Symantec Access Management

Expand all | Collapse all

can we configure a siteminder policy to only process authentication events

Jump to Best Answer
  • 1.  can we configure a siteminder policy to only process authentication events

    Posted 09-21-2016 05:50 PM

    Hello All, can we configure a siteminder policy to only authenticate the users and redirect them to the target application with our doing any authorization? Any help is appreciated, Thank You.



  • 2.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-21-2016 05:57 PM

    Yes you can disable authorization processing at realm level from admin ui.



  • 3.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-21-2016 05:58 PM

    Thank You for your quick response, I tried that and flushed the realm cache, restarted the webserver, but I still see AuthAccept and AzAccept events being triggered in the smaccess.log, so am assuming that policy server is doing both authentication and authorization events, Thank You.



  • 4.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-21-2016 06:11 PM

    can you try restarting ps?



  • 5.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-21-2016 06:22 PM

    I just did restart the policy server and still am seeing both auth and az events in the smaccess.log, Thank You.



  • 6.  Re: can we configure a siteminder policy to only process authentication events
    Best Answer

    Posted 09-21-2016 10:46 PM

    In the old days(Policy Server version 5.x) the Authentication, Authorization, Accounting and Administration were separate services.

    So, it was possible to have a specific policy server process the authentication only.

    Now we have all the services combined and no option to enable specific service only(other than the admin service).

    If this is a requirement, you can raise an Idea on this feature.



  • 7.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-22-2016 01:34 PM

    Thank You Kim.



  • 8.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-21-2016 09:41 PM

    Hi,

     

    I do a test in my environment by disable authorization events and get the same behavior that

     

     

     

     

    and get same behavior that user get auth, az

    ie:

    AuthAccept DRSSOIAM2 [22/Sep/2016:11:34:58 +1000] "127.0.0.1 cn=user1,ou=support,o=userstore" "transpolar agent GET /transpolar/frontpage.htm" [idletime=3540;maxtime=7200;authlevel=5;] [0]  [] []
    AzAccept DRSSOIAM2 [22/Sep/2016:11:34:58 +1000] "127.0.0.1 cn=user1,ou=support,o=userstore" "transpolar agent GET /transpolar/frontpage.htm" [0000000000000000000000000100007f-0e18-57e33542-0e44-002b3e12] [0]  [] []

     

    From UI help, it mentioned:

     

     

    therefore, the auth and az will happen anyway. The different is whether it trigger rule that tied to az or not.

     

    In general, isProtected, isAuthenticated, isAuthorized happen. What is the reason not to have authorization?

     

    Regards,

    Kar Meng



  • 9.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-22-2016 01:34 PM

    Thank You for your help Meng.



  • 10.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-22-2016 12:00 AM

    Use this Parameter in ACO to disable Authorization.

    "EnableAuthorization"

     

    Below Documentation link captures some information on this ACO parameter.

    List of Agent Configuration Parameters - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 



  • 11.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-22-2016 01:36 PM

    Hello Konja, I tried that ACO parameter, restarted the webserver and PS, but still seeing the AzAccept in the smaccess.log. Still trying to get this working, Thank You for your help.



  • 12.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-22-2016 07:04 PM

    Hi Kona,

     

    Thanks for the information. That's the new thing to me



  • 13.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-22-2016 01:56 PM

    "EnableAuthorization" ACO parameter functionality is available in 12.52 SP1 CR4 release onwards. please check the version details of both webagent and Policy server.



  • 14.  Re: can we configure a siteminder policy to only process authentication events

    Posted 09-26-2016 12:21 PM

    Thank You for all the suggestions, I had to upgrade my webagent to the 12.52 and test again, I will update once I did that, Thank You.