Layer7 Access Management


Authorization based on condition verified post authentication

  • 1.  Authorization based on condition verified post authentication

    Posted 01-06-2017 07:40 AM



    We are in the process of implementing a system where, post-authentication, the user is verified with an OTP for each new session. We want to restrict user access to the application (except for the OTP verification page) until SiteMinder gets confirmation of OTP verification from the application. Please note that OTP generation and validation are handled by the application.

    We know SiteMinder does not intercept any POST data from the application except data posted directly to .fcc files (login.fcc/smpwservices.fcc etc.), per Ujwol's reply on the discussion "Pass form variable from jsp to Siteminder".

    We want to explore a possible OOTB SiteMinder solution where the application can provide some trigger based on which SiteMinder grants access to resources. This access should be valid for a single session and should be revoked once the session ends.


    Thank you

    Sachin Hegde

  • 2.  Re: Authorization based on condition verified post authentication
    Best Answer

    Posted 01-09-2017 01:06 AM

    Hi Sachin,


    If I understand this correctly, what you are looking for is actually 2FA (two-factor authentication), with the first factor being FORM (or any other OOTB authentication scheme provided by CA SSO) and the second factor being the OTP provided by the third-party app.



    However, as your OTP authentication is actually done by a third-party product, you will have to utilise a custom authentication scheme for this.


    A few references:

    Multi authentication schemes on a realm (or within a scheme) 

    How to implement Two Factor auth using siteminder with one factor as persistent token 

    One Time Password  in Siteminder 




    Ujwol's Single Sign-On Blog 

  • 3.  Re: Authorization based on condition verified post authentication

    Posted 01-09-2017 07:09 AM

    Hi Ujwol,


    Thank you for the reply. We are trying to explore the option where, post OTP verification, the application sets a custom session variable by calling the setSessionVariables() API. This can then be retrieved in the domain by defining a Variable under Domain -> Variable, and we can use that variable in Domain -> Policy -> Expression to set authorization rules. (References: User Context variable, Expression.)

    This would help us easily manage the session for the user, and we don't have to worry about cleanup, as all session variables are deleted when the session ends.

    Please let me know if this approach would work in our case.


    A few references: Page 46: How Information Is Bound to a Session 

    SessionVariableContext (CA SiteMinder SDK r12.52sp1) 

  • 4.  Re: Authorization based on condition verified post authentication

    Posted 01-12-2017 11:23 PM

    Hi Sachin,


    As discussed the other day, the setSessionVariables() API can only be called from within the custom authentication scheme, it can't be called from your application, so this approach may not work for you.
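
The reply above says the session-variable write has to happen inside a custom authentication scheme rather than in the application. The following is an added example, not code from this thread, from CA, or from the SDK samples, of what that looks like: a second-factor scheme for the CA SSO Java Authentication API that asks the application whether the posted OTP is valid and, only on success, records the result as a session variable bound to the SMSESSION. The package name, the `otpVerified` variable name and the OTP check endpoint contract (HTTP 200 means valid) are hypothetical; the `com.netegrity.policyserver.smapi` class and method names are written from memory of the r12.x Java SDK and should be checked against the SDK javadoc for your release.

```java
// Added example (hypothetical package); not from the thread or from CA.
package example.sso;

import java.io.IOException;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Hashtable;

import com.netegrity.policyserver.smapi.SessionVariableContext;
import com.netegrity.policyserver.smapi.SmAuthQueryCode;
import com.netegrity.policyserver.smapi.SmAuthQueryResponse;
import com.netegrity.policyserver.smapi.SmAuthScheme;
import com.netegrity.policyserver.smapi.SmAuthStatus;
import com.netegrity.policyserver.smapi.SmAuthenticationContext;
import com.netegrity.policyserver.smapi.SmAuthenticationResult;
import com.netegrity.policyserver.smapi.SmUserCredentialsContext;

public class OtpSessionFlagScheme implements SmAuthScheme {

    /** Session variable the authorization expression tests (hypothetical name). */
    static final String OTP_FLAG = "otpVerified";

    /** Application endpoint that validates an OTP; read from the scheme's "parameter" field. */
    private String otpCheckUrl;

    public int init(String parameter, String secret) {
        otpCheckUrl = parameter;   // e.g. https://app.example.com/otp/verify (hypothetical)
        return SmAuthStatus.SMAUTH_SUCCESS;
    }

    public void release() { }

    public int query(SmAuthQueryCode request, SmAuthQueryResponse response) {
        if (request == SmAuthQueryCode.SMAUTH_QUERY_DESCRIPTION) {
            response.setResponseBuffer("OTP second factor; result stored as a session variable");
        }
        // The remaining query codes (credentials required, user type, ...) are
        // answered exactly as in the SDK's sample schemes and are omitted here.
        return SmAuthStatus.SMAUTH_SUCCESS;
    }

    public SmAuthenticationResult authenticate(SmAuthenticationContext context) {
        SmUserCredentialsContext creds = context.getUserCredentialsContext();
        String user = creds.getUsername();
        String otp  = creds.getPassword();   // the OTP form posts the code in the PASSWORD field

        // The application stays the authority on OTP validity: the Policy Server
        // asks it directly and never trusts a "verified" flag sent by the browser.
        boolean verified;
        try {
            verified = appConfirmsOtp(user, otp);
        } catch (IOException e) {
            verified = false;   // fail closed: an unreachable OTP service grants nothing
        }
        if (!verified) {
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT, SmAuthStatus.SMAUTH_REASON_NONE);
        }

        // This is the write the thread says only a custom scheme may perform.
        // The variable lives in the session store and is discarded with the
        // session, so the application needs no cleanup of its own.
        Hashtable<String, String> vars = new Hashtable<>();
        vars.put(OTP_FLAG, "true");
        SessionVariableContext sessionVars = context.getSessionVariableContext();
        sessionVars.setSessionVariables(vars);

        return new SmAuthenticationResult(SmAuthStatus.SMAUTH_ACCEPT, SmAuthStatus.SMAUTH_REASON_NONE);
    }

    /** POSTs user and OTP to the application; HTTP 200 means valid (hypothetical contract). */
    private boolean appConfirmsOtp(String user, String otp) throws IOException {
        String body = "user=" + URLEncoder.encode(user, StandardCharsets.UTF_8.name())
                    + "&otp=" + URLEncoder.encode(otp, StandardCharsets.UTF_8.name());
        HttpURLConnection conn = (HttpURLConnection) new URL(otpCheckUrl).openConnection();
        conn.setRequestMethod("POST");
        conn.setConnectTimeout(3000);
        conn.setReadTimeout(3000);
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes(StandardCharsets.UTF_8));
        }
        int code = conn.getResponseCode();
        conn.disconnect();
        return code == 200;
    }
}
```

In use, this scheme would sit behind the FORM (first-factor) scheme on the realm, as in the multiple-authentication-scheme reference given earlier in the thread, and the policy expression would test `otpVerified` as described in the third post. Two caveats worth checking before relying on it: session variables require the Policy Server session store to be enabled, and the scheme above only ever sets the flag after the application has said yes, so the application's own POST handling stays out of the trust decision, which was the original concern about data SiteMinder does not intercept.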