Web Agent Response Attributes for SOA Agents

Web Agent response attributes are response attributes that SOA Agents and SOA Security Manager Web Agents can interpret and pass on to other applications. The following is a list of Web Agent response attributes available in SOA Security Manager:

WebAgent-SAML-Session-Ticket-Variable

Provides data from the Policy Server that the SOA Agent uses to generate a SAML assertion to insert into an XML message’s HTTP or SOAP envelope header or a cookie (as specified by associated response attributes).

When you configure a SAML Session Ticket response, the Policy Server generates the response data that instructs the SOA Agent how to build the assertion. The SOA Agent encrypts a session ticket (and optionally, a web service consumer’s public key) together with the response data and generates the actual assertion. The Agent then delivers the assertion to the web service. The token can only be encrypted and decrypted by the SOA Agent using its Agent key.

WebAgent-WS‑Security-Token

Provides data from the Policy Server that the SOA Agent uses to generate WS‑Security Username, X509v3, or SAML tokens (as specified by associated response attributes) to add to a SOAP message header.

When you configure a WS‑Security response, the Policy Server generates the response data that instructs the SOA Agent how to build the token. The Agent then generates and adds the token to the SOAP request and delivers it to the web service.

WebAgent-HTTP-Authorization-Variable

Indicates an attribute defined and reserved for future SOA Security Manager use.

WebAgent-HTTP-Cookie-Variable

Generates a Set-Cookie header, which then sets a non-persistent cookie in a Web browser. The cookies exist only in the cookie domain where the Web Agent is configured. You can enter multiple WebAgent-HTTP-Cookie-Variables.

Limits: Use in accept or reject responses. Multiple instances of this attribute are allowed per response.

WebAgent-HTTP-Header-Variable

Specifies an arbitrary dynamic name/value pair for use by a Web application. You can enter multiple WebAgent-HTTP-Header-Variables.

The Web Agent does not include header variables in the responses that it sends back to a Web browser. Instead, these responses, generated by the Policy Server, reside in the request headers of the Web server.

Consequently, the header variables will not be visible in the debug logs that you can enable from the Policy Server Management Console.

Limits: Use in accept or reject responses. Multiple instances of this attribute are allowed per response.

WebAgent-OnAccept-Redirect

Defines one of the following, depending on the type of response in which it is used:

To determine whether or not this is an authorization or authentication response, include it in a policy with a rule that specifies an OnAuthAccept or OnAccessAccept event action.

Limits: Use in accept responses. Only one instance of this attribute is allowed per response.

WebAgent-OnAccept-Text

Specifies text that the Web Agent puts in the HTTP_ONACCEPT_TEXT environment variable when it redirects the user after a successful authorization or authentication attempt.

Limits: Use in accept responses. Only one instance of this attribute is allowed per response.

WebAgent-OnAuthAccept-Session-Idle-Timeout

Overrides the number of seconds a user session can be idle. Once this limit is reached, the user is forced to re-authenticate. Associate this response with a rule configured with an OnAuthAccept authentication event.

Limits: Use in accept responses. Only one instance of this attribute is allowed per response.

WebAgent-OnAuthAccept-Session-Max-Timeout

Overrides the total number of seconds a user session can be active. Once this limit is reached, the user session is terminated and the user is forced to re-authenticate. Associate this response with a rule configured with an OnAuthAccept authentication event.

Limits: Use in accept responses. Only one instance of this attribute is allowed per response.

WebAgent-OnAuthAccept-Session-AuthContext

Specifies an AuthContext response attribute for an authentication scheme. The value of this response attribute is added to the SOA Security Manager session ticket as the value of the SM_AUTHENTICATIONCONTEXT user attribute. It is not returned to the client as a user response.

Note: The response attribute value is truncated to 80 bytes in length.

Limits: Use in accept responses. Only one instance of this attribute is allowed per response.

WebAgent-OnReject-Redirect

Defines one of the following, depending on the type of response in which it is used:

To determine whether or not this is an authorization or authentication response, include it in a policy with a rule that specifies an OnAuthReject or OnAccessReject event action.

Limits: Use in reject responses. Only one instance of this attribute is allowed per response.

WebAgent-OnReject-Text

Specifies text that the Web Agent puts in the HTTP_ONREJECT_TEXT environment variable when it redirects the user after a failed authorization or authentication attempt.

Limits: Use in reject responses. Only one instance of this attribute is allowed per response.
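
The Limits lines and the 80-byte AuthContext note above can be checked mechanically before a response is deployed. The following is an added example, not part of SOA Security Manager or its documentation: check_response, LIMITS and the sample data are hypothetical names, the (name, value) input shape is an assumption, and the byte limit is assumed to count UTF-8 bytes.

```python
from collections import Counter

# (response types allowed, multiple instances allowed), transcribed from the
# "Limits" lines on this page; attributes with no stated limits are omitted.
ANY, ACC, REJ = {"accept", "reject"}, {"accept"}, {"reject"}
LIMITS = {
    "WebAgent-HTTP-Cookie-Variable": (ANY, True),
    "WebAgent-HTTP-Header-Variable": (ANY, True),
    "WebAgent-OnAccept-Redirect": (ACC, False),
    "WebAgent-OnAccept-Text": (ACC, False),
    "WebAgent-OnAuthAccept-Session-Idle-Timeout": (ACC, False),
    "WebAgent-OnAuthAccept-Session-Max-Timeout": (ACC, False),
    "WebAgent-OnAuthAccept-Session-AuthContext": (ACC, False),
    "WebAgent-OnReject-Redirect": (REJ, False),
    "WebAgent-OnReject-Text": (REJ, False),
}
RESERVED = "WebAgent-HTTP-Authorization-Variable"
AUTHCONTEXT = "WebAgent-OnAuthAccept-Session-AuthContext"

def check_response(kind, attributes):
    """kind is "accept" or "reject"; attributes is a list of (name, value)."""
    findings = []
    for name, n in Counter(name for name, _ in attributes).items():
        if name == RESERVED:
            findings.append(f"{name}: reserved for future use")
        kinds, multi = LIMITS.get(name, (ANY, True))  # no stated limit: passes
        if kind not in kinds:
            findings.append(f"{name}: not valid in {kind} responses")
        if n > 1 and not multi:
            findings.append(f"{name}: {n} instances, only one allowed")
    for name, value in attributes:
        if name == AUTHCONTEXT:
            size = len(value.encode("utf-8"))  # assumption: limit counts UTF-8 bytes
            if size > 80:
                findings.append(f"{name}: {size} bytes, truncated to 80")
    return findings

# Constructed sample response, not taken from a real policy store.
SAMPLE = [
    ("WebAgent-HTTP-Header-Variable", "ROLE=clerk"),
    ("WebAgent-HTTP-Header-Variable", "DEPT=claims"),
    ("WebAgent-OnAuthAccept-Session-Idle-Timeout", "900"),
    ("WebAgent-OnAuthAccept-Session-Idle-Timeout", "600"),
    ("WebAgent-OnAuthAccept-Session-AuthContext", "urn:example:authcontext:" + "é" * 30),
    ("WebAgent-OnReject-Text", "Access denied"),
]

if __name__ == "__main__":
    print("\n".join(check_response("accept", SAMPLE)))
```

The sample AuthContext value is 54 characters but 84 bytes, so a length check on characters alone would miss the truncation.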