Configuration GuidesSiteMinder Agent for JBoss GuideConfigure the SiteMinder Agent Security Interceptor to Protect Web ApplicationsConfigure Policy Objects for the SiteMinder Agent Security Interceptor › (Optional) Configure the Agent to Return Group Membership to JBoss Using Responses

Previous Topic: Configure a SiteMinder Agent Security Interceptor Authentication Realm

Next Topic: Configure Security Policies for the Proxy Server Web Agent
(Optional) Configure the Agent to Return Group Membership to JBoss Using Responses

The SiteMinder Agent Web Interceptor can be configured to return physical or virtual group membership information to JBoss using SiteMinder HTTP header responses from the Policy Server during user authentication.

When the SiteMinder Agent Web Interceptor receives responses containing the _SM_JBOSS_GROUP=group name syntax, the SiteMinder Agent Web Interceptor converts the group_name value to a J2EE principal and adds this principal to the subject after successful authentication.

group_name

Specifies a response attribute value from the Policy Server that could be a physical group name from the user store or a virtual group.

The SiteMinder Agent adds the same amount of group principals as responses received from the Policy Server.

To configure Groups as responses for the SiteMinder Agent

  1. Configure an OnAuthAccept group authentication rule with a * resource filter in the SiteMinder Authentication Realm.
  2. Create SiteMinder HTTP header responses using the _SM_JBOSS_GROUP variable name in the policy domain for the SiteMinder Authentication Realm.

    Note: The SiteMinder Administrative UI shows an additional underscore before "_SM_JBOSS_GROUP" when it displays the variable name, so that it appears as "HTTP__SM_JBOSS_GROUP". This is not an error and can be ignored.

  3. In the policy domain for the SiteMinder Authentication Realm:
    1. Create a group policy.
    2. Attach the users who belong to the group policy.
    3. Attach the group authentication rule to this policy.
    4. Bind the group response to the group authentication rule.
Example: Configure the SiteMinder Agent Web Interceptor to return groups using responses

The following example shows one method of configuring the SiteMinder Agent Web Interceptor to return groups using responses:

  1. In the SiteMinder Authentication Realm, configure an OnAuthAccept rule named Group Authentication Rule with a * resource filter.
  2. In the policy domain for the SiteMinder Authentication Realm, create SiteMinder responses with a static HTTP header attribute for the following sample JBoss groups:

Name

Attribute
Kind

Variable Name

Variable Value

Group
Administrators

Static
HTTP Header

_SM_JBOSS_GROUP

Administrators

Group
Deployers

Static
HTTP Header

_SM_JBOSS_GROUP

Deployers

Group
Monitors

Static
HTTP Header

_SM_JBOSS_GROUP

Monitors

Group
Operators

Static
HTTP Header

_SM_JBOSS_GROUP

Operators
  1. In the policy domain for the SiteMinder Authentication Realm:
    1. Configure a policy named Group Administrator Policy.
    2. Attach the Administrator group or users, who belong to the Administrator group, to this policy.
    3. Attach the Group Authentication Rule to this policy.
    4. Bind the Group Administrator response to this rule.
    5. Repeat this step and configure separate policies for the Deployers, Operators, and Monitors groups.
    6. Bind the Group Administrator response to this rule.
    7. Repeat this step and configure separate policies for the Deployers, Operators, and Monitors groups.
  2. Repeat Step 3 and configure separate policies for the Deployers, Operators, and Monitors groups.