I'm not finding a lot of information on the disambiguation phase in a custom authentication scheme made with the Java SDK. It appears that the Java SDK does not allow a search string result to be returned, so it would have to query the directory itself and return the full directory. Are any of the methods from the rest of the SDK able to handle the connection with the directory, or does it just need an entirely separate connect (password, etc)? It seems like an additional maintenance issue to add a separate LDAP connection, but I don't see any other way. Are there any examples that do not skip the disambiguation phase?
The C++ Authentication API allows a return code of Sm_AuthApi_SuccessUserFilter, which I am pretty sure will do what you want.
The following information is from the 12.5 Programming guide for C, but seems to be missing from later versions of the doc:
SiteMinder disambiguates the user based upon a standard LDAP search filter that the authentication scheme constructs and passes in lpszParam. When SiteMinder is passed this return code, it ignores the Start and End field values configured for the user directory.
While the above documentation is a little better than nothing, it doesn't provide enough information to allow someone to actually program against it. What I suspect is that you can construct an LDAP search expression and return it in the lspzUserMsg output buffer.
Unfortunately, I don't see any reference to any return status resembling Sm_AuthApi_SuccessUserFilter in the Javadoc for the authentication API, nor do I see it in the SmAuthStatus data type when viewing it in my IDE.
You could try opening a tech support case and asking if there is an equivalent in JAVA to Sm_AuthApi_SuccessUserFilter. If there isn't then you would have to write a C function and then create a JNI wrapper for it.
What GD has been doing for years (since long before Sm_AuthApi_SuccessUserFilter was introduced) is using the Policy Management API Sm_PolicyApi_LookupDirectoryEntry() method, but that is pretty complex to use, and again is only available in C (we have a JNI wrapper for it).
Unfortunately, I don't know of any relatively easy way of doing ldap searches from within an auth scheme. All the mechanisms available are somewhat painful. Unless you have some C/C++ skills and know how to use JNI, creating your own pool of LDAP connections to the user store is probably your best bet; unless you have enough clout to get CA Engineering to make an equivalent of Sm_AuthApi_SuccessUserFilter functionality available in Java in the near future.
Right; Sm_AuthApi_SuccessUserFilter would certainly do it... if it were available in Java. I did see a few questions posted to that affect, but no real sign of what anyone did without it. It seems an odd omission. Most of the things I can think of that would be useful to do via the authentication API would need that... if I could make the full DN directly from the user certificate, it could probably be done without custom code.
I don't mind spinning up an LDAP connection - that isn't terribly hard... except that it means the system would require any updates to the connection info be maintained in two places. Those sort of things tend to add up, or end up forgotten at some critical point... I'm not sure that a wrapper is significantly better in a Java shop. It's been a while since I've worked with C/C++... it might be possible, but certainly harder. I'm not positive if that is more or less maintainable. I'll have to consider that. Thanks.