You can create a response by specifying an agent type and an attribute list. A response contains the specified attributes and is sent to the specified agent.
To create a response
The Responses page appears.
The Create Response: Select Domain page appears.
The Create Response: Define Response page appears.
The Create Response Attribute page appears.
The Response is created.
Each CA SiteMinder® response may contain one or more response attributes. Response attributes identify the pieces of information that the Policy Server passes to a CA SiteMinder® Agent. Each CA SiteMinder® Agent type can accept different response attributes.
Note: More information on configuring an smetssocookie Web Agent active response attribute, which is needed for enabling single sign-on from CA SiteMinder® to CA Single Sign-On, exists in Configure an smetssocookie Web Agent Active Response Attribute.
CA SiteMinder® supports different types of response attributes. The type of response attribute determines how CA SiteMinder® provides appropriate content for the attribute.
You can specify the following types of response attributes when you add response attributes to a CA SiteMinder® response:
Returns data that remains constant.
Use a static attribute to return a string as part of a CA SiteMinder® response. This type of response can be used to provide information to a Web application. For example, if a group of users has specific customized content on a Web site, the static response attribute, show_button = yes could be passed to the application.
Returns profile information from a user entry in a user directory.
A user attribute can be retrieved from an LDAP, WinNT, Microsoft SQL Server, or Oracle user directory.
Note: In order for the Policy Server to return values from user directory attributes as response attributes, configure the user directories on the CA SiteMinder® User Directory pane.
Returns profile information from a directory object in an LDAP, Microsoft SQL Server, or Oracle user directory.
User groups and Organizational Units (OUs) that are part of a user DN are examples of directory objects attributes that can be treated as DN attributes.
For example, you can use a DN attribute to return a company division for a user that is based on the user membership in a division.
Note: In order for the Policy Server to return values from DN attributes as response attributes, configure the user directories on the CA SiteMinder® User Directory pane.
Returns values from a customer supplied library that is based on the CA SiteMinder® Authorization API.
An Active Response is used to return information from an external source. An Active Response is generated by having the Policy Server invoke a function in a customer-supplied shared library. This shared library conforms to the Authorization API (available separately with the Software Development Kit).
Note: Make sure that the returned value is valid. When you configure a response attribute, the correct Value Type for the response attribute is displayed on the Response Attribute pane.
Returns the value of the specified variable at runtime.
Select Variable Definition when you want to select and use a variable from a list of already-defined variables.
Returns the value of a session variable.
CA SiteMinder® retrieves the value from the session store, or from memory when the response is part of the authentication request.
Allows the administrator to provide an expression.
For example, the administrator can configure a Response Attribute to extract a certain string from the Certificate issuerDN attribute and store it as a new session variable.
You can create a response attribute for a CA SiteMinder® Web Agent by selecting CA SiteMinder® and Web Agent on the Attributes group box on the Response pane. Web Agent response attributes support HTTP header variables, cookie variables, redirections to other resources, text, and timeout values.
Note: If you have purchased and installed SOA Security Manager, you can create a WebAgent-SAML-Session-Ticket-Variable response attribute. For more information, see the CA SOA Security Manager Policy Configuration Guide.
To create a response attribute
The Create Response Attribute page appears.
The details in the Attribute Fields are updated to match the specified attribute type.
Note: A list of automatically generated CA SiteMinder® user attributes that you can use in responses exists in SiteMinder Generated User Attributes.
Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.
Note: The maximum time limit that can be entered is 3600 seconds.
The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.
You can create a response attribute for a RADIUS Agent by selecting RADIUS and a RADIUS vendor on the Attributes group box on the Response pane. RADIUS response attributes support any of the attributes supported by the RADIUS protocol.
To create a response attribute
The Create Response Attribute page appears.
The details in the Attribute Fields are updated to match the specified attribute type.
Note: A list of automatically generated CA SiteMinder® user attributes that you can use in responses exists in SiteMinder Generated User Attributes.
Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.
Note: The maximum time limit that can be entered is 3600 seconds.
The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.
You can create responses that include variable objects by incorporating them in response attributes. Variable objects can be used in response attributes to include dynamic information evaluated during the authorization of a request.
Note: Variable objects included in responses are only evaluated during the authorization of a request and not during the authentication process. Responses that include variables are limited to authorization events.
Responses can contain any number of response attributes. Each response attribute contains one variable object. Like HTTP header and cookie variables, a CA SiteMinder® variable object is a name-value pair. CA SiteMinder® variable objects are different from HTTP header and cookie variables, however, in that the variable object name is used to look up the variable object value at runtime. Then, in the case of response attributes, the resulting name-value pair can be returned in an HTTP header or cookie variable.
A response can contain one or more response attributes whose values are determined by variable objects. Each response attribute contains one variable object. Each variable object is a name-value pair. The name of the variable object is used to look up the value of the variable object at runtime. CA SiteMinder® passes the resulting name-value pair to the Web Agent.
To configure a response attribute that contains a variable
The Create Response Attribute pane opens.
Note: When this field is required, CA SiteMinder® passes this name to the Web Agent in the form of a name-value pair.
Specify the value of the static variable in the Variable Value field.
Specify the name of the user attribute in the Attribute Name field.
Specify the DN of the user or user group in the DN Spec field and the name of the user attribute in the Attribute Name field.
(Optional) Click Lookup to search for and select one set of users or user group in a specified user directory.
(Optional) Select the Allow Nested Groups check box.
Specify the name of your library, the name of a library function. Optionally, specify the names of parameters in the Library Name, Function Name, and Parameters fields.
Note: Your library must be based on the SiteMinder Authorization API.
Click Lookup to select an existing variable object for the Variable field.
Specify the name of a session variable for which an administrator can retrieve the value.
Specify an expression that extracts a value from an attribute and stores it as a new session variable.
Note: CA SiteMinder® uses the information that you provide in the fields on the Attribute Fields section to determine the value that it passes to the Web Agent in the form of a name-value pair.
The response attribute is saved.
The User Lookup pane allows you to select one user directory and search a list of users and user groups in that directory, selecting one set of users or user group for inclusion in a response attribute.
To select users for inclusion in a response attribute
The Attribute Fields group box expands to include the DN Spec field.
The User Lookup pane opens.
The User Search pane opens.
Specify an attribute name and value in the fields on the Users/Groups dialog.
Specify a search expression in the Expression field on the Users/Groups dialog.
Note: You can click Reset to clear the search results.
The User Lookup pane reopens.
The Response Attribute pane reopens, and the set of users or user group is added to the DN Spec field in the Attribute Fields group box.
The Select Variable pane allows you to select one variable object from a list of existing variable objects.
To select a variable using variable lookup
The Select Variable pane opens.
The Create Response Attribute pane reopens, and the name of the variable object is displayed in the Variable field on the Attribute Fields group box.
Responses return values to a requesting Agent. The data returned to the Agent can be a fixed value, or it may change over time. When you use a CA SiteMinder® Agent to protect a resource, Agents can cache a value for fixed data, so that the value does not need to be recalculated each time the associated policy fires.
For example, a customer’s account number is a fixed value, while the customer’s account balance changes after each transaction. It would be more efficient to retrieve the account number once and then cache it. However, you probably want the balance to be recalculated at a regular interval to make sure the information is current.
Note: CA SiteMinder® does not cache RADIUS response attributes.
To configure response attribute caching
The associated response attributes are listed in the Attribute List group box.
The Modify Response Attribute pane opens.
The cache settings are saved.
You can edit all of the properties of a response, except the Agent Type. If you want to change the Agent Type, you must delete the response and create a new one.
Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.
Deleting a response removes the response from any policies with which it is associated.
It may take a short amount of time for all deleted objects to be removed from caches.
Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.
Copyright © 2013 CA.
All rights reserved.
|
|