Symantec Access Management

  • 1.  Authorization based on REST API

    Posted Mar 25, 2022 05:50 AM
    Hi,

    Customer is looking for a mechanism for creating an authorization policy based on REST calls.
    I found it is feasible with SiteMinder variables based on SOAP calls, but I didn't find anything about REST.

    The **** idea is to have a REST API where to send userid and url and receive back authorized YES/NO.

    The only option I found is to develop a custom policy in Java.

    Any idea of a simpler implementation?
    If Java is the only option, do you have some sample code for it?

    regards
    Franco


  • 2.  RE: Authorization based on REST API

    Broadcom Employee
    Posted Mar 31, 2022 04:49 PM
    Hi Franco,

    SiteMinder's Authentication & Authorization Web Services support RESTful calls for authN & authZ operations. The SiteMinder Access Gateway is a requirement as the services are provided from that component.

    Here's a link to the SiteMinder documentation: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/access-gateway-configuration/configuring-the-authentication-and-authorization-web-services.html



  • 3.  RE: Authorization based on REST API

    Posted Apr 01, 2022 03:07 AM
    Edited by Francesco Mascioli Apr 01, 2022 03:11 AM
    Hi Warren,
    this is not the point.

    The situation is the following:
    Customer has a standard configuration with many applications managed by SiteMinder and authorization policies based on group membership.

    Now the authorization rules are getting complex and the group membership does not fit the customer requirements anymore. So customer would like to create an application, with a REST interface, where to pass user and URL as parameters and receive back the answer authorized yes/no. Customer is now expecting to integrate the authorization application in SiteMinder.

    In the current SiteMinder version I can create a custom policy in Java for calling the external REST interface and get this result.
    I'm asking for a mechanism for implementing this policy without custom code.

    (I mentioned here that this mechanism is feasible now using variables based on SOAP calls, and I'm asking for a similar feature with REST calls)

    thanks and regards
    Franco 




  • 4.  RE: Authorization based on REST API

    Posted May 17, 2022 08:58 AM
    Hello Franco,
    I had the same problem! And I had also thought to solve it by filling in some variables via REST API.
    Were you able to figure out if it is natively supported?
    In the end I wrote a parameterized policy which does the REST call.
    Marco