

Configure a Response

You can create a response by specifying an agent type and an attribute list. A response contains the specified attributes and is sent to the specified agent.

To create a response

  1. Click Policies, Domain.
  2. Click Responses.

    The Responses page appears.

  3. Click Create Response.

    The Create Response: Select Domain page appears.

  4. Select a domain and click Next.

    The Create Response: Define Response page appears.

  5. Type the name and a description of the response.
  6. Select Radius or CA SiteMinder® and an Agent Type.
  7. (Optional) Click Create Response Attribute to create a response attribute and add it to the attribute list.

    The Create Response Attribute page appears.

  8. Click Finish.

    The Response is created.

More information:

Configure a Web Agent Response Attribute

Configure a RADIUS Response Attribute

Configure Response Attributes

Each CA SiteMinder® response may contain one or more response attributes. Response attributes identify the pieces of information that the Policy Server passes to a CA SiteMinder® Agent. Each CA SiteMinder® Agent type can accept different response attributes.

Note: More information on configuring an smetssocookie Web Agent active response attribute, which is needed for enabling single sign-on from CA SiteMinder® to CA Single Sign-On, exists in Configure an smetssocookie Web Agent Active Response Attribute.

Response Attribute Types

CA SiteMinder® supports different types of response attributes. The type of response attribute determines how CA SiteMinder® provides appropriate content for the attribute.

You can specify the following types of response attributes when you add response attributes to a CA SiteMinder® response:

Static

Returns data that remains constant.

Use a static attribute to return a string as part of a CA SiteMinder® response. This type of response can be used to provide information to a Web application. For example, if a group of users has specific customized content on a Web site, the static response attribute show_button = yes could be passed to the application.

User Attribute

Returns profile information from a user entry in a user directory.

A user attribute can be retrieved from an LDAP, WinNT, Microsoft SQL Server, or Oracle user directory.

Note: In order for the Policy Server to return values from user directory attributes as response attributes, configure the user directories on the CA SiteMinder® User Directory pane.

DN Attribute

Returns profile information from a directory object in an LDAP, Microsoft SQL Server, or Oracle user directory.

User groups and Organizational Units (OUs) that are part of a user DN are examples of directory object attributes that can be treated as DN attributes.

For example, you can use a DN attribute to return a company division for a user that is based on the user membership in a division.

Note: In order for the Policy Server to return values from DN attributes as response attributes, configure the user directories on the CA SiteMinder® User Directory pane.

Active Response

Returns values from a customer supplied library that is based on the CA SiteMinder® Authorization API.

An Active Response is used to return information from an external source. An Active Response is generated by having the Policy Server invoke a function in a customer-supplied shared library. This shared library conforms to the Authorization API (available separately with the Software Development Kit).

Note: Make sure that the returned value is valid. When you configure a response attribute, the correct Value Type for the response attribute is displayed on the Response Attribute pane.

Variable Definition

Returns the value of the specified variable at runtime.

Select Variable Definition when you want to select and use a variable from a list of already-defined variables.

Session Variable

Returns the value of a session variable.

CA SiteMinder® retrieves the value from the session store, or from memory when the response is part of the authentication request.

Expression

Allows the administrator to provide an expression.

For example, the administrator can configure a Response Attribute to extract a certain string from the Certificate issuerDN attribute and store it as a new session variable.

Configure a Web Agent Response Attribute

You can create a response attribute for a CA SiteMinder® Web Agent by selecting CA SiteMinder® and Web Agent on the Attributes group box on the Response pane. Web Agent response attributes support HTTP header variables, cookie variables, redirections to other resources, text, and timeout values.

Note: If you have purchased and installed SOA Security Manager, you can create a WebAgent-SAML-Session-Ticket-Variable response attribute. For more information, see the CA SOA Security Manager Policy Configuration Guide.

To create a response attribute

  1. Click Create Response Attribute.

    The Create Response Attribute page appears.

  2. Select a response attribute.
  3. Select an attribute type.

    The details in the Attribute Fields are updated to match the specified attribute type.

  4. Complete the details in the Attribute Fields.

    Note: A list of automatically generated CA SiteMinder® user attributes that you can use in responses exists in SiteMinder Generated User Attributes.

  5. (Optional) Edit the attribute in the Script field.

    Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.

  6. Specify Cache Value or Recalculate value every ... seconds.

    Note: The maximum time limit that can be entered is 3600 seconds.

  7. Click Submit.

    The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.

Configure a RADIUS Response Attribute

You can create a response attribute for a RADIUS Agent by selecting RADIUS and a RADIUS vendor on the Attributes group box on the Response pane. RADIUS response attributes support any of the attributes supported by the RADIUS protocol.

To create a response attribute

  1. Click Create Response Attribute.

    The Create Response Attribute page appears.

  2. Select a response attribute.
  3. Select an attribute type.

    The details in the Attribute Fields are updated to match the specified attribute type.

  4. Complete the details in the Attribute Fields.

    Note: A list of automatically generated CA SiteMinder® user attributes that you can use in responses exists in SiteMinder Generated User Attributes.

  5. (Optional) Edit the attribute in the Script field.

    Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.

  6. Specify Cache Value or Recalculate value every ... seconds.

    Note: The maximum time limit that can be entered is 3600 seconds.

  7. Click Submit.

    The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.

More information:

Configure a Web Agent Response Attribute

Use Variable Objects in Responses

You can create responses that include variable objects by incorporating them in response attributes. Variable objects can be used in response attributes to include dynamic information evaluated during the authorization of a request.

Note: Variable objects included in responses are only evaluated during the authorization of a request and not during the authentication process. Responses that include variables are limited to authorization events.

Responses can contain any number of response attributes. Each response attribute contains one variable object. Like HTTP header and cookie variables, a CA SiteMinder® variable object is a name-value pair. CA SiteMinder® variable objects are different from HTTP header and cookie variables, however, in that the variable object name is used to look up the variable object value at runtime. Then, in the case of response attributes, the resulting name-value pair can be returned in an HTTP header or cookie variable.

Configure a Response Attribute that Contains a Variable

A response can contain one or more response attributes whose values are determined by variable objects. Each response attribute contains one variable object. Each variable object is a name-value pair. The name of the variable object is used to look up the value of the variable object at runtime. CA SiteMinder® passes the resulting name-value pair to the Web Agent.

To configure a response attribute that contains a variable

  1. Follow the instructions in Configure a Response to create a response.
  2. Select SiteMinder and Web Agent as the Agent Type on the Attributes section.
  3. Click Create Response Attribute on the Attribute List section.

    The Create Response Attribute pane opens.

  4. Select a response attribute from the drop-down list on the Attribute Type section.
  5. Select the type of response attribute on the Attribute Kind section.
  6. Type the name of the variable object in the Variable Name field on the Attribute Fields section.

    Note: When this field is required, CA SiteMinder® passes this name to the Web Agent in the form of a name-value pair.

  7. For the selected response attribute type, complete the following fields on the Attribute Fields group section:

    Static

    Specify the value of the static variable in the Variable Value field.

    User Attribute

    Specify the name of the user attribute in the Attribute Name field.

    DN Attribute

    Specify the DN of the user or user group in the DN Spec field and the name of the user attribute in the Attribute Name field.

    (Optional) Click Lookup to search for and select one set of users or user group in a specified user directory.

    (Optional) Select the Allow Nested Groups check box.

    Active Response

    Specify the name of your library and the name of a library function in the Library Name and Function Name fields. Optionally, specify the names of parameters in the Parameters field.

    Note: Your library must be based on the SiteMinder Authorization API.

    Variable Definition

    Click Lookup to select an existing variable object for the Variable field.

    Session Variable

    Specify the name of a session variable for which an administrator can retrieve the value.

    Expression

    Specify an expression that extracts a value from an attribute and stores it as a new session variable.

    Note: CA SiteMinder® uses the information that you provide in the fields on the Attribute Fields section to determine the value that it passes to the Web Agent in the form of a name-value pair.

  8. Click OK.

    The response attribute is saved.

More information:

Response Attributes

Select a Variable Using Variable Lookup

Select Users for Inclusion in a Response Attribute

The User Lookup pane allows you to select one user directory and search a list of users and user groups in that directory, selecting one set of users or user group for inclusion in a response attribute.

To select users for inclusion in a response attribute

  1. Select DN Attribute as the Attribute Kind on the Attribute Setup group box.

    The Attribute Fields group box expands to include the DN Spec field.

  2. Click Lookup on the Attribute Fields group box.

    The User Lookup pane opens.

  3. Select the name of one user directory from the list, and click Search.

    The User Search pane opens.

  4. (Optional) Select a Search type, and click GO:

    Attribute-value

    Specify an attribute name and value in the fields on the Users/Groups dialog.

    Expression

    Specify a search expression in the Expression field on the Users/Groups dialog.

    Note: You can click Reset to clear the search results.

  5. Select one set of users or user group from the list, and click OK.

    The User Lookup pane reopens.

  6. Click OK.

    The Response Attribute pane reopens, and the set of users or user group is added to the DN Spec field in the Attribute Fields group box.

Select a Variable Using Variable Lookup

The Select Variable pane allows you to select one variable object from a list of existing variable objects.

To select a variable using variable lookup

  1. Select Variable Definition as the Attribute Kind on the Attribute Setup group box.
  2. Click Lookup on the Attribute Fields group box.

    The Select Variable pane opens.

  3. Select one variable object from the list, and click OK.

    The Create Response Attribute pane reopens, and the name of the variable object is displayed in the Variable field on the Attribute Fields group box.

Configure Response Attribute Caching

Responses return values to a requesting Agent. The data returned to the Agent can be a fixed value, or it may change over time. When you use a CA SiteMinder® Agent to protect a resource, Agents can cache a value for fixed data, so that the value does not need to be recalculated each time the associated policy fires.

For example, a customer’s account number is a fixed value, while the customer’s account balance changes after each transaction. It would be more efficient to retrieve the account number once and then cache it. However, you probably want the balance to be recalculated at a regular interval to make sure the information is current.

Note: CA SiteMinder® does not cache RADIUS response attributes.

To configure response attribute caching

  1. Open the response.

    The associated response attributes are listed in the Attribute List group box.

  2. Click the edit icon to the left of the response attribute you want.

    The Modify Response Attribute pane opens.

  3. Specify the cache settings in the Attribute Caching group box.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
  4. Click Submit.

    The cache settings are saved.
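
The following added example (not CA SiteMinder® code, and not part of the original documentation) models the caching choices described above so the staleness window is visible: a cached account number, a balance recalculated every 60 seconds, and a RADIUS attribute that is never cached. The class, its parameters, the reading of Cache Value as "compute once", and the sample account data are assumptions made for illustration.

```python
import time

MAX_RECALC_SECONDS = 3600  # upper limit the page gives for the recalculation interval


class ResponseAttribute:
    """Simplified model (assumption) of a response attribute's caching choice."""

    def __init__(self, name, compute, recalc_seconds=None,
                 agent_type="Web Agent", clock=time.monotonic):
        # recalc_seconds=None models "Cache Value"; a number models
        # "Recalculate value every ... seconds".
        if recalc_seconds is not None and not 0 < recalc_seconds <= MAX_RECALC_SECONDS:
            raise ValueError(f"{name}: interval must be > 0 and <= {MAX_RECALC_SECONDS}")
        self.name, self.agent_type = name, agent_type
        self._compute, self._recalc, self._clock = compute, recalc_seconds, clock
        self._value, self._computed_at = None, None

    def value(self):
        if self.agent_type == "RADIUS":
            return self._compute()  # RADIUS response attributes are not cached
        now = self._clock()
        expired = (self._recalc is not None and self._computed_at is not None
                   and now - self._computed_at >= self._recalc)
        if self._computed_at is None or expired:
            self._value, self._computed_at = self._compute(), now
        return self._value


def demo():
    """Constructed scenario: the balance changes at t=10 with a 60-second interval."""
    t = [0.0]
    account = {"number": "ACCT-0001", "balance": 100}  # constructed sample data
    clock = lambda: t[0]
    number = ResponseAttribute("account_number", lambda: account["number"], clock=clock)
    balance = ResponseAttribute("balance", lambda: account["balance"], 60, clock=clock)
    radius = ResponseAttribute("balance", lambda: account["balance"], 60, "RADIUS", clock)
    seen = [(t[0], number.value(), balance.value(), radius.value())]
    t[0], account["balance"] = 10.0, 75   # a transaction changes the balance
    seen.append((t[0], number.value(), balance.value(), radius.value()))
    t[0] = 60.0                           # interval elapsed: value is recalculated
    seen.append((t[0], number.value(), balance.value(), radius.value()))
    return seen


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Between t=10 and t=60 the Web Agent attribute still reports the old balance, which is the trade-off to weigh when choosing an interval for any attribute that an application uses for a decision.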

Edit a Response

You can edit all of the properties of a response, except the Agent Type. If you want to change the Agent Type, you must delete the response and create a new one.

Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.

Delete a Response

Deleting a response removes the response from any policies with which it is associated.

It may take a short amount of time for all deleted objects to be removed from caches.

Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.