I have protected REST api with Basic Authentication. How can I retrieve sessionToken post authentication? I want to use sessionToken in my subsequent REST api call. I have followed steps mentioned in this video CA Single Sign-On r12.52: Authentication & Authorization Web Services - YouTube
I am not sure, but is sessionToken the same as SMSESSION?
Vipul, sessionToken is smsession. For the REST interface, see this for getting responses to authentication; the session variable holds the smsession:
Configuring the Authentication and Authorization Web Services - CA Single Sign-On - 12.7 - CA Technologies Documentation
REST means REpresentational State Transfer. In REST, service requests transform the state of objects accessible by URIs. HTTP drives state change using actions such as create, read, update, and delete.
The URI mapping for authentication and authorization consists of the appId and resourcePath. The resource state is the collections of authenticated or authorized users associated with the Resource. The service names for authentication are login, blogin, and logout.
A URI in this format, http://hostname:port/authazws/AuthRestService/login/appID/Resource, posts the following request:
<loginRequest>
    <binaryCreds></binaryCreds>
    <password>user1</password>
    <userName>user1</userName>
    <action>GET</action>
</loginRequest>
The login responses:
HTTP return code 200
<loginResponse>
    <message>Authentication successful</message>
    <resultCode>LOGIN_SUCCESS</resultCode>
    <sessionToken>session</sessionToken>
    <authenticationResponses>
        <response>
            <name>SM_SESSIONDRIFT</name>
            <value>0</value>
        </response>
    </authenticationResponses>
</loginResponse>
HTTP return code 400
<loginResponse>
    <message>Authentication Failed</message>
    <resultCode>LOGIN_FAILED</resultCode>
    <authenticationResponses>
        <response>
            <name>SM_AUTHREASON</name>
            <value>0</value>
        </response>
    </authenticationResponses>
</loginResponse>
HTTP return code 500
I am able to get <sessionToken> and I am adding it in the cookie header to access the protected REST services. After my job is done, to invalidate the sessionToken I am invoking http://host:port#/authazws/AuthRestService/logout/ and in the response I am getting "LOGOUT_SUCCESS".
The issue here is that when I try to use the same session in the cookie header to access the protected REST services, it is still working even after the successful logout call. In the SPS trace logs I can see [Found session, no credentials required.]. Please help me with how I can invalidate the sessionToken.
The only completely secure way to invalidate the sessionToken is to have a Session Store.
The other hack is to have the session timeout so small that it is not good for replay (i.e. as an alternative if you do not have a session store in place). But I don't think we can hack the Session Timeout value using the logout API call.
I have a Session Store. Can you help me with how to invalidate the sessionToken?
Please check if the realm that created the Session is a Persistent Realm.
Refer to Access Gateway REST Call - Logout not invalidating Session Token
If you are using the sessionToken for SSO outside the SOAP / REST APIs of CA AG, then take these factors into consideration too.
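The login exchange quoted in the thread, and the symptom the original poster describes (the token is still honoured after LOGOUT_SUCCESS), lend themselves to a small verification harness: log in, call a protected resource with the token in the SMSESSION cookie, log out, and call the protected resource again. This is an added example, not code from the thread or from CA; it assumes the loginRequest/loginResponse XML shapes shown above, that the token is sent as a `SMSESSION=` cookie (as the answer states), and it uses a constructed in-memory stand-in for the gateway (`make_fake_transport`) rather than a live server. The appId, resource path, protected URL and the logoutResponse element are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Tuple

# Transport signature: (method, path, headers, body) -> (http_status, body).
# A real deployment would back this with an HTTP client; here it is injected
# so the flow can be exercised offline.
Transport = Callable[[str, str, Dict[str, str], str], Tuple[int, str]]


def build_login_request(username: str, password: str, action: str = "GET") -> str:
    """Build the <loginRequest> body in the shape quoted in the thread.
    ElementTree escapes the values, so '<' or '&' in a user name cannot
    break out of its element."""
    root = ET.Element("loginRequest")
    ET.SubElement(root, "binaryCreds").text = ""
    ET.SubElement(root, "password").text = password
    ET.SubElement(root, "userName").text = username
    ET.SubElement(root, "action").text = action
    return ET.tostring(root, encoding="unicode")


def parse_login_response(status: int, body: str) -> Tuple[str, str]:
    """Return (resultCode, sessionToken). The token is '' unless the call
    returned HTTP 200 with LOGIN_SUCCESS, so callers never reuse a token
    from a failed login."""
    root = ET.fromstring(body)
    code = root.findtext("resultCode", default="")
    token = root.findtext("sessionToken", default="") or ""
    if status != 200 or code != "LOGIN_SUCCESS":
        return code, ""
    return code, token


def verify_logout_invalidates(transport: Transport, username: str, password: str) -> Dict[str, object]:
    """login -> protected call -> logout -> protected call.
    token_reused_after_logout is True when the gateway still accepts the
    token after LOGOUT_SUCCESS, i.e. the behaviour reported in the thread."""
    # APP_ID / RESOURCE are placeholders for the appId and resourcePath.
    status, body = transport("POST", "/authazws/AuthRestService/login/APP_ID/RESOURCE",
                             {"Content-Type": "application/xml"},
                             build_login_request(username, password))
    code, token = parse_login_response(status, body)
    if not token:
        return {"login": code, "token_reused_after_logout": None}
    cookie = {"Cookie": f"SMSESSION={token}"}
    before, _ = transport("GET", "/protected/resource", cookie, "")          # placeholder URL
    _, lbody = transport("POST", "/authazws/AuthRestService/logout/", cookie, "")
    logout = "LOGOUT_SUCCESS" if "LOGOUT_SUCCESS" in lbody else "OTHER"
    after, _ = transport("GET", "/protected/resource", cookie, "")
    return {"login": code, "before_logout": before, "logout": logout,
            "after_logout": after, "token_reused_after_logout": after == 200}


def make_fake_transport(honour_logout: bool) -> Transport:
    """Constructed in-memory gateway. With honour_logout=False it reproduces
    the thread's symptom: logout reports LOGOUT_SUCCESS but the session is
    never removed from the store, so the token keeps working."""
    sessions = set()
    issued = [0]

    def transport(method: str, path: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
        cookie = headers.get("Cookie", "")
        token = cookie[len("SMSESSION="):] if cookie.startswith("SMSESSION=") else ""
        if path.startswith("/authazws/AuthRestService/login/"):
            req = ET.fromstring(body)
            if req.findtext("userName") == "user1" and req.findtext("password") == "user1":
                issued[0] += 1
                tok = f"sess-{issued[0]}"          # constructed token value
                sessions.add(tok)
                return 200, (f"<loginResponse><message>Authentication successful</message>"
                             f"<resultCode>LOGIN_SUCCESS</resultCode>"
                             f"<sessionToken>{tok}</sessionToken></loginResponse>")
            return 400, ("<loginResponse><message>Authentication Failed</message>"
                         "<resultCode>LOGIN_FAILED</resultCode></loginResponse>")
        if path.startswith("/authazws/AuthRestService/logout/"):
            if honour_logout:
                sessions.discard(token)
            # logoutResponse shape is assumed; the thread only quotes the result code
            return 200, "<logoutResponse><resultCode>LOGOUT_SUCCESS</resultCode></logoutResponse>"
        # Protected resource: accepted only while the token is in the session store.
        return (200, "ok") if token in sessions else (401, "unauthorized")

    return transport


if __name__ == "__main__":
    print("persistent realm:", verify_logout_invalidates(make_fake_transport(True), "user1", "user1"))
    print("logout ignored:  ", verify_logout_invalidates(make_fake_transport(False), "user1", "user1"))
```

Running the harness against a real gateway (by replacing `make_fake_transport` with an HTTP-backed transport) gives a repeatable check for the realm setting mentioned above: if `token_reused_after_logout` comes back True, the session was not removed from the store on logout and the realm configuration needs attention.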