The message consumer plug-in is a Java program that implements the Message Consumer Plug-in interface. The plug-in lets you implement your own business logic for processing assertions, such as rejecting an assertion and returning a status code. This additional processing works together with the standard processing of an assertion.
Note: For more information about status codes for authentication and disambiguation, see the CA SiteMinder® Programming Guide for Java.
During authentication, CA SiteMinder® first tries to process the assertion by mapping a user to its local user store. If CA SiteMinder® cannot find the user, it calls the postDisambiguateUser method of the message consumer plug-in.
If the plug-in successfully finds the user, CA SiteMinder® proceeds to the second phase of authentication. If the plug-in cannot map the user to a local user store, the plug-in returns a UserNotFound error. The plug-in can optionally use the redirect URL feature. Without the consumer plug-in, the redirect URLs are based on the error that the SAML authentication scheme generates.
During the second phase of authentication, CA SiteMinder® calls the postAuthenticateUser method of the message consumer plug-in, if the plug-in is configured. If the method succeeds, CA SiteMinder® redirects the user to the requested resource. If the method fails, you can configure the plug-in to send the user to a failure page. The failure page can be one of the redirect URLs that you can specify with the authentication scheme configuration.
Additional information about the message consumer plug-in can be found as follows:
To configure the plugin
Create a custom message consumer plug-in by implementing the MessageConsumerPlugin.java interface. The minimum requirements for the implementation class are listed in the following procedure.
Follow these steps:
The MessageConsumerPlugin includes the following four methods:
Performs any initialization procedures that the plug-in requires. CA SiteMinder® calls this method once for each plug-in instance, when the plug-in is loaded.
Performs any rundown procedures that the plug-in requires. CA SiteMinder® calls this method once for each plug-in instance, when CA SiteMinder® is shutting down.
Provides processing to disambiguate a user when the authentication scheme is unable to do so. Alternatively, this method can add data for new federation users to a user store. This method receives the decrypted assertion. The decrypted assertion is added to the properties map passed to the plug-in under the key "_DecryptedAssertion".
Provides additional code to determine the final outcome of assertion processing, regardless of whether the Policy Server processing is a success or failure.
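The two-phase flow and the "_DecryptedAssertion" property described above, as an added, self-contained Java sketch that is not CA's SDK code and simplifies the real processing. ConsumerPlugin is a hypothetical stand-in for MessageConsumerPlugin (take the real signatures and status codes from the SDK), and the user store, attribute names, and sample assertion are constructed for illustration.

```java
import java.io.StringReader;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
import org.xml.sax.InputSource;

public class ConsumerFlowSketch {
    // Hypothetical stand-in for the SDK interface; the real signatures are in the SDK Javadoc.
    interface ConsumerPlugin {
        Optional<String> postDisambiguateUser(Map<String, Object> props) throws Exception;
        boolean postAuthenticateUser(String user, Map<String, Object> props) throws Exception;
    }
    static final String SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion";
    static final Map<String, String> LOCAL_STORE = Map.of("alice", "uid=alice"); // constructed
    // Reads one attribute from the decrypted assertion; DOCTYPE is refused to rule out XXE.
    static String attr(Map<String, Object> props, String name) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        String xml = (String) props.get("_DecryptedAssertion"); // key named on the page
        Document d = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        NodeList list = d.getElementsByTagNameNS(SAML_NS, "Attribute");
        for (int i = 0; i < list.getLength(); i++)
            if (name.equals(((Element) list.item(i)).getAttribute("Name")))
                return list.item(i).getTextContent().trim();
        return null;
    }
    static String consume(String nameId, String assertionXml, ConsumerPlugin p) throws Exception {
        Map<String, Object> props = new HashMap<>();
        props.put("_DecryptedAssertion", assertionXml);
        Optional<String> user = Optional.ofNullable(LOCAL_STORE.get(nameId)); // phase 1: standard mapping
        if (user.isEmpty()) user = p.postDisambiguateUser(props);             // plug-in runs only on a miss
        if (user.isEmpty()) return "UserNotFound -> redirect URL";
        return p.postAuthenticateUser(user.get(), props) ? "allow " + user.get() : "reject -> failure page";
    }
    public static void main(String[] args) throws Exception {
        ConsumerPlugin plugin = new ConsumerPlugin() {
            public Optional<String> postDisambiguateUser(Map<String, Object> props) throws Exception {
                return "finance".equals(attr(props, "dept")) ? Optional.of("uid=finance-guest") : Optional.empty();
            }
            public boolean postAuthenticateUser(String user, Map<String, Object> props) throws Exception {
                return !"suspended".equals(attr(props, "status")); // never log the assertion itself
            }
        };
        String fmt = "<saml:Assertion xmlns:saml='" + SAML_NS + "'><saml:AttributeStatement>" // constructed
            + "<saml:Attribute Name='dept'><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>"
            + "<saml:Attribute Name='status'><saml:AttributeValue>%s</saml:AttributeValue></saml:Attribute>"
            + "</saml:AttributeStatement></saml:Assertion>";
        for (String[] c : new String[][] {{"alice", "hr", "active"}, {"bob", "finance", "active"},
                {"carol", "hr", "active"}, {"dave", "finance", "suspended"}})
            System.out.println(c[0] + ": " + consume(c[0], String.format(fmt, c[1], c[2]), plugin));
    }
}
```

The four constructed users exercise each path: a local store hit, a plug-in mapping, a UserNotFound result, and a rejection in the second phase.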
CA SiteMinder® provides the following samples of the Message Consumer plug-in class:
MessageConsumerPluginSample.java in installation_home\sdk\samples\messageconsumerplugin
MessageConsumerSAML20.java in installation_home\sdk\samples\authextensionsaml20
After you have coded your implementation class for the MessageConsumerPlugin interface, compile it and verify that CA SiteMinder® can find your executable file.
To deploy the Message Consumer Plugin:
installation_home\siteminder\bin\jars\SmJavaApi.jar
An identical copy of SmJavaApi.jar is installed with CA SiteMinder® SDK. The file is in the directory installation_home\sdk\java\SmJavaApi.jar.
You can use either of them at development time.
Note: Do not modify the classpath for the existing xerces.jar, xalan.jar, or SmJavaApi.jar.
After writing a message consumer plug-in and compiling it, enable the plug-in by configuring settings in the Administrative UI. The UI settings tell CA SiteMinder® where to find the plug-in.
Do not configure the plug-in settings until you deploy the plug-in.
To enable the message consumer plug-in
Specify the Java class name for the plug-in. For example, a sample class included with the CA SiteMinder® SDK is:
com.ca.messageconsumerplugin.MessageConsumerPluginSample
Specify a string of parameters that are passed to the plug-in specified in the Full Java Class Name field.
As an alternative to configuring the plug-in in the Administrative UI, use the Policy Management API (C or Perl) to set the IdpPluginClass and IdpPluginParameters.
Copyright © 2014 CA.
All rights reserved.