In a single sign-on environment, a user who successfully authenticates through a given agent does not have to re-authenticate when accessing a realm protected by a different agent. When a custom agent is involved in a single sign-on environment, the two agents must be in the same cookie domain—for example, xxx.domainname.com.
Single sign-on is made possible through a single sign-on cookie named SMSESSION. This cookie is created and written to the user’s browser either by SiteMinder or by the custom agent.
Class AgentAPI contains two methods that allow custom agents to participate in a single sign-on environment with standard SiteMinder Web Agents:
The custom agent extracts the cookie’s contents, called a token, from an existing SMSESSION cookie and passes the token to this method. The method decrypts the token and extracts the specified information. This method can also be used to update the last-access timestamp in the token.
After the user successfully logs in through the custom agent, the custom agent passes information about the user to this method. The method creates an encrypted token from this user information and from session information returned from the login call. The custom agent writes the token to the SMSESSION cookie.
See the sample custom agent code for an example of setting up the parameters for the single sign-on methods and parsing the results. The sample custom agent code is located in the smjavaagentapi directory of <install_path>\sdk\samples.
Here is the typical sequence of events in a single sign-on environment when the initial login is through the custom agent:
Here is the typical sequence of events that occurs in a single sign-on environment when the initial login is performed through the standard SiteMinder Web Agent:
Custom agents created with the SiteMinder SDK v6.x can accept SMSESSION cookies created by a standard SiteMinder v4.x, v5.x, or v6.x Web Agent. However, standard SiteMinder v4.x or v5.x Web Agents can only accept cookies created by a custom agent if the standard agent has been upgraded with the appropriate Siteminder Agent Quarterly Maintenance Release (QMR). For information about the QMR version required for each standard agent version, see the accompanying SDK release notes.
To enable a SiteMinder v4.x or v5.x agent with the appropriate QMR upgrade to accept SMSESSION cookies created by a custom agent, the standard agent’s Agent configuration file (LocalConfig.conf with IIS servers or WebAgent.conf with other servers) or central configuration object (for v5.x or higher) must contain the following entry:
AcceptTPCookie="yes"
Set AcceptTPCookie as follows:
Session information can consist of more than the session specification. Session information can include any information that the client application wants to associate with the user’s session.
Application-defined session information consists of name/value pairs called session variables. For example, business logic, certificate information, and SAML assertions for affiliate operations can all be stored as session variables and bound to the session ID.
The class AgentAPI provides the following methods for setting, retrieving, and deleting session variables:
Session variables are stored in a server-side database called the session store. The session store is managed by the Policy Server.
When a client application uses session variables:
For a client application to use session variables, both of the following prerequisites must be met:
When the user logs out and the agent discards the session specification, the session ends. In the case of a persistent session, SiteMinder removes all session information, including any session variables, from the session store.
Copyright © 2014 CA.
All rights reserved.
|
|