Symantec Access Management

Update on March 29th. The sample code has been expanded to include support for Android. The zip file also now includes updated instructions as well.
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
The attached SiteMinder mobile application authentication solution provides a sample source code project that you can use to build a working sample native iOS app that demonstrates the use of SiteMinder for authentication. Mobile application developers can also use the source code as the basis for developing their own native mobile apps that use SiteMinder authentication. It also provides resources to deploy on a Web Agent or Secure Proxy Server (SPS) to expose SiteMinder authentication operations as web services.

This is a Prerelease Documentation, do we have a formal release doc now?

Any soluton name related to that. Quite interested in it.

Cloudfans,

I'm also very interested in finding out if there is a formal release doc.

If anyone is aware of one please share it with the forum.

Sharing some issues I found when running the iOS version:

1) the logout.fcc file should redirect the flow to "success.html" file; so change the target as follows:

@target=/success.html

2) the "success.html" must exist in the <web_root> folder (because the code tests the response status 200 as well...); so, as it's not included in the zip, create an empty file.

(Note: the "fail.html" file does not need to exist..)

Cheers.

I was wondering if anyone has updated the Android version of the mobile app into the current Android Studio? According to what I am seeing, Eclipse is no longer being used?

mailto:"If you have been using Eclipse with ADT, be aware that Android Studio is now the official IDE for Android, so you should migrate to Android Studio to receive all the latest IDE updates" http://developer.android.com/sdk/index.html

Hi

I did import the SM android project into Android Studio as part of a case I was working on.

Generally it worked, the project uses httpclient, which is deprecated in latest android release but can be enabled via:

http://stackoverflow.com/questions/32153318/httpclient-wont-import-in-android-studio

If you need sdk 23, add this to your gradle:

android {
  useLibrary 'org.apache.http.legacy'
}

However, the code for this app is quite old, its a starting point, but in reviewing it particularly the login mechanism I though needed upgrading.  The current method uses a GET with the UN/PW as query parameters, and a regular URL to test login status.  :

• Login mechanism via Basic  
  A better mechanism would be to use a Basic Auth which is done by adding an Authenticate: header to the request.  The UN/PW is passed as a content header rather than on the URL line. Also httpclient and URLConnection can setup Authenticators to respond when the server asks for this basic http authetication.   Basic Auth from Siteminder also responds with a 401 status when access fails, which is easier to detect in the app progamatically.   A resource protected by a login page, on auth failure responds with a 302 redirect to the login page - so you need more work in your app to cater for all that.    The Basic Auth UN/PW passed via basic can be done fairly easily :
  http://stackoverflow.com/questions/1748374/http-401-whats-an-appropriate-www-authenticate-header-value
  
  
• Login method via REST/SOAP webservices
  An alternative login method (suggested to me internally) was the webservices REST/SOAP ones available on CA Access Gateway (formerly Secure Proxy Server). 
  
  Configuring the Authentication and Authorization Web Services - CA Single Sign-On - 12.52 SP1 - CA Technologies Document…
  
  Its a good suggestion, but the first one only needs a normal webagent, this one needs the SPS server with those web services setup.  The webservices while good for the login process, does not directly resolve what happens you access a resource and fail, so you may still need to check for 302 redirects to the login page to identify Az failure or timeout.
  

Cheers - Mark

Thanks Mark. Looking at the documentation for REST API there is a support for application/xml . Is there a REST API call supports JSON request and response?

No, REST API call does not support JSON request and response.

Do you know when the JSON request/response will be supported for REST API. When we talk about mobile authentication,mobile device prefer to use json as oppose to other formats the support of JSON would be ideal for those apps to call SM exposed services via REST.

Hi,

We are trying to enable Mobile Auth/AZ through webservice using SPS, we are not able to access the webservice when it is protected, it works when we unprotect the webservice and disable the RequireAgentEnforcement parameter in ACO. for POC purpose it is working as we are not protecting the webservice. Please let us know how to proceed with a protected webservice.

Hi Ajay,

Yes it is a little tricky, when you set RequireAgentEnforcement=yes, then access to the webservices URL needs to be protected access.

https://webservices.example.com/authazws/AuthRestService/login/appID/Resource

In addition to RequireAgentEnforcement=YES in the ACO you also need to add an AgentName mapping for the access the webserver, something like :

AgentName=wsagent,webservices.sample.com

http://webservices.sample.com/AgentName=agent1,appID1

And then you need to add policy so the webagent: wsagent considers /authazws URL as protected.  You also need to pick an auth scheme for the realm as well. 

The deal then is that then to access https://webservices.example.com/authazws/AuthRestService/login/appID/Resource  it is a normal siteminder protected URL, so you need an SMSESSION cookie to make that webservices call.   The Admin guide recommends using an SSL credential scheme.

So the idea is that your client has one level of access to get to the webservices.sample.com URL, either using a client certiifcate or similar (coded UN/PW basic auth will also work), that gives that client the ability to send logon requests and get back responses.

You can see in the above that it is really applicable to a server trying to process logon requests on behalf on some other service, giving user credentials and passing back the smtoken (really the SMSESSION cookie content).  It is not really the same as a mobile app making a call, and trying to logon the device owner, and get a SMSESSON cookie for its own use. 

If yours is the 2nd case then you really want anonymous access to the login service, to allow any user to make that call.   Also then in this 2nd case the call to the https://webservices.exmaple.com/AuthRestService/authz/appID/Resource is probably not applicable to you, since it just tells you if that user has access to the resource - it does not return the resource contents.  In the 2nd case, you are more likely to bundle the smtoken you got back as an SMSESSION cookie to access a normal Siteminder protected resource.

Cheers - Mark

PS: A good tip to seeing what is happening is to enable the webagent and webagnet trace logging in the webservices ACO

This may help also https://www.youtube.com/watch?v=6ZMe_7WL_-M

Thanks sharing useful information. 

We are building an ipad tablet app for a client. This client use the Siteminder for their Login process. Within the app we are able to login using the webviewer. But after login when we make a call to other api, it is NOT showing results and redirecting to login page again. This is due to smsession values are in webviewer and not in native xcode environment and authentication is failing. May I know how to get authentication from webviewer into native environment?                       

Or is there any documentation to follow so we can use siteminder protected api in native ios environment?

thanks.

Hi pmhooda,

I also have a similar problem to solve, can you help with what you had to do to resolve this ?