CLI Authentication Scheme Configuration

Programming Guides › Programming Guide for Perl › About the Policy Management API › CLI Authentication Scheme Configuration

CLI Authentication Scheme Configuration

When you configure an authentication scheme through a Perl script, you provide information that would otherwise be provided through the Authentication Scheme Properties dialog of the Administrative UI. This section describes the information you need to configure a given authentication scheme using the Policy Management API.

Note: When modifying an authentication scheme, be sure to call Save() after calling all the configuration methods.

Configuration Information

Typically, you configure an authentication scheme when you create the scheme with CreateAuthScheme() or when you modify the scheme with the methods in the PolicyMgtAuthScheme object.

Note: The exception to this rule is an authentication scheme based on the SAML 2.0 Template. You create and configure a SAML 2.0 authentication scheme with the method CreateSAMLAuthScheme().

You can provide the following kinds of configuration information for an authentication scheme. Not every authentication scheme template uses all categories of configuration information:

Scheme type
SiteMinder provides a number of standard authentication scheme types (also known as templates). Each authentication scheme type is configured differently.
Description
Brief description of the authentication scheme.
Protection level
Protection level values can range from 1 through 1000. The higher the number, the greater the degree of protection provided by the scheme.
Library
An authentication scheme library performs authentication processing for the associated authentication scheme type. Each predefined authentication scheme is shipped with a default library. Optionally, you can use a custom library instead of the default.
Parameter
Additional information that the authentication scheme requires, such as the URL of an HTML login page.

With some authentication schemes, the parameter information is constructed from field values in the Scheme Type Setup tab of the Authentication Scheme Properties dialog. To see how a parameter string is constructed for a given scheme type, open this dialog, select the appropriate scheme type, provide values to the fields in the Scheme Type Setup tab, and view the constructed parameter in the Advanced tab.
Shared Secret
Information that is known to both the authentication scheme and the Policy Server. Different authentication schemes use different kinds of secrets. Most schemes use no secret.
Is template?
A flag that specifies whether the authentication scheme is a template.

Note: Setting an authentication scheme as a template with the Perl Policy Management API is deprecated in SiteMinder v6.0 SP3.
Is used by administrator?
A flag that specifies whether the authentication scheme can be used to authenticate administrators.
Save Credentials?
A flag that specifies whether the user’s credentials are saved.
Is RADIUS?
A flag that specifies whether the scheme can be used with RADIUS agents.
Ignore password check?
A flag that specifies whether password policies for the scheme are enabled. If 1, password policies are disabled.

Note: The Ignore password check flag must be set to True for anonymous authentication schemes.

Configuration Tables

The following tables will help you configure authentication schemes. Each table applies to a particular authentication scheme type and contains the following information:

The PolicyMgtAuthScheme method that sets or retrieves a particular kind of configuration value.
The default configuration value, if applicable, or a variable name, shown in italics, that represents the configuration value to be supplied.
The name of the CreateAuthScheme() argument used to supply the configuration value when you are creating an authentication scheme.

The values in the Information Type column can be used for different purposes in different authentication schemes. For example, with TeleID authentication schemes, the shared secret is used to supply the encryption seed.

Anonymous Template

Use this table when configuring an authentication scheme based on the scheme type Anonymous.

Note: The Ignore password check flag must be set to True for anonymous authentication schemes.

Information Type	Value Assignment and Meaning
Scheme type	Type(templateObject) CreateAuthScheme() param: schemeTemplate The scheme type Anonymous.
Description	Description(schemeDesc) CreateAuthScheme() param: schemeDesc The description of the authentication scheme.
Protection level	ProtectionLevel(0) CreateAuthScheme() param: protLevel Set to 0. Not applicable to this scheme type.
Library	CustomLib("smauthanon") CreateAuthScheme() param: schemeLib The default library for this scheme type.
Parameter	CustomParam(param) CreateAuthScheme() param: schemeParam A string containing the guest DN. Policies associated with the guest DN must apply to anonymous users.
Shared secret	CustomSecret("") CreateAuthScheme() param: secret Set to an empty string. Not applicable to this scheme.
Is template?	IsTemplate(templateFlag) CreateAuthScheme() param: isTemplate Set to 0 to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	IsUsedByAdmin(0) CreateAuthScheme() param: isUsedByAdmin Set to 0—scheme is not used to authenticate administrators.
Save credentials?	SaveCredentials(0) CreateAuthScheme() param: saveCreds Set to 0 to indicate that user credentials will not be saved.
Is RADIUS?	IsRadius(0) CreateAuthScheme() param: isRadius Set to 0—scheme is not used with RADIUS agents.
Ignore password check?	IgnorePwd(1) CreateAuthScheme() param: ignorePwd Set to 1—ignore password checking.

Basic Over SSL Template

Use this table when configuring an authentication scheme based on the scheme type Basic over SSL.

Information Type	Value Assignment and Meaning
Scheme type	Type(templateObject) CreateAuthScheme() param: schemeTemplate The scheme type Basic over SSL.
Description	Description(schemeDesc) CreateAuthScheme() param: schemeDesc The description of the authentication scheme.
Protection level	ProtectionLevel(nLevel) CreateAuthScheme() param: protLevel A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 10.
Library	CustomLib("smauthcert") CreateAuthScheme() param: schemeLib The default library for this scheme type.
Parameter	CustomParam(param) CreateAuthScheme() param: schemeParam A string containing the domain or IP address of the SSL server and the name of the SSL Credentials Collector (SCC). Format: https://server/SCC?basic The following example uses the default SCC: https://my.server.com/siteminderagent/ nocert/smgetcred.scc?basic
Shared secret	CustomSecret("") CreateAuthScheme() param: secret Set to an empty string. Not applicable to this scheme.
Is template?	IsTemplate(templateFlag) CreateAuthScheme() param: isTemplate Set to 0 to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	IsUsedByAdmin(0) CreateAuthScheme() param: isUsedByAdmin Set to 0 for this scheme.
Save credentials?	SaveCredentials(0) CreateAuthScheme() param: saveCreds Set to 0 to indicate that user credentials will not be saved.
Is RADIUS?	IsRadius(0) CreateAuthScheme() param: isRadius Set to 0—scheme is not used with RADIUS agents.
Ignore password check?	IgnorePwd(flag) CreateAuthScheme() param: ignorePwd Set to 1 to ignore password checking, or 0 to check passwords. Default is 0.

Basic Template

Use this table when configuring an authentication scheme based on the scheme type Basic.

Information Type	Value Assignment and Meaning
Scheme type	Type(templateObject) CreateAuthScheme() param: schemeTemplate The scheme type Basic.
Description	Description(schemeDesc) CreateAuthScheme() param: schemeDesc The description of the authentication scheme.
Protection level	ProtectionLevel(nLevel) CreateAuthScheme() param: protLevel A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	CustomLib("smauthdir") CreateAuthScheme() param: schemeLib The default library for this scheme type.
Parameter	CustomParam("") CreateAuthScheme() param: schemeParam Set to an empty string. Not applicable to this scheme.
Shared secret	CustomSecret("") CreateAuthScheme() param: secret Set to an empty string. Not applicable to this scheme.
Is template?	IsTemplate(templateFlag) CreateAuthScheme() param: isTemplate Set to 0 to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	IsUsedByAdmin(1) CreateAuthScheme() param: isUsedByAdmin Set to 1—scheme can be used to authenticate administrators.
Save credentials?	SaveCredentials(0) CreateAuthScheme() param: saveCreds Set to 0 to indicate that user credentials will not be saved.
Is RADIUS?	IsRadius(1) CreateAuthScheme() param: isRadius Set to 1—scheme can be used with RADIUS agents.
Ignore password check?	IgnorePwd(flag) CreateAuthScheme() param: ignorePwd Set to 1 to ignore password checking, or 0 to check passwords. Default is 0.

Custom Template

Use this table when configuring an authentication scheme based on the scheme type Custom. You create custom schemes using the C-language Authentication API, which is available with the SiteMinder SDK.

Information Type	Value Assignment and Meaning
Scheme type	Type(templateObject) CreateAuthScheme() param: schemeTemplate The scheme type Custom.
Description	Description(schemeDesc) CreateAuthScheme() param: schemeDesc The description of the authentication scheme.
Protection level	ProtectionLevel(nLevel) CreateAuthScheme() param: protLevel A value of 0 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	CustomLib(customLibName) CreateAuthScheme() param: schemeLib The name of the custom shared library you created using the C Authentication API.
Parameter	CustomParam(param) CreateAuthScheme() param: schemeParam Any string of one or more parameters required by your custom authentication scheme. For a custom authentication scheme that uses SSL, you must supply a URL that points to a SiteMinder Web Agent library required for the SSL-based authentication.
Shared secret	CustomSecret(secret) CreateAuthScheme() param: secret The shared secret, if any, that your custom authentication scheme uses for encryption of credentials.
Is template?	IsTemplate(templateFlag) CreateAuthScheme() param: isTemplate Set to 0 to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	IsUsedByAdmin(flag) CreateAuthScheme() param: isUsedByAdmin Set to true (1) to specify that the scheme can be used to authenticate administrators, or to false (0) to specify that the scheme cannot be used to authenticate administrators. Default is 0.
Save credentials?	SaveCredentials(0) CreateAuthScheme() param: saveCreds Set to 0 to indicate that user credentials will not be saved.
Is RADIUS?	IsRadius(0) CreateAuthScheme() param: isRadius
Ignore password check?	IgnorePwd(flag) CreateAuthScheme() param: ignorePwd Set to 1 to ignore password checking, or 0 to check passwords. Default is 0.

HTML Form Template

Use this table when configuring an authentication scheme based on the scheme type HTML Form.

Information Type	Value Assignment and Meaning
Scheme type	Type(templateObject) CreateAuthScheme() param: schemeTemplate The scheme type HTML Form.
Description	Description(schemeDesc) CreateAuthScheme() param: schemeDesc The description of the authentication scheme.
Protection level	ProtectionLevel(nLevel) CreateAuthScheme() param: protLevel A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	CustomLib("smauthhtml") CreateAuthScheme() param: schemeLib The default library for this scheme type.
Parameter	CustomParam(param) CreateAuthScheme() param: schemeParam A string containing a user attribute list plus the location of the forms credential collector (FCC). The attribute list must begin with AL= and use commas as the list delimiter character, and it must end with a semicolon—for example: AL=Password,SSN,age,zipcode; The complete parameter format is: attr-list;https:/server/fcc The following example uses the default FCC: AL=PASSWORD,SSN,age,zipcode; http://my.server.com/siteminderagent/ forms/login.fcc
Shared secret	CustomSecret("") CreateAuthScheme() param: secret Set to an empty string. Not applicable to this scheme.
Is template?	IsTemplate(templateFlag) CreateAuthScheme() param: isTemplate Set to 0 to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	IsUsedByAdmin(0) CreateAuthScheme() param: isUsedByAdmin Set to 0—scheme is not used to authenticate administrators.
Save credentials?	SaveCredentials(credFlag) CreateAuthScheme() param: saveCreds Set to 1 to indicate that user credentials should be saved, or 0 to indicate that user credentials should not be saved. Default is 0.
Is RADIUS?	IsRadius(0) CreateAuthScheme() param: isRadius Set to 0—scheme is not used with RADIUS agents.
Ignore password check?	IgnorePwd(flag) CreateAuthScheme() param: ignorePwd Set to 1 to ignore password checking, or 0 to check passwords. Default is 0.