Blog Viewer

Tech Tip : CA Single Sign-On :Policy Server:How to access CA SSO generated response attributes in ActiveResponse

By Ujwol posted 08-06-2017 10:39 PM

  

Summary

It is often required to access the default CA SSO generated response attributes in the custom active response/rules to evaluate custom logic.

Some sample CA SSO generated attributes are :

  • SM_USERSESSIONIP
  • SM_USERDN
  • SM_USERPASSWORD

The full list of default CA SSO generated attributes can be found by searching for keyword "CA SiteMinder®-Generated User Attributes" in CA SSO documentation

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes

Environment

PS : r12.5 and above

Instructions

To default CA SSO generated user attributes can be accessed using the SmUserContext.getProp(java.lang.String propName) API call as below.

In the example below, we are accessing the default CA SSO response attribute : SM_USERIPADDRESS

 

 

    public String
    invoke(ActiveExpressionContext context,
           String param)
        throws Exception
    {

        if (context == null)
        {
           // should never happen
           throw new IllegalArgumentException("ActiveResponseSample invoked without context");
        }

        // the User Context is required to use the methods like getProp, setProp..
        UserContext theUserContext = context.getUserContext();

        if (theUserContext == null)
        {
            context.setErrorText("No User Context.");
            return null;
        }

     return theUserContext.getProp("SM_USERIPADDRESS");
    }

 

Step 1: Create an active response as shown below :

Step 2 : Configure the Active Response with either OnAuthAccept or OnAccessAccept rule.

Step 3 : Compile the attached sample ActiveResponseSample.java class by running java-build.bat (windows) /java-build.sh (unix).

Note: Prior to running you will need to update the path to the JDK install directory in the JAVA_HOME variable by editing the java-build.bat (windows) /java-build.sh (unix) files.

 

Step 4. Once compiled, copy the ActiveResponseSample.class and copy it to the <Policy server>/config/properties directory.

 

Note: This "properties" directory is by default in the classpath of Policy server so you don't need to modify JVMOptions.txt.

 

If you choose to deploy the class in any other directory, then you will need to add the path to that directory as a classpath in the JVMOptions.txt file.

 

Test:

 

Policy server Trace Log :

 

[08/07/2017][01:30:07][2908][1564][][SmAuthUser.cpp:700][ServerTrace][][][][][][][][][][][][][][ActiveResponseSample: ActiveResponseSample:: returning ClientIP= ['10.129.160.255']][01:30:07.792][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][ActiveResponseSample:: returning ClientIP= ['10.129.160.255']][][][][][][][][][][][][][] 

Additional Information

1) Not all response attributes are available at all events (OnAuthAccept, OnAuthReject, OnAccessAccept etc.) 

So before implementation please verify if the response attribute you are interested is available for the event that you require it in :

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes

 

2) Active Response are by default cached. If you need the active response to evaluate every time on the Policy server , disable attribute caching for this active response.( In the active response creation screen in Administrative UI)