Symantec Access Management

  • 1.  How to use the SMAUTH_CHALLENGE response during user authentication phase in authenticate() method?

    Posted Nov 28, 2017 02:45 PM

    What is the SMAUTH_CHALLENGE response used for in the Authentication Phase of the authenticate() method of the SMJavaAPI? I am creating a Custom Authentication Scheme.

     

    Can this be used to redirect the user to another FCC page to collect additional information? Is the "challenge" meant for "challenging" the user for more info before returning an SMAUTH_ACCEPT?

     

    CA Single Sign-On CA Security #siteminderr12.52 



  • 2.  Re: How to use the SMAUTH_CHALLENGE response during user authentication phase in authenticate() method?

    Posted Nov 29, 2017 01:32 AM

    Hi Rob,

     

    From the doco:

    Configure a Java Custom Authentication Scheme Instance - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 

    During the user authentication phase:

    • SMAUTH_ACCEPT: The user is authenticated.

    • SMAUTH_REJECT: The user is not authenticated.

    • SMAUTH_CHALLENGE: The user is challenged. The scheme passes the challenge message to the Policy Server through setUserText(). Also, a reason code must be supplied in the SmAuthenticationResult object returned by authenticate(). The Policy Server passes back this reason code in the challengeReason parameter in a subsequent call to authenticate().

     

    Yes, it is meant for re-challenging the user if the authentication fails. I don't think you can redirect to another FCC, however.

     

    Have you looked at this option for collecting an additional attribute during authentication:

    Tech Tip: CA Single Sign-On: Policy Server: How to collect additional attribute using custom authentication

     

    Regards,

    Ujwol



  • 3.  Re: How to use the SMAUTH_CHALLENGE response during user authentication phase in authenticate() method?

    Posted Nov 30, 2017 10:37 AM

    Hi Ujwol - Thank you for the quick response and for the recommendation. I have actually used that example in the past to create a custom authentication scheme and I have successfully collected additional information on the initial FCC page. 

     

    At a high level, I would like to receive additional information from the end user, but I don't want to do it all at once. I would like to ask for the additional information once I've verified the user's username/password. 

     

    I was more interested in being able to have the first FCC page (let's call it the credentials FCC) collect a username/password. I would then like that to call the custom authentication scheme, which would verify the username/password and then return an "SMAUTH_CHALLENGE".

     

    Can this "SMAUTH_CHALLENGE" response be used to point the "authenticated" user to an additional FCC page (more info FCC) to ask for 1 more bit of information?



  • 4.  Re: How to use the SMAUTH_CHALLENGE response during user authentication phase in authenticate() method?

    Posted Dec 04, 2017 02:06 PM

    Hi Rob,

     

    Yes, that is what the Challenge Auth status is meant to do.

    These parts of the SDK are not documented as well as they should be.

     

    I hope the below snippet helps:

     

    PS: I am with the CA Global Delivery group, CA's Professional Services group.

    If you need assistance writing a custom Auth Scheme, we are available (for a fee).

     

    Good Luck,

    Joe O'Donnell

     

    public SmAuthenticationResult authenticate(String parameter, String secret, int challengeReason,
                                               SmAuthenticationContext context)
    {
       // cannot do authentication without the authentication context
       if (null == context)
       {
          //logWriter.println("auth nullcontext");
          return new SmAuthenticationResult(SmAuthStatus.SMAUTH_NO_USER_CONTEXT,
                                            SmAuthenticationResult.REASON_NONE);
       }

       // ... (username/password verification elided in the original post) ...

       // Redirect the user to the second FCC: the URL goes into the error text, and the
       // REASON_ERROR_MESSAGE_IS_REDIRECT reason code tells the agent to treat that text
       // as a redirect target. newFccUrl is the second FCC's URL, presumably set in the
       // elided code above.
       context.setErrorText(newFccUrl);
       return new SmAuthenticationResult(SmAuthStatus.SMAUTH_CHALLENGE,
                                         SmAuthenticationResult.REASON_ERROR_MESSAGE_IS_REDIRECT);
    }
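The following is an added worked example of the full two-step flow described in this thread; it is not code from any of the posts and not CA's own sample code. It combines the redirect technique from Joe's snippet (error text plus REASON_ERROR_MESSAGE_IS_REDIRECT) with the documented behaviour quoted earlier, namely that the reason code returned with SMAUTH_CHALLENGE is handed back as challengeReason on the next authenticate() call. It assumes the SMJavaAPI classes and methods named in the comments (getUserContext(), getUserCredentialsContext(), getPassword(), isUserContext(), authenticateUser() returning 0 on success, getProp()), an assumed second FCC path, and an assumed FCC that re-posts the password with the extra value appended after a separator; the directory attribute name is hypothetical.

```java
// Added example, not from the thread. Assumed SMJavaAPI surface:
//   SmAuthenticationContext.getUserContext() / .getUserCredentialsContext()
//   SmAuthenticationContext.setUserText(String) / .setErrorText(String)
//   SmUserCredentialsContext.getPassword()
//   SmUserContext.isUserContext() / .authenticateUser(String) / .getProp(String)
import com.netegrity.policyserver.smapi.SmAuthStatus;
import com.netegrity.policyserver.smapi.SmAuthenticationContext;
import com.netegrity.policyserver.smapi.SmAuthenticationResult;
import com.netegrity.policyserver.smapi.SmUserContext;
import com.netegrity.policyserver.smapi.SmUserCredentialsContext;

public class TwoStepChallengeScheme {

    // Assumed path of the second FCC that asks for the extra attribute.
    private static final String MORE_INFO_FCC = "/siteminderagent/forms/moreinfo.fcc";

    // Assumed: the second FCC re-posts the password as "<password>|<extra>"
    // (for example @smpassword=%PASSWORD%|%EMPLOYEEID% in the .fcc), so the
    // scheme can re-verify the password and read the extra value from one field.
    private static final char SEPARATOR = '|';

    // Hypothetical directory attribute the extra value is checked against.
    private static final String EXTRA_ATTR = "employeeNumber";

    public SmAuthenticationResult authenticate(String parameter, String secret,
                                               int challengeReason,
                                               SmAuthenticationContext context) {
        if (context == null) {
            return fail(SmAuthStatus.SMAUTH_NO_USER_CONTEXT);
        }
        SmUserContext user = context.getUserContext();
        SmUserCredentialsContext creds = context.getUserCredentialsContext();
        if (user == null || !user.isUserContext() || creds == null) {
            return fail(SmAuthStatus.SMAUTH_NO_USER_CONTEXT);
        }

        // Split the posted field into password and (optional) extra value.
        String posted = creds.getPassword() == null ? "" : creds.getPassword();
        int sep = posted.indexOf(SEPARATOR);
        String password = sep < 0 ? posted : posted.substring(0, sep);
        String extra = sep < 0 ? null : posted.substring(sep + 1).trim();

        // Both steps verify the password. challengeReason arrives via a client
        // round-trip, so it must never be the only evidence that step 1
        // succeeded. (Assumed: authenticateUser() returns 0 on success.)
        if (user.authenticateUser(password) != 0) {
            return fail(SmAuthStatus.SMAUTH_REJECT);
        }

        boolean secondStep =
            challengeReason == SmAuthenticationResult.REASON_ERROR_MESSAGE_IS_REDIRECT
            && extra != null;

        if (!secondStep) {
            // Step 1 passed: challenge the user and redirect to the second FCC.
            // The reason code returned here comes back as challengeReason.
            context.setUserText("Additional information required");
            context.setErrorText(MORE_INFO_FCC);
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_CHALLENGE,
                SmAuthenticationResult.REASON_ERROR_MESSAGE_IS_REDIRECT);
        }

        // Step 2: compare the posted value with the user's directory attribute.
        String expected = user.getProp(EXTRA_ATTR);
        if (expected == null || !expected.equals(extra)) {
            return fail(SmAuthStatus.SMAUTH_REJECT);
        }
        return new SmAuthenticationResult(SmAuthStatus.SMAUTH_ACCEPT,
                                          SmAuthenticationResult.REASON_NONE);
    }

    private static SmAuthenticationResult fail(SmAuthStatus status) {
        return new SmAuthenticationResult(status, SmAuthenticationResult.REASON_NONE);
    }
}
```

The design point worth keeping is that the password is re-verified on the second call rather than trusting challengeReason alone: the reason code only tells the scheme which step the client claims to be on, and a request posted directly to the second FCC must not be able to skip the credential check.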