

(Optional) SSO HTTP Response Headers

HTTP response headers are the HTTP message header fields that define the operating parameters of an HTTP transaction. The CA Identity Governance server maintains a configuration file (eurekify.cfg) that contains the CA Identity Governance Portal user accounts. You configure the CA SiteMinder® response policy to return the user information that corresponds to the UserID field in this configuration file as follows:

CA Identity Governance uses the following system properties to parse the returned HTTP header for returned attributes. These values must match the attribute labels that CA SiteMinder® inserts in the HTTP header:

sage.security.siteminder.username.attribute

Defines the attribute label in the returned HTTP header that contains the username or the value of the UserID field. The field defined in this property must be present in the HTTP header.

Default: sm_user

Note: This attribute is case-sensitive. Restart the system if you change the default setting.

sage.security.siteminder.domain.attribute

Defines the label of the attribute in the returned HTTP header that contains the user domain.

Default: rcm_domain

Example: Domain and User Name in Separate Attributes

Consider the following UserID field in the CA Identity Governance user configuration file:

RCMusersDb\Javier.Torres

The returned HTTP header can specify this user using two attributes, with the following values:

sm_user="Javier.Torres" rcm_domain="RCMusersDb"

sm_user is a standard CA SiteMinder® attribute, but you define the rcm_domain attribute for the return policy.

To parse this header, both of the following CA Identity Governance system properties must be set to the default values:

Example: Domain and Username in One Attribute

Consider the following UserID field in the CA Identity Governance user configuration file:

RCMusersDb\Javier.Torres

The returned HTTP header can specify this user using one attribute, with the following value:

rcm_userIDstring="RCMusersDb"

This attribute is not standard, and you define it for the return policy.

To parse this header, you only set the following CA Identity Governance system property:

Note: Not all environments include the domain name in the UserID field, but the username is always present. For this reason, CA Identity Governance always uses the .username. system property to parse the HTTP header, but the .domain. system property is optional.
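
The following Python sketch is an added illustration, not CA Identity Governance code. It models how the two system properties described above map the returned header attributes to a UserID value, including the case-sensitive label match and the optional domain. The function name, the exception class, and the sample value used for rcm_userIDstring are assumptions made for the example.

```python
# Added illustration; not CA Identity Governance code.
USERNAME_PROP = "sage.security.siteminder.username.attribute"
DOMAIN_PROP = "sage.security.siteminder.domain.attribute"
DEFAULTS = {USERNAME_PROP: "sm_user", DOMAIN_PROP: "rcm_domain"}


class HeaderMismatch(Exception):
    """The configured username attribute label is not in the header."""


def resolve_user_id(properties, header_attrs):
    """Map returned header attributes to a UserID value (hypothetical helper).

    properties   -- system properties; missing keys fall back to the defaults
    header_attrs -- attribute label -> value, as set by the response policy
    """
    cfg = {**DEFAULTS, **properties}
    user_label, domain_label = cfg[USERNAME_PROP], cfg[DOMAIN_PROP]

    # The username attribute must be present, and the label is matched
    # exactly (case-sensitive), as the note on the property states.
    if user_label not in header_attrs:
        near = [k for k in header_attrs if k.lower() == user_label.lower()]
        hint = f"; found {near[0]!r} with different case" if near else ""
        raise HeaderMismatch(f"attribute {user_label!r} missing{hint}")

    username = header_attrs[user_label]
    # The domain attribute is optional; without it the username stands alone.
    domain = header_attrs.get(domain_label)
    return f"{domain}\\{username}" if domain else username


# Constructed sample inputs for the two layouts described above.
TWO_ATTRS = {"sm_user": "Javier.Torres", "rcm_domain": "RCMusersDb"}
# Assumption: the single attribute carries the complete UserID string.
ONE_ATTR = {"rcm_userIDstring": "RCMusersDb\\Javier.Torres"}

if __name__ == "__main__":
    print(resolve_user_id({}, TWO_ATTRS))
    print(resolve_user_id({USERNAME_PROP: "rcm_userIDstring"}, ONE_ATTR))
```

Running the same check against a captured response header before changing the properties shows whether the labels in the response policy and the system properties agree, including a label that differs only in case.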