Symantec Access Management

  • 1.  How to get "sessionToken"

    Posted Oct 22, 2018 01:27 PM

          I have a protected REST API with Basic Authentication. How can I retrieve the sessionToken after authentication? I want to use the sessionToken in my subsequent REST API calls. I have followed the steps mentioned in this video: CA Single Sign-On r12.52: Authentication & Authorization Web Services - YouTube


          I am not sure, but is sessionToken the same as SMSESSION?



  • 2.  Re: How to get "sessionToken"
    Best Answer

    Broadcom Employee
    Posted Oct 23, 2018 11:05 AM

    Vipul, sessionToken is SMSESSION. For the REST interface, see this for getting responses to authentication; the session variable holds the SMSESSION:


    <sessionToken>session</sessionToken>

    Configuring the Authentication and Authorization Web Services - CA Single Sign-On - 12.7 - CA Technologies Documentation 


    Authentication REST Interface

    REST means REpresentational State Transfer. In REST, service requests transform the state of objects accessible by URIs. HTTP drives state change using actions such as create, read, update, and delete.

    The URI mapping for authentication and authorization consists of the appId and resourcePath. The resource state is the collections of authenticated or authorized users associated with the Resource. The service names for authentication are login, blogin, and logout.

    A URI in this format, http://hostname:port/authazws/AuthRestService/login/appID/Resource, posts the following request:

    <loginRequest>
        <binaryCreds></binaryCreds>
        <password>user1</password>
        <userName>user1</userName>
        <action>GET</action>
    </loginRequest>

    The login responses:

    HTTP return code 200

    <loginResponse>
        <message>Authentication successful</message>
        <resultCode>LOGIN_SUCCESS</resultCode>
        <sessionToken>session</sessionToken>
        <authenticationResponses>
            <response>
                <name>SM_SESSIONDRIFT</name>
                <value>0</value>
            </response>
        </authenticationResponses>
    </loginResponse>

    HTTP return code 400

    <loginResponse>
        <message>Bad Request</message>
        <resultCode>LOGIN_ERROR</resultCode>
    </loginResponse>

    HTTP return code 200

    <loginResponse>
        <message>Authentication Failed</message>
        <resultCode>LOGIN_FAILED</resultCode>
        <authenticationResponses>
            <response>
                <name>SM_AUTHREASON</name>
                <value>0</value>
            </response>
        </authenticationResponses>
    </loginResponse>

    HTTP return code 500

    <loginResponse>
        <message>System</message>
        <resultCode>Server Error</resultCode>
    </loginResponse>

    rgds, Vijay



  • 3.  Re: How to get "sessionToken"

    Posted Oct 29, 2018 03:25 PM

    I am able to get the <sessionToken> and I am adding it to the cookie header to access the protected REST services. After my job is done, to invalidate the sessionToken I am invoking http://host:port#/authazws/AuthRestService/logout/ and in the response I am getting "LOGOUT_SUCCESS".


    The issue here is that when I try to use the same session in the cookie header to access the protected REST services, it still works even after a successful logout call. In the SPS trace logs I can see [Found session, no credentials required.]. Please help me with how I can invalidate the sessionToken.



  • 4.  Re: How to get "sessionToken"

    Posted Oct 29, 2018 03:36 PM

    The only completely secure way to invalidate the sessionToken is to have a Session Store.


    The other hack is to have the session timeout so small that it is not good for replay (i.e. as an alternative if you do not have a session store in place). But I don't think we can hack the Session Timeout value using the logout API call.



  • 5.  Re: How to get "sessionToken"

    Posted Oct 29, 2018 03:51 PM

    I have a Session Store. Can you help me with how to invalidate the sessionToken?



  • 6.  Re: How to get "sessionToken"

    Posted Oct 29, 2018 03:57 PM

    Please check if the realm that created the Session is a Persistent Realm.


    Refer to: Access Gateway REST Call - Logout not invalidating Session Token
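    As an added example (not code from the thread or from CA/Broadcom), the following Python client-side helpers build the loginRequest from reply 2, parse the loginResponse into the resultCode, sessionToken and authenticationResponses, turn the token into the SMSESSION cookie, and run the check replies 3 to 6 are about: does a token that worked before logout actually get rejected after LOGOUT_SUCCESS? The sample response bodies and the FakeGateway stand-in are constructed so the check runs offline; the real probe and logout callables would issue the HTTP calls against your gateway.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample bodies, shaped like the two HTTP 200 responses quoted in reply 2.
SUCCESS_BODY = ("<loginResponse><message>Authentication successful</message>"
                "<resultCode>LOGIN_SUCCESS</resultCode><sessionToken>session</sessionToken>"
                "<authenticationResponses><response><name>SM_SESSIONDRIFT</name>"
                "<value>0</value></response></authenticationResponses></loginResponse>")
FAILED_BODY = ("<loginResponse><message>Authentication Failed</message>"
               "<resultCode>LOGIN_FAILED</resultCode><authenticationResponses>"
               "<response><name>SM_AUTHREASON</name><value>0</value></response>"
               "</authenticationResponses></loginResponse>")

def build_login_request(user, password, action="GET"):
    """Body to POST to .../authazws/AuthRestService/login/<appID>/<Resource>; values are XML-escaped."""
    return ("<loginRequest><binaryCreds></binaryCreds>"
            f"<password>{escape(password)}</password>"
            f"<userName>{escape(user)}</userName>"
            f"<action>{escape(action)}</action></loginRequest>")

def parse_login_response(body):
    """Return (resultCode, sessionToken or None, {name: value} from authenticationResponses)."""
    root = ET.fromstring(body)
    extras = {r.findtext("name"): r.findtext("value")
              for r in root.iterfind("authenticationResponses/response")}
    return root.findtext("resultCode"), root.findtext("sessionToken"), extras

def smsession_cookie(token):
    """Cookie header value for later calls: the sessionToken is the SMSESSION value (reply 2)."""
    return f"SMSESSION={token}"

def logout_revokes_session(probe, logout, token):
    """probe(cookie) -> HTTP status of a protected call; logout(cookie) -> logout resultCode.
    True only when a token accepted before logout is rejected after it; a False result
    means the gateway still honours the session, the symptom described in reply 3."""
    cookie = smsession_cookie(token)
    if probe(cookie) != 200:
        raise ValueError("token not accepted before logout; cannot judge revocation")
    if logout(cookie) != "LOGOUT_SUCCESS":
        return False
    return probe(cookie) in (401, 403)

class FakeGateway:
    """Constructed in-memory stand-in (hypothetical, not the product) modelled on replies 3 and 6:
    logout reports LOGOUT_SUCCESS either way, but only the persistent variant drops the session."""
    def __init__(self, persistent):
        self.persistent, self.live = persistent, {"session"}
    def probe(self, cookie):
        return 200 if cookie.split("=", 1)[1] in self.live else 401
    def logout(self, cookie):
        if self.persistent:
            self.live.discard(cookie.split("=", 1)[1])
        return "LOGOUT_SUCCESS"
```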



  • 7.  Re: How to get "sessionToken"

    Posted Oct 23, 2018 11:10 AM

    If you are using the sessionToken for SSO outside the SOAP / REST APIs of CA AG, then take these factors into consideration too.


    https://communities.ca.com/message/241780962?commentID=241780962#comment-241780961