Symantec Access Management

  • 1.  Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-04-2017 11:15 AM

    Reading the following document:

    How to Require Re-authentication for Sensitive Resources - CA Single Sign-On - 12.52 SP2 - CA Technologies Documentation

    There is a reference to an OnAccessValidateIdentity action. I can't find any other reference to that in the documentation. What version and/or component provides that action option?



  • 2.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?
    Best Answer

    Posted 12-04-2017 03:14 PM

    This Feature for "Sensitive Tasks" was released in R12.51.

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2051-ENU/Bookshelf.html#maincontent

    The impacted components are the WAMUI Code and Policy Server Code. Presumably the WebAgent code as well.

    As for the original question, "There is a reference to an OnAccessValidateIdentity action. I can't find any other reference to that in the documentation. What version and/or component provides that action option?"

    The Policy Administrator Creates an OnAccessValidateIdentity Rule for the Sensitive Resource

    Creating an OnAccessValidateIdentity rule in the policy is the next step that the policy administrator takes toward protecting sensitive resources. This rule rejects the current credentials of the user who started the session. This rejection forces the user to re-authenticate before accessing the sensitive resource.

    Follow these steps:

    1. From the Administrative UI, click Policies, Domain, Domain Policies.
    2. Click the edit icon that corresponds to the policy containing the URL of the sensitive resource.
    3. Click the Rules tab.
    4. Click Add Rule.
      The Available Rules dialog appears.
    5. Click Create.
    6. Click the option button for the realm under which you want to create the rule, and then click Next.
    7. Create the OnAccessValidateIdentity rule with the following steps:
      1. Enter a name and an optional description.
      2. Click the Resource field and enter the URL of the sensitive resource. The following example defines an HTML page named transfer_funds as the sensitive resource:

        transfer_funds.html
      3. Click the Authorization events option button.
      4. Click the following item under the Action list:

        OnAccessValidateIdentity
      5. (Optional) Define any time restrictions that you want.
    8. Click Finish.
      The Available Rules dialog appears. The new OnAccessValidateIdentity rule appears in the list.
    9. Click OK.
    10. Click Submit.
      The rule is added to the policy, and a confirmation message appears.
    11. Continue with the next step of creating a redirect response to the .FCC file.


  • 3.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-04-2017 03:17 PM


  • 4.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-04-2017 03:31 PM

    Thanks for the info, but what I'm wondering is if the action OnAccessValidateIdentity was released in 12.51, why don't I have the option in the authorization action drop down in 12.52 SP1? Does it absolutely require the Session Store?

    I've been referring to this document, How to Require Re-authentication for Sensitive Resources - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation.



  • 5.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-04-2017 04:10 PM

    What is the version of CA SSO we are talking about? Have the Data Definition and default objects been imported?

    Regards

    Hubert

    CA Services



  • 6.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-04-2017 04:18 PM

    The version is 12.52 SP1, as stated above.

    The data definitions were added. We did not import the smpolicy.xml as CA support informed us that it would only update the ACO templates with the new default attributes. Was that incorrect?



  • 7.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-04-2017 04:42 PM

    It does not update ACO parameters only. That's for sure.

    About that rule, do a search for that rule name in smpolicy.xml.

    Regards

    Hubert

    CA Services



  • 8.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-04-2017 05:28 PM

    Yes, I found it in the file. I'll import the smpolicy.xml and let you know how it works.

    Thanks!

    Eric



  • 9.  Re: Where does the Authorization Action 'OnAccessValidateIdentity' come from?

    Posted 12-05-2017 10:10 AM

    Mystery solved. I ran the import task and the new action and responses are available. Thanks Hubert!