Symantec Access Management


can we configure a siteminder policy to only process authentication events

  • 1.  can we configure a siteminder policy to only process authentication events

    Posted Sep 21, 2016 05:50 PM

    Hello All, can we configure a siteminder policy to only authenticate the users and redirect them to the target application without doing any authorization? Any help is appreciated, Thank You.



  • 2.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 21, 2016 05:57 PM

    Yes, you can disable authorization processing at the realm level from the admin UI.



  • 3.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 21, 2016 05:58 PM

    Thank You for your quick response. I tried that and flushed the realm cache and restarted the webserver, but I still see AuthAccept and AzAccept events being triggered in the smaccess.log, so I am assuming that the policy server is doing both authentication and authorization events. Thank You.



  • 4.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 21, 2016 06:11 PM

    Can you try restarting the PS?



  • 5.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 21, 2016 06:22 PM

    I just restarted the policy server and am still seeing both auth and az events in the smaccess.log. Thank You.



  • 6.  Re: can we configure a siteminder policy to only process authentication events
    Best Answer

    Posted Sep 21, 2016 10:46 PM

    In the old days (Policy Server version 5.x), the Authentication, Authorization, Accounting and Administration were separate services.

    So, it was possible to have a specific policy server process the authentication only.

    Now we have all the services combined and no option to enable a specific service only (other than the admin service).

    If this is a requirement, you can raise an Idea on this feature.



  • 7.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 22, 2016 01:34 PM

    Thank You Kim.



  • 8.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 21, 2016 09:41 PM

    Hi,

    I did a test in my environment by disabling authorization events and got the same behavior: the user gets auth and az,

    i.e.:

    AuthAccept DRSSOIAM2 [22/Sep/2016:11:34:58 +1000] "127.0.0.1 cn=user1,ou=support,o=userstore" "transpolar agent GET /transpolar/frontpage.htm" [idletime=3540;maxtime=7200;authlevel=5;] [0]  [] []
    AzAccept DRSSOIAM2 [22/Sep/2016:11:34:58 +1000] "127.0.0.1 cn=user1,ou=support,o=userstore" "transpolar agent GET /transpolar/frontpage.htm" [0000000000000000000000000100007f-0e18-57e33542-0e44-002b3e12] [0]  [] []

    From UI help, it mentioned:

    Therefore, the auth and az will happen anyway. The difference is whether it triggers the rule that is tied to az or not.

    In general, isProtected, isAuthenticated, isAuthorized happen. What is the reason not to have authorization?

    Regards,

    Kar Meng



  • 9.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 22, 2016 01:34 PM

    Thank You for your help Meng.



  • 10.  Re: can we configure a siteminder policy to only process authentication events

    Broadcom Employee
    Posted Sep 22, 2016 12:00 AM

    Use this Parameter in ACO to disable Authorization.

    "EnableAuthorization"

     

    Below Documentation link captures some information on this ACO parameter.

    List of Agent Configuration Parameters - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation 



  • 11.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 22, 2016 01:36 PM

    Hello Konja, I tried that ACO parameter and restarted the webserver and PS, but I am still seeing the AzAccept in the smaccess.log. Still trying to get this working. Thank You for your help.



  • 12.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 22, 2016 07:04 PM

    Hi Kona,

    Thanks for the information. That's a new thing to me.



  • 13.  Re: can we configure a siteminder policy to only process authentication events

    Broadcom Employee
    Posted Sep 22, 2016 01:56 PM

    "EnableAuthorization" ACO parameter functionality is available from the 12.52 SP1 CR4 release onwards. Please check the version details of both the webagent and the Policy Server.



  • 14.  Re: can we configure a siteminder policy to only process authentication events

    Posted Sep 26, 2016 12:21 PM

    Thank You for all the suggestions. I had to upgrade my webagent to the 12.52 and test again; I will update once I have done that. Thank You.
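
    The check the thread keeps repeating by eye (are Az events still logged in smaccess.log after authorization was disabled?) can be scripted. This is an added example, not code from any poster or from the product. It assumes the line layout of the two entries quoted in post 8; the function names, the cutoff times and the third sample line are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Layout assumed from the two smaccess.log lines in post 8:
# EVENT HOST [timestamp] "client_ip user_dn" "agent_name METHOD resource" ...
LINE_RE = re.compile(
    r'^(?P<event>\w+)\s+(?P<host>\S+)\s+\[(?P<ts>[^\]]+)\]\s+'
    r'"(?P<ip>\S+)\s*(?P<user>[^"]*)"\s+'
    r'"(?P<agent>.*?) (?P<method>[A-Z]+) (?P<resource>\S+)"'
)

def parse_ts(text):
    """Parse a timestamp such as 22/Sep/2016:11:34:58 +1000 (timezone-aware)."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")

def parse_line(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = parse_ts(rec["ts"])
    return rec

def az_events_after(lines, cutoff):
    """Count events logged at or after cutoff and list the (agent, resource)
    pairs that still produce events whose name starts with 'Az'."""
    counts, az_resources = Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ts"] < cutoff:
            continue
        counts[rec["event"]] += 1
        if rec["event"].startswith("Az"):
            az_resources.add((rec["agent"], rec["resource"]))
    return counts, sorted(az_resources)

# Lines 1-2 are copied from post 8; line 3 is constructed (later request, no Az event).
SAMPLE = [
    'AuthAccept DRSSOIAM2 [22/Sep/2016:11:34:58 +1000] "127.0.0.1 cn=user1,ou=support,o=userstore" "transpolar agent GET /transpolar/frontpage.htm" [idletime=3540;maxtime=7200;authlevel=5;] [0]  [] []',
    'AzAccept DRSSOIAM2 [22/Sep/2016:11:34:58 +1000] "127.0.0.1 cn=user1,ou=support,o=userstore" "transpolar agent GET /transpolar/frontpage.htm" [0000000000000000000000000100007f-0e18-57e33542-0e44-002b3e12] [0]  [] []',
    'AuthAccept DRSSOIAM2 [22/Sep/2016:12:10:03 +1000] "127.0.0.1 cn=user1,ou=support,o=userstore" "transpolar agent GET /transpolar/frontpage.htm" [idletime=3540;maxtime=7200;authlevel=5;] [0]  [] []',
]

if __name__ == "__main__":
    # Hypothetical time at which the configuration change took effect.
    counts, still_az = az_events_after(SAMPLE, parse_ts("22/Sep/2016:12:00:00 +1000"))
    print(dict(counts), still_az)
```

    An empty second value means no Az events were logged for any resource after the cutoff; any pair listed there is still going through authorization.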