Symantec Access Management


OpenIDConnect Authorisation provider export and import

  • 1.  OpenIDConnect Authorisation provider export and import

    Posted 01-24-2019 10:59 PM

    Hi All,

     

    We are in the process of automating the OpenIDConnect provider migration from one environment to another environment. Could you please help me understand: is this something different from SiteMinder domain object migration? What is the root object for the authorisation provider and client to export from one environment?

     

    Thanks

    Sasi



  • 2.  Re: OpenIDConnect Authorisation provider export and import

    Posted 01-28-2019 05:29 PM

    Any suggestions around this ?



  • 3.  Re: OpenIDConnect Authorisation provider export and import

    Posted 01-28-2019 10:46 PM

    Hi Sasi,  from the internal case I did some testing with PS R12.7 

     

    I cheated a bit, I did xpsexport, then viewed using SMPolicyReader to build my xcart, then tried xpsexport with the xcart. 

    Siteminder Policy Reader 

    Using SMPolicyReader to generate xcart selection. 

     

    But I tried this : 

     

    1) OpenID Provider 

     

     

    (note my first version of this post has this as failed - it was user error however, as I must have been using older backup, and the xid had changed - using the correct xid then the export worked fine - Mark 7-Feb-2019) 

     

    This did not seem to export : I could grab the id : 

     

    Right click add to XCart then Tools/XCart gives a screen then save : gives : 

    # Type: CA.SM::OAuthIdP
    # (I): Name : "null"
    # (C): Desc : "OAuthIdP@21-2daea3f1-02bf-49a5-8cde-13809ec34ec8"
    CA.SM::OAuthIdP@21-2daea3f1-02bf-49a5-8cde-13809ec34ec8

     

    And then run the export :  

         > xpsexport output2.xml -xf testxcart.txt -npass

     

    Then it all worked fine : 

     

    2) OpenID Client 

    This did seem to work.

    I selected the OIDCClient : 

    Then with the xcart, it can show references, it had one OIDCAdminConfig : so I added that to the cart as well: 

     

     

    Saving the xcart gives : 

    # Type: CA.FED::OIDCClient
    # (I): Name : "www-demo-com"
    # (C): Desc : "CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725"
    CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725

    # Type: CA.FED::OIDCAdminConfig
    # (I): Name : "openId-provider-example"
    # (C): Desc : "CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c"
    CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c

     

    Then I ran the export - and it did export items: 

     

    >xpsexport output.xml -xf testxcart2.txt -npass

     

    That did export those two items, and a variety of other items (certs etc.) as well.

     

    That is header of output (I have some XTrace items set so it prints long list of stuff).

     

     

    I did check and you can get to those items via XPSExplorer as well to build xcart as normal.

     

    And it gives same result from xpsexport once built up xcart list. 

     

    Cheers - Mark
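
Added example (not part of the post above and not CA/Broadcom code): a pre-flight check for the stale-xid problem the post mentions, which parses an xcart file and reports entries whose XID does not occur in a fresh export. The function names `parse_xcart` and `stale_xids` are hypothetical, the xcart layout is inferred from the two carts quoted in the post, and the export is compared as plain text so nothing is assumed about its XML schema.

```python
import re

# Layout inferred from the two xcart files quoted in the thread (an assumption):
# "#" comment lines describing the object, then one "Class@xid" line.
COMMENT = re.compile(r'^#\s*(?:\([A-Z]\):\s*)?(\w+)\s*:\s*(.*)$')
OBJECT = re.compile(r'^([\w.]+::\w+)@([\w-]+)$')


def parse_xcart(text):
    """Return one dict per object line: xid, cls, name, desc."""
    entries, meta = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = COMMENT.match(line)
            if m:
                meta[m.group(1).lower()] = m.group(2).strip().strip('"')
            continue
        m = OBJECT.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a Class@xid entry: {line!r}")
        if meta.get("type", m.group(1)) != m.group(1):
            raise ValueError(f"line {lineno}: '# Type' says {meta['type']}, "
                             f"object line says {m.group(1)}")
        entries.append({"xid": line, "cls": m.group(1),
                        "name": meta.get("name"), "desc": meta.get("desc")})
        meta = {}
    return entries


def stale_xids(entries, export_text):
    """XIDs in the cart that never occur in the text of a current export."""
    return [e["xid"] for e in entries if e["xid"] not in export_text]


# Constructed sample: the second cart from the post, and a stand-in for the
# contents of a fresh full export (not real xpsexport output).
CART = '''# Type: CA.FED::OIDCClient
# (I): Name : "www-demo-com"
# (C): Desc : "CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725"
CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725

# Type: CA.FED::OIDCAdminConfig
# (I): Name : "openId-provider-example"
# (C): Desc : "CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c"
CA.FED::OIDCAdminConfig@87b4d212-b07e-4b40-bfb8-5da126ebda9c
'''
CURRENT_EXPORT = "... CA.FED::OIDCClient@049a2973-ea10-4fc0-877a-d44b3e6e0725 ..."
```

An empty result from `stale_xids` means every cart entry was found in the export text; any XID it returns should be re-selected from the current policy store before the cart is passed to `xpsexport -xf`.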



  • 4.  Re: OpenIDConnect Authorisation provider export and import

    Posted 01-28-2019 11:04 PM

    Thank you Mark. Much appreciated. 

     

    We are building CA SSO 12.8 in cloud and planning to restrict any form of server instances directly (including policy and secure proxy servers). Hence, administrators cannot log in to execute these OOTB SSO utilities. Do we have any option for this? Do we need to write REST API based?

     

    In the meantime, let me try your steps to migrate federation objects.



  • 5.  Re: OpenIDConnect Authorisation provider export and import

    Posted 01-29-2019 09:28 AM

    Hi Sasi,

     

    We have an option to perform XPS export and import using REST APIs from CA SSO 12.7. If you would like to try, you can check the REST APIs option in the footer of Administrative UI. Swagger references are included in the documentation, you can see these topics: Policy Object REST APIs/REST API Reference Documentation.

     

    The upcoming validation kit of the CA SSO 14.0 Customer Validation program includes REST APIs for OIDC. You can register to give this feature a try and share your feedback. 

     

    Regards,

    Gayatri