This section contains the following topics:
Create a Custom Authentication Scheme Library
Each SiteMinder Authentication Scheme is an instance of a shared library that supports the Authentication API provider interface.
Typically, when you define an authentication scheme in the Administrative UI, you accept the default library for the authentication scheme type you want to use. For example, if you want to use an authentication scheme based on the HTML Form Template, you would accept its default library, smauthhtml.
If you want your authentication scheme to support custom authentication functionality, build a new library for the authentication scheme. You build an authentication scheme library using the Authentication API.
The following figure shows how the authentication scheme library is used in the authentication process:
Install your custom-built library in one of the following default locations:
The authentication scheme library is loaded by both the authentication server and the authorization server. Both servers use the scheme to retrieve the required credentials.
Immediately after the scheme is loaded, the following operations occur:
An authentication scheme verifies the user credentials passed to it by SiteMinder and returns the authentication result. An authentication scheme operates in these modes:
Looking up the user in the user store is called user disambiguation.
Authentication results are tied to SiteMinder events. If authentication events are enabled in the realm where the user is being authenticated, SiteMinder evaluates optional policies tied to OnAuthAccept, OnAuthReject, OnAuthAttempt, and OnAuthChallenge rules. You can configure these policies to return custom responses based on a user’s identity, redirect the user to another location based on the result of the authentication, or update the user data in an external database.
The authentication scheme can tell the Policy Server to instruct the agent to perform a redirect. To build an authentication scheme that provides redirection capabilities, place the URL in the lpszErrMsg parameter and return a status code that includes reason code Sm_Api_Reason_ErrorMessageIsRedirect.
For example:
strcpy (lpszErrMsg, "https://12.12.1.1/display/user.cgi?dn="); strcat (lpszErrMsg, lpUserContext->lpszUserName); return SM_MAKEAUTH_STATUSVALUE (Sm_AuthApi_Accept, Sm_Api_Reason_ErrorMessageIsRedirect);
This functionality is useful when customizing the workflow of a Web application using a standard Agent. However, configuring redirection is also useful when using custom agents.
The Authentication API supports user authentication based on the following types of credentials:
To create a custom authentication scheme library:
Include the SmApi.h file, as follows:
#include "SmApi.h"
Make the following functions externally visible:
Function |
Description |
---|---|
Performs user authentications. The scheme authenticates user credentials and returns the result. |
|
Initializes the scheme. The scheme should initialize whatever resources it needs at this time. |
|
Requests scheme information. |
|
Releases the scheme only when SiteMinder is shutting down. The scheme should release its resources at this time. |
Each entry point in the shared library must be defined according to specified syntax.
Note: If you are using Microsoft Visual Studio, export the function addresses to a modular definition file (.DEF) file. To export the function addresses, create a .DEF file, and in the export section of the .DEF file, list all of the authentication scheme functions, described in the previous table. Once you have created the .DEF file, add it to the Microsoft Visual Studio project.
Compile the code into a DLL or shared library. When you define the authentication scheme in the Administrative UI, you will specify this library name in the Authentication Scheme Properties dialog box.
After you have written and compiled a custom authentication scheme library, you define the authentication scheme that will use the custom library. You do so using the Administrative UI.
The SmAuthenticate() function authenticates user credentials.
Syntax
This function has the following format:
Sm_AuthApi_Status_t SM_EXTERN SmAuthenticate ( const Sm_Api_Context_t* lpApiContext, const Sm_Api_UserContext_t* lpUserContext, const Sm_AuthApi_UserCredentials_t* lpUserCredentials, const Sm_Api_Reason_t nChallengeReason, const char* lpszParam, const char* lpszSharedSecret, const int nBytesUserMsg, char* lpszUserMsg, const int nBytesErrMsg, char* lpszErrMsg );
Parameters
This function has the following parameters:
[in] Indicates a pointer to the API context structure.
[in] Indicates a pointer to the user context structure.
[in] Indicates a pointer to the user credentials context structure.
[in] Indicates the reason for the original challenge; otherwise, set to zero.
[in] Indicates a pointer to the buffer containing the null-terminated parameter string as specified for the authentication scheme.
[in] Indicates a pointer to the buffer containing the null-terminated shared secret string as specified for the authentication scheme.
[in] Indicates the maximum size of the lpszUserMsg buffer to receive the user message—4097 bytes, including the string termination character.
[out] Indicates a pointer to an output buffer to receive the user message. This message can be the challenge text or any other message that the scheme developer wants to present to the user through a mechanism external to SiteMinder. The Agent stores this message in the HTTP_SM_USERMSG HTTP variable. For RADIUS authentication, the user message is returned in the REPLY-MESSAGE response attribute.
[in] Indicates the maximum size of the lpszErrMsg error buffer—4097 bytes, including the string termination character.
[out] Indicates a pointer to an output buffer to receive the error text. Use this buffer to return an error message to SiteMinder.
Returns
This function uses the SM_MAKEAUTH_STATUSVALUE macro to construct the return value. This macro is defined in SmApi.h. The syntax of the macro is as follows:
SM_MAKEAUTH_STATUSVALUE(status, reason)
This macro ha sthe following two parameters::
During the disambiguation phase:
During the authentication phase:
The SmAuthInit() function lets the authentication scheme perform its own initialization procedure. This call is made once, when the scheme is first loaded.
Syntax
This function has the following format:
Sm_AuthApi_Status_t SM_EXTERN SmAuthInit ( const char* lpszParam, const char* lpszSharedSecret );
Parameters
This function has the following parameters:
[in] Indicates a pointer to the buffer containing the null-terminated parameter string as specified for the authentication scheme.
[in] Indicates a pointer to the buffer containing the null-terminated shared secret string as specified for the authentication scheme.
Returns
This function returns one of the following values:
Indicates the function completed successfully.
Indicates the function was unsuccessful. The scheme is not loaded.
The SmAuthQuery() function returns information about an authentication scheme.
Syntax
This function has the following format:
Sm_AuthApi_Status_t SM_EXTERN SmAuthQuery ( const char* lpszParam, const char* lpszSharedSecret, const Sm_AuthApi_QueryCode_t code, char* lpszStatusBuffer, int* lpnStatusCode );
Parameters
This function has the following parameters:
[in] Indicates a pointer to the buffer containing the null-terminated parameter string as specified for the authentication scheme.
[in] Indicates a pointer to the buffer containing the null-terminated shared secret string as specified for the authentication scheme.
[in] Request code as defined by an enum type Sm_AuthApi_QueryCode_t, which contains the following values:
Individual flags are defined by the enum type Sm_Api_Credentials_t. The scheme may return the location where the credentials can be obtained (that is, an HTTP URL) using the lpszStatusBuffer parameter.
Receives a character string response. Up to Sm_AuthApi_StatusBufSize characters can be returned.
If the call requests the scheme’s description, receives a numeric response indicating the version number of the Authentication API. Supported versions are Sm_Api_Version_V4 and Sm_Api_Version_V4_1.
If the call requests the credentials required by the scheme, the scheme returns one or more credentials. See Remarks. These constants are defined in SmApi.h.
Returns
This function returns one of the following values:
Indicates the function completed successfully.
Indicates the caller has specified an invalid request code.
Remarks
The scheme supports request codes as specified by enumeration type Sm_AuthApi_QueryCode_t. The caller queries the scheme to find out what kind of credentials are required for authentication and where to obtain them.
The credentials are defined by the enum type Sm_Api_Credentials_t and can be combined to request multiple credentials. The caller collects the requested credentials, places them into the Sm_AuthApi_UserCredentials_t context structure, and calls the SmAuthenticate() function.
The individual flags in Sm_Api_Credentials_t are as follows:
Examples: Setting status codes
*lpnStatusCode = Sm_AuthApi_Cred_None|Sm_AuthApi_Cred_AllowAnonymous;
*lpnStatusCode = Sm_AuthApi_Cred_Basic;
*lpnStatusCode = Sm_AuthApi_Cred_Basic | Sm_AuthApi_Cred_SSLRequired; strcpy(lpszStatusBuffer, "https://xxx.yyy.zzz/secure.ssc?basic")
*lpnStatusCode = Sm_AuthApi_Cred_Basic | Sm_AuthApi_Cred_FormRequired; strcpy(lpszStatusBuffer, "https://xxx.yyy.zzz/getcredentials.fcc")
*lpnStatusCode = Sm_AuthApi_Cred_SSLRequired | Sm_AuthApi_Cred_X509Cert; strcpy(lpszStatusBuffer, "https://xxx.yyy.zzz/getcert.scc?cert")
*lpnStatusCode = Sm_AuthApi_Cred_Basic | Sm_AuthApi_Cred_SSLRequired | Sm_AuthApi_Cred_X509Cert; strcpy(lpszStatusBuffer, "https://xxx.yyy.zzz/getcert.scc?cert+basic")
The SmAuthRelease() function lets an authentication scheme perform its own rundown procedure.The caller makes this call once when SiteMinder is shutting down.
Syntax
This function has the following format:
Sm_AuthApi_Status_t SM_EXTERN SmAuthRelease ( const char* lpszParam const char* lpszSharedSecret );
Parameters
This function has the following parameters:
[in] Indicates a pointer to the buffer containing the null-terminated parameter string as specified for the authentication scheme.
[in] Indicates a pointer to the buffer containing the null-terminated shared secret string as specified for the authentication scheme.
Returns
This function returns one of the following values:
Indicates the function completed successfully.
Indicates the function was unsuccessful. The scheme is not loaded.
Copyright © 2014 CA.
All rights reserved.
|
|