Symantec Access Management

  • 1.  How to create SiteMinder custom authentication scheme to collect token using string parameter?

    Posted Aug 31, 2016 05:34 AM

    I have created a custom authentication scheme to bypass the login page of an application. I would like to know what values should be given for the following fields: Library and Parameter.

     

    As per the requirement, I need to collect a browser request cookie (e.g. values of JSESSIONID) and pass it as a parameter to the authenticate() function, and also pass the environment, such as 'dev', 'uat', etc., as a parameter to the init() function.

    Is this possible through a custom authentication scheme?



  • 2.  Re: How to create SiteMinder custom authentication scheme to collect token using string parameter?

    Broadcom Employee
    Posted Sep 01, 2016 02:15 AM

    Hi,

     

    Regarding the Library and Parameter,

     

    - The library name is always smjavaapi.
    - In the parameter field, the first item must be the name of the custom class you implemented with the Authentication API or Authorization API, as follows:

    With authentication schemes, specify the name of the class you implemented from the base interface SmAuthScheme. The class name should include the fully qualified package name, such as:
    com.myorg.sdk.myclass

     

    Reference:

     

    Java Authentication and Authorization Guidance - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    A Custom Authentication Scheme is tied to the User Directory and functions on the Policy Server side, not on the Web application/Web Agent side. So, passing such a value of JSESSIONID to the Policy Server might need more consideration or consultation… It would be better to look into the SDK sample “javaauthapi” to see how a Custom Authentication Scheme will work.

     

    Here is a diagram excerpted from “Programming Guide for Java”.

    As for the Java Authentication Scheme, you may refer to the following as well.

    (1) Custom Authentication Scheme Creation Using Java - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    (2) TEC559203 - How to run the java custom authentication scheme provided with the sample SDK.

    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec559203.aspx

     

    I hope this would help.

    Regards,

    Koichi



  • 3.  Re: How to create SiteMinder custom authentication scheme to collect token using string parameter?

    Posted Sep 06, 2016 02:29 AM

    Hi Koichi ,

     

    Thank you for the valuable advice. I have attached here a snapshot of the request cookie from the browser.

     

    We want to collect "ut_authn" from the request cookie and pass it to the authenticate() method using a custom authentication scheme.

     

    Could you please tell us if there is any possibility to collect this ut_authn from the browser or from the web agent and pass it as a parameter in a custom authentication scheme?



  • 4.  Re: How to create SiteMinder custom authentication scheme to collect token using string parameter?

    Broadcom Employee
    Posted Sep 06, 2016 06:04 AM

    Hi,

     

    Regarding your collecting "ut_authn" and passing it to your Custom Authentication Scheme, the documentation on normal HTML Forms Authentication could help.

     

    Configure HTML Forms Authentication - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

     

    Especially, this also explains Custom Authentication Scheme as follows.

     

    Custom Authentication Scheme Library Writing and Installation

    The user name and password data that the FCC collects are passed to the Policy Server, which passes them to the authentication scheme library.

    Unless back-end mapping is required, the SmAuthHTML authentication scheme library can be used. SmAuthHTML is distributed with the Policy Server and already installed on the Policy Server system.

    Note: Back-end mapping requires a custom authentication scheme library (included in the software development kit).

    If you write a custom authentication scheme and you want to gather more data than the user name and password, the FCC must pack that data into the user name and password fields. These fields must be fewer than 511 characters long. The custom authentication scheme library must then be able to unpack the data and map it to the user name and password.

    The FCC can be installed on the same system as the Policy Server.

     

    Regards,

    Koichi



  • 5.  Re: How to create SiteMinder custom authentication scheme to collect token using string parameter?

    Broadcom Employee
    Posted Sep 08, 2016 09:01 AM

    Hi, again,

     

    As per the above documentation, if you could pass your "ut_authn" data by packing it into the password field in the FCC, your Custom Authentication Scheme on the Policy Server side could retrieve it by the method getPassword() of the UserCredentialsContext class and unpacking the data.

     

    It would also need:

    1. Custom Authentication Scheme will redirect to a certain page which will collect user credential,
    2. and then, it will POST them to FCC.

     

    The redirection URL can be set by setResponseBuffer() method in query().
    And, as for such custom login page, below document is really useful. 

     

    Custom Login Page 

     

    But, if they would not answer you, as the question is regarding customization and development, it seems that you had better contact an appropriate person such as your Account manager or CA Services.

     

    I hope this would help.

     

    Regards,

    Koichi



  • 6.  Re: How to create SiteMinder custom authentication scheme to collect token using string parameter?

    Posted Sep 11, 2016 06:53 AM

    User requests /u/smtest and has not logged in yet. They do not have a SMSESSION and they do not have a ut_authn.

    SiteMinder intercepts the request and checks for SMSESSION. No SMSESSION was found.

    So SiteMinder checks for a ut_authn via custom authentication scheme.

    No ut_authn was found, so SiteMinder redirects to /ut/login.jsp with a TARGET parameter of the smtest page.

    User is presented with the /ut/login.jsp page and submits username and password credentials.

    The login page validates the user credentials against xldap and generates a ut_authn.

    The user is redirected back to /u/smtest and now has a ut_authn. SiteMinder intercepts the request and checks for SMSESSION.

    No SMSESSION was found we are looking for and can we use two authentication schemes for the same request?

    Can we have a few details?

    Regards,

    Nithin



  • 7.  Re: How to create SiteMinder custom authentication scheme to collect token using string parameter?
    Best Answer

    Posted Sep 11, 2016 11:24 PM

    Hi Nithin Chandra,

     

    Have a look at this new tech tip that I just published: Tech Tip : CA Single Sign-On : Policy Server : How to collect additional attribute using custom authentication 

     

    The only additional step that you will need to perform to fulfill your use case is to write JavaScript to read the cookies and set the hidden text field used for collecting additional attributes.

     

    Hope this helps.

     

    Regards,

    Ujwol 
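
The packing step described in posts 4, 5 and 7, as an added example that is not part of any post in this thread or of the CA documentation: it reads a cookie from a `document.cookie`-style string, packs it with the password into one field under the 511-character limit, and shows the matching unpack logic the scheme library would apply to the string it receives. The length-prefixed format, the function names and the `PASSWORD` form field name are assumptions made for illustration.

```javascript
// Added example: packing format and field names are assumptions, not SiteMinder's.
const MAX_FIELD_LEN = 510; // page: fields "must be fewer than 511 characters long"

// Return the decoded value of one cookie from a document.cookie-style string.
// Note: document.cookie never exposes cookies that are marked HttpOnly.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Pack as "<password length>:<password><token>" so that no delimiter can be
// confused with characters inside the password or the token.
function packCredential(password, token) {
  const packed = `${password.length}:${password}${token}`;
  if (packed.length > MAX_FIELD_LEN) {
    throw new RangeError("packed credential exceeds the FCC field limit");
  }
  return packed;
}

// Mirror of packCredential. The scheme library would apply the same logic to
// the string it gets from getPassword(), then validate the token itself,
// because everything in this field is supplied by the browser.
function unpackCredential(packed) {
  const m = /^(\d{1,3}):/.exec(packed);
  if (!m) throw new Error("malformed packed credential");
  const start = m[0].length;
  const pwLen = Number(m[1]);
  if (start + pwLen > packed.length) throw new Error("length prefix out of range");
  return {
    password: packed.slice(start, start + pwLen),
    token: packed.slice(start + pwLen),
  };
}

// Browser glue: pack the cookie into the form's password field before submit.
function fillPackedField(doc, form, cookieName) {
  const token = readCookie(doc.cookie, cookieName);
  if (token === null) return false; // no token: leave the form unchanged
  form.PASSWORD.value = packCredential(form.PASSWORD.value, token);
  return true;
}
```

In a login page this would be called from the form's submit handler as `fillPackedField(document, form, "ut_authn")`.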



  • 8.  Re: How to create SiteMinder custom authentication scheme to collect token using string parameter?

    Posted Sep 12, 2016 03:18 AM

    Hello Ujwol,

    I have a few questions. I have gone through the provided Tech Tip, and right now in my case I am using the login.jsp page and we want to use two authentication schemes, one to get the login.jsp page (ut_authn token) and a SMSESSION cookie after we log in. Right now we are stuck at the cookie, as we are not seeing the cookie.

    So can you provide me any information on how we can achieve this?

     

    Regards,

    Nithin