A response passes static text, user attributes, DN attributes, customized active responses, or the runtime values of defined variables from the Policy Server to a CA SiteMinder® Agent. Responses can be used by servlets, Web applications, or other custom applications to display customized content, change CA SiteMinder® settings, or redirect users to different resources. When working with Web applications, responses can be used as privileges or entitlements for fine-grained access control.
A policy contains rules and responses which are bound to users and user groups. In a policy, responses are bound to specific rules or rule groups. When a rule fires, the associated response returns information to a CA SiteMinder® Agent.
Responses take the form of name/value pairs. When a rule is triggered, the Policy Server returns the paired response to the CA SiteMinder® Agent.
For example, if a user attempts to access a protected Web page, but is not authorized to view the contents of the page, a response can redirect the user to an HTML page that indicates the user does not have access, and provide details for contacting a system administrator.
For Web Agents, CA SiteMinder® adds response attributes to HTTP header variables or HTTP cookie variables so that the responses are available to the Web resource or application named in the rule. In a RADIUS environment, the response is returned to the RADIUS client.
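An added example, not part of the CA documentation: a Python WSGI application that reads entitlements from an HTTP header variable populated by a Web Agent response and denies access when the required entitlement is absent. The header name `APP_ENTITLEMENTS`, the `^` value delimiter, and the entitlement strings are assumptions chosen for illustration.

```python
# Added example: consuming a Web Agent response attribute that arrives as an
# HTTP header variable. Header name and delimiter below are assumptions.

ENTITLEMENT_HEADER = "HTTP_APP_ENTITLEMENTS"  # hypothetical header set by a response
VALUE_DELIMITER = "^"                          # assumed multi-value separator


def parse_entitlements(environ, header=ENTITLEMENT_HEADER, delim=VALUE_DELIMITER):
    """Return the set of entitlements carried in the response header.

    A missing or empty header yields an empty set, so callers fail closed.
    """
    raw = environ.get(header, "")
    return {v.strip().lower() for v in raw.split(delim) if v.strip()}


def require_entitlement(needed):
    """WSGI middleware factory: deny unless `needed` is among the entitlements."""
    def wrap(app):
        def guarded(environ, start_response):
            if needed.lower() not in parse_entitlements(environ):
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"Not authorized. Contact your system administrator.\n"]
            return app(environ, start_response)
        return guarded
    return wrap


@require_entitlement("reports:view")
def reports_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Quarterly report\n"]


def call(app, environ):
    """Invoke a WSGI app with a constructed environ; return (status, body)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    body = b"".join(app(environ, start_response))
    return seen["status"], body
```

The application cannot tell a header set by the Agent from one supplied by a client, so it should be reachable only through the Agent-protected web server.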
A response is a container for one or more response attributes. The response attributes are what a CA SiteMinder® Agent receives after the Policy Server processes a response. The available response attributes differ based on the type of response.
The following types of responses are available:
Note: You can create response types for custom Agents and response attributes using the CA SiteMinder® APIs, which are available separately with the Software Development Kit. More information exists in the API Reference Guide for C.
Web Agent responses are CA SiteMinder® responses that provide name/value pairs usable by a CA SiteMinder® Web Agent. These responses can contain attributes for HTTP header variables, cookie variables, and URLs for redirections.
RADIUS responses are CA SiteMinder® responses that provide values usable by a RADIUS Agent. These responses can contain response attributes for all supported RADIUS attributes.
Each CA SiteMinder® response contains one or more response attributes. These attributes differ based on the type of response. The following sections discuss the response attributes that are available for each type of response.
In addition to the CA SiteMinder® Web Agent response attributes, CA SiteMinder® Web Services Security provides the following Web Agent response attributes that are only applicable for use with WSS Agents:
Provides Policy Server data that the SiteMinder WSS Agent uses to generate a SAML assertion. The data is inserted into the XML message's HTTP or SOAP envelope header, or into a cookie (as specified by associated response attributes).
When you configure a SAML Session Ticket response, the Policy Server generates the response data. This data instructs the SiteMinder WSS Agent how to build the assertion. The SiteMinder WSS Agent encrypts a session ticket (and optionally, the public key from a web service consumer) and the response data. The agent then generates the assertion. The agent delivers the assertion to the web service. The token can only be encrypted and decrypted by the SiteMinder WSS Agent using its Agent key.
Provides Policy Server data that the SiteMinder WSS Agent uses to generate WS-Security Username, X509v3, or SAML tokens (as specified by associated response attributes). These tokens are added to a SOAP message header.
When you configure a WS-Security response, the Policy Server generates the response data. This data instructs the SiteMinder WSS Agent how to build the token. The agent then generates and adds the token to the SOAP request and delivers it to the web service.
RADIUS Agent response attributes are response attributes that RADIUS Agents can interpret. All of the response attributes supported by CA SiteMinder® correspond to the attributes described in the Request for Comments (RFC) 2138, which describes attributes supported by the RADIUS protocol.
Directory mappings let you specify a separate authorization user directory in an application object component or a realm. When you define a separate authorization directory, a user is authenticated based on the information contained in one directory, but authorized based on the information contained in another directory.
When you create a response and associate it with an authentication (OnAuth) event, any information retrieved from a user directory is retrieved from the authentication directory. If you create an authorization (OnAccess) event, any information retrieved from a user directory is retrieved from the authorization directory.
Copyright © 2014 CA.
All rights reserved.