Layer7 Identity Management

additional logic on authorization response for IDM ?

    Posted 01-29-2015 10:41 AM

    We received the following question from a customer:

    "Is there a way to provide additional logic, if the user attempts to access a task that the user is not entitled to?

    I was looking at the confirmation folders on the file system and I don't see a way to add conditions if the user has a bookmark link that lands on a task that they are not entitled to."

    The best way to do that is using Site Minder integration with IDM and then applying Site Minder's active responses to the 'Unauthorized' or 'Rejected' event.

    Basically, from an IDM standpoint alone, a user that's logged on will only have access to the tasks they can execute, which will be put on their task menu; when executed, all info will be kept within the scope defined on the tasks, etc. So, IDM itself is not allowing a user to access an unauthorized task and isn't providing more info on that. There is no event for IDM such as 'not authorized' where IDM can add more info, and that's why the confirmation pages folder you looked at isn't helpful, since these all come into play after the user has already submitted tasks (which means they are authorized for them).

    Site Minder, however, is more powerful and is absolutely designed to control access. Therefore, Site Minder has events to handle authorization acceptance as well as rejection. You can capture and use these events in Site Minder and forward to your own pages, where you can display any further info you'd like. Since I'm on the IDM support group I might not know the EXACT Site Minder event name that you should capture, but it should be quite easy to find out if you look into the SM user interface: you should find the SM events for authorization, then link them with a response object and possibly redirect to your own page.

    Sagi Gabay,

    CA Technologies.