through your post a few times, since some things do not add up for me, but let me ask a few questions.

    We would like to create an authorization policy to limit access to a SAML2 resource if the user is a member of an AD group

    Your SAML2 resource is behind Access Gateway, right? Since an authorization policy can only be applied to an AGW-protected resource.

    Any guidance on where our error is with the above condition? Is there a way to debug condition groups? There is a test button for virtual attributes but I do not see anything similar for condition groups.

    Rule might also fail because of values in adGroupMembership not being properly populated.

    As a test, I would suggest setting up the rule using an LDAP attribute only (from eDir), just to see that the policy behaves properly, then changing it to use the virtual attribute from the data source.

    Lastly, if the authorization fails, is there a way to display a web page explaining the failure to the user?

    When I set up authorization policy I have two rules:

    - first rule evaluates conditions to allow access with action Permit

    - second rule has no conditions and action Deny. When selecting Deny you can also set custom text (by choosing the "Deny Message" option instead of "Display Default Deny Page")

    Kind regards,

    Sebastijan
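
A quick offline check, added here as an example (it is not from the thread and not part of NAM), for the "values in adGroupMembership not being properly populated" suggestion above: it compares the group DN typed into the condition against the DNs AD returns in memberOf, once as a plain string compare and once as a DN compare (case- and whitespace-insensitive, which is what the LDAP matching rules for cn/ou/dc give). The memberOf values are constructed sample data, and whether NAM's condition does a string or a DN comparison is not stated in the thread, so treat that as an assumption to verify.

```python
import re

# Constructed sample of what AD might return in memberOf for the test user.
# Note the upper-case attribute types and the escaped comma in the last entry.
SAMPLE_MEMBEROF = [
    "CN=AD Group,OU=Groups,DC=example,DC=com",
    "CN=Domain Users,CN=Users,DC=example,DC=com",
    "CN=Ops\\, Team,OU=Groups,DC=example,DC=com",
]


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped (RFC 4514 style)."""
    return re.split(r"(?<!\\),", dn)


def normalize_dn(dn):
    """Canonical form: lower-case types and values, no whitespace around '=' or ','.

    Assumption: every attribute type uses a case-insensitive matching rule,
    which holds for cn/ou/dc, the types found in typical AD group DNs.
    """
    parts = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def exact_string_match(member_of, group_dn):
    """What a naive policy condition would do: byte-for-byte comparison."""
    return group_dn in member_of


def is_member(member_of, group_dn):
    """DN-aware comparison: survives case and spacing differences."""
    wanted = normalize_dn(group_dn)
    return wanted in {normalize_dn(v) for v in member_of}


if __name__ == "__main__":
    typed = "cn=AD Group, ou=Groups, dc=example, dc=com"  # as entered in the condition
    print("exact string match:", exact_string_match(SAMPLE_MEMBEROF, typed))
    print("DN match:          ", is_member(SAMPLE_MEMBEROF, typed))
```

If the DN match is true while the exact string match is false, the data source is populated correctly and the mismatch is in how the condition value is written or compared.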

  • 0 in reply to   

    Your SAML2 resource is behind Access Gateway, right? Since an authorization policy can only be applied to an AGW-protected resource.

    The SAML2 resource is not behind AG. My reading of https://www.microfocus.com/documentation/access-manager/5.0/admin/b1apw51e.html leads me to believe we can do authorization for a SAML2 resource. Am I reading this wrong? And, if I am reading it wrong, why does setting up an authorization policy force an authorization failure when authenticating to the SAML2 resource?

    Rule might also fail because of values in adGroupMembership not being properly populated.

    Possible. Unfortunately, catalina.out doesn't print these values, so it's hard to say what the value of this attribute is.

    As a test, I would suggest setting up the rule using an LDAP attribute only (from eDir), just to see that the policy behaves properly, then changing it to use the virtual attribute from the data source.

    Ok, will try something simple.

    When I set up authorization policy I have two rules:

    - first rule evaluates conditions to allow access with action Permit

    - second rule has no conditions and action Deny. When selecting Deny you can also set custom text (by choosing the "Deny Message" option instead of "Display Default Deny Page")

    So you are doing something like this:

    Unfortunately, as our SAML2 SP is not behind AG, this is not an option, as it is an "Access Gateway: Authorization" policy. We are setting up an "Identity Server: roles" policy:

    And, for such a policy, I don't see an option to define a message for authorization denials.