Programming Guides › Programming Guide for C › Policy Management API

Policy Management API

This section contains the following topics:

Policy Management API Overview

CA SiteMinder® Federation

Policy Management API Data Structures

Exported Types

Structure of a Policy Application

Functions by Category in the Policy Management API

Function Declarations for the Policy Management API

Authentication Scheme Configuration

Policy Management API Overview

The Policy Management API lets you manipulate policy objects within a SiteMinder installation. Using the Policy Management API, you can perform most of the data manipulations that are provided by the Administrative UI. You can also develop your own custom interface to SiteMinder.

Note: Before you work with the Policy Management API, be sure that you are familiar with SiteMinder concepts.

Policy Management Setup

To use the Policy Management API

Install the Policy Server and the SiteMinder Software Development Kit on the same machine. In the Windows environment, the Policy Server is required for running Policy Management applications. In the UNIX environment, the Policy Server is required for both building and running Policy Management applications.
Note: You can build your Policy Management application without running the Policy Server services.
Use the Policy Server Management Console to configure the Policy Server so that it points to the policy store you want to access.
Run your Policy Management application on the machine where the Policy Server is installed and that has been configured to point to the policy store. The policy store can be on a different machine than the Policy Server.

To run your Policy Management application, you need the following files:

Windows platforms: SmPolicyApi45.dll

UNIX platforms: libsmpolicyapi45.so and libsmutilities.so, in the following location:

<siteminder_install_location>\Netegrity\SiteMinder\lib

Refer to the sample makefile before executing a UNIX build.

To build your policy application, include SmPolicyAPI45.h and link to the required shared libraries.

Windows platforms: Link to SmPolicyAPI45.lib, located in
<install_path>\sdk\lib\win32\
UNIX platforms: Link to the libraries libsmpolicyapi45.so and libsmutilities.so, located as described in the previous section.

Note: Before you build policy management applications for UNIX, you must install the SiteMinder SDK on the same machine as the Policy Server.

Object Retrieval Functions

These functions retrieve information about an object from the SiteMinder policy store.

If the return code indicates success, a linked list of objects that match the request is returned. In most cases, the API returns a single item that matches the unique object identifier. If a matching object is not found, the return code indicates failure and the returned linked list pointer points to NULL.

Object retrieval functions are prefixed with Sm_PolicyApi_Get. To find the function that retrieves information for a particular object, look in the table of functions for that object.

More Information:

Functions by Category in the Policy Management API

Object Creation Functions

To create a SiteMinder object, you must fill in the appropriate data structure and call the appropriate function with a properly initialized handle. If the call is successful:

The function returns Sm_PolicyApi_Success.
The object is added to the SiteMinder policy store.
The pszOid field in the corresponding object structure is set to the object identifier of the object.

Object creation functions are prefixed with either Sm_PolicyApi_Add or Sm_PolicyApi_Create.

More Information:

Functions by Category in the Policy Management API

Object Deletion Functions

These functions delete objects from the SiteMinder policy store. Only one object at a time can be deleted.

Object deletion functions are prefixed with Sm_PolicyApi_Delete or Sm_PolicyApi_Remove.

More Information:

Functions by Category in the Policy Management API

Object Associations

Some objects can be associated with or disassociated from one another-for example, Sm_PolicyApi_AddAdminToDomain() adds an administrator object to a domain, and Sm_PolicyApi_RemoveAdminFromDomain() removes an administrator object from a domain.

An "add-to" operation requires that both objects exist prior to the call and have an established association. After a "remove-from" operation, both objects still exist, but they are no longer associated with one other.

When you're looking for a function that associates or disassociates two objects, look in the category of the method that you are adding or removing. For example, the functions Sm_PolicyApi_AddAdminToDomain() and Sm_PolicyApi_RemoveAdminFromDomain() are both found in Administrator Functions.

Object Identifiers

With the introduction of nested realms, the unique identification of an object can no longer rely on a realm name. When a SiteMinder object is created, a unique object identifier (OID) is written in the pszOid field of the object's defining structure.

These functions do not return SiteMinder objects. Instead, they return an array of string pointers that contain the OIDs of SiteMinder objects. You pass in OIDs to SiteMinder Object Retrieval Functions (Sm_PolicyApi_Get...) to specify objects to retrieve.

The functions that return arrays of OIDs are:

Sm_PolicyApi_GetDomainObjects()
Sm_PolicyApi_GetGlobalObjects()
Sm_PolicyApi_GetUserDirSearchOrder()

Free the memory allocated by this group of functions by calling Sm_PolicyApi_FreeMemoryEx().

Directory Search Order Functions

The following functions help you retrieve and set the search order of user directories:

Sm_PolicyApi_GetUserDirSearchOrder() retrieves the object identifiers (OIDs) of user directory objects associated with the specified domain.
Sm_PolicyApi_SetUserDirSearchOrder() sets the search order of the user directories in a domain. The ordered list of OIDs is specified in the pszArray string array. The user directories in this array must match in OID and number (but not order) the list of user directory OIDs that were retrieved by a call to Sm_PolicyApi_GetUserDirSearchOrder().

Performance Enhancement

By performing either of the following actions, a custom Policy Management application can reduce the time it takes to update policy store objects:

Omit the Sm_PolicyApi_InitFlags_PreLoadCache flag in the call to Sm_PolicyApi_Init().
Introduce a very small time delay in the custom application to ensure adequate time for cache processing before exiting.

Memory, Cache, and Agent Key Management

The following functions free memory allocated by the Policy Management API:

Sm_PolicyApi_FreeMemory() and Sm_PolicyApi_FreeMemoryEx() free any of the linked list pointers that are returned by the API.
Sm_AgentApi_FreeServers() frees an array of server structures allocated by Sm_AgentApi_GetConfig().
Sm_PolicyApi_FreeString() frees memory allocated for a single string (for example, pszUseMsg and pszErrMsg strings).
Sm_PolicyApi_FreeStringArray() frees arrays of returned strings.

Another management command, Sm_PolicyApi_ManagementCommand(), performs cache and agent encryption key management, such as:

Flushing all caches
Flushing users cache
Flushing realms from the resource cache
Changing dynamic keys
Changing persistent keys

The type of management operation you want to perform is determined by the management command you pass to Sm_PolicyApi_ManagementCommand().

Object Scope

SiteMinder objects can be classified according to scope:

Domain objects are visible only within the domain. They cannot be shared between domains.
Global objects are visible across all domains. Global objects are sometimes called system objects.

The scope of SiteMinder objects is as follows:

Global objects include:
- Administrators
- Agent types
- Agents and agent groups
- Authentication schemes
- Authentication/authorization maps
- Certificate maps
- Domains
- ODBC query schemes
- Password policies
- Policies
- Registration schemes
- Responses
- Rules
- User directories
Domain objects include:
- Policies
- Realms
- Responses and response groups
- Response attributes
- Rules and rule groups
- User policies

CA SiteMinder® Federation

The federation APIs support the manipulation of policy store data related to Affiliate Domain objects, which can include Affiliates, Service Providers, and Resource Partners.

The CA SiteMinder® federation products support SAML 1.x, SAML 2.0, and WS-Federation profiles. Partners have the ability to exchange user profile information in a secure manner.

More Information:

Federation Functions

SAML 2.0 Configuration Functions

SAML Assertions

A SAML assertion includes:

Affiliate attributes, such as:
- User profile information from a user directory, such as a user’s email address or business title.
- User entitlements, such as the user’s credit limit at the affiliate site.
Session information (SAML 1.x assertions)—for example, whether the assertion producer and the consumer can maintain separate sessions.

Note: You can modify the default assertion that the Policy Server generates. You do so through a custom Java class that you create with the SiteMinder Java SDK.

SAML 1.x

SAML 1.x support lets a user access a consumer site directly or from an assertion producer site without having to supply credentials more than once.

When a user requests access to a protected resource at an affiliate site, the Policy Server at the producer site is notified. After authenticating the user (if the user has not yet been authenticated), the Policy Server generates a SAML assertion from the affiliate object associated with the consumer site.

An application at the affiliate site then retrieves the SAML assertion from the Policy Server, and uses the information for authorization purposes and any other required purpose.

For example, suppose a user logs into a site for a bank (the producer site). The producer includes Policy Server software. The Policy Server contains an affiliate object that represents a site offering credit card services, and also other affiliate objects that represent other sites affiliated with the bank. When a user is authenticated at the producer, the user can click the link for the credit-card site and access the site without having to re-enter his credentials.

SAML 1.x Pseudo-code Example

The pseudo-code in this section illustrates the following operations:

Initialize the API.
Add an affiliate domain.
Add a user directory to an affiliate domain.
Create an affiliate in an affiliate domain.
Add users to an affiliate.
Add an attribute to an affiliate.
Get an existing affiliate domain.
Get all the affiliates in an affiliate domain.
Get all the attributes in an affiliate.
Remove an affiliate domain.

Note: Comments using <> notation represent code omitted for ease of understanding. Return code checking is omitted for ease of understanding.

# 1. Initialize the API
use Netegrity::PolicyMgtAPI;
$policyapi = Netegrity::PolicyMgtAPI‑>New();
$session = $policyapi‑>CreateSession("adminid", "adminpwd");

# 2. Add an affiliate domain
$affdomain = $session‑>CreateAffDomain("name", "description");

# 3. Add a previously obtained user directory to the affiliate domain
# <Obtain $userdir via $session‑>GetAllUserDirs>
$affdomain‑>AddUserDir($userdir);

# 4. Create an affiliate in the affiliate domain
$affiliate = $affdomain‑>CreateAffiliate("affname", "password",
                                          http://authurl, 60, 30);

# 5. Add users from a previously obtained user table to the affiliate
# <Obtain $user via $userdir‑>GetContents>
$affdomain‑>AddUser($user);

# 6. Add an attribute for the affiliate
$affdomain‑>AddAttribute(1, "staticAttrName=StaticAttrValue");
# 7. Get an existing affiliate domain
$affiliate = $affdomain‑>GetAffiliate("affname");

# 8. Get all the affiliates in an affiliate domain
@affiliates = $affdomain‑>GetAllAffiliate();

# 9. Get all the attributes in an affiliate
@affiliateAttrs = $affiliate‑>GetAllAttributes();

# 10. Remove an affiliate domain
$session‑>DeleteAffDomain($affiliate);

SAML 2.0

With SAML 2.0, security assertions are shared between the following entities within a federation:

Identity Provider

An Identity Provider generates assertions for principals within a SAML 2.0 federation. The Identity Provider sends the SAML assertion to the Service Provider where the principal is attempting to access resources.

Service Provider

A Service Provider makes applications and other resources available to principals within a federation, using the identity information provided in an assertion. A principal is a user or another federation entity.

The Service Provider uses a SAML 2.0 authentication scheme to validate a user based on the information in a SAML 2.0 assertion.

Identity Providers and Service Providers can belong to a SAML affiliation. A SAML affiliation is a group of SAML entities that share a name identifier for a single principal.

Service Providers and Identity Providers can belong to an affiliation; however, an entity can belong to no more than one affiliation. Service Providers share the Name ID definition across the affiliation. Identity Providers share the user disambiguation properties across the affiliation.

Using affiliations reduces the configuration required at each Service Provider. Additionally, using one name ID for a principal saves storage space at the Identity Provider.

Single Sign-on Example

By sharing security assertions, a principal can log in at one site (the site acting as the Identity Provider), and then access resources at another site (the Service Provider) without explicitly supplying credentials at the second site.

For example:

The user is a home buyer who authenticates at a realtor’s web site.
Any authentication scheme can be used to authenticate the user.
While viewing real estate listings, the user notices a link to a bank with an attractive mortgage rate.
The user clicks the link.
At the realtor’s site, an entity acting as the Identity Provider packages the user’s information in a SAML assertion, then transports the assertion to the bank’s site using the SAML 2.0 POST binding.
At the bank’s site, an entity acting as the Service Provider uses the SAML 2.0 Authentication scheme associated with the Identity Provider to validate the user for the resources on the bank’s site.
This validation is transparent to the user.
If the user is successfully validated, the user is allowed on the bank’s site to view the rate information.

SAML 2.0 Pseudo-code Example

The pseudo-code in this section illustrates the following operations:

Initialize the API.
Retrieve the affiliate domain for the Service Provider.
Assign metadata constants to variables.
Assign values to the Service Provider metadata.
Create the Service Provider.
Retrieve users from the directory associated with the affiliate domain.
Add the users to the Service Provider.
Update the Service Provider's default skew time to 100.
Save the update.

Print the updated skew time.

# 1. Initialize the API
use Netegrity::PolicyMgtAPI;
$policyapi = Netegrity::PolicyMgtAPI‑>New();
$session = $policyapi‑>CreateSession("adminid", "adminpwd");

# 2. Retrieve the affiliate domain for the Service Provider
$affDom=$session‑>GetAffDomain("AffiliateDomain");

# 3. Assign metadata constants to variables
$SAML_NAME=SAML_NAME;
$SAML_SP_AUTHENTICATION_URL=SAML_SP_AUTHENTICATION_URL;
$SAML_KEY_SPID=SAML_KEY_SPID;
$SAML_SP_IDPID=SAML_SP_IDPID;
$SAML_AUDIENCE=SAML_AUDIENCE;
$SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL=
                           SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL;
$SAML_SP_NAMEID_ATTRNAME=SAML_SP_NAMEID_ATTRNAME;
$SAML_SKEWTIME=SAML_SKEWTIME;

# 4. Assign values to the Service Provider metadata
%hsh=($SAML_NAME=>'My Service Provider',
   $SAML_SP_AUTHENTICATION_URL=>
                             'http://www.mysite.com/redirect.jsp',
   $SAML_KEY_SPID=>'http://www.spprovider.com',
   $SAML_SP_IDPID=>'http://www.idpprovider.com',
   $SAML_AUDIENCE=>'SSOAudience',
   $SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL=>
                                 'http://www.defaultconsumer.com',
   $SAML_SP_NAMEID_ATTRNAME=>'attribute'
   );
# 5. Create the Service Provider
$sp=$affDom‑>CreateSAMLServiceProvider(\%hsh);

# 6. Retrieve users from the directory associated with the #    affiliate domain—in this case, users in the group HR
$userDir=$session‑>GetUserDir("MyNtDirectory");
$usr=$userDir‑>LookupEntry("HR");

# 7. Add the users to the Service Provider
$sp‑>AddUser($usr);

# 8. Update the Service Provider's default skewtime to 100
$sp‑>Property($SAML_SKEWTIME,"100");

# 9. Save the update
$sp‑>Save();

# 10. Print the updated skewtime
print "\n";
print $sp‑>Property($SAML_SKEWTIME);

SAML 2.0 Affiliations

A SAML 2.0 affiliation consists of Service Providers and Identity Providers that have a shared Name ID namespace. Identity Providers also share the user disambiguation properties across the affiliation.

A SAML 2.0 affiliation can have multiple Service Providers and Identity Providers. However, a Service Provider or Identity Provider can belong to no more than one SAML 2.0 affiliation.

Example:

The user is a home buyer who authenticates at a realtor's web site.
Any authentication scheme can be used to authenticate the user.
While viewing real estate listings, the user notices a link to a bank with an attractive mortgage rate.
The user clicks the link.
At the realtor's site, an entity acting as the Identity Provider packages the user's information in a SAML assertion, then transports the assertion to the bank's site using the SAML 2.0 POST binding.
At the bank's site, an entity acting as the Service Provider uses the SAML 2.0 Authentication scheme associated with the Identity Provider to validate the user for the resources on the bank's site.
This validation occurs transparently to the user.
If the user is successfully validated, the user is allowed on the bank's site to view the rate information.

SAML 2.0 Attribute Authority

SiteMinder supports authorization that uses the values of predetermined user attributes from a remote site as the basis for the authorization decision. The request contains no session information, because the user is not necessarily authenticated on the remote site.

For example, imagine a customer logs on to a car rental agency site to inquire about rates. The customer is authenticated by the agency, but to provide a competitive rate, the agency uses information from the customer's preferred airline. The car rental agency puts in a request to the airline's Web site to obtain the customer's quality code, which is based on the customer's accrued frequent flier miles. The airline returns the value of the quality code, for instance, 1A, and the car agency displays a customized rate sheet.

In this example, the car rental agency acts as what is know as the the SAML Requester, and the airline acts as what is known as a SAML Attribute Authority. Note that the customer is not authenticated by the Attribute Authority.

The Policy Server implements this kind of authorization decision by using variables within policy expressions. In the policy expressions, Federation Attribute Variables associate an attribute with a remote Attribute Authority. When the policy server attempts to resolve the Federation attribute variable, it determines the Attribute Authority from which to request the value of the attribute.

In the Policy Management API, the Sm_PolicyApi_SAMLRequesterAttr_t structure defines an attribute that can be requested by the SAML Requester. It specifies the actual name of the attribute known by the Attribute Authority, as well as a local name used in Federation attribute variables. The local name maps to a variable defined in the SAML 2.0 authentication scheme.

More Information:

Sm_PolicyApi_SAMLRequesterAttr_t

SAML 2.0 Attribute Authority Functions

SAML 2.0 Indexed Endpoints

When configuring single sign-on at the Identity Provider, you can configure more than one endpoint for the Assertion Consumer Service, the service that enables a Service Provider to consume a SAML assertion. Each endpoint you configure is assigned a unique index value, instead of a single, explicit reference to an Assertion Consumer Service URL.

The assigned index can be used as a part of a Service Provider request for an assertion that it sends to the Identity Provider. This enables you to have a different Assertion Consumer Service at the Service Provider for different protocol bindings (Artifact or POST).

In the Policy Management API, you can, for example, add a new Assertion Consumer Service to the Service Provider programmatically by calling the Sm_PolicyApi_AddAssertionConsumerServiceToSAMLSP() function as follows:

iSmApiRetCode = Sm_PolicyApi_AddAssertionConsumerServiceToSAMLSP (

pSmApiSessionHandle,
&structSAMLSPACS2,
pszOid);

Parameters:

pSmAPiSessionHandle is a pointer to a structure that holds information about the administrative session and the client session.
pstructSAMLSPACS2 is a pointer to Sm_PolicyApi_SAMLSPAssertionConsumerService_t. This structure specifes the index, binding, and Assertion Consumer Service URL.
pszOid is a pointer to a string containng the OID of the Service Provider.

In addition, the API includes a function to remove an Assertion Consumer Service and a function to retrieve all the Assertion Consumer Services defined in the Service Provider object. The C Policy Management API sample program, smpolicyapiexample.cpp, shows how these functions are implemented.

More Information:

SAML 2.0 Indexed Endpoint Functions

Sample Application for Affiliates

The C sample program smpolicyapi has been augmented for the affiliate functionality.

To run the affiliate portions

Install the SiteMinder Option Pack on the Policy Server
Define the Affiliate Policy Store objects in smpolicy.smdif and import the objects to the Policy Store.
Install the sample. This creates a sample user directory, which is used by the affiliate sample.

Three options have been added to the smpolicyapi program.

Do you wish to install Affiliate Sample Api? (Y/N):
Answering Y causes smpolicyapi to:
- Add an affiliate domain
- Add the sample user directory to the affiliate domain
- Add an affiliate to the affiliate domain
- Add users from the sample user directory to the affiliate
- Add an affiliate attribute to the affiliate
Do you wish to traverse affiliate domain? (Y/N):
Answering Y causes smpolicyapi to:
- Get the affiliate domain and print it.
- Get all user dir OIDs in the sample affiliate domain and print them
- Get all affiliate OIDs in the sample affiliate domain and print them
- Get all affiliates in the sample affiliate domain and print their properties
- Get all users in Affiliate and print them
- Get all attributes in Affiliate and print them
Do you wish to uninstall Affiliate Sample Api? (Y/N):
Answering Y causes smpolicyapi to delete the affiliate domain.

WS-Federation

The WS-Federation specification provides a protocol for how passive clients (such as Web browsers) implement the federation framework. ADFS is Microsoft's implementation of the WS-Federation Passive Requestor Profile.

Web SSO and Signout in the WS-Federation environment are implmented using Account Partners and Resource Partners. An Account Partner authenticates users, provides WS-Federation security tokens and passes them to a Resource Partner. The Resource Partner consumes security tokens and establishes a session based on the contents of the WS-Federation security token.

For SiteMinder to act as an Account Partner, an administrator must define the Resource Partner that will be consuming security tokens. This is done by defining a Resource Partner in an Affiliate domain. For SiteMinder to act as a Resource Partner, an administrator must define the Account Partner that is going to supply security tokens. This is done by defining a WS-Federation authentication scheme.

The C Policy Management API sample program, smpolicyapiexample.cpp, includes examples of how to define, list, and delete a Resource Partner, as well as define, list, and delete a WS-Federation authentication scheme.

More Information:

Sm_PolicyApi_WSFEDProviderProp_t

Sm_PolicyApi_WSFEDResourcePartner_t

WS-Federation Functions

Policy Management API Data Structures

Each data structure represents an entity in the SiteMinder policy store. The structures have a common format:

The first field in each structure denotes the type of the structure, so that it can be freed by the correct Policy Management API memory function. When the structure is used as an input parameter, the first field is ignored by the Policy Management API. When the structure is used for a return, the first field is set properly by the Policy Management API.
The last field of each structure is a pointer to the next item in a returned linked list. On input, this field is ignored, since the Policy Management API does not accept linked lists as input parameters. (If you supply a linked list as an input parameter, the function examines only the first item in the list.)

All the character arrays within the following structures are sized according to BFSIZE, which is set to 1024 characters. A 24-character TIMESIZE buffer is used for policy time restrictions.

Sm_PolicyApi_Admin_t

Defines a SiteMinder Administrator object.

Syntax

typedef struct Sm_PolicyApi_Admin_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   char pszPassword[BFSIZE];
   char pszUserDirOid[BFSIZE];
   char pszSchemeOid[BFSIZE];
   Sm_PolicyApi_AdminRights_t nRights;      /* Required */
   struct Sm_PolicyApi_Admin_s* next;
} Sm_PolicyApi_Admin_t;

Field	Description
iStructId	Administrator data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the administrator object.
pszName	Name of the administrator.
pszDesc	Brief description of the administrator.
pszPassword	This is required if the pszUserDirOid is not specified. The SiteMinder stores the password in its directory.
pszUserDirOid	Object identifier of the user directory if the administrator is stored in an external directory.
pszSchemeOid	Object identifier of the authentication scheme to use to authenticate the administrator. This is required if the pszUserDirOid is specified.
nRights	Rights of the administrator, as specified in Sm_PolicyApi_AdminRights_t.
next	Pointer to the next administrator structure.

Sm_PolicyApi_Affiliate_t

Represents an affiliate object.

Syntax

typedef struct Sm_PolicyApi_Affiliate_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char pszDesc[BFSIZE];
   char pszAffiliateDomainOid[BFSIZE];
   char pszPassword[BFSIZE];
   bool bIsEnabled;
   bool bAllowNotification;
   char pszAuthURL[BFSIZE];
   char pszAudience[BFSIZE];
   long nValidityDuration;
   bool bSharedSession;
   long nSyncInterval;
   long nSkewTime;
   long nStartTime;
   long nEndTime;
   unsigned char pszTimeGrid[TIMESIZE];
   Sm_PolicyApi_IPAddress_t *pIPAddress;
   struct Sm_PolicyApi_Affiliate_s* next;
   long nSAMLVersion;
   char pszAssertionPluginClass[BFSIZE];
   char pszAssertionPluginParameters[BFSIZE];
   Sm_PolicyApi_SAML_Profile_t SAMLProfile;
   char pszConsumerURL[BFSIZE];
} Sm_PolicyApi_Affiliate_t;

Field	Description
iStructId	Domain data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the affiliate object.
pszName	Name of the affiliate.
pszDesc	Brief description of the affiliate.
pszAffiliateDomain Oid	The object identifier of the affiliate domain object.
pszPassword	The password for the affiliate as a null terminated string.
bIsEnabled	Boolean indicating if the affiliate is enabled.
bAllowNotification	Boolean indicating if notifications are allowed for the affiliate.
pszAuthURL	The authentication URL for the affiliate.
pszAudience	A URI of the document that describes the terms and conditions of the agreement between the portal and the affiliate.
nValidityDuration	The amount of time, in seconds, that the assertion is valid.
bSharedSession	Boolean that enables the sharing of session information between the portal and the affiliate.
nSyncInterval	The frequency, in seconds, at which the affiliate contacts the portal to validate session status.
nSkewTime	The difference, in seconds, between the system clock time of the portal and the system clock time of the affiliate.
nStartTime	The time when the time restriction becomes effective. This value is stored in standard time_t format. Set nStartTime to 0 to start the time restriction immediately.
nEndTime	The time when the time restriction expires. This value is stored in standard time_t format. Set nEndTime to 0 to end the time restriction immediately.
pszTimeGrid	An array containing time restrictions for an entire week.
pIPAddress	IP address that user must use in order to gain access to the resources governed by the Policy.
next	Pointer to the next affiliate structure.
nSAMLVersion	One of the following SAML version constants: SM_POLICY_API_SAML_1_0 SM_POLICY_API_SAML_1_1 The SAML version has effect only if the Policy Management API's session version is at least SM_POLICY_API_VERSION_6_0_1.
pszAssertion PluginClass	The fully qualified class name of a custom assertion generator plug-in. The plug-in lets you customize the default assertion that SiteMinder generates for an affiliate. A plug-in class and parameter string are supported only if the Policy Management API's session version is at least SM_POLICY_API_VERSION_6_0_2. Custom assertion generator plug-ins are implemented with the Java SDK.
pszAssertion PluginParameters	The parameter string to pass to a custom assertion generator plug-in.
SAMLProfile	The type of profile used to send and receive SAML assertions. Defined in Sm_PolicyApi_SAML_Profile_t. Valid profiles: Sm_PolicyApi_SAML_Profile_Artifact. The SAML assertion is retrieved from a URL associated with the assertion producer. The URL is specified during configuration of the SAML Artifact authentication scheme. Sm_PolicyApi_SAML_Profile_POST. The generated SAML assertion is POSTed to the URL specified in pszConsumerURL. This profile is supported only if the Policy Management API's session version is at least SM_POLICY_API_VERSION_6_0_2.
pszConsumerURL	With a SAML POST profile, this field specifies the URL where the requesting user's browser must POST a generated assertion. The site associated with the URL validates the assertion and uses its contents to make access decisions.

Sm_PolicyApi_AffiliateAttr_t

Represents affiliate attributes. Used with affiliate methods to manipulate affiliate attributes.

Syntax

typedef struct Sm_PolicyApi_AffiliateAttr_s
{
   int iStructId;
   Sm_PolicyApi_AffiliateAttrType_t nAttrType;
   char pszValue[BFSIZE];
   struct Sm_PolicyApi_AffiliateAttr_s* next;
} Sm_PolicyApi_AffiliateAttr_t;

Field	Description
iStructId	Domain data structure ID, defined in Sm_PolicyApi_Structs_t.
nAttrType	An affiliate attribute type from Sm_PolicyApi_AffiliateAttrType_t.
pszValue	An affiliate attribute specification. The affiliate attribute's name and value, in one of these formats: Static attributes: variableName=value User attributes: variableName=<%userattr="AttrName"%> DN attributes: variableName=<#dn="DNSpec" attr="AttrName"#> To allow SiteMinder to retrieve DN attributes from a nested group, begin DNSpec with an exclamation mark ( ! )-for example: dn="!ou=People,o=security.com"
next	Pointer to the next Affiliate Attribute structure.

Sm_PolicyApi_AffiliateDomain_t

Represents an affiliate domain.

Syntax

typedef struct Sm_PolicyApi_Domain_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char pszDesc[BFSIZE];
   struct Sm_PolicyApi_Domain_s*   next;
} Sm_PolicyApi_Domain_t, Sm_PolicyApi_AffiliateDomain_t;

Field	Description
iStructId	Affiliate Domain data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Affiliate Domain.
pszName	Name of the Affiliate Domain.
pszDesc	Brief description of the Affiliate Domain.
next	Pointer to the next Affiliate Domain structure.

Sm_PolicyApi_Agent_t

Defines a SiteMinder Agent object.

Syntax

typedef struct Sm_PolicyApi_Agent_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                     /* Required */
   char pszDesc[BFSIZE];
   char pszIpAddr[BFSIZE];
   char pszSecret[BFSIZE];
   char pszAgentTypeOid[BFSIZE];             /* Required */
   int nRealmHintAttrId;                     /* Required */
   struct Sm_PolicyApi_Agent_s* next;
} Sm_PolicyApi_Agent_t;

Field	Description
iStructId	Agent data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the agent object.
pszName	Name of the agent. Agent names are converted to lower case when written to the policy store.
pszDesc	Brief description of the agent.
pszIpAddr	IP address of the server on which the agent resides.
pszSecret	A shared secret known to two parties for the purpose of establishing secure data exchange. If a shared secret is provided, the agent is considered to be a SiteMinder version 4.x agent. If a shared secret is not provided, the agent is considered to be a SiteMinder version 5.x or 6.0 agent.
pszAgentTypeOid	Type of agent.
nRealmHintAttrId	The hint attribute is a RADIUS attribute that is sent by the RADIUS client device.
next	Pointer to the next agent structure.

Sm_PolicyApi_AgentConfig_t

Defines an agent configuration object.

Syntax

typedef struct Sm_PolicyApi_AgentConfig_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   struct Sm_PolicyApi_AgentConfig_s* next;
} Sm_PolicyApi_AgentConfig_t;

Field	Description
iStructId	Data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the agent configuration object.
pszName	Name of the agent configuration.
pszDesc	Brief description of the agent configuration.
next	Pointer to the next agent configuration object structure.

Sm_PolicyApi_AgentType_t

Defines a SiteMinder Agent Type object.

Syntax

typedef struct Sm_PolicyApi_AgentType_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char pszDesc[BFSIZE];
   int nRfcId;
   int nAgentType;
   int nResourceType;
   int nAgentTypeSpecific;
   struct Sm_PolicyApi_AgentType_s* next;
} Sm_PolicyApi_AgentType_t;

Field	Description
iStructId	Agent Type data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Agent Type object.
pszName	Name of the Agent Type object.
pszDesc	Brief description of the Agent Type object.
nRfcId	The IETF Vendor ID, assigned by the Internet Assigned Numbers Authority (IANA). (Applies to RADIUS device only.)
nAgentType	Agent type: RADIUS (value=0) or Web Agent (value=1).
nResourceType	The resource type that the agent will protect. One of the following values: 0 = None 1 = URL 2 = IpAddr 3 = IpAddrRange 4 = AgentAuth 5 = Radius Authentication
nAgentTypeSpecific	The vendor-specific offset provided by the RADIUS vendor. (Applies to RADIUS device only.) Not a required field.
next	Pointer to the next Agent Type structure.

Sm_PolicyApi_AgentTypeAttr_t

Defines a SiteMinder Agent Type Attribute object.

Syntax

typedef struct Sm_PolicyApi_AgentTypeAttr_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char pszDesc[BFSIZE];
   char pszAgentTypeOid[BFSIZE];
   struct Sm_PolicyApi_AgentTypeAttr_s* next;
} Sm_PolicyApi_AgentTypeAttr_t;

Field	Description
iStructId	Agent Type Attribute data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Agent Type Attribute object.
pszName	Name of the Agent Type Attribute object.
pszDesc	Brief description of the Agent Type Attribute object.
pszAgentTypeOid	The object identifier of the Agent Type.
next	Pointer to the next Agent Type Attribute structure.

Sm_PolicyApi_Association_t

Defines a configuration parameter name and its associated value for an agent configuration object.

Syntax

typedef struct Sm_PolicyApi_Association_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char* pszValue;
   int iFlags;
   struct Sm_PolicyApi_Association_s* next;
} Sm_PolicyApi_Association_t;

Field	Description
iStructId	Data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the configuration parameter association object.
pszName	The name of the configuration parameter.
pszValue	The value of the configuration parameter.
iFlags	If 1, the name/value pair is stored in encrypted format. If 0, storage is in plain text.
next	Pointer to the next configuration parameter association structure.

Sm_PolicyApi_AuthAzMap_t

Defines a SiteMinder authentication and authorization mapping object.

Syntax

typedef struct Sm_PolicyApi_AuthAzMap_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszAuthDirOid[BFSIZE];              /* Required */
   char pszAuthDirName[BFSIZE];
   char pszAzDirOid[BFSIZE];                /* Required */
   char pszAzDirName[BFSIZE];
   Sm_PolicyApi_AuthAzMapType_t nMapType;   /* Required */
   struct Sm_PolicyApi_AuthAzMap_s *next;
} Sm_PolicyApi_AuthAzMap_t;

Field	Description
iStructId	Authentication and authorization mapping object data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the authentication and authorization mapping object.
pszAuthDirOid	The object identifier for the Authentication Directory.
pszAuthDirName	The name of the Authentication Directory.
pszAzDirOid	The object identifier for the Authorization Directory.
pszAzDirName	The name of the Authorization Directory.
nMapType	The type of mapping between an authentication directory and an authorization directory. The mapping can be based on a DN, a universal identifier, or on an attribute in the directory.
next	Pointer to the next authentication and authorization mapping structure.

Sm_PolicyApi_CertMap_t

Defines a SiteMinder certification mapping object.

Syntax

typedef struct Sm_PolicyApi_CertMap_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszDesc[BFSIZE];
   char pszUserDirOid[BFSIZE];              /* Required */
   char pszIssuerDN[BFSIZE];                /* Required */
   char pszCaDN[BFSIZE];
   char pszMapAttr[BFSIZE];
   Sm_PolicyApi_CertMapFlags_t nFlags;      /* Required */
   Sm_PolicyApi_CertMapAttrType_t nAttrType;
   Sm_PolicyApi_DirType_t nDirType;         /* Required */
   struct Sm_PolicyApi_CertMap_s *next;
} Sm_PolicyApi_CertMap_t;

Field	Description
iStructId	Certificate mapping data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the certificate mapping object.
pszDesc	Brief description of the certificate mapping object.
pszUserDirOid	Object identifier of the user directory.
pszIssuerDN	DN of the server certificate.
pszCaDN	DN of the issuing Certificate Authority.
pszMapAttr	You can perform single attribute mapping or custom mapping: Single Attribute Mapping The format of the attribute is: %{<attribute name>} <attribute name> is the name of the attribute, matching a single attribute from the subject DN of a user's certificate to a single attribute stored in the user directory to verify the user's identity. Custom Mapping Using custom mapping expressions for complex multiple attribute mapping, you can specify multiple user attributes that should be extracted from a user DN to establish a certificate mapping. The syntax for a custom mapping expression is a parsing specification designed to enable full mapping flexibility. It indicates which information to take from the certificate and where it should be applied to in the user directory. The basic syntax is: UserAttribute=%{CertificateAttribute}, UserAttribute2=%{CertificateAttribute}
nFlags	Set one or more of these flags: Sm_PolicyApi_CertMapFlags_CertRequired Sm_PolicyApi_CertMapFlags_UseDistributionPoints Sm_PolicyApi_CertMapFlags_VerifySignature Sm_PolicyApi_CertMapFlags_CRLCheck Sm_PolicyApi_CertMapFlags_Cache
nAttrType	This enumeration specifies how the X.509 client certificate maps to the user information in the authentication directory. Sm_PolicyApi_CertMapAttrType_Single = 1 Specify single attribute to make the Policy Server match a single attribute from the subject DN of a user's certificate to a single attribute stored in the user directory to verify the user's identity. Sm_PolicyApi_CertMapAttrType_Custom = 2 You can specify a custom mapping expression to verify the user's identity. Specify this attribute type if the mapping is based on a custom expression. Sm_PolicyApi_CertMapAttrType_Exact = 3 Specify exact attribute type to make the Policy Server match the user's entire DN from the certificate to the entire DN in the authentication directory.
nDirType	The type of directory used to authenticate users. One of these values: Sm_PolicyApi_DirType_LDAP = 1 Sm_PolicyApi_DirType_WinNT = 2 Sm_PolicyApi_DirType_ODBC = 3
next	Pointer to the next registration scheme structure.

Sm_PolicyApi_Domain_t

Defines a SiteMinder Domain object.

Syntax

typedef struct Sm_PolicyApi_Domain_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   struct Sm_PolicyApi_Domain_s* next;
   Sm_PolicyApi_DomainFlags_t iFlags;
} Sm_PolicyApi_Domain_t;

Field	Description
iStructId	Domain data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Domain object.
pszName	Name of the Domain.
pszDesc	Brief description of the Domain.
next	Pointer to the next domain structure.
iFlags	Flag to enable or disable global policies processing for the domain.

Sm_PolicyApi_Group_t

Defines a SiteMinder Group object. SiteMinder Groups are defined in the Sm_PolicyApi_Groups_t enumeration.

Syntax

typedef struct Sm_PolicyApi_Group_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                      /* Required */
   char pszDesc[BFSIZE];
   char pszAgentTypeOid[BFSIZE];              /* Required */
   struct Sm_PolicyApi_Group_s* next;
} Sm_PolicyApi_Group_t;

Field	Description
iStructId	Group data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Group object.
pszName	Name of the Group.
pszDesc	Brief description of the Group.
pszpszAgentTypeOid	Object identifier of the agent.
next	Pointer to the next Group structure.

Sm_PolicyApi_HostConfig_t

Defines a host configuration object.

Syntax

typedef struct Sm_PolicyApi_HostConfig_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   char pszIPAdress[BFSIZE];
   bool bEnableFailOver;
   int iMaxSocketsPerPort;
   int iMinSocketsPerPort;
   int iNewSocketStep;
   int iRequestTimeout;
   struct Sm_PolicyApi_HostConfig_s* next;
   Sm_PolicyApi_Server_t* pServer;
   Sm_PolicyApi_Server_t* pCluster;
   long nFailoverThreshold;
} Sm_PolicyApi_HostConfig_t;

Field	Description
iStructId	Data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the host configuration object.
pszName	The name of the host configuration.
pszDesc	Brief description of the host configuration.
pszIPAddr	The IP address of the host configuration object.
bEnableFailOver	Specifies whether an agent and the Policy Server should communicate through failover or round-robin. The parameter is applicable to non-cluster servers specified in the pServer parameter.
iMaxSocketsPerPort	The maximum number of TCP/IP sockets that can be opened between an agent and a particular Policy Server process.
iMinSocketsPerPort	The minimum number of TCP/IP sockets that should be opened between an agent and a particular Policy Server process.
iNewSocketStep	The incremental number of TCP/IP sockets that should be opened between an agent and a particular Policy Server process when demand increases.
iRequestTimeout	The length of time in seconds that an agent will wait for a response from the Policy Server.
next	Pointer to the next host configuration structure.
pServer	A linked list of Sm_PolicyApi_Server_t structures that describe TCP/IP connectivity information for a particular Policy Server installation.
pCluster	Pointer to an array of Sm_PolicyApi_Server_t structures. The array specifies cluster servers.
nFailoverThreshold	Specifies the failover threshold percent. The parameter is applicable to the cluster servers specified in pCluster.

Sm_PolicyApi_IPAddress_t

Defines an IP address restriction for an object-for example, you can define IP address restrictions that must be met for a policy to fire.

You can specify a single host IP address, a range of IP addresses, a host name, or a subnet mask.

Syntax

typedef struct Sm_PolicyApi_IPAddress_s
{
   int iStructId;
   Sm_PolicyApi_IPAddressType_t iIPAddressType;
   unsigned long nIPAddress;
   unsigned long nEndIPAddress;
   unsigned long nSubnetMask;
   char pszHostName[BFSIZE];
   struct Sm_PolicyApi_IPAddress_s *next;
} Sm_PolicyApi_IPAddress_t;

Field	Description
iStructId	IP address structure ID, defined in Sm_PolicyApi_Structs_t.
iIPAddressType	Type of IP address, as enumerated in Sm_PolicyApi_IPAddressType_t.
nIPAddress	Starting IP address.
nEndIPAddress	Ending IP address.
nSubnetMask	The subnet mask value is a number of bits. To arrive at this value, count the bits in the binary value of the address. For example, suppose the subnet mask is 255.255.255.128. The binary format is: 11111111 11111111 11111111 10000000 Counting from left to right, the number to pass in nSubnetMask would be 25.
pszHostName	Host name of the machine that a user must be using in order for a policy to fire.
next	Pointer to next IP Address structure.

Sm_PolicyApi_ManagementCommand_t

Defines a management command. Management commands enable an agent to retrieve information from the Policy Server.

Syntax

typedef struct Sm_PolicyApi_ManagementCommand_s
{
   Sm_PolicyApi_ManagementCommands_t iCommand;
   char pszData[BFSIZE];
} Sm_PolicyApi_ManagementCommand_t;

Field	Description
iCommand	Management command, as specified in Management Commands.
pszData	Reserved.

Sm_PolicyApi_ODBCQueryScheme_t

Defines a SiteMinder ODBC Query Scheme object.

Syntax

typedef struct Sm_PolicyApi_ODBCQueryScheme_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   char pszQueryEnumerate[BFSIZE];          /* Required */
   char pszQueryGetObjInfo[BFSIZE];         /* Required */
   char pszQueryLookup[BFSIZE];             /* Required */
   char pszQueryInitUser[BFSIZE];           /* Required */
   char pszQueryAuthenticateUser[BFSIZE];   /* Required */
   char pszQueryGetUserProp[BFSIZE];        /* Required */
   char pszQuerySetUserProp[BFSIZE];        /* Required */
   char pszQueryGetUserProps[BFSIZE];       /* Required */
   char pszQueryLookupUser[BFSIZE];         /* Required */
   char pszQueryGetGroups[BFSIZE];          /* Required */
   char pszQueryIsGroupMember[BFSIZE];      /* Required */
   char pszQueryGetGroupProp[BFSIZE];       /* Required */
   char pszQuerySetGroupProp[BFSIZE];       /* Required */
   char pszQueryGetGroupProps[BFSIZE];      /* Required */
   char pszQueryLookupGroup [BFSIZE];       /* Required */
   char pszQuerySetPassword [BFSIZE];       /* Required */
   struct Sm_PolicyApi_ODBCQueryScheme_s* next;
} Sm_PolicyApi_ODBCQueryScheme_t;

Field	Description
iStructId	ODBC Query Scheme data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the ODBC Query Scheme object.
pszName	Name of the ODBC Query Scheme.
pszDesc	Brief description of the ODBC Query Scheme.
pszQueryEnumerate	Query that lists the names of user objects in the directory.
pszQueryGetObjInfo	Query that fetches the class of the object.
pszQueryLookup	Query that returns objects based on an attribute specified in a group table.
pszQueryInitUser	Query that determines if a user with a given name exists in the database.
pszQueryAuthenticateUser	Query that retrieves a password from a user.
pszQueryGetUserProp	Query that retrieves the value of a user property. The property must be one of the properties listed with pszQueryGetUserProps.
pszQuerySetUserProp	Query that sets the value of a user property. The property must be one of the properties listed in pszQueryGetUserProps.
pszQueryGetUserProps	Query that returns a comma-separated list of user attributes that reside in the same table as the user name.
pszQueryLookupUser	Query that retrieves a user name using an attribute of the user table.
pszQueryGetGroups	Query that retrieves the names of the groups of which the user is a member.
pszQueryIsGroupMember	Query that identifies the group membership of a particular user.
pszQueryGetGroupProp	Query that returns the value of a property defined in pszQueryGetGroupProps
pszQuerySetGroupProp	Query that sets the value of a group property. The property must be one of the properties listed in pszQueryGetGroupProps.
pszQueryGetGroupProps	Query that returns a comma-separated list of group attributes.
pszQueryLookupGroup	Query that retrieves a group name using an attribute of the group table.
pszQuerySetPassword	Query that changes a user password.
next	Pointer to the next ODBC query scheme structure.

Sm_PolicyApi_Oid_t

Used by the following functions to retrieve a SiteMinder object collection:

Sm_PolicyApi_GetDomainObjects()
Sm_PolicyApi_GetChildren()
Sm_PolicyApi_GetGlobalObjects()
Sm_PolicyApi_GetGroupOids().

Syntax

typedef struct Sm_PolicyApi_Oid_s
{
   int iStructId;
   int iObjectId;
   char pszOid[BFSIZE];
   struct Sm_PolicyApi_Oid_s *next;
} Sm_PolicyApi_Oid_t;

Field	Description
iStructId	OID data structure ID, defined in Sm_PolicyApi_Structs_t.
iObjectId	The object type identifier (enumerated in Sm_PolicyApi_Objects_t).
pszOid	The unique object identifier.
next	Pointer to the next OID structure.

Sm_PolicyApi_PasswordMsgField_t

Describes a password policy message field. A password policy message field contains information about an error that occurred during a validation attempt for a new password.

A password policy message field is associated with a password policy message identifier. This identifier is returned in the nMsgId parameter of Sm_PolicyApi_GetPasswordMsg().

This structure is returned in the ppStructMsgField parameter of Sm_PolicyApi_GetPasswordMsg().

Syntax

typedef struct Sm_PolicyApi_PasswordMsgField_s
{
   int iStructId;
   Sm_PolicyApi_PasswordMsgFieldId_t nId;
   Sm_PolicyApi_FieldType_t nType;
   char pszMsg[BFSIZE];
   int nValue;
   struct Sm_PolicyApi_PasswordMsgField_s* next;
} Sm_PolicyApi_PasswordMsgField_t;

Field	Description
iStructId	Password policy data structure ID, defined in Sm_PolicyApi_Structs_t.
nId	The password message field identifier. Message field identifiers are enumerated in Sm_PolicyApi_PasswordMsgFieldId_t.
nType	The data type of the message field (integer, string, or none) as enumerated in Sm_PolicyApi_FieldType_t. The value of nType determines whether pszMsg or nValue is populated.
pszMsg	Text that provides information about the error.
nValue	Integer that provides information about the error.
next	Pointer to the next password message field structure.

Sm_PolicyApi_PasswordPolicy_t

Defines a SiteMinder password policy object.

Syntax

typedef struct Sm_PolicyApi_PasswordPolicy_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   bool bEntireDir;                         /* Required */
   bool bIsEnabled;                         /* Required */
   char pszUserDirectoryOid[BFSIZE];        /* Required */
   char pszPath[BFSIZE];                    /* Required */
   char pszClass[BFSIZE];                   /* Required */
   int nResolution;                         /* Required */
   int nLoginMaxFailures;                   /* Required */
   int nLoginMaxInactivity;                 /* Required */
   int nLoginInactivityWarn;
   int nLoginDaysGrace;                     /* Required */
   char pszDictionaryName[BFSIZE];
   int nDictionaryPartial;                  /* Required */
   int nExpirationDelay;                    /* Required */
   int nReenablement;                       /* Required */
   int nPasswordBehavior;                   /* Required */
   char pszPasswordServicesRedirect[BFSIZE];
   int nPWMaxLength;                        /* Required */
   int nPWMinLength;                        /* Required */
   int nPWMaxRepeatingChar;                 /* Required */
   int nPWMinAlphaNum;                      /* Required */
   int nPWMinAlpha;                         /* Required */
   int nPWMinNonAlpha;                      /* Required */
   int nPWMinNonPrintable;                  /* Required */
   int nPWMinNumbers;                       /* Required */
   int nPWMinPunctuation;                   /* Required */
   int nPWReuseCount;                       /* Required */
   int nPWReuseDelay;                       /* Required */
   int nPWPercentDifferent;                 /* Required */
   int nPWPercentSequence;                  /* Required */
   int nPWSpecialsLength;                   /* Required */
   struct Sm_PolicyApi_PasswordPolicy_s* next;
   int nPriority;                           /* Required */
   int nPWMinLowerAlpha;                    /* Required */
   int nPWMinUpperAlpha;                    /* Required */
   int nReserved1;
   int nReserved2;
   int nReserved3;
   int nReserved4[BFSIZE];
} Sm_PolicyApi_PasswordPolicy_t;

Field	Description
iStructId	Password policy data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the password policy object.
pszName	Name of the password policy.
pszDesc	Brief description of the password policy object.
bEntireDir	Flag: Set to true to apply the password policy to the entire LDAP directory.
bIsEnabled	Flag: Set to true to enable the password policy.
pszUserDirectoryOid	Object identifier of the user directory to which the password policy will apply.
pszPath	If bEntireDir is set to false, use this field to specify the users to whom the password policy applies. For example, values you can specify include: A complete user DN A complete DN of an organization or group containing the users to whom the password policy applies A search expression that represents the users to whom the password policy applies See nResolution for more information.
pszClass	If bEntireDir is set to false, use this field to specify the object class where the password policy applies. Specify the object class as understood by a particular user directory, such as organizationalUnit in LDAP or User in NT.
nResolution	A constant that shows how the password policy applies to the users specified in pszPath. For example: If pszPath is the path to a group, the following constant indicates that the password policy applies to the members of the group: Sm_PolicyResolution_UserGroup If pszPath is a search expression that searches for all groups containing a particular attribute, the following constant indicates that the password policy applies to the members of the matching groups: Sm_PolicyResolution_GroupProp Policy resolution constants are defined in Sm_PolicyResolution_t.
nLoginMaxFailures	Maximum number of failed login attempts a user can make before the user account is disabled.
nLoginMaxInactivity	Number of days of inactivity allowed before a user's password expires. The account is not disabled until the user tries to log in after the expiration.
nLoginInactivityWarn	Reserved.
nLoginDaysGrace	Number of days in advance to notify user that the password will expire.
pszDictionaryName	The location of a dictionary file that lists words that cannot be used in a password.
nDictionaryPartial	The minimum number of letters to qualify for dictionary checking. For example, set this field to 5 to avoid checking words of 4 or fewer characters. Set this field to 0 to reject only passwords that match a word in the dictionary exactly.
nExpirationDelay	Number of days of inactivity allowed before user account is disabled.
nReenablement	Specifies the number of minutes a user must wait before attempting to log in again or before the user's account is re-enabled. The condition that applies after the nReenablement time period is determined by the following flag (which is set through nPasswordBehavior): Sm_PasswordPolicyBehavior_ FullReenable
nPasswordBehavior	Bit mask flags expressing the behavior of the password policy, as defined in Sm_PasswordPolicyBehavior_t. You can also set recursive behavior for the password policy through the additional password behavior flag below. Use this flag to indicate that the password policy applies to the group specified in pszPath and to any groups nested within it: Sm_PolicyBehavior_Recursive_Yes All password behavior flags are defined in SmApi.h.
pszPasswordServices Redirect	The URL to which the user should be redirected when an invalid password is entered. This must be the URL of the Password Services CGI.
nPWMaxLength	The maximum length for user passwords.
nPWMinLength	Minimum length for user passwords.
nPWMaxRepeatingChar	Maximum number of identical characters that can appear consecutively in a password.
nPWMinAlphaNum	Minimum number of alphabetic or numeric characters (A-Z, a-z, or 0-9) that a password must contain. May be set in conjunction with PWMinAlpha or PWMinNumbers. For example, if PWMinAlphaNum and PWMinNumbers are set to 4, the password 1234 is valid.
nPWMinAlpha	Minimum number of alphabetic characters (A-Z, a-z) a password must contain.
nPWMinNonAlpha	Minimum number of non-alphanumeric characters a password must contain. These characters include punctuation marks and other symbols located on the keyboard, such as "@", "$", and "*."
nPWMinNonPrintable	Minimum number of non-printable characters that must be in a password. These characters cannot be displayed on a computer screen.
nPWMinNumbers	Minimum number of numeric characters (0-9) a password must contain.
nPWMinPunctuation	Minimum number of punctuation marks a password must contain. These characters include periods, commas, exclamation marks, slashes, hyphens, dashes, and other marks used for punctuation.
nPWReuseCount	Number of new passwords that must be used before an old one can be reused.
nPWReuseDelay	Number of days a user must wait before reusing a password.
nPWPercentDifferent	The percentage of characters a new password must contain that differ from characters in the previous password. If the value is set to 100, the new password may contain no characters that were in the previous password, unless nPWPercentSequence is set to 0.
nPWPercentSequence	Flag that indicates whether to ignore sequence (character position) when the different-from-previous-characters percentage is calculated. To ignore character position, set nPWPercentSequence to 1. This flag works in conjunction with nPWPercentDifferent. For examples of how this parameter works with nPWPercentDifferent, see Figure 31 on page 150.
nPWSpecialsLength	Specifies the minimum character sequence to check against the user's personal information. For example, if this value is set to 4, SiteMinder prohibits the use of any four consecutive characters found in the user's personal information, such as the four last digits of the user's telephone number. This field prevents a user from incorporating personal information in a password. SiteMinder checks the password against attributes in the user's directory entry.
next	Pointer to the next registration scheme structure.
nPriority	Priority of password policy, when multiple password policies apply. The value can be any integer, including a negative one. The higher number has priority over the lower number.
nPWMinLowerAlpha	Minimum number of lowercase alphabetic characters.
nPWMinUpperAlpha	Minimum number of uppercase alphabetic characters.

Sm_PolicyApi_Policy_t

Defines a SiteMinder Policy object.

Syntax

typedef struct Sm_PolicyApi_Policy_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   char pszActiveExpr[BFSIZE];
   bool bIsEnabled;                         /* Required */
   char pszDomainOid[BFSIZE];               /* Required */
   long nStartTime;
   long nEndTime;
   unsigned char   pszTimeGrid[TIMESIZE];
   Sm_PolicyApi_IPAddress_t *pIPAddress;
   struct Sm_PolicyApi_Policy_s* next;
   char pszVariableExpr[BFSIZE]
   Sm_PolicyApi_Oid_t* pVariableList;
} Sm_PolicyApi_Policy_t;

Field	Description
iStructId	Policy data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Policy object.
pszName	Name of the Policy.
pszDesc	Brief description of the Policy.
pszActiveExpr	Active expression associated with the policy. The expression is a string of variable definitions in the following format. The non-alphanumeric characters are required characters. For example: <@lib="LibName" func="FuncName" param="FuncParam"@> In the format example: LibName is the name of the shared library that supports the Active Policy. FuncName is the name of the actual function in the shared library that implements the Active Policy. FuncParam is an optional list of parameters to be passed to the function in the shared library.
bIsEnabled	Flag to enable or disable the policy.
pszDomainOid	The object identifier of the domain. Required for domain-specific policy; ignored for global policy.
nStartTime	The time when the time restriction becomes effective. This value is stored in standard time_t format. Set nStartTime to 0 to start the time restriction immediately.
nEndTime	The time when the time restriction expires. This value is stored in standard time_t format. Set nEndTime to 0 to end the time restriction immediately.
pszTimeGrid	An array containing time restrictions for an entire week.
pIPAddress	IP address that user must use in order to gain access to the resources governed by the Policy.
next	Pointer to the next Policy structure.
pszVariableExpr	Unique object identifier that corresponds to a variable type.
pVariableList	Linked list of variable OIDs used by this expression.

Time Grid Array

The time grid array (used with the field pszTimeGrid) holds time restrictions for an entire week. The array contains a one-byte element for every hour of the day, starting with 12 AM. In every byte, the seven days of the week are represented, beginning with Sunday as the lowest order bit. Bits that are set enable the policy to fire. A zero bit prevents the policy from firing on that day during the associated hour.

Examples:

To disable policy firing for the hour 12-1 AM on Saturdays and Sundays, the hexadecimal value for the entire grid is:
```
3E7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F
```
To fire the policy at all times, leave all bits set:
```
7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F
```
To restrict the policy from being fired all day Thursday, turn off the Thursday bit in all the hour elements:
```
6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F
```
To restrict the policy from being fired from 8 AM to 10AM on Tuesday, turn off the Tuesday bit in hours 8 AM and 9 AM:
```
7F7F7F7F7F7F7F7F7C7C7F7F7F7F7F7F7F7F7F7F7F7F7F7F
```

To fire between 8 AM and 8 PM on all days:

00000000000000007F7F7F7F7F7F7F7F7F7F7F7F00000000

Sm_PolicyApi_PolicyLink_t

Defines a SiteMinder Policy Link object.

Syntax

typedef struct Sm_PolicyApi_PolicyLink_s

{
   int iStructId;
   char pszOid[BFSIZE];
   char pszRuleOid[BFSIZE];                  /* Required */
   char pszResponseOid[BFSIZE];
   struct Sm_PolicyApi_PolicyLink_s* next;
} Sm_PolicyApi_PolicyLink_t;

Field	Description
iStructId	Policy Link data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Policy Link object.
pszRuleOid	Object identifier of the rule.
pszResponseOid	Object identifier of the response.
next	Pointer to the next Policy Link structure.

Sm_PolicyApi_Realm_t

Sm_PolicyApi_Realm_t type defines a SiteMinder Realm object.

Syntax

typedef struct Sm_PolicyApi_Realm_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                     /* Required */
   char pszDesc[BFSIZE];
   char pszResourceFilter[BFSIZE];
   char pszAgentOid[BFSIZE];                 /* Required */
   char pszSchemeOid[BFSIZE];                /* Required */
   char pszParentRealmOid[BFSIZE];           /* Required */
   char pszDomainOid[BFSIZE];                /* Required */
   char pszAzUserDirOid[BFSIZE];             /* Required */
   char pszRegSchemeOid[BFSIZE];             /* Required */
   bool bProcessAuthEvents;                  /* Required */
   bool bProcessAzEvents;                    /* Required */
   bool bProtectAll;                         /* Required */
   int nMaxTimeout;                          /* Required */
   int nIdleTimeout;                         /* Required */
   bool bSyncAudit;                          /* Required */
   struct Sm_PolicyApi_Realm_s* next;
} Sm_PolicyApi_Realm_t;

Field	Description
iStructId	Realm data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Realm object.
pszName	Name of the realm.
pszDesc	Brief description of the realm.
pszResourceFilter	Path for the resource filter.
pszAgentOid	Object identifier of the agent or agent group associated with the realm.
pszSchemeOid	Object identifier of the authentication scheme associated with the realm.
pszParentRealmOid	Object identifier of the parent realm under which this realm will be added. If the realm being added is the top realm in the realm hierarchy, set this field to the domain OID. Otherwise, set it to the parent realm OID.
pszDomainOid	Object identifier of the domain.
bProcessAuthEvents	Boolean to trigger this rule in an event of authentication attempts. Authentication event processing affects performance. If no rules in the realm are triggered by authentication events, set this field to false.
bProcessAzEvents	Boolean to trigger this rule in an event of authorization attempts. Authorization event processing affects performance. If no rules in the realm are triggered by authorization events, set this field to false.
bProtectAll	Boolean to protect all the resources contained in the new realm.
nMaxTimeout	Maximum amount of time a user can access the protected resources in the realm before they must re-authenticate.
nIdleTimeout	Amount of time a user can remain authenticated for the protected resources in the realm without interacting with the resources before they must re-authenticate.
bSyncAudit	Boolean to enable synchronous auditing. When enabled, users cannot access resources within a realm until their activity has been successfully recorded in the audit logs of both the Policy Server and the Web Agent.
pszAzUserDirOid	OID of the directory against which users accessing resources in this realm will be authorized.
pszRegSchemeOid	OID of the registration scheme that will be used to register new users accessing resources in this realm.
next	Pointer to the next realm structure.

Sm_PolicyApi_RegistrationScheme_t

Defines a SiteMinder registration scheme object.

Syntax

typedef struct Sm_PolicyApi_RegistrationScheme_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                     /* Required */
   char pszDesc[BFSIZE];
   char pszUserDirOid[BFSIZE];               /* Required */
   char pszWelcomePageURL[BFSIZE];
   char pszTemplatePath[BFSIZE];
   bool bEnableLogging;                      /* Required */
   struct Sm_PolicyApi_RegistrationScheme_s* next;
} Sm_PolicyApi_RegistrationScheme_t;

Field	Description
iStructId	Registration scheme data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the registration scheme object.
pszName	Name of the registration scheme.
pszDesc	Brief description of the registration scheme.
pszUserDirOid	Object identifier of the LDAP user directory in which user information is stored.
pszWelcomePageURL	Location of the form used to welcome users who registered and who have been successfully authenticated.
pszTemplatePath	Location of a registration template.
bEnableLogging	Flag to indicate whether to log registration information. Set this flag to true to enable logging.
next	Pointer to the next registration scheme structure.

Sm_PolicyApi_RegularExpression_t

Defines a regular expression.

Syntax

typedef struct Sm_PolicyApi_RegularExpression_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char ExpressionDef[BFSIZE];
   bool matchExpression;
   struct Sm_PolicyApi_RegularExpression_s *next;
} Sm_PolicyApi_RegularExpression_t;

Field	Description
iStructId	Regular expression structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the regular expression object.
pszName	Name of the regular expression.
ExpressionDef	Definition of the regular expression.
matchExpression	1 if password must match this expression. 0 if password must not match this expression.
next	Pointer to the next regular expression structure.

Sm_PolicyApi_Response_t

Defines a SiteMinder Response object.

Syntax

typedef struct Sm_PolicyApi_Response_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                     /* Required */
   char pszDesc[BFSIZE];
   char pszAgentTypeOid[BFSIZE];             /* Required */
   char pszDomainOid[BFSIZE];                /* Required */
   struct Sm_PolicyApi_Response_s* next;
} Sm_PolicyApi_Response_t;

Field	Description
iStructId	Response data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Response object.
pszName	Name of the Response.
pszDesc	Brief description of the Response.
pszAgentTypeOid	The object identifier of the agent type.
pszDomainOid	The object identifier of the domain. Required for a domain-specific response; ignored for a global response.
next	Pointer to the next Response structure.

Sm_PolicyApi_ResponseAttr_t

Defines a SiteMinder Response attribute object.

Syntax

typedef struct Sm_PolicyApi_ResponseAttr_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszAgentTypeAttrOid [BFSIZE];        /* Required */
   char pszValue[BFSIZE];
   int iTTL;                                 /* Required */
   int iFlags;
   struct Sm_PolicyApi_ResponseAttr_s* next;
   char pszActiveExpr[BFSIZE];
   Sm_PolicyApi_Oid_t* pVariableList;
} Sm_PolicyApi_ResponseAttr_t;

Field	Description
iStructId	Response Attribute data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the Response Attribute object.
pszAgentTypeAttrOid	The object identifier of the agent type attribute.
pszValue	A response attribute type, as described in Response Attribute Types.
iTTL	Amount of time (in seconds) that can elapse before the value of the response attribute is recalculated.
iFlags	Reserved.
next	Pointer to the next Response Attribute structure.
pszActiveExpr	Active expression associated with the response attribute. For information, see the bullet "Active Response" in the section Response Attribute Types.
pVariableList	Linked list of variable OIDs used by the active expression.

Response Attribute Types

The field pszValue contains one of the following response attribute types:

Note: The non-alphanumeric characters in the formats below are required characters.

Static. A string that is part of a SiteMinder response. The string has the following format:
```
variable-name=variable-value
```
In the format example:
- variable-name is the name for the name/value pair that this response attribute will return to the Web Agent.
- variable-value is the static text that will be returned as the second half of the name/value pair.
User Attribute. A string containing profile information from a user's entry in a user directory. The string has the following format:
```
User-Attr-variable-name=<%userattr="user-attr-name"%>
```
In the format example:
- User-Attr-variable-name is the name for the name/value pair that this response attribute will return to the Web Agent.
- user-attr-name is a user attribute that can be retrieved from an LDAP, WinNT, or ODBC user directory.
DN Attribute. A string containing profile information from a directory object in an LDAP or ODBC user directory. The string has the following format:
```
DN-Variable-Name=<#dn="DN-Spec" attr="DN-Attribute-Name"#>
```
In the format example:
- DN-Variable-Name is the name for the name/value pair that this response attribute will return to the Web Agent.
- DN-Spec is the distinguished name of the user group from which you want to retrieve the user attribute.
- DN-Attribute-Name is an attribute associated with an LDAP or ODBC directory object to which the user is related, such as a group or an organizational unit (OU).
Active Response. An active expression associated with the Response Attribute. The expression is a string of variable definitions in the following format:
```
Name=<@lib="LibName" func="FuncName" param="Param"@>
```
In the format example:
- Name is the name of the variable (with WebAgent-HTTP-Header-Variable response attributes) or cookie (with WebAgent-HTTP-Cookie-Variable response attributes) associated with the name/value pairs in the active expression.
- LibName is the name of the shared library that supports the Active Response.
- FuncName is the name of the actual function in the shared library that implements the Active Response.
- Param is an optional list of parameters to be passed to the function in the shared library.
Note: For information about configuring active expressions in responses, rules, or policies, see Policy Design.

Sm_PolicyApi_Rule_t

Defines a SiteMinder Rule object.

Syntax

typedef struct Sm_PolicyApi_Rule_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                     /* Required */
   char pszDesc[BFSIZE];
   char pszRealmOid[BFSIZE];                 /* Required */
   char pszAction[BFSIZE];                   /* Required */
   char pszResource[2*BFSIZE];
   bool bAllowAccess;                        /* Required */
   bool bRegularExpression;                  /* Required */
   char pszActiveExpr[BFSIZE];
   bool bIsEnabled;                          /* Required */
   long nStartTime;
   long nEndTime;
   unsigned char   pszTimeGrid[TIMESIZE];
   struct Sm_PolicyApi_Rule_s* next;
   char pszAgentOid[BFSIZE];                 /* Required */
} Sm_PolicyApi_Rule_t;

Field	Description
iStructId	Rule data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the rule object.
pszName	Name of the Rule.
pszDesc	Brief description of the rule.
pszRealmOid	Object identifier of the Realm associated with the rule. Required for a domain-specific rule; ignored for a global rule.
pszAction	The type of action the rule is executing. The supported Web Agent Actions consist of the following HTTP operations: Get, Put, and Post.
pszResource	Resource protected by the rule.
bAllowAccess	Flag to allow or deny access to the resource protected by the rule.
bRegularExpression	Flag to perform regular expression pattern matching. Regular expressions are text patterns used for string matching.
pszActiveExpr	Active expression associated with the rule. The expression is a string of variable definitions in the following format: The non-alphanumeric characters are required characters .For example: <@lib="LibName" func="FuncName" param="FuncParam"@> In the format example: LibName is the name of the shared library that supports the Active Rule. FuncName is the name of the actual function in the shared library that implements the Active Rule. FuncParam is an optional list of parameters to be passed to the function in the shared library.
dbIsEnabled	Flag to enable or disable the rule.
nStartTime	The time when the time restriction becomes effective. This value is stored in standard time_t format. Set nStartTime to 0 to start the time restriction immediately.
nEndTime	The time when the time restriction expires. This value is stored in standard time_t format. Set nEndTime to 0 to end the time restriction immediately.
pszTimeGrid	An array containing time restrictions for an entire week.
next	Pointer to the next rule structure.
pszAgentOid	Object identifier of agent or agent group associated with the global rule.

Sm_PolicyApi_SAMLAffiliation_t

Defines a SAML 2.0 affiliation object. A SAML 2.0 affiliation is a set of entities that share a single federated namespace of unique Name IDs for principals.

Syntax

typedef struct Sm_PolicyApi_SAMLAffiliation_s
{
   int iStructId;
   Sm_PolicyApi_SAMLProviderProp_t *pProps;
   struct Sm_PolicyApi_SAMLAffiliation_s *next;
} Sm_PolicyApi_SAMLAffiliation_t;

Field	Description
iStructId	SAML affiliation structure ID, defined in Sm_PolicyApi_Structs_t.
pProps	SAML 2.0 metadata properties associated with the affiliation. If you do not assign a value to a property associated with a default value, the default will be assigned.
next	Pointer to the next SAML affiliation structure.

Field

Description

iStructId

SAML affiliation structure ID, defined in Sm_PolicyApi_Structs_t.

pProps

SAML 2.0 metadata properties associated with the affiliation.

If you do not assign a value to a property associated with a default value, the default will be assigned.

next

Pointer to the next SAML affiliation structure.

Sm_PolicyApi_SAMLProviderProp_t

Defines a SAML 2.0 metadata property as a name/value pair.

An Sm_PolicyApi_SAMLProviderProp_t structure consists of a single name/value pair. You define a set of properties for a given SAML 2.0 object through a linked list of Sm_PolicyApi_SAMLProviderProp_t structures.

Use the following structures and function to define a set of properties for a SAML 2.0 Service Provider, affiliation, or authentication scheme and associated Identity Provider:

Sm_PolicyApi_SAMLSP_t
Sm_PolicyApi_SAMLAffiliation_t
Sm_PolicyApi_AddSAMLScheme()

Syntax

typedef struct Sm_PolicyApi_SAMLProviderProp_s
{
   int iStructId;
   char pszName[BFSIZE];
   char pszValue[BFSIZE];
   struct Sm_PolicyApi_SAMLProviderProp_s *next;
} Sm_PolicyApi_SAMLProviderProp_t;

Field	Description
iStructId	SAML 2.0 properties structure ID, defined in Sm_PolicyApi_Structs_t.
pszName	The property name. See Property Lists for a list of valid property names.
pszValue	The value to assign to pszName.
next	Pointer to the next SAML 2.0 properties structure.

Example

The following is an example of a helper method that creates an instance of Sm_PolicyApi_SAMLProviderProp_t and assigns it the name/value pair that is passed into it:

Sm_PolicyApi_SAMLProviderProp_t * CreateSAMLProp(
                                         const char *pszName,
                                         const char *pszValue)
{
   Sm_PolicyApi_SAMLProviderProp_t * pProp = new
                                Sm_PolicyApi_SAMLProviderProp_t;
   memset(pProp, 0, sizeof(Sm_PolicyApi_SAMLProviderProp_t));
   pProp->iStructId = Sm_PolicyApi_SAMLProviderProp_ID;
   strncpy(pProp->pszName, pszName, BFSIZE);
   strncpy(pProp->pszValue, pszValue, BFSIZE);
   return pProp;
}

The following is an example of a helper method that retrieves the value of the property whose name is passed into it:

char * FindSAMLParam(const Sm_PolicyApi_SAMLSP_t *pStructSP,
                     const char *pszName)
{
   for(Sm_PolicyApi_SAMLProviderProp_t *pCurProp=pStructSP->pProps;
       pCurProp != NULL;
       pCurProp = pCurProp->next)
   {
       if (0 == strcmp(pCurProp->pszName, pszName))
      {
          return pCurProp->pszValue;
      }
   }

   return NULL;
}

Property Lists

Each Sm_PolicyApi_SAMLProviderProp_t structure contains a SAML 2.0 metadata property defined as a name/value pair. A complete set of properties for a particular SAML 2.0 object is defined as a linked list of Sm_PolicyApi_SAMLProviderProp_t structures.

The following metadata properties apply to a given type of SAML 2.0 object:

Service Provider Properties
SAML Affiliation Properties
SAML 2.0 Authentication Scheme Properties

Note: Some properties are used with multiple object types.

Service Provider Properties

A Service Provider object contains information that an Identity Provider needs to produce assertions for the Service Provider. Service Provider properties are stored within an Sm_PolicyApi_SAMLSP_t structure.

The properties of a SAML 2.0 Service Provider object are listed following.

Property Name	Comments

General Properties
SAML_NAME	String, required.
SAML_DESCRIPTION	String.
SAML_SP_AUTHENTICATION_URL	String, required.
SAML_ENABLED	Boolean. Default: SAML_TRUE.
SAML_SP_DOMAIN	String, required.
Name IDs Tab
SAML_SP_NAMEID_FORMAT	String. Default: Unspecified.
SAML_SP_NAMEID_TYPE	Integer. Default: 1.
SAML_SP_NAMEID_STATIC	String. Required conditionally.
SAML_SP_NAMEID_ATTRNAME	String. Required conditionally.
SAML_SP_NAMEID_DNSPEC	String. Required conditionally.
SAML_AFFILIATION	String.
SAML_KEY_SPID	String, required.
	String, required.
SAML_MAJOR_VERSION	Integer. Default: 2.
SAML_MINOR_VERSION	Integer. Default: 0.
SAML_SKEWTIME	Integer. Default: 30.
SAML_DISABLE_SIGNATURE_ PROCESSING	Boolean. Default: SAML_FALSE.
SAML_DSIG_VERINFO_ISSUER_DN	String. Required conditionally.
SAML_DSIG_VERINFO_SERIAL_NUMBER	String. Required conditionally.
SSO Properties
SAML_AUDIENCE	String, required.
SAML_SP_ASSERTION_CONSUMER_ DEFAULT_URL	String, required.
SAML_ENABLE_SSO_ARTIFACT_ BINDING	Boolean. Default: SAML_FALSE.
SAML_SP_ARTIFACT_ENCODING	String. Default: FORM. Applies if no value is provided and SAML_ENABLE_SSO_ ARTIFACT_BINDING is SAML_TRUE.
SAML_SP_IDP_SOURCEID	String. Default: A hex-encoded SHA-1 hash of the SAML_SP_IDPID value.
SAML_SP_PASSWORD	String. Required conditionally (see page 34).
SAML_ENABLE_SSO_POST_BINDING	Boolean. Default: SAML_FALSE.
SAML_SSOECPPROFILE	Boolean. Default: SAML_FALSE.
SAML_SP_REQUIRE_SIGNED_ AUTHNREQUESTS	Boolean. Default: SAML_FALSE.
SAML_SP_AUTHENTICATION_LEVEL	Integer. Default: 5.
SAML_SP_AUTHN_CONTEXT_CLASS_REF	String. Default: urn:oasis:names:tc:SAML: 2.0:ac:classes:Password
SAML_SP_VALIDITY_DURATION	Integer. Default: 60.
SAML_SP_STARTTIME	Long.
SAML_SP_ENDTIME	Long.
SLO Properties
SAML_SLO_REDIRECT_BINDING	Boolean. Default: SAML_FALSE.
SAML_SLO_SERVICE_VALIDITY_ DURATION	Integer. Default: 60. Applies if no value is provided and SAML_SLO_REDIRECT_BINDING is SAML_TRUE.
SAML_SLO_SERVICE_URL	String. Required conditionally.
SAML_SLO_SERVICE_RESPONSE_URL	String.
SAML_SLO_SERVICE_CONFIRM_URL	String.
IPD Properties
SAML_SP_ENABLE_IPD	Boolean. Default: SAML_FALSE.
SAML_SP_IPD_SERVICE_URL	String. Required conditionally.
SAML_SP_COMMON_DOMAIN	String. Required conditionally.
SAML_SP_PERSISTENT_COOKIE	Boolean. Default: SAML_FALSE.
Encryption Properties
SAML_SP_ENCRYPT_ID	Boolean. Default: SAML_FALSE.
SAML_SP_ENCRYPT_ASSERTION	Boolean. Default: SAML_FALSE.
SAML_SP_ENCRYPT_BLOCK_ALGO	String. Default: tripledes.
SAML_SP_ENCRYPT_KEY_ALGO	String. Default: rsa-v15.
SAML_SP_ENCRYPT_CERT_ISSUER_DN	String. Required conditionally.
SAML_SP_ENCRYPT_CERT_SERIAL_ NUMBER	String. Required conditionally.
Attribute Service Properties
SAML_SP_ATTRSVS_ENABLE	Boolean. Default: False (0).
SAML_SP_ATTRSVS_VALIDITY_DURATION	Integer. Default: 60 (seconds)
SAML_SP_ATTRSVS_SIGN_ASSERTION	Boolean. Default: False (0).
SAML_SP_ATTRSVS_LDAP_SEARCH_SPEC	String.
SAML_SP_ATTRSVS_ODBC_SEARCH_SPEC	String.
SAML_SP_ATTRSVS_WINNT_SEARCH_SPEC	String.
SAML_SP_ATTRSVS_CUSTOM_SEARCH_SPEC	String.
SAML_SP_ATTRSVS_AD_SEARCH_SPEC	String.
Advanced Properties
SAML_SP_PLUGIN_CLASS	String.
SAML_SP_PLUGIN_PARAMS	String.

SAML Affiliation Properties

The properties of a SAML 2.0 affiliation object are listed below. Properties are grouped according to the way they are presented on the SAML Affiliation Properties dialog box.

SAML affiliation properties are stored within an Sm_PolicyApi_SAMLAffiliation_t structure.

Property Name	Comments

General Properties
SAML_NAME	String, required.
SAML_DESCRIPTION	String
SAML_KEY_AFFILIATION_ID	String, required.
SAML_MAJOR_VERSION	Integer. Default: 2.
SAML_MINOR_VERSION	Integer. Default: 0.
SAML_OID	String. SiteMinder supplies the object identifier when an affiliation object is created.
Name IDs Tab
SAML_SP_NAMEID_FORMAT	String. Default: Unspecified.
SAML_SP_NAMEID_TYPE	Integer. Default: 1.
SAML_SP_NAMEID_STATIC	String. Required conditionally.
SAML_SP_NAMEID_ATTRNAME	String. Required conditionally.
SAML_SP_NAMEID_DNSPEC	String. Required conditionally.
Users Tab
SAML_IDP_XPATH	String.
SAML_IDP_LDAP_SEARCH_SPEC	String.
SAML_IDP_ODBC_SEARCH_SPEC	String.
SAML_IDP_WINNT_SEARCH_SPEC	String.
SAML_IDP_CUSTOM_SEARCH_SPEC	String.
SAML_IDP_AD_SEARCH_SPEC	String.

SAML 2.0 Authentication Scheme Properties

The properties listed in this section define:

Authentication schemes based on the SAML 2.0 Template.
Metadata properties of the associated Identity Provider. The properties are stored with the authentication scheme.

You define a SAML 2.0 authentication scheme to represent an Identity Provider for a particular Service Provider.

The properties of a SAML 2.0 authentication scheme and its associated Identity Provider are listed below. Properties are grouped according to the way they are presented on the SAML Authentication Scheme Properties dialog box for the SAML 2.0 Template.

You define properties for a SAML 2.0 authentication scheme and its associated Identity Provider by calling Sm_PolicyApi_AddSAMLScheme().

Property Name	Comments

General Properties
SAML_NAME	String, required.
SAML_DESCRIPTION	String
Scheme Setup Tab
SAML_IDP_SPID	String, required.
SAML_KEY_IDPID	String, required.
SAML_MAJOR_VERSION	Integer. Default: 2.
SAML_MINOR_VERSION	Integer. Default: 0.
SAML_SKEWTIME	Integer. Default: 30.
SAML_DISABLE_SIGNATURE_ PROCESSING	Boolean. Default: SAML_FALSE.
SAML_DSIG_VERINFO_ISSUER_DN	String. Required conditionally (see page 9).
SAML_DSIG_VERINFO_SERIAL_NUMBER	String. Required conditionally (see page 10).
Additional Configuration - Users Tab
SAML_IDP_XPATH	String.
SAML_IDP_LDAP_SEARCH_SPEC	String.
SAML_IDP_ODBC_SEARCH_SPEC	String.
SAML_IDP_WINNT_SEARCH_SPEC	String.
SAML_IDP_CUSTOM_SEARCH_SPEC	String.
SAML_IDP_AD_SEARCH_SPEC	String.
SAML_AFFILIATION	String.
Additional Configuration - SSO Tab
SAML_IDP_SSO_REDIRECT_MODE	Integer. Default: 0.
SAML_IDP_SSO_DEFAULT_SERVICE	String, required.
SAML_AUDIENCE	String, required.
SAML_IDP_SSO_TARGET	String.
SAML_ENABLE_SSO_ARTIFACT_ BINDING	Boolean. Default: SAML_FALSE.
SAML_KEY_IDP_SOURCEID	String. Default: A hex-encoded SHA-1 hash of the SAML_KEY_IDPID value.
SAML_IDP_ARTIFACT_RESOLUTION_ DEFAULT_SERVICE	String. Required conditionally (see page 12).
SAML_IDP_BACKCHANNEL_AUTH_TYPE	Integer. Default: 0.
SAML_IDP_SPNAME	String. Required conditionally (see page 19).
SAML_IDP_PASSWORD	String. Required conditionally (see page 14).
SAML_ENABLE_SSO_POST_BINDING	Boolean. Default: SAML_FALSE.
SAML_IDP_SSO_ENFORCE_SINGLE_ USE_POLICY	Boolean. Default: SAML_TRUE.
SAML_SSOECPPROFILE	Boolean. Default: SAML_FALSE.
SAML_IDP_SIGN_AUTHNREQUESTS	Boolean. Default: SAML_FALSE.
Additional Configuration - SLO Tab
SAML_SLO_REDIRECT_BINDING	Boolean. Default: SAML_FALSE.
SAML_SLO_SERVICE_VALIDITY_ DURATION	Integer. Default: 60. Applies if no value is provided and SAML_SLO_REDIRECT_BINDING is SAML_TRUE.
SAML_SLO_SERVICE_URL	String. Required conditionally.
SAML_SLO_SERVICE_RESPONSE_URL	String.
SAML_SLO_SERVICE_CONFIRM_URL	String.
Additional Configuration - Encryption Tab
SAML_IDP_REQUIRE_ENCRYPTED_ ASSERTION	Boolean. Default: SAML_FALSE.
SAML_IDP_REQUIRE_ENCRYPTED_ NAMEID	Boolean. Default: SAML_FALSE.
Additional Configuration - Attributes Tab
SAML_IDP_SAMLREQ_ENABLE	Boolean. Default: False (0).
SAML_IDP_SAMLREQ_REQUIRE_SIGNED_ ASSERTION	Boolean. Default: False (0).
SAML_IDP_SAMLREQ_ATTRIBUTE_SERVICE	String.
Additional Configuration - NameID tab
SAML_IDP_SAMLREQ_NAMEID_FORMAT	String.
SAML_IDP_SAMLREQ_NAMEID_TYPE	Integer. Default: 1 (User Attribute)
SAML_IDP_SAMLREQ_NAMEID_STATIC	String.
SAML_IDP_SAMLREQ_NAMEID_ATTR_NAME	String.
SAML_IDP_SAMLREQ_NAMEID_DN_SPEC	String.
SAML_IDP_SAMLREQ_NAMEID_ALLOW_ NESTED	Boolean. Deafult: False (0).
Additional Configuration - Advanced Tab
SAML_SP_PLUGIN_CLASS	String.
SAML_SP_PLUGIN_PARAMS	String.
SAML_IDP_REDIRECT_URL_USER_ NOT_FOUND	String.
SAML_IDP_REDIRECT_MODE_USER_ NOT_FOUND	Integer. Default: 0.
SAML_IDP_REDIRECT_URL_FAILURE	String.
SAML_IDP_REDIRECT_MODE_FAILURE	Integer. Default: 0.
SAML_IDP_REDIRECT_URL_INVALID	String.
SAML_IDP_REDIRECT_MODE_INVALID	Integer. Default: 0.

More Information:

Property Reference

Sm_PolicyApi_SAMLRequesterAttr_t

Defines an attribute that can be requested by a SAML Requester in an AttributeQuery message.

Syntax

typedef struct Sm_PolicyApi_SAMLRequesterAttr_s
{
   int iStructId;
   Sm_PolicyApi_SAMLSPAttrNameFormat_t nAttrNameFormat;
   char pszLocalName[BFSIZE];
   char pszName[BUFSIZE];
   struct Sm_PolicyApi_SAMLRequesterAttr_s* next;
} Sm_PolicyApi_SAMLRequesterAttr_t;

Field	Description
iStructId	SAML attribute structure ID, defined in Sm_PolicyApi_Structs_t.
nAttrNameFormat	The format of the attribute name, as defined by the SAML 2.0 standard.
pszLocalName	Name of the attribute as defined in the SAML 2.0 authentication scheme.
pszName	Actual name of the attribute requested from the Attribute Authority.
next	Pointer to the next requester attribute structure.

Sm_PolicyApi_SAMLSP_t

Defines a SAML 2.0 Service Provider object for an Identity Provider.

A Service Provider offers services (such as access to applications and other resources) to principals within a federation.

Syntax

typedef struct Sm_PolicyApi_SAMLSP_s
{
   int iStructId;
   Sm_PolicyApi_SAMLProviderProp_t *pProps;
   Sm_PolicyApi_IPAddress_t *pIPAddress;
   unsigned char   pszTimeGrid[TIMESIZE];
   struct Sm_PolicyApi_SAMLSP_s *next;
} Sm_PolicyApi_SAMLSP_t;

Field	Description
iStructId	SAML Service Provider structure ID, defined in Sm_PolicyApi_Structs_t.
pProps	SAML 2.0 metadata properties associated with the Service Provider. If you do not assign a value to a property associated with a default value, the default will be assigned.
pIPAddress	The Service Provider's IP address.
pszTimeGrid	An array containing time restrictions for an entire week.
next	Pointer to the next Service Provider structure.

Sm_PolicyApi_SAMLSPAssertionConsumerService_t

Defines a structure that supports the Assertion Consumer Service.

Syntax

typedef struct Sm_PolicyApi_SAMLSPAssertionConsumerService_s
{
   int iStructId;
   int iIndex;
   Sm_PolicyApi_SAMLSPACSBinding_t nACSBinding;
   char pszAssertionConsumerURL[BFSIZE};
   bool bIsDefault;
   struct Sm_PolicyApi_SAMLSPAssertionConsumerService_s* next;
} Sm_PolicyApi_SAMLSPAsserttionConsumer_t;

Field	Description
iStructId	SAML Assertion Consumer Service ID, defined in Sm_PolicyApi_Structs_t.
iIndex	Index value assigned to this Assertion Consumer Service. The value must be 0 or a positive integer.
nACSBinding	One of the following bindings associated with the Assertion Consumer Service: Sm_PolicyApi_SAMLSP_HTTP_Post Sm_PolicyApi_SAMLSP_HTTP_Artifact Sm_PolicyApi_SAMLSP_PAOS
pszAssertionConsumer- URL	Location of the Assertion Consumer Service. In the case of the HTTP-Artifact binding, this is the URL that contains a SAML artifact and target as query parameters, which are used by the credential collector to obtain the SAML assertion and redirect the user to the target. In the case of the HTTP-Post binding, it is the destination site URL to which the user's browser must POST a generated assertion.
bIsDefault	Specifies whether this Assertion Consumer Service is the default.
next	Pointer to the defintion of the next Assertion Consumer Service.

Sm_PolicyApi_SAMLSPAttr_t

Defines an attribute of a principal for a particular SAML 2.0 Service Provider.

Syntax

typedef struct Sm_PolicyApi_SAMLSPAttr_s
{
   int iStructId;
   Sm_PolicyApi_SAMLSPAttrNameFormat_t nAttrNameFormat;
   char pszValue[BFSIZE];
   bool bEncrypted;
   struct Sm_PolicyApi_SAMLSPAttr_s* next;
   Sm_PolicyApi_SAMLSPAttrMode_t  nMode;
} Sm_PolicyApi_SAMLSPAttr_t;

Field	Description
iStructId	SAML attribute structure ID, defined in Sm_PolicyApi_Structs_t.
nAttrNameFormat	The format of the attribute name, as defined by the SAML 2.0 standard.
pszValue	The attribute's name and value, in one of these formats: Static attributes: variableName=value User attributes: variableName=<%userattr="AttrName"%> DN attributes: variablName=<#dn="DNSpec" attr="AttrName"#> To allow SiteMinder to retrieve DN attributes from a nested group, begin DNSpec with an exclamation mark ( ! ). For example: dn="!ou=People,o=security.com"
bEncrypted	Specifies whether the attribute is encrypted.
next	Pointer to the next attribute structure.
nMode	One of the three following uses of an attribute: Sm_PolicyApi_SAMLSP_SSO_Only = 0 Sm_PolicyApi_SAMLSP_Atribute_Only = 1 Sm_PolicyApi_SAMLSP_Both = 2

Sm_PolicyApi_Scheme_t

Defines a SiteMinder authentication scheme object.

Syntax

typedef struct Sm_PolicyApi_Scheme_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                    /* Required */
   char pszDesc[BFSIZE];
   int nLevel;                              /* Required */
   char pszLib[BFSIZE];
   char pszParam[BFSIZE];
   char pszSecret[BFSIZE];
   bool bIsTemplate;
   bool bIsUsedbyAdmin;
   Sm_Api_SchemeType_t nType;               /* Required */
   bool bAllowSaveCreds;                    /* Required */
   bool bIsRadius;                          /* Required */
   bool bIgnorePwCheck;                     /* Required */
   struct Sm_PolicyApi_Scheme_s* next;
} Sm_PolicyApi_Scheme_t;

Field	Description
iStructId	Authentication scheme data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the authentication scheme object.
pszName	Name of the authentication scheme.
pszDesc	Brief description of the authentication scheme.
nLevel	The protection level of the authentication scheme. The level may vary from 1 through 1000. The higher the number, the more secure is the scheme. With Anonymous authentication schemes, set this value to 0.
pszLib	The name of the shared library that implements the custom authentication scheme.
pszParam	Information that is passed on to the custom authentication scheme.
pszSecret	A shared secret known to two parties for the purpose of establishing secure data exchange. This information is passed on to the custom authentication scheme.
bIsTemplate	Flag to indicate whether the authentication scheme is a template. Note: Setting an authentication scheme as a template with the C Policy Management API is deprecated in SDK v6.0 SP3.
bIsUsedbyAdmin	Flag to indicate if the custom authentication scheme can be used to authenticate administrators.
nType	The type of the authentication scheme, defined in Sm_Api_SchemeType_t.
bAllowSaveCreds	Flag to allow user credentials to be saved.
bIsRadius	Flag to indicate if the scheme is of type Radius.
bIgnorePwCheck	If this flag is set to true, password policies for the authentication scheme will be disabled.
next	Pointer to the next Scheme structure.

Sm_PolicyApi_SharedSecretPolicy_t

Defines a shared secret policy.

In the Administrative UI, a shared secret policy is defined in the Shared Secret Rollover tab of the Key Management dialog box.

Syntax

typedef struct Sm_PolicyApi_SharedSecretPolicy_s
{
   int iStructID;
   bool bIsEnabled;
   int iRolloverPeriod;
   int iRolloverFrequency;
} Sm_PolicyApi_SharedSecretPolicy_t;

Field	Description
iStructID	Authentication scheme data structure ID, defined in Sm_PolicyApi_Structs_t.
bIsEnabled	Is shared secret rollover enabled?
iRolloverPeriod	The unit of time (hourly, daily, weekly, monthly) that is used with iRolloverFrequency to determine how often the shared secret is automatically changed (for example, every 3 days, every 2 months, etc.). Valid values are specified in Sm_PolicyApi_SecretRolloverPeriod_t.
iRolloverFrequency	Specifies the number of iRolloverPeriod units between rollovers.

Sm_PolicyApi_Server_t

Defines TCP/IP connectivity information for a Policy Server.

Syntax

typedef struct Sm_PolicyApi_Server_s
{
   int iStructId;
   char pszIpAddr[BFSIZE];                 /* Required */
   long nPort[3];
   long nClusterSeq;
   struct Sm_PolicyApi_Server_s* next;
} Sm_PolicyApi_Server_t;

Field	Description
iStructId	Policy server structure ID, defined in Sm_PolicyApi_Structs_t.
pszIpAddr	The TCP/IP address of a Policy Server.
nPort	Prior to v6.0 of SiteMinder, this is an array of TCP/IP ports for Accounting, Authentication, and Authorization services. Beginning with SiteMinder v6.0, only the Policy Server port needs to be specified.
nClusterSeq	The cluster sequence number for this server. For a non-cluster server, omit the parameter. For a cluster server, specify the cluster sequence number, starting from one. Specifying a sequence number that is equal to an existing sequence number will result in an error.
next	Pointer to the next server structure.

Sm_PolicyApi_TrustedHost_t

Defines a trusted host object.

Syntax

typedef struct Sm_PolicyApi_TrustedHost_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char pszDesc[BFSIZE];
   char pszIPAddr[BFSIZE];
   char pszSecret[BFSIZE];
   bool bIs4xHost;
   struct Sm_PolicyApi_TrustedHost_s* next;
   bool bRolloverEnabled;
} Sm_PolicyApi_TrustedHost_t;

Field	Description
iStructId	Data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the trusted host object.
pszName	The trusted host name.
pszDesc	Brief description of the trusted host.
pszIPAddr	The IP address of the trusted host.
pszSecret	The shared secret of the trusted host.
bIs4xHost	Internal use only.
next	Pointer to the next trusted host structure.
bRolloverEnabled	Indicates whether or not shared secret rollover is enabled for this trusted host.

Sm_PolicyApi_User_t

Defines a SiteMinder User object.

Syntax

typedef struct Sm_PolicyApi_User_s
{
   int iStructId;
   char pszUserPolicyOid[BFSIZE];            /* Required */
   char pszUserDirOid[BFSIZE];               /* Required */
   char pszPath[BFSIZE];                     /* Required */
   char pszClass[BFSIZE];                    /* Required */
   Sm_PolicyResolution_t nPolicyResolution;  /* Required */
   int nFlags;                               /* Required */
   struct Sm_PolicyApi_User_s* next;
} Sm_PolicyApi_User_t;

Field	Description
iStructId	User data structure ID, defined in Sm_PolicyApi_Structs_t.
pszUserPolicyOid	The object identifier of the user policy.
pszUserDirOid	The object identifier of the user directory
pszPath	User's distinguished name (DN).
pszClass	The object class as understood by a user directory, such as organizationalUnit in LDAP or User in NT.
nPolicyResolution	The relationship between two policy objects. Policy resolutions are enumerated in Sm_PolicyResolution_t.
nFlags	A bitmask using the bits defined in Policy Flags.
next	Pointer to the next User structure.

Sm_PolicyApi_UserContext_t

Makes user context information available to callers of the Policy Management API.

Syntax

typedef struct Sm_PolicyApi_UserContext_s
{
   int iStructId;
   Sm_Api_UserContext_t *pUserContext;
   struct Sm_PolicyApi_UserContext_s* next;
} Sm_PolicyApi_UserContext_t;

Field	Description
iStructId	User data structure ID, defined in Sm_PolicyApi_Structs_t.
pUserContext	Pointer to the user context information.
next	This field is always set to null.

More Information:

Sm_PolicyApi_GetTrustedHostByName()

Sm_PolicyApi_UserDir_t

Defines a SiteMinder user directory object.

Syntax

typedef struct Sm_PolicyApi_UserDir_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];                     /* Required */
   char pszDesc[BFSIZE];
   char pszNamespace[BFSIZE];                /* Required */
   char pszServer[BFSIZE];                   /* Required */
   char pszSearchRoot[BFSIZE];
   char pszUserLookupStart[BFSIZE];
   char pszUserLookupEnd[BFSIZE];
   char pszUsername[BFSIZE];
   char pszPassword[BFSIZE];
   int nSearchResults;                       /* Required */
   int nSearchScope;                         /* Required */
   int nSearchTimeout;                       /* Required */
   bool bSecureConnection;                   /* Required */
   bool bRequireCredentials;                 /* Required */
   char pszDisabledAttr[BFSIZE];
   char pszUniversalIDAttr[BFSIZE];
   char pszODBCQuerySchemeOid[BFSIZE];
   char pszAnonymousId[BFSIZE];
   char pszPasswordData[BFSIZE];
   char pszPasswordAttribute[BFSIZE];
   char pszEmailAddressAttr[BFSIZE];
   char pszChallengeRespAttr[BFSIZE];
   struct Sm_PolicyApi_UserDir_s* next;
} Sm_PolicyApi_UserDir_t;

Field	Description
iStructId	User directory data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The object identifier of the user directory object.
pszName	Name of the user directory.
pszDesc	Brief description of the user directory.
pszNamespace	Mandatory field that designates the specific directory service being connected to (for example, LDAP:, ODBC:, WinNT:, AD:, or Custom:).
pszServer	Mandatory field. This is an overloaded field whose contents depend upon the namespace: ODBC - Data source name. NT - Domain name. LDAP or AD - An IP address or an IP address and port number in the format IP_address:port_number. The port number 389 is assumed if no port number is specified. Custom - Library name.
pszSearchRoot	One of the following values: With LDAP directories, the location in the LDAP tree that serves as the starting point for the directory connection-typically, an organization (o) or organizational unit (ou). The Policy Server begins searching at the root when locating a user. With custom directories, any parameters to pass to the custom library.
pszUserLookupStart	The User DN Lookup Start allows users to authenticate by entering only a part of the user name, without having to enter an entire DN string. Identifying unique and non-unique segments of the user DN string does this. Use this field with LDAP directories only.
pszUserLookupEnd	The User DN Lookup End allows users to authenticate by entering only a part of the user name, without having to enter an entire whole DN string. Use this field with LDAP directories only.
pszUsername	The user name needed to access a user directory.
pszPassword	The password needed to access a user directory.
nSearchResults	The maximum number of records that can be returned from a search of an LDAP or custom directory.
nSearchScope	The extent to which SiteMinder looks for users and user groups below pszSearchRoot in an LDAP directory - all levels below the root (subtree) or just one level below the root. Specify 1 for one level down or 2 for subtree.
nSearchTimeout	The maximum amount of time, in seconds, that SiteMinder will query an LDAP or custom directory.
bSecureConnection	This flag must be enabled when accessing an LDAP or custom directory over SSL. Enabling Secure Connect means that SiteMinder performs secure authentication and encrypted transmissions.
bRequireCredentials	Flag to specify credentials necessary to authenticate against a user directory
pszDisabledAttr	Name of the user directory attribute that SiteMinder uses to keep track of a user's enabled or disabled state. Applies to LDAP and ODBC directories, and possibly to custom directories.
pszUniversalIDAttr	Name of the user directory attribute that has been designated as the Universal ID. Typically, the Universal ID differs from the user's login ID, and the Universal ID is used to look up user information. Applies to LDAP, ODBC, and WinNT directories, and possibly to custom directories.
pszODBCQuerySchemeOid	The object identifier for a set of ODBC queries that SiteMinder uses to query the ODBC directory.
pszAnonymousId	Name of the user directory attribute that is designated as the anonymous user DN. This DN is defined in the anonymous authentication scheme. Anonymous users impersonate this DN to gain access to the resources associated with the anonymous authentication scheme. Applies to LDAP directories, and possibly to custom directories.
pszPasswordData	Name of the user directory attribute that SiteMinder uses to store password policy information. Applies to LDAP and ODBC directories, and possibly to custom directories.
pszPasswordAttribute	Name of the user directory attribute that contains the user's password, as defined using Password Services. Applies to LDAP and ODBC directories, and possibly to custom directories.
pszEmailAddressAttr	Reserved for future use.
pszChallengeRespAttr	Name of the user directory attribute that contains a response to return to the user, such as a hint for a forgotten password. Applies to LDAP directories, and possibly to custom directories.
next	Pointer to the next directory structure.

Remarks

Fields apply to all types of directories (LDAP, ODBC, WinNT, and custom) unless individual directory types are specified.

Fields that apply to LDAP directories also apply to Active Directories.

Sm_PolicyApi_UserPasswordState_t

Information regarding all PasswordState virtual attributes is returned using the SmPolicyApi_UserPasswordState_t structure. This structure coexists with a User object, which is restricted by the UserDirectory OID and a User DN string. The structure can be retrieved, created, or updated through the C Policy Management API.

Syntax

typedef struct Sm_PolicyApi_UserPasswordState_s
{
   int iLoginFailures;
   time_t tLastLogin;
   time_t tPrevLogin;
   time_t tDisabled;
   time_t tLastPWChange;
} Sm_PolicyApi_UserPasswordState_t;

Field	Description
iLoginFailures	Specifies how many times the user has failed to log in since the last successful login.
tLastLogin	Specifies the last time the user successfully logged in.
tPrevLogin	Specifies the second-to-last time the user successfully logged in.
tDisabled	Specifies the time the user was disabled.
tLastPWChange	Specifies the last time the user changed his password. If this value updates the user directory setting for the last time the password was changed, and the password is reset outside of SiteMinder, the password policy preventing password reuse may not work as expected. The value 0 may be returned in this field in the following cases: The user begins the procedure to change his password but does not complete it. Password history is cleared through a call to Sm_PolicyApi_SetUserPasswordState().

Sm_PolicyApi_Variable_t

Defines a variable object that can be used in a variable expression for a policy or a response. Variable objects are managed by the Variable Functions.

A variable is a dynamic object that is resolved to a value during an authorization request. The variables appear within an active expression defined for a policy or a response.

Variables are used as follows:

With policies, variables are used as authorization constraints. When a user requests access to a resource, and the resource contains an active expression that includes one or more variables, the variables are resolved to values that pertain to the user. The values are then evaluated and used in the decision on whether to authorize the user.
For example, suppose a policy that protects a bank's credit card application form contains an active expression with a Credit Rating variable and a Salary variable. When a user attempts to access the form, the user is authorized only if his credit rating and salary meet or exceed the minimum values for these variables.
With responses, variables are used as return values. For example, a response attribute might be configured to return a transaction's tracking number obtained from a remote Web Service.

Syntax

typedef struct Sm_PolicyApi_Variable_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char pszDesc[BFSIZE];
   char pszVariableTypeOid[BFSIZE];
   char pszDefinition[BFSIZE];
   char pszMetaData[BFSIZE];
   int nReturnType;
   bool bPreFetchFlag;
   char pszDomainOid[BFSIZE];
   Sm_PolicyApi_Oid_t* pNestedVariableList;
   struct Sm_PolicyApi_Variable_s*   next;
} Sm_PolicyApi_Variable_t;

Field	Description
iStructId	Data structure ID, defined in Sm_PolicyApi_Structs_t.
pszOid	The unique object ID of the variable object.
pszName	The user-defined name of the variable object.
pszDesc	Optional text describing the variable object.
pszVariableTypeOid	The unique object ID of the variable type.
pszDefinition	Information needed to obtain the value of the variable at runtime.
pszMetaData	Reserved for use by the optional CA TransactionMinder product.
nReturnType	The data type of the variable value: Sm_PolicyApi_VarReturnTypes_Boolean Sm_PolicyApi_VarReturnTypes_Number Sm_PolicyApi_VarReturnTypes_String Sm_PolicyApi_VarReturnTypes_Date
bPreFetchFlag	Not currently used.
pszDomainOid	The unique object ID of the associated domain.
pNestedVariableList	A linked list of nested variable OIDs that are part of the definition of this variable.
next	Pointer to the next variable object structure.

Variable Definition

You define a variable by specifying where the variable's value can be found. You do so through the pszDefinition field.

The value of this field can be a simple string or a set of XML elements, depending on the variable type. Here are the SiteMinder variable types and a description of the pszDefinition field for each type:

Post
The pszDefinition field contains the name of a field on an HTML form. In a POST action, the variable value is derived from the value assigned to the field.
RequestContext
The pszDefinition field contains the following XML code:
```
<RequestContextVariableDef>
   <ItemName></ItemName>
</RequestContextVariableDef>
```
The variable value depends upon which of the following attribute names appears within the ItemName element:
- Action. With this item name, the variable value is the type of action specified in the request (for example, GET or POST).
- Resource. With this item name, the variable value is the target resource (for example, /directory_name/).
- Server. With this item name, the variable value is the full server name specified in the request (for example, server.company.com).
Static
The pszDefinition field contains the actual value that will be compared against the user-supplied data at runtime. For example, a Static variable of return type Sm_PolicyApi_VarReturnTypes_Date might be assigned the string value 2004-01-01. During authorization, this assigned date is compared against a user-supplied date.
UserContext
The pszDefinition field contains some or all of the following XML code:
```
<UserContextVariableDef>
   <ItemName></ItemName>
   <PropertyName></PropertyName>
   <DN></DN>
   <BufferSize></BufferSize>
</UserContextVariableDef>
```
The variable value is based on an attribute of a user directory connection (such as session ID) or on the contents of the user directory (such as user name). The name of the attribute upon which the variable value is based appears in the XML element ItemName.

The ItemName element can contain one of the following values:
- DirectoryEntryProperty
- DirectoryNameSpace
- DirectoryPath
- DirectoryServer
- IsUserContext
- SessionId
- UserPath
- UserProperty
- UserName
The elements PropertyName, DN, and BufferSize are only used as follows:
- When ItemName contains DirectoryEntryProperty, elements PropertyName, DN, and BufferSize are used.
- When ItemName contains UserProperty, elements PropertyName and BufferSize are used.

WebService

The pszDefinition field contains the following basic XML structure:

<WebServiceVariableDefn xmlns:NeteWS=
                       "http://www.netegrity.com/2003/SM6.0";>
   <NeteWS:RemoteURL></NeteWS:RemoteURL>
   <NeteWS:SSL/>
      <NeteWS:RemoteMethod></NeteWS:RemoteMethod>
      <NeteWS:ResultQuery></NeteWS:ResultQuery>
      <NeteWS:AuthCredentials>
         <NeteWS:Username></NeteWS:Username>
         <NeteWS:Password></NeteWS:Password>
         <NeteWS:Hash></NeteWS:Hash>
      </NeteWS:AuthCredentials>
      <NeteWS:Document>
         <SOAP:Envelope xmlns:SOAP=
                 "http://schemas.xmlsoap.org/soap/envelope/";>
            <SOAP:Header></SOAP:Header>
            <SOAP:Body></SOAP:Body>
         </SOAP:Envelope>
      </NeteWS:Document>
</WebServiceVariableDefn>

To retrieve a variable value from a Web Service, the Policy Server sends the Web Service a SOAP request document as specified in pszDefinition, and then extracts the variable value from the SOAP response.

The following table describes the XML elements used to configure a WebService variable:

Element	Description
RemoteURL	The URL to the Web Service that will resolve the WebService variable.
SSL	Specifies that the connection between the Policy Server and the Web Service should use SSL.
RemoteMethod	Set this element to POST.
ResultQuery	The return query, in XPath format. The Policy Server uses this information to search for the variable's value in the SOAP response document.
AuthCredentials	Optionally, specify the user's Web Service credentials through the following elements: Username Password (use either a SHA-1 password digest or a clear-text password) Optionally, use the Hash element to specify that a hash of the password is to be included in the WS‑Security password.
Document	Optionally, use this element to define a SOAP header and/or SOAP body through the following elements: Envelope. The SOAP namespace is: http://schemas.xmlsoap.org/soap/envelope Header. A user-defined SOAP header. A WS‑Security header is automatically added to it if the user's Web Service credentials are specified. Body. A user-defined SOAP body. Nested variables of type RequestContext, UserContext, Post, and Static can be used inside the header and body. Their values are resolved and substituted before the request document is sent to the remote Web Service. Specify a nested variable as follows: $variable-name$

Note: The XML element structures shown above are formatted for legibility. The XML string supplied through the pszDefinition field should not be formatted with spaces, tabs, and return characters. For example, a RequestContext variable for a Resource attribute would be passed in pszDefinition as follows:

<RequestContextVariableDef><ItemName>Resource</ItemName></RequestContextVariableDef>

Sm_PolicyApi_VariableType_t

Defines a supported variable object type. Variable types are read-only. They cannot be created or deleted through the Policy Management Variable Functions.

Syntax

typedef struct Sm_PolicyApi_VariableType_s
{
   int iStructId;
   char pszOid[BFSIZE];
   char pszName[BFSIZE];
   char pszDesc[BFSIZE];
   char pszFilter[BFSIZE];
   struct Sm_PolicyApi_VariableType_s*    next;
} Sm_PolicyApi_VariableType_t;

Field	Description
iStructId	Data structure ID defined in Sm_PolicyApi_Structs_t.
pszOid	The unique object ID of the variable type object.
pszName	One of the following object type names: Post RequestContext Static UserContext WebService If you have installed the optional CA SOA Security Manager product, the following variable types are also available: SAMLAssertion Transport XMLAgent XMLBody XMLEnvelopeHeader You cannot create these variables using the SDK; you must use the Administrative UI.
pszDesc	The description of the variable type object-for example, Form Post Variables.
pszFilter	Not currently used.
next	Pointer to the next variable type object structure.

Sm_PolicyApi_WSFEDProviderProp_t

Defines a linked list of WS-Federation Provider properties, that is, name/value pairs.

An Sm_PolicyApi_WSFEDProviderProp_t structure consists of a single name/value pair. You define a set of properties for a given WS-Federation object through a linked list of Sm_PolicyApi_WSFEDProviderProp_t structures.

Syntax

typedef struct Sm_PolicyApi_WSFEDProviderProp_s
{
	int iStructId;
	char pszName[BFSIZE];
	char pszValue[BFSIZE];
	Sm_PolicyApi_WSFEDProviderProp_t* next;
} Sm_PolicyApi_WSFEDProviderProp_t;

Parameters

iStructId: ID of the structure in Sm_PolicyAp_Structs_t. Should be set to Sm_PolicyApi_WSFEDProviderProp_ID.
pszName: Name of the WS-Federation Provider property.
pszValue: Value of the WS-Federation Provider property.
next: Pointer to the next WS-Federation Provider property data in the linked list.

Each Sm_PolicyApi_WSFEDProviderProp_t structure contains a WS-Federation metadata property defined as a name/value pair. A complete set of properties for a particular object is defined as a linked list of Sm_PolicyApi_WSFEDProviderProp_t structures.

The following metadata properties apply to WS-Federation objects types:

Common properties
Properties for defining a Resource Partner
Properties for defining an Account Partner

Optional properties are specified in square brackets.

For Boolean values, a value of 1 denotes true; any other value denotes false.

The Property Name column also includes the corresponidng C Policy Management API macro name.

Common Properties

The following table specifies the metadata properties that are common to defining a Resource Partner or an Account Partner:

Property Name	Type	Description

General
Name WSFED_NAME	String	Name of the provider.
[Description] WSFED_DESCRIPTION	String	Brief description of the provider.
[SkewTime] WSFED_SKEW_TIME	String	The skew time between consumer and producer sides in seconds. This value is used to calculate validity duration of assertions and of SLO requests. The default value is 30.
Versioning
[WSFEDMajorVersion] WSFED_MAJOR_VERSION	Int	Version of WSFED protocol supported by this provider. The value of this property has to be set to 1.
[WSFEDMinorVersion] WSFED_MINOR_VERSION	Int	Version of WSFED protocol supported by this provider. The value of this property has to be set to 0.
[WSFEDSAMLMajorVersion] WSFED_SAML_MAJOR_ VERSION	Int	Version of SAML protocol supported by this provider. The value of this property has to be set to 1.
[WSFEDSAMLMinorVersion] WSFED_SAML_MINOR_ VERSION	Int	Version of WSFED protocol supported by this provider. The value of this property has to be set to 1.

Resource Partner Properties

The following table lists the metadata properties used to define a Resource Partner:

Property Name	Type	Description

Domain WSFED_RP_DOMAIN	OID	The Domain OID where this Resource Partner is defined
[Enabled] WSFED_ENABLED	Bool	Boolean indicating if the provider is enabled. If not provided, defaults to true. This property does not get stored physically to the property collection but is used to enable underlying policy.
NetegrityAffiliateMinderAuthURL WSFED_RP_AUTHENTICATION_URL	String	The protected URL used to authenticate Resource Partner users.
NameID
[NameIdFormat] WSFED_RP_NAMEID_FORMAT	String	The URI for a WSFED name identifier.
[NameIdType] WSFED_RP_NAMEID_TYPE	Int	Represents the type of name identifier: 0 - Static Text 1 - User Attribute 2 - DN Attribute Defaults to 1
[NameIdStatic] WSFED_RP_NAMEID_STATIC	String	The static text to be used as the name identifier when the NameIdType == 0. The Policy Management API will return an error if no value is specified for this property and NameIdType==0.
[NameIdAttrName] WSFED_RP_NAMEID_ATTR_NAME	String	The attribute name (user or DN) which holds the name identifier when NameIdType == 1 or NameIdType == 2. If "NameIdType" is set to "1" or "2", "NameIdAttrName" property should have a value, otherwise the Policy Management API will return an error.
[NameIdDNSpec] WSFED_RP_NAMEID_DN_SPEC	String	The DN spec used when the NameIdType == 2. If "NameIdType" is set to "2", "NameIdDNSpec" property should have a value, otherwise the Policy Management API will return error.
[NameIdAllowNested] WSFED_RP_NAMEID_ALLOWED_ NESTED	Bool	Flag indicating whether nested groups are allowed when selecting a DN attribute for the name identifier. Defaults to zero.
General
KEY_RPID WSFED_KEY_RPID	String	The Resource Partner ID for WSFED Assertion Consumer. Must be a URI less than 1024 characters in length. Also this is the key using which properties associated to a provider can be looked up.
APID WSFED_APID	String	The Resource Partner ID of the WSFED Assertion Producer.
SSO
[AuthenticationMethod] WSFED_RP_AUTHENTICATION_METHOD	String	The authentication method to use in the assertion.
[ValidityDuration] WSFED_RP_VALIDITY_DURATION	Int	An integer number of seconds for which a generated assertion is valid. If not provided during Resource Partner creation, the default is 60 seconds.
AssertionConsumerDefaultURL WSFED_RP_ASSERTION_CONSUMER_ DEFAULT_URL	String	The default WSFED Assertion Consumer to use.
[AuthenticationLevel] WSFED_RP_AUTHENTICATION_LEVEL	Int	The principal must have authenticated in a realm by an authentication scheme of at least this level or greater. If not supplied during Resrource Partner creation, this will default to 5.
Signout
[SLOEnabled] WSFED_RP_SLO_ENABLED	Bool	Boolean indicating if Signout is enabled for the Resource Partner.
[SignOutCleanupURL] WSFED_RP_SIGNOUT_CLEANUP_URL	String	Sign-out cleanup URL of the Resource Partner. This property is mandatory if SLOEnabled is true.
[SignOutConfirmURL] WSFED_RP_SIGNOUT_CONFIRM_URL	String	URL where the user will be redirected once the Sign-out at Account Partner is complete. (If there are multiple Resource Partners available then Sign-out confirm URL of the last Resource Partner is applicable.)
Advanced
[AssertionPluginClass] WSFED_RP_ PLUGIN_CLASS	String	The fully qualified Java class name for the Assertion Generator Plugin class to be used.
[AssertionPluginParameters] WSFED_RP_ PLUGIN_PARAMS	String	The string containing parameters to be passed to the Assertion Generator Plugin.

Account Partner Properties

The following table lists the metadata properties used to define an Account Partner:

Property Name	Type	Description

General
KEY_APID WSFED_KEY_APID	String	Identifier for the account partner. Among other things this identifier is used to identify assertion issuer. Also this is the key using which properties associated to a Account Partner can be looked up.
RPID WSFED_RPID	String	Identifier of the Resource Partner.
Signing
[DisableSignatureProcessing] WSFED_DISABLE_SIGNATURE_ PROCESSING	Bool	Specifies whether signature processing is disabled. This setting is useful during initial setup of a Account Partner. When a provider is up and running, this setting will need to be set to false, to avoid security implications. Default value is zero.
[DsigVerInfoIssuerDN] WSFED _DSIG_VERINFO_ALIAS	String	Used to locate the certificate of the provider in the key store if it is not provided inline.
Users
[XPath] WSFED_AP_XPATH	String	XPath query for disambiguating the principal.
[LDAPSearchSpec] WSFED_AP_LDAP_SEARCH_SPEC	String	Search specification for LDAP directory.
[ODBCSearchSpec] WSFED_AP_ODBC_SEARCH_SPEC	String	Search specification for ODBC directory.
[WinNTSearchSpec] WSFED_AP_WINNT_SEARCH_SPEC	String	Search specification for WinNT directory.
[CustomSearchSpec] WSFED_AP_CUSTOM_SEARCH_SPEC	String	Search specification for a custom directory.
[ADSearchSpec] WSFED_AP_AD_SEARCH_SPEC	String	Search specification for AD directory.
SSO
[RedirectMode] WSFED_AP_SSO_REDIRECT_MODE	Int	Redirect mode for assertion attributes. The following values are valid: 0—302 No Data 1—302 Cookie Data 2—Server Redirect 3—Persist Attributes The default is zero.
[SSODefaultService] WSFED_AP_SSO_DEFAULT_SERVICE	String	The default location of the Single Sign-on service.
[Target] WSFED_AP_SSO_TARGET	String	Target resource at the destination site.
[EnforceSingleUsePolicy] ENFORCE_SINGLE_USE_POLICY	Bool	If 1, the single use policy for POST assertions will be enforced, if 0, single use policy for POST assertions will not be enforced. Default set to 1.
Signout
[SLOEnabled] WSFED_AP_SLO_ENABLED	Bool	Boolean indicating if Signout is enabled for the Account Partner. If not supplied during Account Partner creation, this will default to disabled.
[SignOutURL] WSFED_AP_SIGNOUT_URL	String	Sign-out URL of the Account Partner. This property is mandatory if SLOEnabled is true.
Message Consumer Plug-in
[APPluginClass] WSFED_AP_ PLUGIN_CLASS	String	Name of a Java class that implements customization of assertion consumption.
[APPluginParameters] WSFED_AP_ PLUGIN_PARAMS	String	Parameters of the Java class that implements customization of assertion consumption. All parameters are concatenated into one line.
Post Processing URL Support
[UserNotFoundRedirectURL] WSFED_AP_USER_NOT_FOUND_ REDIRECT_URL	String	Contains an optional redirect URL to be used when - Auth Scheme cannot obtain a LoginID from the federation Message, given the configured query string - Auth Scheme can not find a user in the specific user directory, given the configured user store search string.
[UserNotFoundRedirectMode] WSFED_AP_USER_NOT_FOUND_ REDIRECT_MODE	0/1	Default is 0. 0: Http 302 redirect without passing federation messages 1: Http Form Post Redirect
[FailureRedirectURL] WSFED_AP_FAILURE_REDIRECT_URL	String	Contains an optional redirect URL to be used when assertion processsing has failed.
[FailureRedirectMode] WSFED_AP_FAILURE_REDIRECT_MODE	0/1	Default is 0. 0: Http 302 redirect without passing federation messages 1: Http Form Post Redirect
[InvalidRedirectURL] WSFED_AP_INVALID_REDIRECT_URL	String	Contains an optional redirect URL to be used when the assertion is invalid.
[InvalidRedirectMode] WSFED_AP_INVALID_REDIRECT_MODE	0/1	Default is 0. 0: Http 302 redirect without passing federation messages 1: Http Form Post Redirect

Sm_PolicyApi_WSFEDResourcePartner_t

Defines WS-Federation Resource Partner data.

Syntax

typdef struct Sm_PolicyApi_WSFEDResourcePartner_s
{
	int iStructId;
	Sm_PolicyApi_WSFEDProviderProp_t* pProps;
	Sm_PolicyApi_WSFEDResourcePartner_t* next;
} Sm_PolicyApi_WSFEDResroucePartner_t;

Parameters

iStructId: ID of the structure in Sm_PolicyApi_Structs_t. Should be set to Sm_PolicyApi_WSFEDResourcePartner_ID.
pProp: Pointer to the linked list of Resource Partner properties.
next: Pointer to the next Resource Partner data in the linked list.

Exported Types

The Policy Management API includes various categories of exported data types, including:

Administrator Rights

Sm_PolicyApi_AdminRights_t enumerates the rights of the administrator. These values may be used individually or combined to set multiple rights. The resulting value is passed to Sm_PolicyApi_AddAdmin() as one of the attributes in a Sm_PolicyApi_Admin_t structure.

Name	Value
Sm_PolicyApi_AdminRights_ManageAllDomains	0x01
Sm_PolicyApi_AdminRights_ManageObjects	0x02
Sm_PolicyApi_AdminRights_ManageUsers	0x04
Sm_PolicyApi_AdminRights_ManageKeys	0x08
Sm_PolicyApi_AdminRights_ManagePasswordPolicy	0x08
Sm_PolicyApi_AdminRights_ManageReports	0x10

The following table shows how these values are used to set administrative privileges:

Scope	Task	Setting and Privilege(s)
System	Manage System & Domain Objects	To set the privileges below, set administrator rights to both of the following: Sm_PolicyApi_AdminRights_ManageAllDomains Sm_PolicyApi_AdminRights_ManageObjects Privileges: Create/edit/delete agents, agent groups, directories, policy domains, authentication schemes, agent types, ODBC setup, directory mappings, certificate mappings, and registration schemes. Create/delete parent realms in all domains. Create/edit/delete administrators. Flush all caches, including cached resources. Change global settings. All the privileges for Manage Domain Objects listed below.
Domains	Manage Domain Objects	To set the privileges below, set administrator rights to: Sm_PolicyApi_AdminRights_ManageObjects Privileges: In managed domains: create/edit/delete rules, rule groups, responses, response groups, policies. Edit top level realms in managed domains (not resource filters). Create/edit/delete nested realms in managed domains. Flush specific realms from the resource cache, and flush all resources (in privileged domains) from the cache.
System	View Reports	To set the privilege below, set administrator rights to both of the following: Sm_PolicyApi_AdminRights_ManageAllDomains Sm_PolicyApi_AdminRights_ManageUsers Privilege: View all system and domain reports.
Domains	View Reports	To set the privilege below, set administrator rights to: Sm_PolicyApi_AdminRights_ManageUsers Privilege: View reports for managed domains.
System	Manage Keys and Password Policies	To set the privileges below, set administrator rights to both of the following: Sm_PolicyApi_AdminRights_ManageAllDomains Sm_PolicyApi_AdminRights_ManageKeys Privileges: Create/edit/delete password policies. Manage keys.
Domains	Manage Password Policies	To set the privilege below, set administrator rights to: Sm_PolicyApi_AdminRights_ManagePasswordPolicy Privilege: Create/edit/delete password policies for users in directories attached to managed domains.
System	Manage Users	To set the privileges below, set administrator rights to both of the following: Sm_PolicyApi_AdminRights_ManageAllDomains Sm_PolicyApi_AdminRights_ManageReports Privileges: Flush all user session caches, or flush the user session cache of any individual user cache from any directory. Enable/disable users in any directory. Force password change on any user in any directory.
Domains	Manage Users	To set the privileges below, set administrator rights to: Sm_PolicyApi_AdminRights_ManageReports Privileges: Flush user session caches for individual users in directories attached to managed domains. Enable/disable users in directories attached to managed domains. Force password change on users in directories attached to managed domains.

Affiliate Attribute Types

Sm_PolicyApi_AffiliateAttrType_t enumerates the valid affiliate attribute types, for use in the affiliate functions to manipulate affiliate attributes.

Name	Value
Sm_PolicyApi_Affiliate_HTTP_Header_Variable	1
Sm_PolicyApi_Affiliate_HTTP_Cookie_Variable	2

Attribute Mode Types

Sm_PolicyApi_SAMLSPAttrMode_t enumerates the valid attribute retrieval types for use in SAML 2.0 Attribute Authority support:

Name	Value
Sm_PolicyApi_SAMLSP_SSO_Only	0
Sm_PolicyApi_SAMLSP_Attribute_Only	1

One of these values should be provided in the nMode element of the Sm_PolicyApi_SAMLSPAttr_t structure.

Authentication and Authorization Mapping Types

Sm_PolicyApi_AuthAzMapType_t enumerates the authentication and authorization mapping types.

Name	Value
Sm_PolicyApi_AuthAzMapType_DN	1
Sm_PolicyApi_AuthAzMapType_UniversalId	2
Sm_PolicyApi_AuthAzMapType_Attr	3

Certificate Mapping Attribute Types

Sm_PolicyApi_CertMapAttrType_t enumerates types of mapping that determine how an X.509 client certificate will map to the user information in the authentication directory.

Name	Value
Sm_PolicyApi_CertMapAttrType_Single	1
Sm_PolicyApi_CertMapAttrType_Custom	2
Sm_PolicyApi_CertMapAttrType_Exact	3

Certificate Mapping Directory Types

Sm_PolicyApi_DirType_t enumerates the types of directories that can be used to authenticate users.

Name	Value
Sm_PolicyApi_DirType_LDAP	1
Sm_PolicyApi_DirType_WinNT	2
Sm_PolicyApi_DirType_ODBC	3

Certificate Mapping Flags Definitions

Sm_PolicyApi_CertMapFlags_t enumerates flags that represent certificate mapping properties.

Flag	Value
Sm_PolicyApi_CertMapFlags_CertRequired Setting this flag causes SiteMinder to verify that the certificate presented by the user matches the certificate stored in the user's entry in the authentication directory. The authentication directory must be an LDAP user directory.	0x01
Sm_PolicyApi_CertMapFlags_UseDistributionPoints Set this flag if your Certificate Revocation List (CRL) uses distribution points. Large CRLs may contain multiple distribution points that can be used to locate a revoked user. Distribution points indicate a starting point in the CRL LDAP directory. The distribution point provides a starting point for a CRL check and saves the processing time that it would take to search the entire CRL for a particular user. When this flag is set, SiteMinder retrieves the distribution point from the user's certificate, then uses it to find the appropriate LDAP directory entry point for the CRL.	0x02
Sm_PolicyApi_CertMapFlags_VerifySignature Set this flag to enable signature verification, where the Policy Server checks the Certificate Authority's public certificate against a signature stored in the policy database.	0x04
Sm_PolicyApi_CertMapFlags_CRLCheck Set this flag to make SiteMinder perform a Certificate Revocation List check. A Certificate Revocation List (CRL) is a list of revoked X.509 client certificates published by the Certificate Authority. Comparing certificates against CRLs is one way to ensure that certificates are valid. When a user with such a certificate tries to access a protected resource, SiteMinder finds the user's certificate in the CRL and rejects the authentication.	0x08
Sm_PolicyApi_CertMapFlags_Cache Setting this flag causes SiteMinder to use cached CRL information until the date specified in the NextUpdate field in the CRL.	0x10

Directory Capabilities

Sm_PolicyApi_GetUserDirCapabilities() uses the values that are enumerated in Sm_DirectoryCapability_t, which is defined in SmApi.h.

Directory Capability	Value
Sm_DirCapability_CreatePasswordPolicy Capable of creating password policy. The following attributes are affected in the user directory (Sm_PolicyApi_UserDir_t): pszPasswordData, pszDisabledAttr, and pszPasswordAttribute.	0x00000001
Sm_DirCapability_CreateRegistrationPolicy Capable of creating registration policy. The following attributes are affected in the user directory (Sm_PolicyApi_UserDir_t): pszAnonymousId, pszEmailAddressAttr, pszChallengeRespAttr, and pszPasswordAttribute.	0x00000002
Sm_DirCapability_ResetUserPassword Capable of resetting the user password. This affects pszPasswordAttribute.	0x00000004
Sm_DirCapability_ChangeUserPassword Capable of changing the user password. This affects pszPasswordAttribute.	0x00000008
Sm_DirCapability_DisableUser Capable of disabling the user account. This affects pszDisabledAttr.	0x00000010
Sm_DirCapability_DmsCapable Capable of being written by the Delegated Management System (DMS).	0x00000020
Sm_DirCapability_Recursive Capable of supporting recursion.	0x00000040
Sm_DirCapability_DisabledAttr Read-Write disabled attribute. This attribute is configured for the user directory.	0x00100000
Sm_DirCapability_UniversalIdAttr Read-only Universal ID. This attribute is configured for the user directory.	0x00200000
Sm_DirCapability_AnonymousIdAttr Read-Write anonymous ID attribute. This attribute is configured for the user directory.	0x00400000
Sm_DirCapability_PasswordDataAttr Read-Write password data attribute. This attribute is configured for the user directory.	0x00800000
Sm_DirCapability_UserPasswordAttr Read-Write password attribute. This attribute is configured for the user directory.	0x01000000
Sm_DirCapability_EmailAddressAttr Read-only E-mail attribute. This attribute is configured for the user directory.	0x02000000
Sm_DirCapability_ChallengeRespAttr Read-Write Challenge and Response attribute. This attribute is configured for the user directory.	0x04000000

Note: Attribute masks are directory user profile attributes. They are available in the directory. Each attribute is read-only or read-write. Read-write attributes are not used by other applications.

Domain Flags

Sm_PolicyApi_DomainFlags_t enumerates flags pertaining to domain-wide influence.

Name

Value

Sm_PolicyApi_DomainFlags_GlobalPoliciesApply

When this flag is set, the domain processes global policies for all realms in the domain. When this flag is not set, the domain does not process global policies.

0x02

Group Types

Sm_PolicyApi_Groups_t enumerates the type of group for which you can perform group functions.

Name	Value
Sm_PolicyApi_NULL_Group_Prop	0
Sm_PolicyApi_Rule_Group_Prop	1
Sm_PolicyApi_Response_Group_Prop	2
Sm_PolicyApi_Agent_Group_Prop	3

IP Address Types

Sm_PolicyApi_IPAddressType_t enumerates the type of IP address restrictions that are defined for an object in Sm_PolicyApi_IPAddress_t.

IP Address Type	Value
Sm_PolicyApi_IPAddressType_SingleHost A single host IP address requires the following fields to be set: iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t. iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_SingleHost. nIPAddress. The valid IP address. This IP address is specified in the long format.	1
Sm_PolicyApi_IPAddressType_HostName A host name IP address requires the following fields to be set: iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t. iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_HostName. pszHostName[BFSIZE]. Host name of the machine that a user must be using for an action to occur-for example, for a policy to fire.	2
Sm_PolicyApi_IPAddressType_AddressAndSubNetMask A subnet mask requires the following fields to be set: iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t. iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_AddressAndSubnetMask. nIPAddress. The valid IP address. This IP address is specified in the long format. nSubnetMask. Specify the subnet mask.	3
Sm_PolicyApi_IPAddressType_Range A range of IP addresses requires the following fields to be set: iStructId. IP Address data structure ID defined in Sm_PolicyApi_Structs_t. iIPAddressType. Set IP address type to be Sm_PolicyApi_IPAddressType_Range. nIPAddress. Starting IP address. This IP address is specified in the long format. nEndIPAddress. Ending IP address. This IP address is specified in the long format.	4

Management Commands

Sm_PolicyApi_ManagementCommands_t enumerates the values that can be passed to Sm_PolicyApi_ManagementCommand() for flushing caches, for managing agent encryption keys, and for shared secret rollover.

Initialize the structure to zero (memset) prior to setting any values. Use the symbolic enumerated values, rather than hard-coding integer command values.

The value is passed in the iCommand field of the structure Sm_PolicyApi_ManagementCommand_t.

Management Command	Value
Sm_PolicyApi_ManagementCommand_FlushAll Flushes all SiteMinder caches. Policy store cache, resource cache, and user information cache are flushed by this command. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t.	1
Sm_PolicyApi_ManagementCommand_FlushUsers Flushes user information cache. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t.	2
Sm_PolicyApi_ManagementCommand_FlushRealms Flushes resource cache. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t.	3
Sm_PolicyApi_ManagementCommand_ChangeDynamicKeys Changes the dynamic agent key. It does not require any data in the pszData field of Sm_PolicyApi_ManagementCommand_t. Before you change a dynamic agent key through the C API, the Agent Key setting in the Policy Server Key Management dialog box must be set to Use dynamic Agent Key. To access this dialog box in the Policy Server UI, click Tools > Manage Keys. Then, in the Agent Key tab, select Use dynamic Agent Key.	4
Sm_PolicyApi_ManagementCommand_ChangePersistentKey Changes the persistent or static key. The data field pszData of Sm_PolicyApi_ManagementCommand_t structure may contain an optional key value. If pszData is empty, the persistent key is randomly generated.	5
Sm_PolicyApi_ManagementCommand_ChangeSessionKey Changes the session key. The data field pszData of Sm_PolicyApi_ManagementCommand_t structure may contain an optional key value. If pszData is empty, the session key is randomly generated.	6
Sm_PolicyApi_ManagementCommand_RolloverSharedSecrets Rolls over shared secrets for rollover-enabled trusted hosts.	7

Password Messages

Sm_PolicyApi_PasswordMsgId_t enumerates password message IDs.

Password messages describe the encoded error message returned to Sm_PolicyApi_SetPassword() when a new password does not satisfy the password policy requirements of the specified directory.

Password Message ID	Value
Sm_PolicyApi_PasswordMsgId_None	0
Sm_PolicyApi_PasswordMsgId_ChangePassword	1
Sm_PolicyApi_PasswordMsgId_PassswordGeneralFailure	1000
Sm_PolicyApi_PasswordMsgId_PasswordShort	1001
Sm_PolicyApi_PasswordMsgId_PasswordLong	1002
Sm_PolicyApi_PasswordMsgId_PasswordOldPasswordBad	1003
Sm_PolicyApi_PasswordMsgId_PasswordReuse	1004
Sm_PolicyApi_PasswordMsgId_PasswordSimilar	1005
Sm_PolicyApi_PasswordMsgId_PasswordRepeatingChars?	1006
Sm_PolicyApi_PasswordMsgId_PasswordDictionaryMatch	1007
Sm_PolicyApi_PasswordMsgId_PasswordContentLetters	1008
Sm_PolicyApi_PasswordMsgId_PasswordContentDigits	1009
Sm_PolicyApi_PasswordMsgId_PasswordContentAlphaNum	1010
Sm_PolicyApi_PasswordMsgId_PasswordContentPunctuation	1011
Sm_PolicyApi_PasswordMsgId_PasswordContentNonPrintable	1012
Sm_PolicyApi_PasswordMsgId_PasswordContentNonAlphaNum	1013
Sm_PolicyApi_PasswordMsgId_PasswordProfileMatch	1014
Sm_PolicyApi_PasswordMsgId_PasswordGraceDays	1015
Sm_PolicyApi_PasswordMsgId_PasswordSystemPIN	1016
Sm_PolicyApi_PasswordMsgId_PasswordUserMaxNumPIN	1017
Sm_PolicyApi_PasswordMsgId_PasswordUserMinMaxNumPIN	1018
Sm_PolicyApi_PasswordMsgId_PasswordUserMaxAlphaPIN	1019
Sm_PolicyApi_PasswordMsgId_PasswordUserMinMaxAlphaPIN	1020
Sm_PolicyApi_PasswordMsgId_PasswordAcceptPIN	1021
Sm_PolicyApi_PasswordMsgId_PasswordContentLowerAlpha	1022
Sm_PolicyApi_PasswordMsgId_PasswordContentUpperAlpha	1023
Sm_PolicyApi_PasswordMsgId_PasswordContentNoLowerAlpha	1024
Sm_PolicyApi_PasswordMsgId_PasswordContentNoUpperAlpha	1025
Sm_PolicyApi_PasswordMsgId_PasswordContentNoDigits	1026
Sm_PolicyApi_PasswordMsgId_PasswordContentNoPunctuation	1027
Sm_PolicyApi_PasswordMsgId_PasswordContentNoNonPrintable	1028
Sm_PolicyApi_PasswordMsgId_PasswordContentNoNonAlphaNum	1029
Sm_PolicyApi_PasswordMsgId_PasswordContentNoAlphaNum	1030
Sm_PolicyApi_PasswordMsgId_PasswordContentMatchRegExp	1031
Sm_PolicyApi_PasswordMsgId_PasswordContentNoMatchRegExp	1032
Sm_PolicyApi_PasswordMsgId_PasswordUserMinNumPIN	1033
Sm_PolicyApi_PasswordMsgId_PasswordUserDigitsPIN	1034
Sm_PolicyApi_PasswordMsgId_PasswordUserAlphaNumPIN	1035

Additional information about the error message is available in the password message field associated with the password message.

Password Message Fields

Sm_PolicyApi_PasswordMsgFieldId_t enumerates password message field IDs.

Password message fields contain additional information about the password messages described in the previous section. You can find this additional information in the structure Sm_PolicyApi_PasswordMsgField_t.

Password Message Field ID	Value
Sm_PolicyApi_PasswordMsgFieldId_None	0
Sm_PolicyApi_PasswordMsgFieldId_Min	1
Sm_PolicyApi_PasswordMsgFieldId_Max	2
Sm_PolicyApi_PasswordMsgFieldId_OldPW	3
Sm_PolicyApi_PasswordMsgFieldId_NewPW	4
Sm_PolicyApi_PasswordMsgFieldId_Days	5
Sm_PolicyApi_PasswordMsgFieldId_Token	6

Fields can be of type integer or string, or they can have no type.

Password Message Field Types

Sm_PolicyApi_FieldType_t enumerates the possible data types for the password message fields.

Password Message Field Type	Value
Sm_PolicyApi_FieldType_None	0
Sm_PolicyApi_FieldType_Int	1
Sm_PolicyApi_FieldType_String	2

Password Policy Behavior Flags

Sm_PasswordPolicyBehavior_t enumerates the behavioral characteristics of a password policy.

Password Policy Behavior Flag	Value
Sm_PasswordPolicy_DontTrackLogins This flag has been replaced in SiteMinder v6.0 SP3 by: Sm_PasswordPolicy_DontTrackSuccessLogins Sm_PasswordPolicy_DontTrackFailedLogins The new flags allow successful and failed logins to be tracked separately. Sm_PasswordPolicy_DontTrackLogins is currently maintained for backwards compatibility. If this flag is set, login tracking for successful and failed logins will not occur.	0x00000004
Sm_PasswordPolicy_AllowFailedWrites Allows users to log in even if password data cannot be written to the user directory.	0x00000008
Sm_PasswordPolicy_InactivityForcePWChange Forces a password change on the next login attempt after a user's password becomes invalid due to inactivity.	0x00000010
Sm_PasswordPolicy_PWExpiredForcePWChange Forces a password change on the next login attempt after a user's password expires.	0x00000020
Sm_PasswordPolicyBehavior_FullReenable If a user's account is disabled due to successive incorrect password entries, this flag re-enables the account after a given time period. Specify the time in the nReenablement field of Sm_PolicyApi_PasswordPolicy_t. If this flag is not set, the user is allowed another login attempt after the given nReenablement time period.	0x00000040
Sm_PasswordPolicy_StopPriorityChaining Prevents the evaluation of password policies with lower priority ratings than the current password policy.	0x00000080
Sm_PasswordPolicy_ExpireDisablePassword When the password expires, disable just the password and not the user account.	0x00000100
Sm_PasswordPolicy_FailuresDisablePassword When the maximum number of authentication failures are exceeded, disable just the password and not the user account.	0x00000200
Sm_PasswordPolicy_ForceCase Force the password's case that is specified through bit Sm_PasswordPolicy_CaseSelect.	0x00000400
Sm_PasswordPolicy_CaseSelect If Sm_PasswordPolicy_ForceCase is set, Sm_PasswordPolicy_ForceCase forces upper case passwords when set, and forces lower case passwords when cleared.	0x00000800
Sm_PasswordPolicy_CaseBits Sets both of the following bits (forces upper case passwords): Sm_PasswordPolicy_ForceCase Sm_PasswordPolicy_CaseSelect	0x00000c00
Sm_PasswordPolicy_StripLeadingWhiteSpace Removes any leading white space from the password.	0x00001000
Sm_PasswordPolicy_StripTrailingWhiteSpace Removes any trailing white space from the password.	0x00002000
Sm_PasswordPolicy_StripFlankingWhiteSpace Sets both of the following bits (strips leading and trailing white space): Sm_PasswordPolicy_StripLeadingWhiteSpace Sm_PasswordPolicy_StripTrailingWhiteSpace	0x00003000
Sm_PasswordPolicy_StripEmbeddedWhiteSpace Removes all white space within the password.	0x00004000
Sm_PasswordPolicy_WhiteSpaceBits Sets all of the following bits (strips leading, trailing, and embedded white space): Sm_PasswordPolicy_StripLeadingWhiteSpace Sm_PasswordPolicy_StripTrailingWhiteSpace Sm_PasswordPolicy_StripEmbeddedWhiteSpace	0x00007000
Sm_PasswordPolicy_PreProcessBits Sets all of the following bits (forces upper case passwords and strips leading, trailing, and embedded white space): Sm_PasswordPolicy_ForceCase Sm_PasswordPolicy_CaseSelect Sm_PasswordPolicy_StripLeadingWhiteSpace Sm_PasswordPolicy_StripTrailingWhiteSpace Sm_PasswordPolicy_StripEmbeddedWhiteSpace	0x00007c00
Sm_PasswordPolicy_DontTrackSuccessLogins Performs directory updates at login time. When this flag is not set, the password policy tracks successful user logins, including the time of the last login.	0x00008000
Sm_PasswordPolicy_DontTrackFailedLogins Performs directory updates at login time. When this flag is not set, the password policy tracks unsuccessful user login attempts.	0x00010000

Note: Values 0x00000400 through 0x00007c00 apply to password preprocessing. During preprocessing, the password is checked before it is processed or stored.

Policy Flags

Sm_PolicyApi_AddUsersToPolicy() uses the following values (which are defined in SmApi.h):

Flag	Value
Sm_PolicyBehavior_Exclude_Mask Bit 0x01 determines whether user policy excludes or includes 'users.'	0x01
Sm_PolicyBehavior_Exclude_No	0x00
Sm_PolicyBehavior_Exclude_Yes	0x01
Sm_PolicyBehavior_Recursive_Mask Bit 0x02 determines whether user policy is recursive. This is applicable to directory object classes that can be nested.	0x02
Sm_PolicyBehavior_Recursive_No	0x00
Sm_PolicyBehavior_Recursive_Yes	0x02
Sm_PolicyBehavior_AND_Mask Bit 0x04 determines whether the user policy has an AND relationship between user policies. This is applicable to user policies that are members of a particular user directory within the policy.	0x04
Sm_PolicyBehavior_AND_No	0x00
Sm_PolicyBehavior_AND_Yes	0x04

Policy Management API Initialization Flags

Sm_PolicyApi_InitFlags_t enumerates the initialization flags used by Sm_PolicyApi_Init(). These flags affect API behavior.

Flag	Value
Sm_PolicyApi_InitFlags_EnableCache Enables caching of policy store, resource, and user information to ensure that SiteMinder responds quickly to user requests.	0x01
Sm_PolicyApi_InitFlags_PreLoadCache Enables the Policy Management API to preload the SiteMinder caches. Note: By omitting this flag, you can reduce the time it takes for custom Policy Management applications to make policy store changes.	0x02
Sm_PolicyApi_InitFlags_LoadAgentTypeDictionary Enables the Policy Management API to preload the SiteMinder agent type dictionary.	0x04
Sm_PolicyApi_InitFlags_DisableValidation Disables validation of policy objects.	0x08
Sm_PolicyApi_InitFlags_DisableAudit Disables: Auditing of user activity, including authentication, authorization, and administration activities. (Administration activities include changes to the policy store.) Monitoring of user sessions.	0x10
Sm_PolicyApi_InitFlags_DisableCacheUpdates Disables cache updates. If cache updates are not disabled and Sm_PolicyApi_InitFlags_EnableCache is turned off, the Policy Management API will still issue the cache updates.	0x20
Sm_PolicyApi_InitFlags_DisableManagementWatchDog Disables the SiteMinder management watchdog. The watchdog is enabled by default. The watchdog is used internally and should not be disabled.	0x40

Policy Object IDs

Sm_PolicyApi_Objects_t describes the policy store properties that can be retrieved, set, and removed.

Note: Sm_PolicyApi_NULL_Domain_Props, value 0, is reserved.

The following table lists the domain object type values that can be passed to Sm_PolicyApi_GetDomainObjects():

Name	Value
Sm_PolicyApi_Rule_Prop	1
Sm_PolicyApi_RuleGroup_Prop	2
Sm_PolicyApi_Policy_Prop	3
Sm_PolicyApi_PolicyLink_Prop	4
Sm_PolicyApi_UserPolicy_Prop	5
Sm_PolicyApi_Realm_Prop	6
Sm_PolicyApi_ResponseGroup_Prop	7
Sm_PolicyApi_Response_Prop	8
Sm_PolicyApi_ResponseAttr_Prop	9
Sm_PolicyApi_UserDir_Prop	10
Sm_PolicyApi_Admins_Prop	17
Sm_PolicyApi_ActiveExpr_Prop	23
Sm_PolicyApi_Variable_Prop	25
Sm_PolicyApi_Affiliate_Prop	33
Sm_PolicyApi_SAMLSP_Prop	35

The following table lists the global object type names that can be passed to Sm_PolicyApi_GetGlobalObjects():

Name	Value
Sm_PolicyApi_Rule_Prop	1
Sm_PolicyApi_Policy_Prop	3
Sm_PolicyApi_Response_Prop	8
Sm_PolicyApi_UserDir_Prop	10
Sm_PolicyApi_Scheme_Prop Object ID for an authentication scheme.	11
Sm_PolicyApi_Agent_Prop	12
Sm_PolicyApi_AgentGroup_Prop	13
Sm_PolicyApi_AgentType_Prop	14
Sm_PolicyApi_AgentTypeAttr_Prop	15
Sm_PolicyApi_Domain_Prop	16
Sm_PolicyApi_Admins_Prop	17
Sm_PolicyApi_ODBCQueryScheme_Prop	18
Sm_PolicyApi_RegistrationScheme_Prop	19
Sm_PolicyApi_PasswordPolicy_Prop	20
Sm_PolicyApi_AuthAzMap_Prop Object ID for an authentication-authorization object.	21
Sm_PolicyApi_CertMap_Prop Object ID for a certification-mapping object.	22
Sm_PolicyApi_VariableType_Prop	24
Sm_PolicyApi_TrustedHost_Prop	26
Sm_PolicyApi_HostConfig_Prop	27
Sm_PolicyApi_AgentConfig_Prop	28
Sm_PolicyApi_Association_Prop Object ID for a configuration name/value pair in an agent configuration object.	29
Sm_PolicyApi_AffiliateDomain_Prop	32
Sm_PolicyApi_SharedSecretPolicy_Prop	34
Sm_PolicyApi_SAMLIdP_Prop	36
Sm_PolicyApi_SAMLAffiliation_Prop	37
Sm_PolicyApi_WSFEDResourcePartner_Prop	38

Policy Resolutions

Sm_PolicyResolution_t, defined in SmApi.h, enumerates the values that describe the relationship between two policy objects.

More Information:

Sm_PolicyResolution_t

Return Codes

The value codes that can be returned by the API are enumerated in Sm_PolicyApi_Status_t. The values have the following significance:

A zero return code indicates success.
Negative return codes indicate failure.

Most of the code names are self-explanatory. However, note that Sm_PolicyApi_BadArgument (-10) is returned when one or more of the required input parameters is not supplied. For example, if an argument such as a domain OID is null or represents a string of zero length, Sm_PolicyApi_BadArgument is returned to the caller.

Return codes with values less than -100 (except for Sm_PolicyApi_NotUnique, value -105) will rarely be returned by this API. They are included for completeness.

Return Code	Value
Sm_PolicyApi_Success	0
Sm_PolicyApi_Failure	-1
Sm_PolicyApi_InvalidHandle	-2
Sm_PolicyApi_ErrorLogin	-3
Sm_PolicyApi_NoPrivilege	-4
Sm_PolicyApi_InvalidPasswordSyntax	-5
Sm_PolicyApi_InvalidPassword	-6
Sm_PolicyApi_DuplicateEntry	-7
Sm_PolicyApi_DoesNotExist	-8
Sm_PolicyApi_NotFound	-9
Sm_PolicyApi_BadArgument	-10
Sm_PolicyApi_WrongNumberOfElements	-11
Sm_PolicyApi_UserDirNotPartOfDomain	-12
Sm_PolicyApi_UserDirNotValid	-13
Sm_PolicyApi_ErrorUserDir	-14
Sm_PolicyApi_AgentNotFound	-15
Sm_PolicyApi_AgentTypeNotFound	-16
Sm_PolicyApi_AgentTypeAttrNotFound	-17
Sm_PolicyApi_AgentTypeMismatch	-18
Sm_PolicyApi_ODBCQuerySchemeNotFound	-19
Sm_PolicyApi_UserDirNotFound	-20
Sm_PolicyApi_DomainNotFound	-21
Sm_PolicyApi_AdminNotFound	-22
Sm_PolicyApi_SchemeNotFound	-23
Sm_PolicyApi_RegistrationSchemeNotFound	-24
Sm_PolicyApi_PasswordPolicyNotFound	-25
Sm_PolicyApi_SchemeIsRequired	-26
Sm_PolicyApi_PasswordPolicyConfig	-27
Sm_PolicyApi_RealmNotFound	-28
Sm_PolicyApi_NoChildren	-29
Sm_PolicyApi_RuleNotFound	-30
Sm_PolicyApi_ResponseNotFound	-31
Sm_PolicyApi_ResponseAttrNotFound	-32
Sm_PolicyApi_PolicyNotFound	-33
Sm_PolicyApi_PolicyLinkNotFound	-34
Sm_PolicyApi_UserPolicyNotFound	-35
Sm_PolicyApi_BadGroup	-36
Sm_PolicyApi_GroupNotFound	-37
Sm_PolicyApi_Invalid	-38
Sm_PolicyApi_InvalidHandleVersion	-39
Sm_PolicyApi_DomainNotAffiliate	-41
Sm_PolicyApi_InvalidOid	-100
Sm_PolicyApi_NotImplemented	-101
Sm_PolicyApi_NotSearchable	-102
Sm_PolicyApi_NotStorable	-103
Sm_PolicyApi_NotCollection	-104
Sm_PolicyApi_NotUnique	-105
Sm_PolicyApi_InvalidProp	-106
Sm_PolicyApi_NotInitted	-107
Sm_PolicyApi_NoSession	-108
Sm_PolicyApi_OidInUseByRealm	-109
Sm_PolicyApi_OidInUseByRule	-110
Sm_PolicyApi_OidInUseByAdmin	-111
Sm_PolicyApi_MissingProperty	-112
Sm_PolicyApi_GroupMemberName	-113
Sm_PolicyApi_RadiusIpAddrNotUnique	-114
Sm_PolicyApi_GroupAgentType	-115
Sm_PolicyApi_RadiusRealmNotUnique	-116
Sm_PolicyApi_RealmFilterNotUnique	-117
Sm_PolicyApi_InvalidCharacters	-118
Sm_PolicyApi_AgentTypeCantBeDeleted	-119
Sm_PolicyApi_ProvNotImplemented	-120
Sm_PolicyApi_ProvNotUnique	-121
Sm_PolicyApi_RealmCantBeUsedInRule	-122
Sm_PolicyApi_OidInUserByCertMap	-123
Sm_PolicyApi_OidInUseBySelfReg	-124
Sm_PolicyApi_OidInUseByUserDirectory	-125
Sm_PolicyApi_SchemeCantBeDeleted	-126
Sm_PolicyApi_BasicSchemeUpdate	-127
Sm_PolicyApi_NonHtmlForm	-128
Sm_PolicyApi_IllegalRealmOperation	-129
Sm_PolicyApi_NameNotUnique	-130
Sm_PolicyApi_FeatureNotSupported	-132
Sm_PolicyApi_AssertionConsumerDefaultMissing	-133
Sm_PolicyApi_SAMLSP_AuthenticationURLMissing	-134
Sm_PolicyApi_SAMLSP_DomainOidMissing	-135
Sm_PolicyApi_SAMLSP_IdPIDMissing	-136
Sm_PolicyApi_SAMLSP_NameMissing	-137
Sm_PolicyApi_SAMLSP_NameIdFormatMissing	-138
Sm_PolicyApi_SAMLSP_NameIdTypeMissing	-139
Sm_PolicyApi_SAMLSP_NameIdStaticMissing	-140
Sm_PolicyApi_SAMLSP_NameIdAttrNameMissing	-141
Sm_PolicyApi_SAMLSP_NameIdDNSpecMissing	-142
Sm_PolicyApi_SAMLSP_ProviderIDMissing	-143
Sm_PolicyApi_SAMLSP_ProviderIDNotUnique	-144
Sm_PolicyApi_SAML_UnSupportedSAMLVersion	-145
Sm_PolicyApi_SAMLIDP_IncorrectParameters	-146
Sm_PolicyApi_SAMLIDP_ProviderIDNotUnique	-147
Sm_PolicyApi_SAMLAFF_NameMissing	-148
Sm_PolicyApi_SAMLAFF_NameIdFormatMissing	-149
Sm_PolicyApi_SAMLAFF_NameIdTypeMissing	-150
Sm_PolicyApi_SAMLAFF_NameIdStaticMissing	-151
Sm_PolicyApi_SAMLAFF_NameIdAttrNameMissing	-152
Sm_PolicyApi_SAMLAFF_NameIdDNSpecMissing	-153
Sm_PolicyApi_SAMLAFF_AffiliationIDMissing	-154
Sm_PolicyApi_SAMLAFF_AffiliationIDNotUnique	-155
Sm_PolicyApi_SAMLAFF_AffiliationHasMembers	-156
Sm_PolicyApi_SAML_UnknownProperty	-157
Sm_PolicyApi_WSFEDRP_AssertionConsumerDefaultMissing	-158
Sm_PolicyApi_WSFEDRP_AuthenticationURLMissing	-159
Sm_PolicyApi_WSFEDRP_DomainOidMissing	-160
Sm_PolicyApi_WSFEDRP_APIDMissing	-161
Sm_PolicyApi_WSFEDRP_NameMissing	-162
Sm_PolicyApi_WSFEDRP_NameIdFormatMissing	-163
Sm_PolicyApi_WSFEDRP_NameIdTypeMissing	-164
Sm_PolicyApi_WSFEDRP_NameIdStaticMissing	-165
Sm_PolicyApi_WSFEDRP_NameIdAttrNameMissing	-166
Sm_PolicyApi_WSFEDRP_NameIdDNSpecMissing	-167
Sm_PolicyApi_WSFEDRP_ProviderIdMissing	-168
Sm_PolicyApi_WSFEDRP_ProviderIdNotUnique	-169
Sm_PolicyApi_WSFEDRP_UnsupportedSAMLVersion	-170
Sm_PolicyApi_WSFEDRP_UnkownProperty	-171
Sm_PolicyApi_WSFEDAP_IncorrectParameters	-172
Sm_PolicyApi_WSFEDAP_ProviderIDNotUnique	-173
Sm_PolicyAPI_InsufficientRPData	-174
Sm_PolicyAPI_WSFED_UnSupportedWSFEDVersion	-175
Sm_PolicyAPI_DuplicateAttribute	-176
Sm_PolicyAPI_SAMLSP_ACSDuplicateIndex	-177
Sm_PolicyAPI_SAMLSP_ACSIndexedEndpointInUse	-178
Sm_PolicyAPI_SAMLSP_ACSIndexedEndpointNotFound	-179
Sm_PolicyAPI_SAMLSP_CantDeleteDefaultACSIndex	-180
Sm_PolicyAPI_SAMLSP_ACSMaxExceeded	-181
Sm_PolicyAPI_InConsistentANDBitMask	-182

SAML1x Redirect URL Types

Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_TYPE_t defines the type of redirection specified in Sm_PolicyApi_AddRedirectURLToSAML1xScheme() and Sm_PolicyApi_GetRedirectURLFromSAML1xScheme().

Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_TYPE_t is listed in SmPolicyApi45.h.

Name	Value
Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_USER_NOT_FOUND_TYPE	0
Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_INVALID_SSO	1
Sm_PolicyApi_SAML1_STATUS_REDIRECT_URL_UNACCEPTABLE_USER_ CREDENTIALS	2

SAML Assertion Consumer Service Bindings

The following values are the SAML Protocol Bindings that can be specified for each row of the Assertion Consumer Service:

Name	Value
Sm_PolicyApi_SAMLSP_HTTP_Post	0
Sm_PolicyApi_SAMLSP_HTTP_Artifact	1
Sm_PolicyApi_SAMLSP_PAOS	2

SAML Attribute Name Format Identifiers

Sm_PolicyApi_SAMLSPAttrNameFormat_t defines the format to use for specifying attributes that apply to a principal. The format specification is made within the structure Sm_PolicyApi_SAMLSPAttr_t.

The format identifiers are defined by the SAML 2.0 standard.

Sm_PolicyApi_SAMLSPAttrNameFormat_t is listed in SmPolicyApi45.h.

Name	Value
Sm_PolicyApi_SAMLSP_Unspecified	0
Sm_PolicyApi_SAMLSP_URI	1
Sm_PolicyApi_SAMLSP_Basic	2

SAML Profiles

Sm_PolicyApi_SAML_Profile_t specifies the communication profile used to send and receive a SAML assertion for a particular affiliate object. The profile is specified as one of the attributes of a Sm_PolicyApi_Affiliate_t structure. Sm_PolicyApi_SAML_Profile_t is listed in SmPolicyApi45.h.

Name	Value
Sm_PolicyApi_SAML_Profile_Artifact	1
Sm_PolicyApi_SAML_Profile_POST	2

Scheme Types

Sm_Api_SchemeType_t describes the values that may be passed to Sm_PolicyApi_AddScheme() as one of the attributes of a SmPolicyApi_Scheme_t structure. Sm_Api_SchemeType_t is listed in SmApi.h.

Scheme Type	Value
Sm_Api_SchemeType_Basic	1
Sm_Api_SchemeType_CryptoCard	2
Sm_Api_SchemeType_Encotone	3
Sm_Api_SchemeType_HTMLForm	4
Sm_Api_SchemeType_BasicOverSSL	5
Sm_Api_SchemeType_RadiusServer	6
Sm_Api_SchemeType_SafeWordServer	7
Sm_Api_SchemeType_ACEServer	8
Sm_Api_SchemeType_X509ClientCert	9
Sm_Api_SchemeType_X509ClientCertAndBasic	10
Sm_Api_SchemeType_X509ClientCertOrBasic	11
Sm_Api_SchemeType_RadiusChapPap	12
Sm_Api_SchemeType_Anonymous	13
Sm_Api_SchemeType_NTLM	14
Sm_Api_SchemeType_Custom	15
Sm_Api_SchemeType_ACEServerHTMLForm	16
Sm_Api_SchemeType_SafeWordHTMLForm	17
Sm_Api_SchemeType_XMLDsig	18
Sm_Api_SchemeType_X509ClientCertOrForm	19
Sm_Api_SchemeType_X509ClientCertAndForm	20
Sm_Api_SchemeType_MSPassport	21
Sm_Api_SchemeType_XMLDocumentCredentialCollector	22
Sm_Api_SchemeType_SAMLSessionTicket	25
Sm_Api_SchemeType_SAMLArtifact	26
Sm_Api_SchemeType_Impersonation	27
Sm_Api_SchemeType_SAMLPOST	28
Sm_Api_SchemeType_SAML2	29
Sm_Api-SchemeType_WSFED	30

Shared Secret Rollover Parameters

Sm_PolicyApi_SecretRolloverPeriod_t enumerates the units of time which, when combined with the rollover frequency setting, determines how often shared secret rollover occurs. For example a rollover period of RolloverHOURS and a frequency of 12 means that the shared secret is changed every 12 hours.

The rollover period is defined in the iRolloverPeriod field of structure Sm_PolicyApi_SharedSecretPolicy_t, and the frequency is defined in the iRolloverFrequency field of the structure.

Name	Value
RolloverNEVER	0
RolloverHOURS	1
RolloverDAYS	2
RolloverWEEKS	3
RolloverMONTHS	4

Structure IDs

Sm_PolicyApi_Structs_t enumerates the data structures that can be passed to and from the Policy Management API as follows:

Name	Value
Sm_PolicyApi_NULL_ID	0
Sm_PolicyApi_Rule_ID	1
Sm_PolicyApi_Policy_ID	2
Sm_PolicyApi_Realm_ID	3
Sm_PolicyApi_Response_ID	4
Sm_PolicyApi_UserDir_ID	5
Sm_PolicyApi_Agent_ID	6
Sm_PolicyApi_Domain_ID	7
Sm_PolicyApi_PolicyLink_ID	8
Sm_PolicyApi_ResponseAttr_ID	9
Sm_PolicyApi_User_ID	10
Sm_PolicyApi_Scheme_ID	11
Sm_PolicyApi_Admin_ID	12
Sm_PolicyApi_Group_ID	13
Sm_PolicyApi_ODBCQueryScheme_ID	14
Sm_PolicyApi_Object_ID	15
Sm_PolicyApi_AgentType_ID	16
Sm_PolicyApi_AgentTypeAttr_ID	17
Sm_PolicyApi_RegistrationScheme_ID	18
Sm_PolicyApi_PasswordPolicy_ID	19
Sm_PolicyApi_IPAddress_ID	20
Sm_PolicyApi_AuthAzMap_ID	21
Sm_PolicyApi_CertMap_ID	22
Sm_PolicyApi_PasswordMsgField_ID	23
Sm_PolicyApi_VariableType_ID	25
Sm_PolicyApi_Variable_ID	26
Sm_PolicyApi_TrustedHost_ID	27
Sm_PolicyApi_HostConfig_ID	28
Sm_PolicyApi_AgentConfig_ID	29
Sm_PolicyApi_Association_ID	30
Sm_PolicyApi_UserContext_ID	31
Sm_PolicyApi_Affiliate_ID	36
Sm_PolicyApi_AffiliateAttr_ID	37
Sm_PolicyApi_SharedSecretPolicy_ID	38
Sm_PolicyApi_UserContext_ID	40
Sm_PolicyApi_SAMLSP_ID	41
Sm_PolicyApi_SAMLProviderProp_ID	42
Sm_PolicyApi_SAMLAffiliation_ID	43
Sm_PolicyApi_SAMLSPAttr_ID	44
Sm_PolicyApi_WSFEDResourcePartner_ID	45
Sm_PolicyApi_WSFEDProviderProp_ID	46
Sm_PolicyApi_WSFEDRPAttr_ID	47
Sm_PolicyApi_SAMLRequesterAttr_ID	48
Sm_PolicyApi_SAMLSPAssertionConsumerService_ ID	49

Structure of a Policy Application

Policy applications must perform the following operations:

Initialization: Sm_PolicyApi_Init() or Sm_PolicyApi_InitEx() must be the first function called by the API client session. The function initializes the connection to the SiteMinder policy store and establishes the init handle. (The init handle is passed in calls to Sm_PolicyApi_Login() and Sm_PolicyApi_Release().)
Login: Sm_PolicyApi_Login() must be called after initialization and before making calls to the other functions in the API. This function can check the administrator's login credentials (username and password) or the administrator's validity.
If the administrator is authenticated, the function initializes internal data structures and resources. Once the administrator is logged in, the Policy Server initializes a handle that is used as an input parameter to subsequent Policy Management API functions. Sm_PolicyApi_Login() can be called more than once during the client session.
Logout: Sm_PolicyApi_Logout() logs out the administrator.
Release: Sm_PolicyApi_Release() must be the last function called by the API client session. It disconnects from the policy store and releases memory and resources held by the API. This function must be called once per client session. Failure to call this function will result in a memory leak.

Functions by Category in the Policy Management API

Most of the functions in the Policy Management API are categorized according to the SiteMinder policy store object (for example, an agent, policy, or rule) that a given function acts upon. There are additional categories-required functions, user state functions, and utility functions such as cache and agent encryption key management-that are categorized by the type of service that certain functions perform.

Use these categories to help you find a particular Policy Management API function to use in your custom policy management applications.

The categories of Policy Management API functions include:

Required Functions
Administrator Functions
Agent Functions
Agent Configuration Functions
Authentication/Authorization Map Functions
Authentication Scheme Functions
Certificate Mapping Functions
Domain Functions
Federation Functions
General Object Functions
Group Functions
ODBC Query Scheme Functions
Password Policy Functions
Policy Functions
Realm Functions
Registration Scheme Functions
Regular Expression Functions
Response Functions
Rule Functions
SAML 2.0 Attribute Authority Functions
SAML 2.0 Configuration Functions
SAML 2.0 Indexed Endpoint Functions
User Directory Functions
User and User State Functions
User Password State Functions
Utility Functions
Variable Functions
WS-Federation Functions

Required Functions

The following functions must be used in all policy management applications:

Function	Description
Sm_PolicyApi_Init()	Initializes the connection to the Policy Server.
Sm_PolicyApi_InitEx()	Initializes a connection to the SiteMinder policy store and establishes the init handle based on a supplied version. Required for clients starting at version SM_POLICY_API_VERSION_6_0.
Sm_PolicyApi_Login()	Authenticates the administrator.
Sm_PolicyApi_Logout()	Logs out the administrator.
Sm_PolicyApi_Release()	Disconnects from the Policy Server and releases memory and resources held by the API.

Administrator Functions

The following functions manage SiteMinder administrator objects:

Function	Description
Sm_PolicyApi_AddAdmin()	Creates or updates an administrator object.
Sm_PolicyApi_AddAdminToDomain()	Gives the administrator permission to administer the specified domain.
Sm_PolicyApi_DeleteAdmin()	Deletes an administrator.
Sm_PolicyApi_GetAdmin()	Gets the contents of an administrator by object identifier.
Sm_PolicyApi_GetAdminByName()	Gets the contents of an administrator by name.
Sm_PolicyApi_GetGlobalPolicyByName()	Gets a specified global policy by name.
Sm_PolicyApi_GetGlobalResponseByName()	Gets a specified global response by name.
Sm_PolicyApi_GetGlobalRuleByName()	Gets a specified global rule by name.
Sm_PolicyApi_RemoveAdminFromDomain()	Disassociates the administrator from the specified domain.

Agent Functions

The following functions manage SiteMinder agent objects.

Note: There is no facility for creating Agent Types or Agent Type attributes.

Function	Description
Sm_PolicyApi_AddAgent()	Creates or updates an agent object.
Sm_PolicyApi_ConvertFromLegacyAgent()	Converts a v4.x agent to a v5.x agent.
Sm_PolicyApi_ConvertToLegacyAgent()	Converts a v5.x agent to a v4.x agent.
Sm_PolicyApi_DeleteAgent()	Deletes an agent.
Sm_PolicyApi_GetAgent()	Gets the contents of an agent by OID.
Sm_PolicyApi_GetAgentByName()	Gets the contents of an agent by name.
Sm_PolicyApi_GetAgentType()	Gets the contents of an agent type object by OID.
Sm_PolicyApi_GetAgentTypeByName()	Gets the contents of an agent type object by name.
Sm_PolicyApi_GetAgentTypeAttr()	Returns one or all agent type attributes.
Sm_PolicyApi_GetAgentTypeAttrByName()	Returns named agent type attribute object.

Agent Configuration Functions

The following functions manage configuration objects (agent configuration objects, host configuration objects, and trusted host objects) for centrally configuring agents.

Trusted hosts are created in any of the following ways:

During agent installation
Through the command line using the smreghost tool. For information about using this tool, see Web Agent Installation Guide.
Through the Sm_PolicyApi_AddTrustedHost() function.

Function	Description
Sm_PolicyApi_AddAgentConfig()	Adds or modifies an agent configuration object.
Sm_PolicyApi_AddAgentConfigAssociation()	Adds or modifies a configuration parameter name and corresponding value in a specified agent configuration object.
Sm_PolicyApi_AddHostConfig()	Adds or modifies a host configuration object.
Sm_PolicyApi_AddTrustedHost()	Creates or modifies a trusted host object in the object store when there is no connection between the agent and the Policy Server.
Sm_PolicyApi_DeleteAgentConfig()	Deletes an agent configuration object.
Sm_PolicyApi_DeleteHostConfig()	Deletes a host configuration object.
Sm_PolicyApi_DeleteTrustedHost()	Deletes a trusted host object.
Sm_PolicyApi_GetAgentConfig()	Retrieves an agent configuration object.
Sm_PolicyApi_GetAgentConfigAssociations()	Retrieves a list of configuration parameters for an agent configuration object.
Sm_PolicyApi_GetAgentConfigByName()	Retrieves an agent configuration object by name.
Sm_PolicyApi_GetHostConfig()	Retrieves a host configuration object.
Sm_PolicyApi_GetHostConfigByName()	Retrieves a host configuration object by name.
Sm_PolicyApi_GetSharedSecretPolicy()	Retrieves the current shared secret policy.
Sm_PolicyApi_GetTrusted Host()	Retrieves a trusted host object by OID.
Sm_PolicyApi_GetTrustedHostByName()	Retrieves a trusted host object by name.
Sm_PolicyApi_RemoveAgentConfigAssociation()	Removes a configuration parameter name/value pair from a specified agent configuration object.
Sm_PolicyApi_SetSharedSecretPolicy()	Sets the current SharedSecretPolicy.

Authentication/Authorization Map Functions

The following functions manage SiteMinder authentication and authorization directory mapping objects:

Function	Description
Sm_PolicyApi_CreateAuthAzMap()	Creates or updates an authentication and authorization directory mapping object.
Sm_PolicyApi_DeleteAuthAzMap()	Deletes an authentication and authorization directory map.
Sm_PolicyApi_GetAuthAzMap()	Gets the contents of an authentication and authorization directory map.

Authentication Scheme Functions

The following functions manage SiteMinder authentication schemes:

Function	Description
Sm_PolicyApi_AddScheme()	Creates or updates an authentication scheme.
Sm_PolicyApi_DeleteScheme()	Deletes an authentication scheme.
Sm_PolicyApi_GetScheme()	Gets the contents of an authentication scheme by OID.
Sm_PolicyApi_GetSchemeByName()	Gets the contents of an authentication scheme by name.

Certificate Mapping Functions

The following functions manage SiteMinder certificate mapping objects:

Function	Description
Sm_PolicyApi_CreateCertMap()	Creates or updates a certificate mapping object.
Sm_PolicyApi_DeleteCertMap()	Deletes a certificate map.
Sm_PolicyApi_GetCertMap()	Gets the contents of a certificate map.

Domain Functions

The following functions manage SiteMinder domain objects:

Function	Description
Sm_PolicyApi_AddDomain()	Creates or updates a domain.
Sm_PolicyApi_DeleteDomain()	Deletes the domain and any domain children (rules, responses, realms, and policies).
Sm_PolicyApi_GetDomain()	Gets the contents of the domain by OID.
Sm_PolicyApi_GetDomainByName()	Gets the contents of a specified domain by name.
Sm_PolicyApi_GetDomainObjects()	Gets the OIDs of domain objects for a specified object type within the specified domain.

Federation Functions

The following functions support the manipulation of Policy Store data (Affiliate Domain and Affiliate objects) required to generate SAML assertions.

Function	Description
Sm_PolicyApi_AddAdminToAffiliateDomain()	Adds an administrator to an affiliate domain.
Sm_PolicyApi_AddAffiliate()	Creates a new or update an existing affiliate object.
Sm_PolicyApi_AddAffiliateDomain()	Creates a new or updates an existing affiliate domain.
Sm_PolicyApi_AddAttributeToAffiliate()	Adds a new attribute to an affiliate.
Sm_PolicyApi_AddUserDirToAffiliateDomain()	Adds a user directory to an affiliate domain.
Sm_PolicyApi_AddUsersToAffiliate()	Adds a user directory entry to an affiliate.
Sm_PolicyApi_DeleteAffiliate()	Deletes an affiliate.
Sm_PolicyApi_DeleteAffiliateDomain()	Deletes an affiliate domain.
Sm_PolicyApi_GetAffiliate()	Gets an affiliate by OID.
Sm_PolicyApi_GetAffiliateByName()	Gets and affiliate by name.
Sm_PolicyApi_GetAffiliateDomain()	Gets an affiliate domain by OID.
Sm_PolicyApi_GetAffiliateDomainByName()	Gets an affiliate domain by name
Sm_PolicyApi_GetAffiliateDomainObjects()	Gets the OIDs of domain objects for a given object type within the affiliate domain.
Sm_PolicyApi_GetAffiliateDomainUserDirSearchOrder()	Gets the user directory search order for an affiliate domain.
Sm_PolicyApi_GetAffiliateUsers()	Gets the user directory entries for an affiliate.
Sm_PolicyApi_GetAllAffiliateAttributes()	Gets all attributes for an affiliate.
Sm_PolicyApi_GetAllAffiliates()	Gets all affiliates for an affiliate domain.
Sm_PolicyApi_GetGlobalObjects()	Gets affiliate domains. (Not exclusively a Federation function.)
Sm_PolicyApi_InitEx()	See Required Functions.
Sm_PolicyApi_RemoveAdminFromAffiliateDomain()	Removes an administrator from an affiliate domain.
Sm_PolicyApi_RemoveAttributeFromAffiliate()	Removes an attribute from an affiliate.
Sm_PolicyApi_RemoveUserDirFromAffiliateDomain()	Removes a user directory from an affiliate domain.
Sm_PolicyApi_RemoveUsersFromAffiliate()	Removes a user directory entry from an affiliate.
Sm_PolicyApi_SetAffiliateDomainUserDirSearchOrder()	Sets the user directory search order for an affiliate domain.

General Object Functions

The following functions act on multiple types of SiteMinder objects:

Function	Description
Sm_PolicyApi_GetGlobalObjects()	Gets the OIDs of global objects for a specified object type.
Sm_PolicyApi_RenameObject()	Renames an object.

Group Functions

The following functions manage SiteMinder group objects. You can create agent groups, response groups, and rule groups, as enumerated in Sm_PolicyApi_Groups_t.

Note: Groups of global objects are not supported.

A group can contain individual items or groups of its own type. For example, a rule group can contain rules and/or groups of rules.

Function	Description
Sm_PolicyApi_AddGroup()	Creates or updates an agent, response, or rule group object.
Sm_PolicyApi_AddToGroup()	Adds an agent, response, or rule item to a group.
Sm_PolicyApi_DeleteGroup()	Deletes a group.
Sm_PolicyApi_GetGroup()	Gets the contents of a group by OID.
Sm_PolicyApi_GetGroupByName()	Gets the contents of a group by name.
Sm_PolicyApi_GetGroupOids()	Gets the OIDs contained with a group.
Sm_PolicyApi_IsGroup()	Determines whether a specified item is contained within the group.
Sm_PolicyApi_RemoveFromGroup()	Removes the specified item from the group.

ODBC Query Scheme Functions

The following functions manage SiteMinder ODBC query schemes:

Function	Description
Sm_PolicyApi_CreateODBCQueryScheme()	Creates or updates an ODBC query scheme.
Sm_PolicyApi_DeleteODBCQueryScheme()	Deletes an ODBC query scheme.
Sm_PolicyApi_GetODBCQueryScheme()	Gets the contents of an ODBC query scheme by OID.
Sm_PolicyApi_GetODBCQuerySchemeByName()	Gets the contents of an ODBC query scheme by name.

Password Policy Functions

The following functions manage SiteMinder password policy objects:

Function	Description
Sm_PolicyApi_AddPasswordPolicy()	Creates or updates a password policy object.
Sm_PolicyApi_DeletePasswordPolicy()	Deletes a password policy.
Sm_PolicyApi_GetPasswordPolicy()	Gets the contents of a password policy by OID.
Sm_PolicyApi_GetPasswordPolicyByName()	Gets the contents of a password policy by name.

Policy Functions

The following functions manage SiteMinder policy and policy link objects. A policy link is an association of a policy, a rule, and optionally, a response.

Function	Description
Sm_PolicyApi_AddGlobalPolicy()	Creates or updates a global policy object.
Sm_PolicyApi_AddPolicy()	Creates or updates a policy object.
Sm_PolicyApi_AddPolicyLink()	Creates a policy link for the specified policy.
Sm_PolicyApi_DeletePolicy()	Deletes a policy.
Sm_PolicyApi_GetPasswordPolicyByName()	Gets the contents of a password policy by name.
Sm_PolicyApi_GetPolicy()	Gets the contents of a policy by OID.
Sm_PolicyApi_GetPolicyLinks()	Gets a linked list of all policy links associated with the specified policy.
Sm_PolicyApi_RemovePolicyLinkFromPolicy()	Removes a policy link from the specified policy.

Realm Functions

The following functions manage SiteMinder realms objects:

Function	Description
Sm_PolicyApi_AddRealm()	Creates or updates a realm object.
Sm_PolicyApi_DeleteRealm()	Deletes a realm.
Sm_PolicyApi_GetChildren()	Builds a hierarchical realm and rule tree.
Sm_PolicyApi_GetRealm()	Gets the contents of a realm by OID.
Sm_PolicyApi_GetRealmByName()	Gets the contents of a realm by name.

Registration Scheme Functions

The following functions manage SiteMinder registration schemes:

Function	Description
Sm_PolicyApi_AddRegistrationScheme()	Creates or updates a registration scheme.
Sm_PolicyApi_DeleteRegistrationScheme()	Deletes a registration scheme.
Sm_PolicyApi_GetRegistrationScheme()	Gets the contents of a registration scheme by OID.
Sm_PolicyApi_GetRegistration SchemeByName()	Gets the contents of a registration scheme by name.

Regular Expression Functions

The following functions manage SiteMinder regular expressions:

Function	Description
Sm_PolicyApi_AddRegularExpressionToPasswordPolicy()	Creates or updates a regular expression.
Sm_PolicyApi_RemoveRegularExpressionFromPasswordPolicy()	Deletes a regular expression.
Sm_PolicyApi_GetRegularExpressions()	Gets the regular expressions belonging to a given password policy.

Response Functions

The following functions manage SiteMinder response objects:

Function	Description
Sm_PolicyApi_AddGlobalResponse()	Creates or updates a global response object.
Sm_PolicyApi_AddResponse()	Creates or updates a response object.
Sm_PolicyApi_AddResponseAttr()	Creates a response attribute for the specified response.
Sm_PolicyApi_DeleteResponse()	Deletes a response.
Sm_PolicyApi_GetResponse()	Gets the contents of a response by OID.
Sm_PolicyApi_GetResponseAttrs()	Gets a linked list of response attributes for the specified response.
Sm_PolicyApi_GetResponseByName()	Gets the contents of a response by name.
Sm_PolicyApi_RemoveResponseAttr()	Disassociates a response attribute from the specified response.
Sm_PolicyApi_SetResponseInPolicyLink()	Sets a response or response group to a rule or rule group, or removes a response or response group from a rule or rule group.

Rule Functions

The following functions manage SiteMinder rule objects:

Function	Description
Sm_PolicyApi_AddGlobalRule()	Creates or updates a global rule object.
Sm_PolicyApi_AddRule()	Creates or updates a rule object.
Sm_PolicyApi_DeleteRule()	Deletes a rule.
Sm_PolicyApi_GetRule()	Gets the contents of a rule by OID.
Sm_PolicyApi_GetRuleByName()	Gets the contents of a rule by name.

SAML1.x Configuration Functions

The following functions provide support for SAML 1.x configuration settings:

Function	Description
Sm_PolicyApi_AddMessageConsumerPluginTo SAML1Scheme()	Adds or updates a message consumer plugin setting to a SAML1.x authentication scheme.
Sm_PolicyApi_AddRedirectURLTo SAML1xScheme()	Adds or updates a redirect URL to a SAML1.x authentication scheme.
Sm_PolicyApi_GetMessageConsumerPluginFrom SAML1Scheme()	Retrieves a message consumer plugin setting from a SAML 1.x authentication scheme.
Sm_PolicyApi_GetRedirectURLFromSAML1Scheme()	Retrieves a redirect URL setting from a SAML 1.x authentication scheme.

SAML 2.0 Attribute Authority Functions

The following functions managed attributes for a SAML Requester:

Function	Description
Sm_PolicyApi_AddAttributeToSAMLScheme()	Adds an attribute to a SAML Requester defined in a SAML 2.0 authentication scheme.
Sm_PolicyApi_GetAllSAMLSchemeAttributes()	Retrieves all attributes defined for a SAML Requester.
Sm_PolicyApi_RemoveAttributeFromSAMLScheme()	Removes an attribute from a SAML Requester defined in a SAML 2.0 authentication scheme.

SAML 2.0 Configuration Functions

The following functions manage SAML 2.0 affiliations, Service Providers, and Identity Providers.

Function	Description
Sm_PolicyApi_AddAttributeToSAMLSP()	Defines a SAML 2.0 attribute for the Service Provider.
Sm_PolicyApi_AddSAMLAffiliation()	Adds a new SAML affiliation object or modifies an existing one.
Sm_PolicyApi_AddSAMLScheme()	Adds a new SAML 2.0 authentication scheme object or modifies an existing one.
Sm_PolicyApi_AddSAMLServiceProvider()	Adds a new SAML 2.0 Service Provider object or modifies an existing one.
Sm_PolicyApi_AddUsersToSAMLServiceProvider()	Associates a user directory entry with SAML 2.0 Service Provider.
Sm_PolicyApi_DeleteSAMLAffiliation()	Deletes the specified SAML affiliation.
Sm_PolicyApi_DeleteSAMLServiceProvider()	Deletes the specified Service Provider.
Sm_PolicyApi_GetAffiliatedSAMLAuthSchemes()	Retrieves all the SAML authentication schemes associated with the specified SAML affiliation.
Sm_PolicyApi_GetAffiliatedSAMLServiceProviders()	Retrieves all the Service Providers associated with the specified SAML affiliation.
Sm_PolicyApi_GetAllSAMLAffiliations()	Retrieves all existing SAML affiliation objects.
Sm_PolicyApi_GetAllSAMLServiceProviders()	Retrieves all the Service Providers in the specified affiliate domain.
Sm_PolicyApi_GetAllSAMLSPAttributes()	Retrieves all the attributes associated with the specified Service Provider.
Sm_PolicyApi_GetSAML Affiliation()	Retrieves the SAML affiliation specified by its OID in the policy store.
Sm_PolicyApi_GetSAMLAffiliationById()	Retrieves the SAML affiliation specified by its unique affiliation identifier (URI).
Sm_PolicyApi_GetSAMLScheme()	Retrieves information about a SAML 2.0 authentication scheme.
Sm_PolicyApi_GetSAMLServiceProvider()	Retrieves the Service Provider specified by its OID in the policy store.
Sm_PolicyApi_GetSAMLServiceProviderById()	Retrieves the Service Provider specified by its unique provider identifier.
Sm_PolicyApi_GetSAMLServiceProviderUsers()	Retrieves the user directory entries associated with the specified Service Provider.
Sm_PolicyApi_RemoveAttributeFromSAMLSP()	Removes the specified SAML attribute from the Service Provider.
Sm_PolicyApi_RemoveUsersFromSAMLServiceProvider()	Removes the specified users from the Service Provider.

SAML 2.0 Indexed Endpoint Functions

The following functions manage indexed endpoints in the Service Provider:

Function	Description
Sm_PolicyApi_AddAssertionConsumerServiceToSAMLSP()	Adds a new indexed endpoint reference (with index, binding, and Assertion Consumer URL) to a Service Provider.
Sm_PolicyApi_GetAllSAMLSPAssertionConsumerService()	Gets a list of all Assertion Consumer Services present in the policy store.
Sm_PolicyApi_RemoveAssertionConsumerService()	Removes an indexed endpoint reference to an Assertion Consumer Service.

User Directory Functions

The following functions manage SiteMinder user directory objects:

Function	Description
Sm_PolicyApi_AddUserDirToDomain()	Associates a directory object with the specified domain.
Sm_PolicyApi_CreateUserDir()	Creates or updates a user directory object.
Sm_PolicyApi_DeleteUserDir()	Deletes a user directory.
Sm_PolicyApi_GetDirectoryContents()	Gets a linked list of user structures for the specified user directory.
Sm_PolicyApi_GetUserContext()	Allows callers of the Policy Management API to access user context information.
Sm_PolicyApi_GetUserDir()	Gets the contents of a user directory by OID.
Sm_PolicyApi_GetUserDirByName()	Gets the contents of a user directory by name.
Sm_PolicyApi_GetUserDirCapabilities()	Gets the capabilities of the user directory.
Sm_PolicyApi_GetUserDirSearchOrder()	Gets the OIDs of the user directory associated with the specified domain.
Sm_PolicyApi_LookupDirectoryEntry()	Finds a user specification in a particular user directory and based on the specified search pattern.
Sm_PolicyApi_RemoveUserDirFromDomain()	Disassociates a user directory from the specified domain.
Sm_PolicyApi_SetUserDirSearchOrder()	Rearranges the search order of the user directories associated with the specified domain.
Sm_PolicyApi_ValidateDirectoryEntry()	Validates a user specification in a given path and user directory.

User and User State Functions

The following functions perform operations on user state and on user entries in a SiteMinder user directory:

Field	Description
Sm_PolicyApi_AddUsersToPolicy()	Adds a user to the specified policy.
Sm_PolicyApi_DisableUser()	Disables a user.
Sm_PolicyApi_EnableUser()	Enables a user.
Sm_PolicyApi_GetDisabledUserState()	Gets the disabled state of a user.
Sm_PolicyApi_GetPasswordMsg()	Gets information about an error that occurred during an attempt to validate a new password.
Sm_PolicyApi_GetPolicyUsers()	Gets a linked list of structures for the users associated with the specified policy and optionally, user directory.
Sm_PolicyApi_GetUserGroups()	Gets the list of groups that a user is member of.
Sm_PolicyApi_RemoveUsersFromPolicy()	Disassociates the user from the specified policy.
Sm_PolicyApi_SetDisabledUserState()	Sets the disabled state of a user.
Sm_PolicyApi_SetPassword()	Changes or validates a user password.

User Password State Functions

The following functions manage SiteMinder password state objects:

Function	Description
Sm_PolicyApi_GetUserPasswordState()	Returns a UserPasswordState object.
Sm_PolicyApi_SetUserPasswordState()	Adds/Updates a UserPasswordState object.

Utility Functions

The following functions provide a variety of services, including memory, cache, and agent encryption key management:

Function	Description
Sm_PolicyApi_FlushRealm()	Flushes the specified realm from the resource cache.
Sm_PolicyApi_FlushUser()	Flushes the specified user from user cache.
Sm_PolicyApi_FreeMemory()	Frees memory allocated by the Policy Management API.
Sm_PolicyApi_FreeMemoryEx()	Frees memory allocated by the Policy Management API. Required for clients starting at version SM_POLICY_API_VERSION_6_0.
Sm_PolicyApi_FreeString()	Frees a single string allocated by the Policy Management API.
Sm_PolicyApi_FreeStringArray()	Frees string arrays allocated by the Policy Management API.
Sm_PolicyApi_ManagementCommand()	Performs user, key, and resource management services.

Variable Functions

The following methods manage variables.

Function	Description
Sm_PolicyApi_AddVariable()	Adds a variable object.
Sm_PolicyApi_DeleteVariable()	Deletes a variable object.
Sm_PolicyApi_GetVariable()	Gets a specified variable by OID.
Sm_PolicyApi_GetVariableByName()	Gets a specified variable by name.
Sm_PolicyApi_GetVariableType()	Gets a specified variable type by OID.
Sm_PolicyApi_GetVariableTypeByName()	Gets a specified variable type by name.

WS-Federation Functions

The following table lists the supported functions for Resource Partners and Account Partners:

Function	Description
Sm_PolicyApi_AddWSFEDResourcePartner()	Creates or updates a WS-Federation Resource Partner object.
Sm_PolicyApi_GetWSFEDResourcePartner()	Gets a WS-Federation Resource Partner object
Sm_PolicyApi_GetAllWSFEDResourcePartners()	Gets all WS-Federation Resource Partner objects for a domain as a linked list
Sm_PolicyApi_DeleteWSFEDResourcePartner()	Deletes a WS-Federation Resource Partner. This will then delete the agent, realm, rule, policy, and policy link objects associated with the Resource Partner object
Sm_PolicyApi_AddUsersToWSFEDResourcePartner()	Associates a user directory entry with a WS-Federation Resource Partner.
Sm_PolicyApi_RemoveUsersFromWSFEDResourcePartner()	Disssociates a user directory entry from a WS-Federation Resource Partner
Sm_PolicyApi_GetUsersFromWSFEDResourcePartner()	Gets the user directory entries associated with a WS-Federation Resource Partner
Sm_PolicyApi_AddWSFEDScheme()	Creates or updates a WS-Federation authentication scheme
Sm_PolicyApi_GetWSFEDScheme()	Gets a WS-Federation authentication scheme.

Function Declarations for the Policy Management API

Function declarations include the syntax and return values for each function in the Policy Management API for reference.

Sm_PolicyApi_AddAdmin()

Creates a new SiteMinder administrator object at a global scope. The administrator's attributes are contained in the pstructAdmin structure.

If the administrator object exists and bUpdate is true, the item is updated.

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAdmin (
   void*                    pSessionHandle,
   Sm_PolicyApi_Admin_t*    pstructAdmin,
   const bool               bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructAdmin	I	A pointer to a completely filled-in administrator structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The administrator object was created successfully.
Sm_PolicyApi_Failure. The administrator object was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create an administrator object.
Sm_PolicyApi_InvalidOid:
- The administrator object identifier was not found during an update.
- The user directory object identifier was not found.
- The scheme object identifier was not found.

Sm_PolicyApi_AddAdminToAffiliateDomain()

Adds an administrator to an affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_AddAdminToAffiliateDomain (
   void*        pSessionHandle,
   const char*  pszAdminOid,
   const char*  pszAffiliateDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAdminOid	I	A null-terminated string containing the object identifier of an existing administrator.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.

Returns

Sm_PolicyApi_Success. The administrator was added to the affiliate domain.
Sm_PolicyApi_Failure. The administrator was not added to the affiliate domain.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete an affiliate domain.
Sm_PolicyApi_InvalidOid. The affiliate domain OID was not found during an update.
Sm_PolicyApi_DuplicateEntry. The specified administrator object identifier already exists in the affiliate domain

Sm_PolicyApi_AddAdminToDomain()

Gives the specified administrator permission to administer the specified domain, and associates the administrator object identified by szAdminOid with the domain identified by szDomainOid.

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAdminToDomain (
   void*            pSessionHandle,
   const char*      pszAdminOid,
   const char*      pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAdminOid	I	A null-terminated string containing the object identifier of an existing administrator.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.

Returns

Sm_PolicyApi_Success. The administrator was added to the domain.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add an administrator to a domain.
Sm_PolicyApi_InvalidOid. The administrator object identifier or the domain object identifier was not found.
Sm_PolicyApi_DuplicateEntry. The specified administrator object identifier already exists in the domain.

Sm_PolicyApi_AddAffiliate()

Creates a new or updates an existing affiliate object. This function will also retrieve the PropertyCollection object based on the AffiliateDomain OID.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_AddAffiliate (
   void*                       pSessionHandle,
   Sm_PolicyApi_Affiliate_t*   pstructAffiliate,
   const bool                  bUpdate
);

Parameter

I/O

Description

pSessionHandle

A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.

pstructAffiliate

A pointer to a completely filled-in affiliate structure.

bUpdate

A flag to indicate that if an existing object is found, it should be updated.

Remarks

This function creates affiliate objects that are based on the artifact profile or the POST profile (see the Sm_PolicyApi_Affiliate_t field SAMLProfile). Creating an affiliate object based on the POST profile requires an API version of at least SM_POLICY_API_VERSION_6_0_2. If an earlier version is involved, the POST profile request is ignored (along with any POST-specific fields in Sm_PolicyApi_Affiliate_t) and an attempt is made to create an affiliate object based on the artifact profile.

Returns

Sm_PolicyApi_Success. The affiliate was created successfully.
Sm_PolicyApi_Failure. The affiliate was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create an affiliate.
Sm_PolicyApi_DomainNotFound. The affiliate domain OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.

Sm_PolicyApi_AddAffiliateDomain()

Creates a new or updates an existing affiliate domain. Sets bIsAffiliate to TRUE.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_AddAffiliateDomain (
   void*                           pSessionHandle,
   Sm_PolicyApi_AffiliateDomain_t  *pstructAffiliateDomain,
   const bool                      bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructAffiliate Domain	I	A pointer to a completely filled-in affiliate domain structure.
bUpdate	I	A boolean flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The affiliate domain was created successfully.
Sm_PolicyApi_Failure. The affiliate domain was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create an affiliate domain.
Sm_PolicyApi_DomainNotFound. The affiliate domain OID was not found during an update.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.

Sm_PolicyApi_AddAgent()

Creates a new SiteMinder agent. The attributes of the agent are contained in the pstructAgent structure.

If the agent exists and the bUpdate flag is true, the item is updated.

You must specify an agent type with this call. To get the agent type OID for the agent, use Sm_PolicyApi_GetGlobalObjects().

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAgent (
   void*                   pSessionHandle,
   Sm_PolicyApi_Agent_t*   pstructAgent,
   const bool              bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructAgent	I	A pointer to a completely filled-in agent structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The agent was created successfully.
Sm_PolicyApi_Failure. The agent was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create an agent.
Sm_PolicyApi_InvalidOid:
- The agent type OID was not found or is not of the specified agent type.
- The agent OID was not found. This happens when this function is called with bUpdate set to true and the pszOid field of Sm_PolicyApi_Agent_t holds the OID of the agent being updated.
Sm_PolicyApi_NotUnique. An agent with the same name exists.
Sm_PolicyApi_RadiusIpAddrNotUnique. Another RADIUS IP address exists that is the same.
Sm_PolicyApi_MissingProperty. One of the required fields is not set.

Sm_PolicyApi_AddAgentConfig()

Creates or modifies an agent configuration object in the policy store.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAgentConfig (
   void*                            pSessionHandle,
   Sm_PolicyApi_AgentConfig_t*      pstructAgentConfig,
   const bool                       bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructAgentConfig	I	Address of a structure that defines the agent configuration object.
bUpdate	I	If true, the object is being updated.

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to an agent configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to add or modify an agent configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_AddAgentConfigAssociation()

Adds or modifies a configuration parameter name and corresponding value in a specified agent configuration object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAgentConfigAssociation (
   void*                            pSessionHandle,
   const char*                      pszAgentConfigOid,
   Sm_PolicyApi_Association_t*      pstructAssociation,
   bool                             bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentConfigOid	I	Unique identifier of the agent configuration object.
pstructAssociation	I	The name/value pair to add or modify in the agent configuration object.
bUpdate	I	If true, the object is being updated.

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to an agent configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to add agent configuration object parameters.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_AddAssertionConsumerServiceToSAMLSP

Adds a new indexed endpoint, which includes an index, binding, and an Assertion Consumer Service URL, to the Service Provider.

Note: An existing indexed endpoint reference cannot be modified.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_AddAssertionConsumerServiceToSAMLSP (
   void*                               pSessionHandle,
   const Sm_PolicyApi_SAMLSPAssertionConsumerService_t* 
                pstructSAMLSPAssertionConsumerService,
   const char*                         pszSAMLSPOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructSAMLSPAssertion ConsumerService	I	A pointer to an Assertion Consumer Service structure.
pszSAMLSPOid	I	A pointer to a string containing the OID of the Service Provider.

Returns

Sm_PolicyApi_Success. The Assertion Consumer Service was added successfully.
Sm_PolicyApi_Failure - The Assertion Consumer Service was not added successfully.
Sm_PolicyApi_ACSDuplicateIndex - There is already an Assertion Consumer Service assigned to thei Service Provider with the same index value.
Sm_PolicyApi_InvalidHandle - There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession - There is no valid administrator session.
Sm_PolicyApi_NoPrivilege - The administrator does not have the privilege to add an Assertion Consumer Service.

Remarks

The following fields of the Sm_PolicyApi_SAMLSPAssertionConsumerService_t structure are evaluated:

The value of the index is a unique positive integer, less than 65535,
The Assertion Consumer URL starts with http:// or https://.
The binding is either HTTP-Post or HTTP_Artifact.

Sm_PolicyApi_AddAttributeToAffiliate()

Adds a new attribute to an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_AddAttributeToAffiliate (
   void*                               pSessionHandle,
   const Sm_PolicyApi_AffiliateAttr_t* pstructAffiliateAttr,
   const char*                         pszAffiliateOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructAffiliate Attr	I	A pointer to a completely filled-in affiliate attribute structure.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.

Returns

Sm_PolicyApi_Success. The affiliate attribute was created successfully.
Sm_PolicyApi_Failure - The affiliate attribute was not created successfully.
Sm_PolicyApi_InvalidHandle - There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession - There is no valid administrator session.
Sm_PolicyApi_NoPrivilege - The administrator does not have the privilege to create an affiliate attribute.
Sm_PolicyApi_InvalidOid - The affiliate OID was not found.

Sm_PolicyApi_AddAttributeToSAMLScheme()

Adds an attribute, which can be requested from the configured Attribute Service, to a SAML 2.0 authentication scheme.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAttributeToSAMLScheme(
   void*                                pHandle,
   const Sm_PolicyApi_Scheme_t*         pstructScheme,
   const Sm_PolicyApi_SAMLRequesterAttr_t*     pAttr
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructScheme	I	A pointer to a completely filled-in structure for a SAML 2.0 Scheme.
pAttr	I	A pointer to the Sm_PolicyApi_SAMLRequesterAttr_t structure containing the attribute to be added.

Returns

Sm_PolicyApi_Success. The attribute was added successfully.
Sm_PolicyApi_Failure. The attribute was not added successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add an attribute to a SAML Requester.
Sm_PolicyApi_SAMLIDP_IncorrectParameters. Supplied SAML provided properties are incomplete or incorrect.
Sm_PolicyApi_DuplicateAttribute. An attribute already exists with the same Name and NameFormat.

Sm_PolicyApi_AddAttributeToSAMLSP()

Defines a SAML 2.0 attribute for the Service Provider.

A SAML 2.0 attribute contains information about a principal who is trying to access a resource on the Service Provider-for example, the principal's user DN.

The defined attribute is included in an attribute statement for all SAML 2.0 assertions that are produced for the Service Provider.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAttributeToSAMLSP (
   void*                                pHandle,
   const Sm_PolicyApi_SAMLSPAttr_t*     pstructSAMLSPAttr,
   const char*                          pszSAMLSPOid
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructSAMLSPAttr	I	A pointer to a completely filled-in attribute structure.
pszSAMLSPOid		A null-terminated string containing the object identifier of an existing Service Provider.

Returns

Sm_PolicyApi_Success. The attribute was added successfully.
Sm_PolicyApi_Failure. The attribute was not added successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add an attribute to a SAML Service Provider.
Sm_PolicyApi_DuplicateAttribute. An attribute already exists with the same Name and NameFormat.

Sm_PolicyApi_AddDomain()

Creates a new SiteMinder domain. Attributes of the domain are contained in the pstructDomain structure.

If the domain exists and the bUpdate flag is true, the item is updated.

Type

Domain function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddDomain (
   void*                    pSessionHandle,
   Sm_PolicyApi_Domain_t*   pstructDomain,
   const bool               bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructDomain	I	A pointer to a completely filled-in domain structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The domain was created successfully.
Sm_PolicyApi_Failure. The domain was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a domain.
Sm_PolicyApi_InvalidOid. The domain OID was not found during an update.

Sm_PolicyApi_AddGlobalPolicy()

Creates a new global policy in the object store. The policy attributes are contained in the pStructPolicy structure.

If the policy exists and the bUpdate flag is true, the item is updated.

Type

Policy function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddGlobalPolicy (
   void*                    pSessionHandle,
   Sm_PolicyApi_Policy_t*   pStructPolicy,
   const bool               bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructPolicy	I	A pointer to a completely filled policy structure. The structure's domain OID is ignored.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The global policy was created successfully.
Sm_PolicyApi_Failure. The global policy was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a global policy.
Sm_PolicyApi_NotImplemented: The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_AddGlobalResponse()

Creates a new global response in the object store.

Type

Rule function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddGlobalResponse (
   void*                      pSessionHandle,
   Sm_PolicyApi_Response_t*   pStructResponse,
   const bool                 bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructResponse	I	A pointer to a completely filled response structure. The structure's domain OID is ignored.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The global response was created successfully.
Sm_PolicyApi_Failure. The global response was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a global response.
Sm_PolicyApi_InvalidOid: A global response with a matching OID was not found during an update.
Sm_PolicyApi_NotImplemented: The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_AddGlobalRule()

Creates a new global rule in the object store.

Type

Rule function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddGlobalRule (
   void*                   pSessionHandle,
   Sm_PolicyApi_Rule_t*    pStructRule,
   const bool              bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructRule	I	A pointer to a completely filled-in rule structure. The realm OID in the structure is ignored.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The global rule was created successfully.
Sm_PolicyApi_Failure. The global rule was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a global rule.
Sm_PolicyApi_InvalidOid:
- A global rule with a matching OID was not found during an update.
- An agent or agent group with matching OID was not found.
Sm_PolicyApi_NotImplemented: The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_AddGroup()

Adds a new group object to the Siteminder policy store. The attributes of the group are contained in the pStructGroup structure.

Note: Groups of global objects are not supported.

The pszDomainOid parameter is required by a rule group or response group. An agent group does not require a domain OID because it is not a domain-based object.

If the group object exists and the bUpdate flag is true, the item is updated.

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_AddGroup (
   void*                    pSessionHandle,
   Sm_PolicyApi_Groups_t    dwGroup,
   const char*              pszDomainOid,
   Sm_PolicyApi_Group_t*    pStructGroup,
   const bool               bUpdate
);

Parameter	I/O	Description
pSession Handle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	Indicates the type of group to be added.
pszDomainOid	I	A null-terminated string containing the name of an existing domain. Required parameter for rule or response group. (Global rule or response groups are not supported.)
pStructGroup	I	A pointer to a completely filled-in group structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The add was successful.
Sm_PolicyApi_Failure. The add was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a group.
Sm_PolicyApi_InvalidOid. The domain OID was not found (for a domain-based group).
Sm_PolicyApi_BadGroup. The dwGroup parameter is not the rule, response, or agent group type.

Sm_PolicyApi_AddHostConfig()

Creates or updates a host configuration object in the policy store.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddHostConfig (
   void*                            pSessionHandle,
   Sm_PolicyApi_HostConfig_t*       pstructHostConfig,
   const bool                       bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructHostConfig	I	Address of structure that defines the host configuration object.
bUpdate	I	If true, the object is being updated.

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to a host configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to create or modify a host configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_AddMessageConsumerPluginToSAML1xScheme()

Adds or updates a message consumer plugin setting to a SAML 1.x authentication scheme.

Syntax

int SM_EXTERN Sm_PolicyApi_AddMessageConsumerPluginToSAML1xScheme(
   void*    pHandle,
   char*    pszSchemeOID,
   char*    pluginClass,
   char*    pluginParam                        
);

Parameters

phandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSchemeOid: [in] A pointer to the OID of the authentication scheme that is being updated.
pluginClass: [in] A pointer to the name of the message consumer plugin class to be set.
pluginParam: [in] A pointer to the parameters of the message consumer plugin class to be set.

Returns

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_SchemeNotFound. The authentication scheme corresponding to the OID was not found, or was not a SAML 1.x authentication scheme.
Sm_PolicyApi_InvalidOid. The OID of the authentication scheme is NULL.

Sm_PolicyApi_AddOneTimeUsePropToAffiliate()

Adds or updates the OneTimeUse property for an assertion in a SAML 1.x affiliate.

Syntax

int SM_EXTERN Sm_PolicyApi_AddOneTimeUsePropToAffiliate(
   void*    pHandle,
   char*    pszAffiliateOID,
   bool     bOneTimeUse
                           
);

Parameters

pHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid: [in] A pointer to the OID of an existing SMAL 1.x affiliate.
bOneTimeUse: [in] A Boolean value that specifies whether an assertion is used only once in this affiliate.

Returns

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_NoSession. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator did not have sufficient access privileges.

Sm_PolicyApi_AddPasswordPolicy()

Adds a password policy object.

Note the following about Sm_PolicyApi_PasswordPolicy_t:

When the password policy applies to an entire directory (bEntireDir is set to true), you must set pszPath and pszClass to an empty string. The Policy Management API returns Sm_PolicyAPI_BadArgument if these strings are not empty.
When the pszPasswordServicesRedirect field is set to an empty string, the Policy Management API sets it to a default URL:
```
/siteminderagent/forms/smpwservices.fcc
```

Type

Password policy function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddPasswordPolicy (
   void*                            pSessionHandle,
   Sm_PolicyApi_PasswordPolicy_t*   pstructPasswordPolicy,
   const bool                       bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructPassword Policy	I	The address of a pointer to a Sm_PolicyApi_PasswordPolicy_t structure containing information about password policy.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The create was successful.
Sm_PolicyApi_Failure. The create was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a password policy.
Sm_PolicyApi_InvalidOid:
- The password policy OID was not found during an update.
- The user directory OID was not found.
Sm_PolicyApi_BadArgument. The path and class are empty.

Sm_PolicyApi_AddPolicy()

Creates a new SiteMinder policy. The policy attributes are contained in the pStructPolicy structure.

If the policy exists and the bUpdate flag is true, the item is updated.

Type

Policy function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddPolicy (
   void*                    pSessionHandle,
   Sm_PolicyApi_Policy_t*   pStructPolicy,
   const bool               bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructPolicy	I	A pointer to a completely filled-in policy structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The policy was created successfully.
Sm_PolicyApi_Failure. The policy was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a policy.
Sm_PolicyApi_InvalidOid:
- The policy OID was not found during an update.
- The domain OID was not found.

Sm_PolicyApi_AddPolicyLink()

Creates a new SiteMinder policy link for the policy identified by pszPolicyOid.

A policy link object binds a policy to a rule and, optionally, a response. The attributes of the new policy link are contained in the pstructPolicyLink structure.

If the policy link exists and the bUpdate flag is true, the item is updated.

Type

Policy function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddPolicyLink (
   void*                         pSessionHandle,
   const                         pszPolicyOid, 
   Sm_PolicyApi_PolicyLink_t*    pstructPolicyLink
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy.
pstructPolicyLink	I	A pointer to a completely filled-in policy link structure.

Returns

Sm_PolicyApi_Success. The policy link was created successfully.
Sm_PolicyApi_Failure:
- The domain of a rule OID is not the same as the domain of the policy OID.
- The domain of a response OID is not the same as the domain of the policy OID.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a policy link.
Sm_PolicyApi_InvalidOid:
- The policy OID was not found.
- The rule or rule group OID was not found.
- The response or response group OID was not found.

Sm_PolicyApi_AddRealm()

Creates a new SiteMinder realm within the domain specified in pStructRealm. The pStructRealm structure also contains other attributes of the realm, including the agent or agent group that protects the realm.

Sm_PolicyApi_AddRealm() fails if a protecting agent or agent group is not specified.

If the new realm is a top-level realm, set pszParentRealmOid (in Sm_PolicyApi_Realm_t) to the domain OID. Otherwise, set pszParentRealmOid to the OID of the new realm's parent realm.

If the realm exists and the bUpdate flag is true, the existing item is updated.

It is the responsibility of the client application to meet the following conditions in order to add an authorization directory to a realm successfully:

The directory mapping between the authorization user directory and authentication user directory should exist.
Note: The Policy Management API checks only to see if the authorization user directory exists. It does not validate if there is a directory mapping for the given authorization user directory.
The associated authentication user directory should be present in the user directory collection of the domain.

Type

Realm function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddRealm (
   void*                    pSessionHandle,
   Sm_PolicyApi_Realm_t*    pStructRealm,
   const bool               bUpdate
);

Parameter

I/O

Description

pSessionHandle

A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.

pStructRealm

A pointer to a completely filled-in structure.

bUpdate

A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The realm was created successfully.
Sm_PolicyApi_Failure. The realm was not created successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a realm.
Sm_PolicyApi_InvalidOid:
- The realm OID was not found during an update.
- The domain OID was not found.
- The agent OID or agent group OID was not found.
- The scheme OID was not found.
- The parent OID could not be found. (The parent OID can be a realm OID or a domain OID.)

Sm_PolicyApi_AddRedirectURLToSAML1xScheme()

Adds or updates a redirect URL setting in a SAML 1.x authentication scheme.

Syntax

int SM_EXTERN Sm_PolicyApi_AddRedirectURLToSAML1xScheme(
        void*        pSessionHandle,
        const char*  pszSchemeOid,
        int          iTypeURL,
        char*        URL,
        int          redirectMode
);

Parameters

pSessionHandle

[in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.

pszSchemeOid

[in] A null-terminated string containing the object identifier of the authentication scheme being updated.

iTypeUrl

[in] An integer specifying the type of redirect URL, defined in Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_TYPE_t as follows:

Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_USER_NOT_FOUND_TYPE = 0
Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_INVALID_SSO = 1
Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_UNACCEPTABLE_USER_CREDENTIALS = 2

URL

[in] A pointer to the input redirect URL.

redirectMode

[in] An integer specifying the input redirect mode, which is either 0 for 302 No Data, or 1 for Http-Post.

Return Values

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_SchemeNotFound. The authentication scheme corresponding to the OID was not found, or was not a SAML 1.x authentication scheme.
Sm_PolicyApi_InvalidOid. The OID of the authentication scheme is NULL.

Sm_PolicyApi_AddRegistrationScheme()

Adds a registration scheme.

Type

Registration scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddRegistrationScheme (
   void*                         pSessionHandle,
   Sm_PolicyApi_RegistrationScheme_t* 
                                 pstructRegistrationScheme,
   const bool                    bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstruct Registration Scheme	I	The address of a pointer to Sm_PolicyApi_RegistrationScheme_t, which contains information about the registration scheme.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The registration scheme was created successfully.
Sm_PolicyApi_Failure. The registration scheme was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a registration scheme.
Sm_PolicyApi_InvalidOid:
- The registration scheme object identifier was not found during an update.
- The user directory object identifier was not found.

Sm_PolicyApi_AddRegularExpressionToPasswordPolicy()

Adds a regular expression to the referenced password policy. Implemented only if the session's version is set to SM_POLICY_API_VERSION_6_0.

Type

Regular Expression function.

Syntax

int SM_EXTERN    Sm_PolicyApi_AddRegularExpressionToPasswordPolicy (
   void*                              pSessionHandle,
   const char*                        pszPasswordPolicyOid,
   Sm_PolicyApi_RegularExpression_t*  pstructRegExpr
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPassword PolicyOid	I	The OID of the password policy to add the regular expression to.
pstructRegExpr	I	A pointer to the regular expression structure to add.

Returns

Sm_PolicyApi_Success. The regular expression was added successfully.
Sm_PolicyApi_Failure. The regular expression was not added successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a regular expression.
Sm_PolicyApi_InvalidOid: The password policy OID was not found.

Sm_PolicyApi_AddResponse()

Creates a new SiteMinder response. The attributes of the response itself are contained in the pStructResponse structure.

If the response exists, and the bUpdate flag is true, the item is updated.

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddResponse (
   void*                      pSessionHandle,
   Sm_PolicyApi_Response_t*   pStructResponse,
   const bool                 bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructResponse	I	A pointer to a completely filled-in response structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The response was created successfully.
Sm_PolicyApi_Failure. The response was not created successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a response.
Sm_PolicyApi_InvalidOid:
- The response OID was not found during an update.
- The domain OID was not found.
- The agent type OID was not found.

Sm_PolicyApi_AddResponseAttr()

Creates a new SiteMinder response attribute object within the response identified by pszResponseOid. The response attributes are contained in the pstructResponseAttr parameter.

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddResponseAttr (
   void*                         pSessionHandle,
   const char*                   pszResponseOid,
   Sm_PolicyApi_ResponseAttr_t*  pstructResponseAttr
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszResponseOid	I	A null-terminated string containing the object identifier of an existing response.
pstructResponseAttr	I	A pointer to a completely filled-in response structure.

Returns

Sm_PolicyApi_Success. The response attribute was added successfully.
Sm_PolicyApi_Failure. The response attribute was not added successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a response attribute.
Sm_PolicyApi_InvalidOid:

The response OID was not found.

The agent type attribute OID was not found.

Sm_PolicyApi_AddRule()

Creates a new SiteMinder rule. The attributes of the rule itself are contained in the structure referenced by pStructRule.

If the rule exists and the bUpdate flag is true, the item is updated.

Note: A rule is always associated with a realm. Rule names are unique within in a realm but not within a domain.

Type

Rule function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddRule (
   void*                   pSessionHandle,
   Sm_PolicyApi_Rule_t*    pStructRule,
   const bool              bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructRule	I	A pointer to a completed rule structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The rule was created successfully.
Sm_PolicyApi_Failure. The rule was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a rule.
Sm_PolicyApi_InvalidOid:
- The rule OID was not found during an update.
- The realm OID was not found.

Sm_PolicyApi_AddSAMLAffiliation()

Adds a new SAML affiliation object or modifies an existing one.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddSAMLAffiliation (
   void*                              pSessionHandle,
   Sm_PolicyApi_SAMLAffiliation_t*    pstructAffiliation,
   const bool                         bUpdate,
   char**                             pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructAffiliation	I	A pointer to a completed SAML affiliation structure.
bUpdate	I	Specifies whether an update operation should be performed on an existing object.
pszErrMsg	O	String containing an error message if the affiliation is not added or updated successfully. The Policy Management API allocates memory for this parameter dynamically. It is the responsibility of the custom application to free it using a call to Sm_PolicyApi_FreeString(). If Sm_PolicyApi_MissingProperty or Sm_PolicyApi_InvalidProp are returned, this field contains the name of the property that is missing or invalid.

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. The operation was not successful.
Sm_PolicyApi_InvalidProp. A specified property is invalid. The property name is returned in pszErrMsg.
Sm_PolicyApi_MissingProperty. A required property was not specified. The property name is returned in pszErrMsg.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a SAML affiliation.
Sm_PolicyApi_InsufficientData. Required properties for configuring the SAML affiliation were missing.

Sm_PolicyApi_AddSAMLScheme()

Adds a new SAML 2.0 authentication scheme object or modifies an existing one. This function also defines metadata properties for the associated Identity Provider. The metadata properties are stored with the authentication scheme.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddSAMLScheme

(
   void*                                     pHandle,
   Sm_PolicyApi_Scheme_t*                    pstructScheme,
   Sm_PolicyApi_SAMLProviderProp_t*          pProps,
   const bool                                bUpdate,
   char**                                    pszErrMsg
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructScheme	I	A pointer to a completed scheme structure.
pProps	I	SAML 2.0 metadata properties associated with the authentication scheme. If you do not assign a value to a property associated with a default value, the default will be assigned.
bUpdate	I	Specifies whether an update operation should be performed on an existing object.
pszErrMsg	O	String containing an error message if the authentication scheme is not added or updated successfully. The Policy Management API allocates memory for this parameter dynamically. It is the responsibility of the custom application to free it using a call to Sm_PolicyApi_FreeString().. If Sm_PolicyApi_MissingProperty or Sm_PolicyApi_InvalidProp are returned, this field contains the name of the property that is missing or invalid.

Returns

Sm_PolicyApi_Success. The SAML 2.0 authentication scheme operation was successful.
Sm_PolicyApi_Failure. The SAML 2.0 authentication operation was not successful
Sm_PolicyApi_InvalidProp. A specified property is invalid. The property name is returned in pszErrMsg.
Sm_PolicyApi_MissingProperty. A required property was not specified. The property name is returned in pszErrMsg.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a SAML 2.0 authentication scheme.
Sm_PolicyApi_SAMLIDP_IncorrectParameters. The supplied SAML provider properties are incomplete or incorrect.
Sm_PolicyApi_SAMLIDP_ProviderIdNotUnique. The supplied SAML provider ID is not unique.

Sm_PolicyApi_AddSAMLServiceProvider()

Adds a new SAML 2.0 Service Provider object or modifies an existing one.

If a Service Provider cannot be created, any associated objects created in the policy store during the attempt will be rolled back.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddSAMLServiceProvider
(
   void*                          pSessionHandle,
   Sm_PolicyApi_SAMLSP_t*         pstructSAMLSP,
   const bool                     bUpdate,
   char**                         pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructSAMLSP	I	A pointer to a completed Service Provider structure.
bUpdate	I	Specifies whether an update operation should be performed on an existing object.
pszErrMsg	O	String containing an error message if the Service Provider is not added or updated successfully. The Policy Management API allocates memory for this parameter dynamically. It is the responsibility of the custom application to free it using a call to Sm_PolicyApi_FreeString(). If Sm_PolicyApi_MissingProperty or Sm_PolicyApi_InvalidProp are returned, this field contains the name of the property that is missing or invalid.

Returns

Sm_PolicyApi_Success. The Service Provider operation was successful.
Sm_PolicyApi_Failure. The Service Provider operation was not successful.
Sm_PolicyApi_InvalidProp. A specified property is invalid. The property name is returned in pszErrMsg.
Sm_PolicyApi_MissingProperty. A required property was not specified. The property name is returned in pszErrMsg.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a Service Provider.
Sm_PolicyApi_DomainNotFound. The affiliate domain OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.
Sm_PolicyApi_InsufficientSPData. Required properties for configuring the Service Provider were missing.

Sm_PolicyApi_AddScheme()

Creates a new SiteMinder authentication scheme. Attributes of the scheme are contained in the pstructScheme structure.

If the scheme exists and the bUpdate flag is true, the item is updated.

Type

Authentication scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddScheme (
   void*                    pSessionHandle,
   Sm_PolicyApi_Scheme_t*   pstructScheme,
   const bool               bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructScheme	I	A pointer to a completely filled-in scheme structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The scheme was created successfully.
Sm_PolicyApi_Failure. The scheme was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a scheme.
Sm_PolicyApi_InvalidOid. The scheme object identifier was not found during an update.

Sm_PolicyAPI_AddTargetConfigToSAML1xScheme

Adds a default target configuration setting in a SAML 1.x authentication scheme.

Syntax

The Sm_PolicyApi_AddTargetConfigToSAML1xScheme function has the following syntax:

int SM_EXTERN Sm_PolicyApi_AddTargetConfigToSAML1xScheme(
        void*        pHandle,
        const char*  pszSchemeOid,
        const char*  pszURL,
        int         iQPOverridesTarget
);

Parameters

The Sm_PolicyApi_AddTargetConfigToSAML1xScheme function accepts the following parameters:

pHandle

[in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.

pszSchemeOid

[in] A null-terminated string containing the object identifier of the authentication scheme being updated.

pszURL

[in] A pointer to a valid default target configuration URL.

iQPOverrides Target

[in] An integer specifying the value specified in the 'Query parameter override Default Target' check box.

Valid values for iQPOverridesTarget are:

0 specifies that the query parameter does not override the target.
1 specifies that the query parameter overrides the target.

Return Values

The Sm_PolicyApi_AddTargetConfigToSAML1xScheme function returns one of the following values:

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_SchemeNotFound. The authentication scheme corresponding to the OID was not found, or was not a SAML 1.x authentication scheme.
Sm_PolicyApi_InvalidOid. The OID of the authentication scheme is NULL.

Sm_PolicyApi_AddToGroup()

Adds an item to the group identified by pszGroupOid.

The item (which may be a group) and the group must exist and must be of the same type.

The pszDomainOid parameter is required by a rule group or response group. An agent group does not require a domain OID because it is not a domain-based object.

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_AddToGroup (
   void*                   pSessionHandle,
   Sm_PolicyApi_Groups_t   dwGroup,
   const char*             pszItemOid,
   const char*             pszGroupOid,
   const char*             pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	The type of group.
pszItemOid	I	A null-terminated string containing the object identifier of an existing item of the same type as the group.
pszGroupOid	I	A null-terminated string containing the object identifier of a group of the type indicated by dwGroup.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain. Required for rule and response objects.

Returns

Sm_PolicyApi_Success. The add was successful.
Sm_PolicyApi_Failure. The add was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a rule, response, or agent OID to its respective group.
Sm_PolicyApi_InvalidOid:
- The domain OID was not found (for a domain-based group).
- The group OID was not found.
- The rule, response, or agent OID or group OID was not found.
Sm_PolicyApi_BadGroup. Parameter dwGroup is not the rule, response, or agent type.

Sm_PolicyApi_AddTrustedHost()

Creates or modifies a trusted host object in the object store.

Use this function to register the trusted host "offline"-that is, without a connection between the agent and the Policy Server. When you use this function, you must run the SiteMinder smreghost tool to define the shared secret in the host configuration file (default name SmHost.conf). You define the shared secret with the -sh option of the smreghost tool.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddTrustedHost (
     void*                            pSessionHandle,
     Sm_PolicyApi_TrustedHost_t*      pstructTrustedHost,
     bool                             bUpdate,
     bool                             bGenSharedSecret
);

Parameter	I/O	Description
pSessionHandle	I	Specifies the identifier of the session.
pstructTrustedHost	I/O	The address of a structure of type Sm_PolicyApi_TrustedHost_t. The structure is filled by a caller prior to a function call.
bUpdate	I	Specifies whether the function was called to update the existing object in the object store.
bGenSharedSecret	I	Indicates whether to generate the shared secret.

Remarks

If bGenSharedSecret is true, the function generates a 128-byte value and updates the pszSecret field of pstructTrustedHost. If bGenSharedSecret is false, the value of the shared secret for a new or updated trusted host object is taken from the pszSecret field of the pstructTrustedHost structure.

If both bGenSharedSecret and bUpdate are true, the function ignores the value specified in the pszSecret field of pstructTrustedHost, generates a new value, and updates the object in the object store and in the pszSecret field of pstructTrustedHost.

If the function generates the shared secret, you must retrieve the generated shared secret in clear text so that you can define it in the -sh option of the smreghost tool. To retrieve the shared secret, call Sm_PolicyApi_GetTrustedHost().

In past releases, agent registration with the Policy Server always used 128-byte random ASCII shared secrets. The new model makes it possible to use a user-defined string value as a shared secret. This is a potential security weakness. The administrator who chooses offline agent host configuration must create a strong shared secret and store it safely. It is strongly recommended that you call the function Sm_PolicyApi_AddTrustedHost() with the bGenSharedSecret parameter set to true. This enforces automatic generation of a hard-to-guess shared secret.

Use of this function is not required to either create a trusted host or to define the host configuration. SiteMinder automatically creates and configures the trusted host during installation, and also when you run smreghost without using the -sh option.

Returns

Sm_PolicyApi_Success. The trusted host object was created or modified.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to a Trusted Host object.
Sm_PolicyApi_NoPrivilege. The caller does not have the proper privileges to add or modify a trusted host object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NotUnique. The shared secret already exists.
Sm_PolicyApi_NoSession. The API user is not properly logged in.
Sm_PolicyApi_InvalidProp. Invalid shared secret value specified.
Sm_PolicyApi_GenSharedSecretFailure. Failed to generate a 128‑byte shared secret value.

Sm_PolicyApi_AddUserDirToAffiliateDomain()

Adds a user directory to an existing affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_AddUserDirToAffiliateDomain (
   void*         pSessionHandle,
   const char*   pszUserDirOid,
   const char*   pszAffiliateDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.

Returns

Sm_PolicyApi_Success. The user directory was added to the affiliate domain successfully.
Sm_PolicyApi_Failure. The user directory was not added to the affiliate domain.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a user directory to an affiliate domain.
Sm_PolicyApi_InvalidOid. The affiliate domain OID or user directory OID was not found during an update.
Sm_PolicyApi_DuplicateEntry. The user directory exists in the user directory collection of the domain.

Sm_PolicyApi_AddUserDirToDomain()

Associates the directory object identified by pszUserDirOid with the domain identified by pszDomainOid. The directory object is appended to the end of the search order.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddUserDirToDomain (
   void*          pSessionHandle,
   const char*    pszUserDirOid,
   const char*    pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.

Returns

Sm_PolicyApi_Success. The add operation was successful.
Sm_PolicyApi_Failure. The add operation was not successful.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a user directory to a domain.
Sm_PolicyApi_InvalidOid. A user directory or domain OID was not found.
Sm_PolicyApi_DuplicateEntry. The user directory exists in the user directory collection of the domain.

Sm_PolicyApi_AddUseSecureAuthPropToAffiliate()

Adds or updates the UseSecureAuthURL property to a SAML 1.x affiliate.

Syntax

int SM_EXTERN Sm_PolicyApi_AddUseSecureAuthPropToAffiliate(
   void*    pHandle,
   char*    pszAffiliateOID,
   bool     bUseSecureAuthURL
                           
);

Parameters

pHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid: [in] A pointer to the OID of an existing SMAL 1.x affiliate.
bUseSecureAuthURL: [in] A Boolean value that specifies whether to use a secure authentication URL for this affiliate.

Returns

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_NoSession. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator did not have sufficient access privileges.

Sm_PolicyApi_AddUsersToAffiliate()

Adds a user directory entry to an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_AddUsersToAffiliate (
   void*               pSessionHandle,
   const char*         pszAffiliateOid,
   Sm_PolicyApi_User_t *pStructUsers,
   int                 iPolicyFlags
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.
pStructUsers	I	Pointer to a Sm_PolicyApi_User_t structure containing information about the user directory.
iPolicyFlags	I	A bit field that indicates whether the policy includes or excludes a user and whether the policy should be applied recursively. The bit definitions are listed in Figure 21 on page 112.

Returns

Sm_PolicyApi_Success. The user was added was successful.
Sm_PolicyApi_Failure. The user was not added successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a user.
Sm_PolicyApi_InvalidOid: The affiliate OID was not found.
Sm_PolicyApi_DuplicateEntry. The user is already part of the affiliate.

Sm_PolicyApi_AddUsersToPolicy()

Adds a user directory entry to the policy identified by pszPolicyOid. Only one user specification (which may be an aggregate) can be added at a time.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_AddUsersToPolicy (
   void*                 pSessionHandle,
   const char*           pszPolicyOid,
   Sm_PolicyApi_User_t*  pStructUsers,
   int                   iPolicyFlags
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy to which a user is to be added.
pStructUsers	I	Pointer to a Sm_PolicyApi_User_t structure containing information about the user directory.
iPolicyFlags	I	A bit field that indicates whether the policy includes or excludes users, and whether the policy should be applied recursively. Bit definitions are listed in Policy Flags.

Returns

Sm_PolicyApi_Success. The add was successful.
Sm_PolicyApi_Failure. The user directory is not part of the domain user directory collection.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add users to the policy.
Sm_PolicyApi_InvalidOid:
- The policy OID was not found.
- The user directory OID was not found.
Sm_PolicyApi_DuplicateEntry. The user is already part of the policy.
Sm_PolicyApi_InConsistentANDBitMask. An existing user policy of this particular user directory under the policy has a different value of Sm_PolicyBehavior_AND_Mask set as against the one to be added.

Sm_PolicyApi_AddUsersToSAMLServiceProvider()

Associates a user directory entry with SAML 2.0 Service Provider.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddUsersToSAMLServiceProvider

(
   void*                          pSessionHandle,
   const char*                    pszProviderOid,
   Sm_PolicyApi_User_t*           pStructUsers,
   int                            iPolicyFlags
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid	I	A null-terminated string containing the object identifier of an existing SAML Service Provider.
pStructUsers	I	Pointer to a Sm_PolicyApi_User_t structure containing information about the user directory.
iPolicyFlags	I	A bit field that indicates whether: The policy created for the SAML Service Provider includes a user The policy should be applied recursively

Returns

Sm_PolicyApi_Success. The user was added successfully.
Sm_PolicyApi_Failure. The user was not added successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a user.
Sm_PolicyApi_InvalidOid. The Service Provider OID was not found.
Sm_PolicyApi_DuplicateEntry. The user is already part of the Service Provider.

Sm_PolicyApi_AddUsersToWSFEDResourcePartner()

Associates a user directory entry with WS-Federation Resource Partner.

Syntax

int SM_EXTERN Sm_PolicyApi_AddUsersToWSFEDResourcePartner (
        void* pSessionHandle,
        const char * pszProviderOid,
        Sm_PolicyApi_User_t *pStructUsers,
        int   iPolicyFlags
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid: [in] A null-terminated string containing the object identifier of an existing WS-Federation Resource Partner.
pStructUsers: [in] A Pointer to a Sm_PolicyApi_User_t structure containing information about the user directory.
iPolicyFlags: [in] A bit field that indicates whether the policy created for WS-Federation Resource Partner includes or excludes a user and whether the policy should be applied recursively.

Return Values

Sm_PolicyApi_Success. The user was added successfully.
Sm_PolicyApi_Failure. The user was not added successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a user.
Sm_PolicyApi_InvalidOid. The Resource Partner OID was not found.
Sm_PolicyApi_DuplicateEntry. The user is already part of the Resource Partner.

Sm_PolicyApi_AddVariable()

Adds a variable object.

Type

Variable function.

Syntax

int SM_EXTERN Sm_PolicyApi_AddVariable (
   void*                      pSessionHandle,
   Sm_PolicyApi_Variable_t*   pstructVariable,
   const bool                 bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructVariable	I	A pointer to a Sm_PolicyApi_Variable_t structure containing information about the variable.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The add operation was successful.
Sm_PolicyApi_Failure. The add operation was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to add a variable.
Sm_PolicyApi_FeatureNotSupported. The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_AddWSFEDResourcePartner()

Creates a new or update an existing WS-Federation Resource Partner object. Validation of properties (values and dependencies on other properties) is performed.

Syntax

int SM_EXTERN Sm_PolicyApi_AddWSFEDResourcePartner (
        void* pSessionHandle,
        Sm_PolicyApi_WSFEDResourcePartner_t* structServiceProvider,
        const bool bUpdate,
        char **pszErrMsg
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructServiceProvider: [in] A pointer to a completely filled-in WS-Federation Resource Partner structure.
bUpdate: [in] A flag to indicate that if an existing object is found, update it.
pszErrMsg: [out] When a call to this function returns a value of Sm_PolicyApi_SAML_UnknownProperty, Sm_PolicyApi_MissingProperty, or Sm_PolicyApi_InvalidProp, this variable contains the name of the property which produced the error. You release the memory allocated for this variable by using a call to Sm_PolicyApi_FreeString().

Return Values

Sm_PolicyApi_Success. The Resource Partner was created successfully.
Sm_PolicyApi_Failure. The Resource Partner was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create an affiliate.
Sm_PolicyApi_DomainNotFound. The affiliate domain OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.
Sm_PolicyApi_InsufficientRPData. Required properties for configuring the Resource Partner were missing.
Sm_PolicyApi_WSFED_UnknownProperty. An unknown property name was provided.
Sm_PolicyApi_WSFEDRP_AssertionConsumerDefaultMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_AuthenticationURLMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_DomainOidMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_APIDMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_NameMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_NameIdFormatMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_NameIdTypeMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_NameIdStaticMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_NameIdAttrNameMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_NameIdDNSpecMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_ProviderIdMissing. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_ProviderIdNotUnique. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_UnSupportedSAMLVersion. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_WSFEDRP_UnknownProperty. The property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_MissingProperty. A property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_InvalidProp.The value for a provided property is invalid.

Remarks

In the event that a Resource Partner cannot be created, any objects created in the policy store must be rolled back. In addition, the prefix string wsfed: will be used for the Name property to differentiate between affiliate: and samlsp:.

Sm_PolicyApi_AddWSFEDScheme()

Creates a new or updates an existing SiteMinder WSFED authentication scheme (WSFED auth scheme) object. Validation of properties (values and dependencies on other properties) is performed.

Syntax

int SM_EXTERN Sm_PolicyApi_AddWSFEDScheme(
        void* pSessionHandle,
        Sm_PolicyApi_Scheme_t* pstructScheme,
        Sm_PolicyApi_WSFEDProviderProp_t* pProps,
        const bool bUpdate,
        char **pszErrMsg
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructScheme: [in] A pointer to a completely filled-in scheme structure.
pProps: [in] A pointer to a linked list of WSFED provider properties.
bUpdate: [in] A flag to indicate that if an existing object is found, it should be updated.
pszErrMsg: [out] When a call to this function returns a value of Sm_PolicyApi_WSFED_UnknownProperty, Sm_PolicyApi_MissingProperty or Sm_PolicyApi_InvalidProp, this variable contains the name of the property which produced the error. You release the memory allocated for this variable by using a call to SmPolicyApi_FreeString().

Return Values

Sm_PolicyApi_Success. The WSFED auth scheme was created successfully.
Sm_PolicyApi_Failure. The WSFED auth scheme was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a WSFED auth scheme.
Sm_PolicyApi_WSFEDAP_IncorrectParameters. Supplied WSFED Account Partner properties are incomplete or incorrect.
Sm_PolicyApi_WSFEDAP_ProviderIdNotUnique. Supplied WSFED Account Partner ID is not unique.
Sm_PolicyApi_WSFED_UnknownProperty. An unknown property name was provided.
Sm_PolicyApi_MissingProperty. A property which is required, potentially due to a dependency, was not provided.
Sm_PolicyApi_InvalidProp. The value for a provided property is invalid.

Sm_PolicyApi_ConvertFromLegacyAgent()

Converts a v4.x agent to a v5.x agent.

Calling this function is the equivalent of clearing the Support 4.x agents check box on the Agent Properties dialog box.

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_ConvertFromLegacyAgent (
   void*                   pSessionHandle,
   Sm_PolicyApi_Agent_t*   pStructAgent
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructAgent	I	A pointer to a completely filled-in agent structure.

Returns

Sm_PolicyApi_Success. The agent was converted successfully.
Sm_PolicyApi_Failure. The agent conversion failed.
Sm_PolicyApi_InvalidProp. One or more properties defined in pStructAgent are invalid.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to modify an agent.

Sm_PolicyApi_ConvertToLegacyAgent()

Converts a v5.x agent to a v4.x agent.

Calling this function is the equivalent of checking the Support 4.x agents check box on the Agent Properties dialog box.

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_ConvertToLegacyAgent (
   void*                   pSessionHandle,
   Sm_PolicyApi_Agent_t*   pStructAgent
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pStructAgent	I	A pointer to a completely filled-in agent structure.

Returns

Sm_PolicyApi_Success. The agent was converted successfully.
Sm_PolicyApi_Failure. The agent conversion failed.
Sm_PolicyApi_InvalidProp. One or more properties defined in pStructAgent are invalid.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to modify an agent.

Sm_PolicyApi_CreateAuthAzMap()

Creates an authentication and authorization directory mapping object.

Type

Authentication/Authorization map function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_CreateAuthAzMap (
   void*                       pSessionHandle,
   Sm_PolicyApi_AuthAzMap_t*   pAuthAzMap,
   const bool                  bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pAuthAzMap	I	The address of a pointer to information about authentication and authorization mapping.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The directory mapping object was created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a directory mapping object.
Sm_PolicyApi_InvalidOid:
- An authentication user directory OID was not found.
- An authorization user directory OID was not found.
- A directory-mapping object OID was not found.

Sm_PolicyApi_CreateCertMap()

Creates a certification mapping object.

Type

Certificate map function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_CreateCertMap (
   void*                      pSessionHandle,
   Sm_PolicyApi_CertMap_t*    pCertMap,
   const bool                 bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pCertMap	I	The address of a pointer to Sm_PolicyApi_CertMap_t, which contains information about certificate mapping.
Update	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The certificate mapping object was created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a certificate mapping object.
Sm_PolicyApi_InvalidOid. The user directory OID was not found or the certificate mapping object OID was not found during an update.
Sm_PolicyApi_Invalid. The directory type is not valid.

Sm_PolicyApi_CreateODBCQueryScheme()

Creates a new ODBC Query Scheme. An ODBC query scheme is used to create an ODBC directory. The attributes of the user directory are contained in the pstructODBCQueryScheme structure.

If the user ODBC query scheme object exists and the bUpdate flag is true, the item is updated.

Type

ODBC query scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_CreateODBCQueryScheme (
   void*                             pSessionHandle,
   Sm_PolicyApi_ODBCQueryScheme_t*   pstructODBCQueryScheme,
   const bool                        bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructODBCQueryScheme	I	A pointer to a completely filled-in ODBC query scheme.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

Returns

Sm_PolicyApi_Success. The ODBC Query Scheme was created successfully.
Sm_PolicyApi_Failure. The ODBC Query Scheme was not created successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create an ODBC Query Scheme.
Sm_PolicyApi_InvalidOid. The ODBC Query Scheme OID was not found. This happens when this function is called with bUpdate set to true and the pszOid field of Sm_PolicyApi_ODBCQueryScheme_t holds the OID of the ODBC Query Scheme being updated.
Sm_PolicyApi_NotUnique. An ODBC Query Scheme with the same name exists.
Sm_PolicyApi_MissingProperty. One of the required fields is not set.

Sm_PolicyApi_CreateUserDir()

Creates a new SiteMinder user directory object at global scope. The attributes of the user directory are contained in the pstructUserDir structure.

If the user directory object exists and the bUpdate flag is true, the item is updated.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_CreateUserDir (
   void*                     pSessionHandle,
   Sm_PolicyApi_UserDir_t*   pstructUserDir,
   const bool                bUpdate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructUserDir	I	A pointer to a completely filled-in user directory structure.
bUpdate	I	A flag to indicate that if an existing object is found, it should be updated.

SM_PolicyAPI_UserDir_t Field Usage

The following table shows the SM_PolicyAPI_UserDir_t field that Sm_PolicyApi_CreateUserDir() uses for different types of user directories:

Field	User Directory Type

Field	ODBC	LDAP	WinNT	Custom
pszOid Object Identifier of the user directory being updated	X	X	X	X
pszName Required field.	X	X	X	X
pszDesc	X	X	X	X
pszNamespace Required field.	ODBC	LDAP	WinNT	Custom
pszServer Required field.	ODBC data source	IP address	NT Domain name	Name of shared library
pszODBCQuerySchemeOid Required field.	X
pszSearchRoot		X		parameter string
pszUserLookupStart		X
pszUserLookupEnd		X
bRequireCredentials	X	X	X	X
pszUsername Required field if bRequireCredentials is true.	X	X	X	X
pszPassword Required field if bRequireCredentials is true.	X	X	X	X
nSearchResults		X		Max results
nSearchScope		X
nSearchTimeout		X		Max time out
bSecureConnection		X		X
pszDisabledAttr	X	X		(Varies)
pszUniversalIDAttr	X	X	X	(Varies)
pszAnonymousId		X		(Varies)
pszPasswordData	X	X		(Varies)
pszPasswordAttribute	X	X		(Varies)
pszEmailAddressAttr
pszChallengeRespAttr		X		(Varies)

Note: With custom directories, fields indicated by the word varies may or may not apply to the user directory object being created.

Returns

Sm_PolicyApi_Success. The user directory was created successfully.
Sm_PolicyApi_Failure. The user directory was not created successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to create a user directory.
Sm_PolicyApi_InvalidOid:
- A user directory type with the specified OID was not found.
- A user directory OID cannot be found. This happens when this function is called with bUpdate set to true and pszOid holds the OID of the user directory that is being updated.
- You are creating an ODBC user directory and the OCBC Query Scheme OID was not found.
Sm_PolicyApi_NotUnique. A user directory of the same name exists.
Sm_PolicyApi_MissingProperty. One of the required fields is not set.

Sm_PolicyApi_DeleteAdmin()

Deletes the administrator object identified by pszAdminOid.

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteAdmin (
   void*          pSessionHandle,
   const char*    pszAdminOid
)

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAdminOid	I	A null-terminated string containing the object identifier of an existing administrator.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. The delete operation was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete an administrator object.
Sm_PolicyApi_InvalidOid. The administrator object identifier was not found.

Sm_PolicyApi_DeleteAffiliate()

Deletes an existing affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteAffiliate (
   void*          pSessionHandle,
   const char*    pszAffiliateOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.

Remarks

This function deletes affiliate objects that are based on the artifact profile or the POST profile (see the Sm_PolicyApi_Affiliate_t field SAMLProfile). Deletion of an affiliate object based on the POST profile requires an API version of at least SM_POLICY_API_VERSION_6_0_2. If an earlier version is involved, and the function specifies an affiliate object based on a POST profile, the request fails.

Returns

Sm_PolicyApi_Success. The affiliate was deleted successfully.
Sm_PolicyApi_Failure. The affiliate was not deleted successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete an affiliate.
Sm_PolicyApi_InvalidOid. The affiliate OID was not found.

Sm_PolicyApi_DeleteAffiliateDomain()

Deletes an existing affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteAffiliateDomain (
   void*          pSessionHandle,
   const char*    pszAffiliateDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.

Returns

Sm_PolicyApi_Success. The affiliate domain was deleted successfully.
Sm_PolicyApi_Failure. The affiliate domain was not deleted successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete an affiliate domain.
Sm_PolicyApi_InvalidOid. An affiliate with the specified OID was not found during an update.

Sm_PolicyApi_DeleteAgent()

Deletes the agent identified by pszAgentOid.

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteAgent (
   void*          pSessionHandle,
   const char*    pszAgentOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentOid	I	A null-terminated string containing the object identifier of an existing agent.

Returns

Sm_PolicyApi_Success. The agent was deleted successfully.
Sm_PolicyApi_Failure. The agent was not deleted successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete an agent.
Sm_PolicyApi_InvalidOid. An agent with the specified OID was not found.

Sm_PolicyApi_DeleteAgentConfig()

Deletes an agent configuration object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteAgentConfig (
   void*            pSessionHandle,
   const char*      pszAgentConfigOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentConfigOid	I	Unique identifier of the agent configuration object to delete.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to an agent configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to delete an agent configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_DeleteAuthAzMap()

Deletes an authentication and authorization directory mapping object.

Type

Authentication/Authorization map function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteAuthAzMap (
   void*          pSessionHandle,
   const char*    pszAuthAzMapOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAuthAzMapOid	I	A null-terminated string containing the object identifier of the directory mapping object.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. The delete operation was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a directory mapping object.
Sm_PolicyApi_InvalidOid. The directory-mapping object OID was not found.

Sm_PolicyApi_DeleteCertMap()

Deletes a certificate mapping object.

Type

Certificate map function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteCertMap (
   void*         pSessionHandle,
   const char*   pszCertMapOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszCertMapOid	I	A null-terminated string containing the object identifier of the certificate mapping object.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. The delete operation was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a certificate mapping object.
Sm_PolicyApi_InvalidOid. A certificate mapping object with the specified OID was not found.

Sm_PolicyApi_DeleteDomain()

Deletes the domain identified by pszDomainOid as well as the domain's children (rules, responses, realms, and policies).

Type

Domain function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteDomain (
   void*          pSessionHandle,
   const char*    pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.

Returns

Sm_PolicyApi_Success. The domain was deleted successfully.
Sm_PolicyApi_Failure. The domain was not deleted successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a domain.
Sm_PolicyApi_InvalidOid. The domain OID was not found.

Sm_PolicyApi_DeleteHostConfig()

Deletes a host configuration object from the policy store.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteHostConfig (
   void*                  pSessionHandle,
   const char*            pszHostConfigOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszHostConfigOid	I	Unique identifier of the host configuration object to delete.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to a host configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to delete a host configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_DeleteGroup()

Deletes the group object identified by pszGroupOid.

The pszDomainOid parameter is required by a rule group or response group. An agent group does not require a domain OID because it is not a domain-based object.

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteGroup (
   void*                  pSessionHandle,
   Sm_PolicyApi_Groups_t  dwGroup,
   const char*            pszGroupOid,
   const char*            pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	Indicates the type of the group to be deleted.
pszGroupOid	I	A null-terminated string containing the object identifier of the group and the type indicated by dwGroup.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain. Required parameter for rule or response group.

Returns

Sm_PolicyApi_Success. The delete was successful.
Sm_PolicyApi_Failure. The delete was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a rule group, response group, or agent group.
Sm_PolicyApi_InvalidOid:
- The group OID was not found.
- The domain OID was not found (for a domain-based group).
Sm_PolicyApi_BadGroup. The dwGroup parameter is not the rule, response, or agent type.

Sm_PolicyApi_DeleteODBCQueryScheme()

Deletes the ODBC query scheme identified by pszODBCQuerySchemeOid.

Type

ODBC query scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteODBCQueryScheme (
   void*          pSessionHandle,
   const char*    pszODBCQuerySchemeOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszODBCQuerySchemeOid	I	A null-terminated string containing the object identifier of an existing ODBC Query Scheme.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. The delete operation was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete an ODBC Query Scheme.
Sm_PolicyApi_InvalidOid. The ODBC Query Scheme OID was not found.

Sm_PolicyApi_DeletePasswordPolicy()

Deletes a password policy.

Type

Password policy function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeletePasswordPolicy (
   void*         pSessionHandle,
   const char*   pszPasswordPolicyOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPasswordPolicyOid	I	A null-terminated string containing the object identifier of a password policy.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. The delete operation was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a password policy.
Sm_PolicyApi_InvalidOid. The password policy OID was not found.

Sm_PolicyApi_DeletePolicy()

Deletes the policy identified by pszPolicyOid.

Type

Policy function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeletePolicy (
   void*         pSessionHandle, 
   const char*   pszPolicyOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy.

Returns

Sm_PolicyApi_Success. The policy was deleted successfully.
Sm_PolicyApi_Failure. The policy was not deleted successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession.l There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a policy.
Sm_PolicyApi_InvalidOid. The policy OID was not found.

Sm_PolicyApi_DeleteRealm()

Deletes the realm identified by pszRealOid.

Note: You cannot delete a realm while it is inked to rules.

Type

Realm function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteRealm (
   void*          pSessionHandle,
   const char*    pszRealmOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRealmOid	I	A null-terminated string containing the object identifier of an existing realm.

Returns

Sm_PolicyApi_Success. The realm was deleted successfully.
Sm_PolicyApi_Failure. The realm was not deleted successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a realm.
Sm_PolicyApi_InvalidOid. The realm OID was not found.

Sm_PolicyApi_DeleteRegistrationScheme()

Deletes a registration scheme.

Type

Registration scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteRegistrationScheme (
   void*         pSessionHandle,
   const char*   pszRegistrationSchemeOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRegistrationOid	I	A null-terminated string containing the object identifier of the registration scheme.

Returns

Sm_PolicyApi_Success. The registration scheme was deleted successfully.
Sm_PolicyApi_Failure. The registration scheme was not deleted successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a registration scheme.
Sm_PolicyApi_InvalidOid. The registration scheme OID was not found.

Sm_PolicyApi_DeleteResponse()

Deletes the response identified by pszResponseOid and any related response attributes.

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteResponse (
   void*          pSessionHandle,
   const char*    pszResponseOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszResponseOid	I	A null-terminated string containing the object identifier of an existing response.

Returns

Sm_PolicyApi_Success. The response was deleted successfully.
Sm_PolicyApi_Failure. The response was not deleted successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a response.
Sm_PolicyApi_InvalidOid. The response OID was not found.

Sm_PolicyApi_DeleteRule()

Deletes the rule identified by pszRuleOid.

Type

Rule function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteRule (
   void*          pSessionHandle,
   const char*    pszRuleOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRuleOid	I	A null-terminated string containing the object identifier of an existing rule.

Returns

Sm_PolicyApi_Success. The rule was deleted successfully.
Sm_PolicyApi_Failure. The rule was not deleted successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a rule.
Sm_PolicyApi_InvalidOid. The rule OID was not found.

Sm_PolicyApi_DeleteSAMLAffiliation()

Deletes the SAML affiliation identified by pszAffiliationOid.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteSAMLAffiliation
(
   void*            pSessionHandle,
   const char*      pszAffiliationOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliationOid	I	A null-terminated string containing the object identifier of an existing SAML affiliation.

Returns

Sm_PolicyApi_Success. The SAML affiliation was deleted successfully.
Sm_PolicyApi_Failure. The SAML affiliation was not deleted successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a SAML affiliation.
Sm_PolicyApi_InvalidOID. The SAML affiliation's object identifier was not found.

Sm_PolicyApi_DeleteSAMLServiceProvider()

Deletes the Service Provider identified by pszProviderOid.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteSAMLServiceProvider(
void*            pSessionHandle,
const char*      pszProviderOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid	I	A null-terminated string containing the object identifier of an existing Service Provider.

Returns

Sm_PolicyApi_Success. The Service Provider was deleted successfully.
Sm_PolicyApi_Failure. The Service Provider was not deleted successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a Service Provider.
Sm_PolicyApi_InvalidOID. The Service Provider's object identifier was not found.

Sm_PolicyApi_DeleteScheme()

Deletes the authentication scheme identified by pszSchemeOid.

Type

Authentication scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteScheme (
   void*         pSessionHandle,
   const char*   pszSchemeOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSchemeOid	I	A null-terminated string containing the object identifier of an existing authentication scheme.

Returns

Sm_PolicyApi_Success. The scheme was deleted successfully.
Sm_PolicyApi_Failure. The scheme was not deleted successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a scheme.
Sm_PolicyApi_InvalidOid. The scheme object identifier was not found.

Sm_PolicyApi_DeleteTrustedHost()

Deletes an existing trusted host object from the policy store.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteTrustedHost (
   void*            pSessionHandle,
   const char*      pszTrustedHostOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszTrustedHostOid	I	Unique identifier of the trusted host object to delete.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to a trusted host object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to delete a trusted host object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_DeleteUserDir()

Deletes the user directory identified by pszUserDirOid.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteUserDir (
   void*          pSessionHandle,
   const char*    pszUserDirOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.

Returns

Sm_PolicyApi_Success. The user directory was deleted successfully.
Sm_PolicyApi_Failure. The user directory was not deleted successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a user directory.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_DeleteVariable()

Deletes a variable object.

Type

Variable function.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteVariable (
   void*         pSessionHandle,
   const char*   pszVariableOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszVariableOid	I	A null-terminated string containing the object identifier of an existing variable.

Returns

Sm_PolicyApi_Success. The delete operation was successful.
Sm_PolicyApi_Failure. The delete operation was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to delete a variable.
Sm_PolicyApi_InvalidOid. The variable object identifier was not found.
Sm_PolicyApi_FeatureNotSupported. The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_DeleteWSFEDResourcePartner()

Deletes an existing WS-Federation Resource Partner object.

Syntax

int SM_EXTERN Sm_PolicyApi_DeleteWSFEDResourcePartner (
        void* pSessionHandle,
        const char * pszProviderOid,
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid: [in] A null-terminated string containing the object identifier of an existing WS-Federation Resource Partner.

Return Values

Sm_PolicyApi_Success. The Resource Partner was retrieved successfully.
Sm_PolicyApi_Failure. The Resource Partner was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve an affiliate.
Sm_PolicyApi_InvalidOID. The Resource Partner OID was not found.

Sm_PolicyApi_DisableUser()

Disables a user for the reason Sm_Api_Disabled_AdminDisabled. It does not change other concurrent disabling reasons.

To make this function work, the attribute for tracking disabled users must be set in the user directory (the pszDisabledAttr field of Sm_PolicyApi_UserDir_t). You can also set the attribute using the Policy Server UI.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_DisableUser (
   void*        pSessionHandle,
   const char*  pszUserDirOid,
   const char*  pszUserDN,
   char**       pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of the user directory where the user may be found.
pszUserDN	I	The distinguished name of the user to be disabled.
pszErrMsg	O	String containing an error message if the user is not disabled successfully. You release the memory allocated for this variable by calling Sm_PolicyApi_FreeString().

Returns

Sm_PolicyApi_Success. The user was disabled successfully.
Sm_PolicyApi_Failure. The user was not disabled successfully or memory could not be allocated to the error message string.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to disable a user.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_EnableUser()

Enables a user by clearing all the disabled bits. It does not clear the qualifier bit Sm_Api_Disabled_PWMustChange.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_EnableUser (
   void*           pSessionHandle,
   const char*     pszUserDirOid,
   const char*     pszUserDN,
   char**          pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of the user directory where the user may be found.
pszUserDN	I	The distinguished name of the user to be enabled.
pszErrMsg	O	String containing an error message if the user is not enabled successfully. You release the memory allocated for this variable by calling Sm_PolicyApi_FreeString().

Returns

Sm_PolicyApi_Success. The user was enabled successfully.
Sm_PolicyApi_Failure. The user was not enabled successfully or memory could not be allocated to the error message string.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to enable a user.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_FlushRealm()

Flushes the specified realm identified by pszRealmOid from a resource cache.

Type

Utility function.

Syntax

int SM_EXTERN Sm_PolicyApi_FlushRealm (
   void*         pSessionHandle,
   const char*   pszRealmOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRealmOid	I	A null-terminated string containing the object identifier of a realm.

Returns

Sm_PolicyApi_Success. The flush operation was successful.
Sm_PolicyApi_Failure. The flush operation was not successful.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to flush a realm.
Sm_PolicyApi_InvalidOid. The realm OID was not found.

Sm_PolicyApi_FlushUser()

Flushes a user from a User Cache.

Type

Utility function.

Syntax

int SM_EXTERN Sm_PolicyApi_FlushUser (
   void*         pSessionHandle,
   const char*   pszUserDirOid,
   const char*   pszUserDN,
   char**        pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
pszUserDN	I	A null-terminated string containing the name of a user in an existing user directory who is to be flushed from the user cache.
pszErrMsg	O	Error message returned by the Policy Management API. You release the memory allocated for this variable by using a call to Sm_PolicyApi_FreeString().

Returns

Sm_PolicyApi_Success. The flush operation was successful.
Sm_PolicyApi_Failure. The flush operation was not successful or memory could not be allocated to the error message string.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to flush a user.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_FreeMemory()

Note: This function is deprecated for clients starting at SM_POLICY_API_VERSION_6_0. Instead, use Sm_PolicyApi_FreeMemoryEx().

Call Sm_PolicyApi_FreeMemory() to free memory that was allocated by the Policy Management API. This includes the Sm_PolicyApi_Server_t structures allocated as part of the Sm_PolicyApi_HostConfig_t structure.

Type

Utility function.

Syntax

int SM_EXTERN Sm_PolicyApi_FreeMemory (void* pMem);

Parameter	I/O	description
pMem	I	A void pointer to memory that was allocated by the Policy Management API.

Returns

Sm_PolicyApi_Success or Sm_PolicyApi_Failure.

Sm_PolicyApi_FreeMemoryEx()

Call Sm_PolicyApi_FreeMemoryEx() to free memory that was allocated by the Policy Management API. This includes the Sm_PolicyApi_Server_t structures allocated as part of the Sm_PolicyApi_HostConfig_t structure.

Note: Clients starting at version SM_POLICY_API_VERSION_6_0 must use this function instead of Sm_PolicyApi_FreeMemory().

Type

Utility function.

Syntax

int SM_EXTERN Sm_PolicyApi_FreeMemoryEx (
   void* pInitHandle
   void* pMem
);

Parameter	I/O	description
pInitHandle	I	A void pointer that points to memory that was allocated by the Policy Management API.
pMem	I	A void pointer that points to memory that was allocated by the Policy Management API.

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. The operation failed.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.

Sm_PolicyApi_FreeString()

Frees a single string that was allocated by the Policy Management API.

Type

Utility function.

Syntax

int SM_EXTERN Sm_PolicyApi_FreeString(
   char* pszString
);

Parameter	I/O	Description
pszString	I	A pointer to a null-terminated string.

Returns

This function always returns Sm_PolicyApi_Success.

Sm_PolicyApi_FreeStringArray()

Frees string arrays that were allocated by the Policy Management API.

Type

Utility function.

Syntax

int SM_EXTERN Sm_PolicyApi_FreeStringArray (
   char* pszStringArray[]
);

Parameter	I/O	Description
pszStringArray	I	A pointer to an array of pointers that point to null-terminated strings.

Returns

This function always returns Sm_PolicyApi_Success.

Sm_PolicyApi_GetAdmin()

Gets the contents of the administrator object identified by szAdminOid.

The results of this function are returned in a structure referenced by ppstructAdmin. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAdmin (
   void*                    pSessionHandle,
   const char*              pszAdminOid,
   Sm_PolicyApi_Admin_t**   ppstructAdmin
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAdminOid	I	A null-terminated string containing the object identifier of an existing administrator.
ppstructAdmin	O	The address of a pointer to an administrator structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Admin_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an administrator object.
Sm_PolicyApi_InvalidOid. The administrator object ID was not found.

Sm_PolicyApi_GetAdminByName()

Gets the contents of the administrator object identified by szAdminName.

The results of this function are returned in a structure referenced by ppstructAdmin. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAdminByName (
   void*                    pSessionHandle,
   const char*              pszAdminName,
   Sm_PolicyApi_Admin_t**   ppstructAdmin
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAdminName	I	A null-terminated string containing the name of an existing administrator.
ppstructAdmin	O	The address of a pointer to an administrator structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Admin_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an administrator object.
Sm_PolicyApi_NotFound. The administrator name was not found.

Sm_PolicyApi_GetAffiliate()

Gets an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliate (
   void*                       pSessionHandle,
   const char*                 pszAffiliateOid,
   Sm_PolicyApi_Affiliate_t**  ppstructAffiliate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.
ppstruct Affiliate	O	The address of a pointer to an affiliate structure.

Remarks

This function retrieves affiliate objects that are based on the artifact profile or the POST profile (see the Sm_PolicyApi_Affiliate_t field SAMLProfile). Retrieval of an affiliate object based on the POST profile requires an API version of at least SM_POLICY_API_VERSION_6_0_2. If an earlier version is involved, and the function specifies an affiliate object based on a POST profile, the request fails.

Returns

Sm_PolicyApi_Success. The affiliate was retrieved successfully.
Sm_PolicyApi_Failure. The affiliate was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve an affiliate.
Sm_PolicyApi_InvalidOID. The affiliate OID was not found.

Sm_PolicyApi_GetAffiliateByName()

Gets an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliateByName (
   void*                       pSessionHandle,
   const char*                 pszAffiliateOid,
   const char*                 pszAffiliateName,
   Sm_PolicyApi_Affiliate_t**  ppstructAffiliate
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.
pszAffiliateName	I	A null-terminated string containing the name of an existing affiliate.
ppstruct Affiliate	O	The address of a pointer to an affiliate structure.

Remarks

Returns

Sm_PolicyApi_Success. The affiliate was retrieved successfully.
Sm_PolicyApi_Failure. The affiliate was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve an affiliate.
Sm_PolicyApi_InvalidOID. The affiliate OID was not found.
Sm_PolicyApi_NotFound. The affiliate name was not found.

Sm_PolicyApi_GetAffiliateDomain()

Gets an affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliateDomain (
   void*                            pSessionHandle,
   const char*                      pszAffiliateDomainOid,
   Sm_PolicyApi_AffiliateDomain_t** ppstructAffiliateDomain
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.
ppstruct AffiliateDomain	O	The address of a pointer to an affiliate domain structure.

Returns

Sm_PolicyApi_Success. The affiliate domain was retrieved successfully.
Sm_PolicyApi_Failure. The affiliate domain was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an affiliate domain.
Sm_PolicyApi_DomainNotFound. The affiliate domain OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.

Sm_PolicyApi_GetAffiliateDomainByName()

Gets an affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliateDomainByName (
   void*                            pSessionHandle,
   const char*                      pszAffiliateDomainName,
   Sm_PolicyApi_AffiliateDomain_t** ppstructAffiliateDomain
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainName	I	A null-terminated string containing the name of an existing affiliate domain.
ppstruct AffiliateDomain	O	The address of a pointer to an affiliate domain structure.

Returns

Sm_PolicyApi_Success. The affiliate domain was retrieved successfully.
Sm_PolicyApi_Failure. The affiliate domain was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an affiliate domain.
Sm_PolicyApi_NotFound. The affiliate domain name was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.

Sm_PolicyApi_GetAffiliateDomainObjects()

Gets affiliate domain objects.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliateDomainObjects (
   void*                         pSessionHandle,
   const char*                   pszAffiliateDomainOid,
   const Sm_PolicyApi_Objects_t  nObjectId,
   Sm_PolicyApi_Oid_t**          ppstructObject
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.
nObjectId	I	The type of domain object to retrieve. Valid types are for affiliate, admin, and user directory objects only.
ppstructObject	O	The address of a pointer to a Sm_PolicyApi_Oid_t structure

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. The get operation was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get affiliate domain objects.
Sm_PolicyApi_InvalidOID. The affiliate domain OID was not found.

Sm_PolicyApi_GetAffiliateDomainUserDirSearchOrder()

Gets the user directory search order for an affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliateDomainUserDirSearchOrder (
   void*        pSessionHandle,
   const char*  pszAffiliateDomainOid,
   char**       pszArray[]
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.
pszArray	O	The returned array of user directory OIDs of the requested objects.

Returns

Sm_PolicyApi_Success. The function successfully returned the user directory search order.
Sm_PolicyApi_Failure. The function did not successfully return the user directory search order.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get user directory search order in an affiliate domain.
Sm_PolicyApi_InvalidOID. The affiliate domain OID was not found.

Sm_PolicyApi_GetAffiliatedSAMLAuthSchemes()

Retrieves all the SAML authentication schemes associated with the specified SAML affiliation.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliatedSAMLAuthSchemes
(
   void*                         pSessionHandle,
   const char*                   pszAffiliationOid,
   Sm_PolicyApi_Scheme_t**       ppstructSchemes
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliationOid	I	A null-terminated string containing the object identifier of an existing SAML affiliation.
ppstructSchemes	O	The address of a pointer to SAML authentication scheme structures.

Returns

Sm_PolicyApi_Success. The SAML authentication schemes were retrieved successfully.
Sm_PolicyApi_Failure. The SAML authentication schemes were not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve SAML authentication schemes.
Sm_PolicyApi_InvalidOID. The SAML affiliation object identifier was not found.

Sm_PolicyApi_GetAffiliatedSAMLServiceProviders()

Retrieves all the Service Providers associated with the specified SAML affiliation.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliatedSAMLServiceProviders
(
   void*                        pSessionHandle,
   const char*                  pszAffiliationOid,
   Sm_PolicyApi_SAMLSP_t**      ppstructSAMLSPs
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliationOid	I	A null-terminated string containing the object identifier of an existing SAML affiliation.
ppstructSAMLSPs	O	The address of a pointer to Service Provider structures.

Returns

Sm_PolicyApi_Success. Service Providers were retrieved successfully.
Sm_PolicyApi_Failure. Service Providers were not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve Service Providers.
Sm_PolicyApi_InvalidOID. The SAML affiliation object identifier was not found.

Sm_PolicyApi_GetAffiliateUsers()

Gets the user directory entries for an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAffiliateUsers (
   void*               pSessionHandle,
   const char*         pszAffiliateOid,
   const char*         pszUserDirOid,
   Sm_PolicyApi_User_t **ppStructUsers
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
ppStructUsers	O	The address of a pointer to a linked list of user structures.

Returns

Sm_PolicyApi_Success. The user was retrieved successfully.
Sm_PolicyApi_Failure. The user was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve users.
Sm_PolicyApi_InvalidOID. The affiliate OID or user directory OID was not found.

Sm_PolicyApi_GetAgent()

Gets the contents of the agent identified by pszAgentOid. The results of this function are returned in a structure referenced by ppstructAgent.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgent (
   void*                    pSessionHandle,
   const char*              pszAgentOid,
   Sm_PolicyApi_Agent_t**   ppstructAgent
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentOid	I	A null-terminated string containing the object identifier of an existing agent.
ppstructAgent	O	The address of a pointer to an agent structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Agent_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an agent.
Sm_PolicyApi_InvalidOid. An agent with the specified OID not found.

Sm_PolicyApi_GetAgentByName()

Gets the contents of the agent identified by szAgentName. The results of this function are returned in a structure referenced by ppstructAgent.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentByName (
   void*                    pSessionHandle,
   const char*              pszAgentName,
   Sm_PolicyApi_Agent_t**   ppstructAgent
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentName	I	A null-terminated string containing the name of an existing agent.
ppstructAgent	O	The address of a pointer to an agent structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Agent_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an agent.
Sm_PolicyApi_NotFound. An agent with the specified name not found.

Sm_PolicyApi_GetAgentConfig()

Retrieves an existing agent configuration object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentConfig (
   void*                            pSessionHandle,
   const char*                      pszAgentConfigOid,
   Sm_PolicyApi_AgentConfig_t**     ppstructAgentConfig
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentConfigOid	I	Unique identifier of the agent configuration object to retrieve.
ppstructAgentConfig	O	Address of a pointer to a structure that defines the agent configuration object. The function allocates the structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to an agent configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to retrieve an agent configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.

Sm_PolicyApi_GetAgentConfigByName()

Retrieves an existing agent configuration object by pszAgentConfigName.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentConfigByName (

   void*                            pSessionHandle,
   const char*                      pszAgentConfigName,
   Sm_PolicyApi_AgentConfig_t**     ppstructAgentConfig
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentConfigName	I	Unique name of the agent configuration object to retrieve.
ppstructAgentConfig	O	Address of a pointer to a structure that defines the agent configuration object. The function allocates the structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_NotFound. The unique name does not correspond to an agent configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to retrieve an agent configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_GetAgentConfigAssociations()

Retrieves a list of configuration parameters for an agent configuration object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentConfigAssociations (
   void*                           pSessionHandle,
   const char*                     pszAgentConfigOid,
   Sm_PolicyApi_Association_t**    ppstructAssociations
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentConfigOid	I	Unique identifier of the agent configuration object.
ppstructAssociations	O	A list of name/value pairs representing the configuration parameters for the agent configuration object.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to an agent configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to retrieve configuration parameters for an agent configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_GetAgentType()

Gets the contents of the agent type object identified by pszAgentTypeOid. The results of this function will be returned in a structure referenced by ppstructAgentType.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentType (
   void*                         pSessionHandle,
   const char*                   pszAgentTypeOid,
   Sm_PolicyApi_AgentType_t**    ppstructAgentType
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentTypeOid	I	A null-terminated string containing the object identifier of an existing agent type.
ppstructAgentType	O	The address of a pointer to an agent type structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_AgentType_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an agent type.
Sm_PolicyApi_InvalidOid. An agent type with the specified OID was not found.

Sm_PolicyApi_GetAgentTypeByName()

Gets the contents of the agent type object identified by pszAgentTypeName. The results of this function will be returned in a structure referenced by ppstructAgentType.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentTypeByName (
   void*                         pSessionHandle,
   const char*                   pszAgentTypeName,
   Sm_PolicyApi_AgentType_t**    ppstructAgentType
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAgentTypeName	I	A null-terminated string containing the name of an existing agent type.
ppstructAgentType	O	The address of a pointer to an agent type structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_AgentType_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an agent type.
Sm_PolicyApi_NotFound.An agent type with the specified name was not found.

Sm_PolicyApi_GetAgentTypeAttr()

Returns one or all agent attributes:

If pszOid is of type Sm_PolicyApi_AgentType_Prop, the function returns all agent attributes.
If pszOid is of type Sm_PolicyApi_AgentTypeAttr_Prop, the function returns an agent type attribute object.

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentTypeAttr (
   void*                            pSessionHandle,
   const char*                      pszOid,
   Sm_PolicyApi_AgentTypeAttr_t**   ppstructAgentTypeAttr
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszOid	I	A null-terminated string containing the object identifier of an existing agent type or agent type attribute.
ppstructAgentTypeAttr	O	The address of a pointer to an agent type attribute structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_AgentTypeAttr_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an agent type or an agent type attribute.
Sm_PolicyApi_InvalidOid. An agent type or an agent type attribute with the specified OID was not found.

Sm_PolicyApi_GetAgentTypeAttrByName()

Returns an agent type attribute object by name.

Type

Agent function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAgentTypeAttrByName (
   void*                            pSessionHandle,
   const char*                      szAgentTypeName,
   Sm_PolicyApi_AgentTypeAttr_t**   ppstructAgentTypeAttr
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szAgentTypeName	I	A null-terminated string containing the name of an existing agent type attribute.
ppstructAgentTypeAttr	O	The address of a pointer to an agent type attribute structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_AgentTypeAttr_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an agent type or an agent type attribute.
Sm_PolicyApi_NotFound. An agent type attribute with the specified name was not found.

Sm_PolicyApi_GetAllAffiliateAttributes()

Gets all the attributes for an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAllAffiliateAttributes (
   void*                           pSessionHandle,
   const char*                     pszAffiliateOid,
   Sm_PolicyApi_AffiliateAttr_t**  ppstructAffiliateAttr
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.
ppstruct AffiliateAttr	O	The address of a pointer to an affiliate attribute structure.

Returns

Sm_PolicyApi_Success. The affiliate attribute was retrieved successfully.
Sm_PolicyApi_Failure. The affiliate attribute was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve affiliate attributes.
Sm_PolicyApi_InvalidOID. The affiliate OID was not found.

Sm_PolicyApi_GetAllAffiliates()

Gets all affiliates in the specified affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAllAffiliates (
   void*                        pSessionHandle,
   const char*                  pszAffiliateDomainOid,
   Sm_PolicyApi_Affiliate_t**   ppstructAffiliates
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.
ppstruct Affiliates	O	The address of a pointer to an affiliate structure.

Returns

Sm_PolicyApi_Success. The affiliates were retrieved successfully.
Sm_PolicyApi_Failure. The affiliates were not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve affiliates.
Sm_PolicyApi_InvalidOID. The affiliate domain OID was not found.

Sm_PolicyApi_GetAllSAMLAffiliations()

Retrieves all existing SAML affiliation objects.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAllSAMLAffiliations
(
   void*                              pSessionHandle,
   Sm_PolicyApi_SAMLAffiliation_t**   ppstructAffiliations
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
ppstruct Affiliations	O	The address of a pointer to SAML affiliation structures.

Returns

Sm_PolicyApi_Success. The SAML affiliations were retrieved successfully.
Sm_PolicyApi_Failure. The SAML affiliations were not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve SAML affiliations.

Sm_PolicyApi_GetAllSAMLSchemeAttributes()

Returns a linked list of all attributes defined for a SAML Requester.

Syntax

int SM_EXTERN Sm_PolicyApi_AddAttributeToSAMLScheme(
   void*                                pHandle,
   const Sm_PolicyApi_Scheme_t*         pstructScheme,
   const Sm_PolicyApi_SAMLRequesterAttr_t*     pAttr
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructScheme	I	A pointer to a completely filled-in scheme structure.
pAttr	O	A pointer that will be assigned to the first Sm_PolicyApi_SAMLRequesterAttr_t structure in the returned list of attributes.

Returns

Sm_PolicyApi_Success. The SAML Requester attributes were returned successfully.
Sm_PolicyApi_Failure. The SAML Requester attributes were not returned successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to obtain SAML Requester attributes.
Sm_PolicyApi_SAMLIDP_IncorrectParameters. Supplied SAML provided properties are incomplete or incorrect.
Sm_PolicyApi_DuplicateAttribute. An attribute already exists with the same Name and NameFormat.

Sm_PolicyApi_GetAllSAMLServiceProviders()

Retrieves all the Service Providers in the specified affiliate domain.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAllSAMLServiceProviders
(
   void*                             pSessionHandle,
   const char*                       pszAffiliateDomainOid,
   Sm_PolicyApi_SAMLSP_t**           ppstructSAMLSPs
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.
ppstructSAMLSPs	O	The address of a pointer to Service Provider structures.

Returns

Sm_PolicyApi_Success. Service Providers were retrieved successfully.
Sm_PolicyApi_Failure. Service Providers were not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior
to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve Service Providers.
Sm_PolicyApi_InvalidOID. The affiliate domain object identifier was not found.

Sm_PolicyApi_GetAllSAMLSPAssertionConsumerService()

Retrieves a list of all the Assertion Consumer Services currently in the policy store.

Note: The list of Assertion Consumer Service structures that is returned by this function must be freed using the Sm_PolicyApi_FreeMemory function.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_GetAllSAMLSPAssertionConsumerService(
   void* pSessionHandle,
   const Sm_PolicyApi_SAMLSPAssertionConsumerService_t** 
                ppstructSAMLSPAssertionConsumerService,
   const char* pszSAMLSPOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
ppstructSAMLSPAssertion ConsumerServiceAttr	I	A pointer to an array of Assertion Consumer Service structures.
pszSAMLSPOid	I	A pointer to a string containing the OID of the Service Provider.

Returns

Sm_PolicyApi_Success. The array of Assertion Consumer Services was retrieved successfully.
Sm_PolicyApi_Failure - The array of Assertion Consumer Services was not retrieved successfully.
Sm_PolicyApi_InvalidHandle - There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession - There is no valid administrator session.
Sm_PolicyApi_NoPrivilege - The administrator does not have the privilege to remove Attributes from a SAML Service Provider.

Sm_PolicyApi_GetAllSAMLSPAttributes()

Retrieves all the attributes associated with the specified Service Provider.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAllSAMLSPAttributes
(
   void*                              pHandle,
   const char*                        pszSAMLSPOid,
   Sm_PolicyApi_SAMLSPAttr_t**        ppstructSAMLSPAttr
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSAMLSPOid	I	A null-terminated string containing the object identifier of an existing Service Provider.
ppstructSAML SPAttr	O	The address of a pointer to attribute structures.

Returns

Sm_PolicyApi_Success. The attributes were retrieved successfully.
Sm_PolicyApi_Failure. The attributes were not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve attributes from a SAML Service Provider.

Sm_PolicyApi_GetAllWSFEDResourcePartners()

Retrieves all existing Resource Partner objects.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAllWSFEDResourcePartners (
        void* pSessionHandle,
        const char * pszAffiliateDomainOid,
        Sm_PolicyApi_WSFEDResourcePartner_t** ppResourcePartners
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateDomainOid: [in] A null-terminated string containing the object identifier of an existing affiliate domain.
ppResourcePartners: [out] The address of the pointer to WS-Federation Resource Partner structures.

Return Values

Sm_PolicyApi_Success. The Resource Partner was retrieved successfully.
Sm_PolicyApi_Failure. The Resource Partner was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve an affiliate.
Sm_PolicyApi_InvalidOID. The affiliate domain OID was not found.

Sm_PolicyApi_GetAuthAzMap()

Gets the contents of an authentication and authorization directory mapping object.

Type

Authentication/Authorization map function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetAuthAzMap (
   void*                         pSessionHandle,
   const char*                   pszAuthAzMapOid,
   Sm_PolicyApi_AuthAzMap_t**    ppAuthAzMap
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAuthAzMapOid	I	A null-terminated string containing the object identifier of the directory mapping object.
pszAuthAzMap	O	The address of a pointer to an Sm_PolicyApi_AuthAzMap_t structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_AuthAzMap_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a directory mapping object.
Sm_PolicyApi_InvalidOid. The directory-mapping OID was not found.

Sm_PolicyApi_GetCertMap()

Retrieves a certificate mapping object.

Type

Certificate map function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetCertMap (
   void*                        pSessionHandle,
   const char*                  pszCertMapOid,
   Sm_PolicyApi_CertMap_t**     ppCertMap
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszCertMapOid	I	A null-terminated string containing the object identifier of the certificate mapping object.
ppCertMap	O	The address of a pointer to an Sm_PolicyApi_CertMap_t structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_CertMap_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a certificate mapping object.
Sm_PolicyApi_InvalidOid. A certificate mapping object matching the specified OID was not found.

Sm_PolicyApi_GetChildren()

Builds the hierarchical realm and rule tree.

This function retrieves a list of OIDs. The OIDs are of type realms, or realms and rules. If the function is called with a domain OID, it retrieves a list of top-level realm OIDs. If the function is called with a realm OID, it retrieves a list of realm and rule OIDs under that realm. The iObjectId field in Sm_PolicyApi_Oid_t specifies the type of OID.

If there are no children for the domain or realm OID, the function returns an empty list.

Type

Realm function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetChildren (
   void*                  pSessionHandle,
   const char*            pszOid,
   Sm_PolicyApi_Oid_t**   ppStructObject
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszOid	I	A null-terminated string containing the object identifier of a domain or a realm.
ppStructObject	O	The address of a pointer to a Sm_PolicyApi_Oid_t structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Oid_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a list of realms and rules.
Sm_PolicyApi_InvalidOid. The domain or realm OID was not found.
Sm_PolicyApi_NoChildren. The domain has no realms or the realm has no realms or rules.

Sm_PolicyApi_GetDirectoryContents()

Retrieves a linked list of user structures (referenced by ppStructUsers) for a particular user directory.

The granularity of the response to this function is governed by the following registry entry:

HKLM\SOFTWARE\Wow6423Node\Netegrity\SiteMinder\CurrentVersion\Ds\ClassFilters

Free the memory allocated for the returned structures by calling Sm_PolicyApi_FreeMemoryEx().

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetDirectoryContents (
   void*                     pSessionHandle,
   const char*               pszUserDirOid,
   Sm_PolicyApi_User_t**     ppStructUserSpec
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
ppStructUserSpec	O	The address of a pointer to a user structure.

Returns

Sm_PolicyApi_Success. The retrieve operation was successful.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_GetDisabledUserState()

Retrieves the disabled state of a user.

To make this function work successfully, you must specify a directory attribute to track disabled users. This attribute is specified in the disabled flag of the user directory. The disabled reasons are enumerated in Sm_Api_DisabledReason_t, which is defined in SmApi.h.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetDisabledUserState (
   void*                      pSessionHandle,
   const char*                pszUserDirOid,
   const char*                pszUserDN,
   Sm_Api_DisabledReason_t*   nDisabledReason,
   char**                     pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory where the user may be found.
pszUserDN	I	A null-terminated string containing the distinguished name of a user whose disabled state is to be changed.
nDisabledReason	O	Reason for disabling or enabling a user. Reasons are enumerated in Sm_Api_DisabledReason_t, which is defined in SmApi.h.
pszErrMsg	O	The error message is held in this string if the retrieval was not successful. You release the memory allocated for this variable by calling Sm_PolicyApi_FreeString().

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure:
- The disable state was not retrieved.
- Memory could not be allocated to pszErrMsg.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get disabled user state.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_GetDomain()

Gets the contents of the domain identified by pszDomainOid. The results of this function are returned in a structure referenced by ppstructDomain.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Domain function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetDomain (
   void*                      pSessionHandle,
   const char*                pszDomainOid,
   Sm_PolicyApi_Domain_t**    ppstructDomain
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.
ppstructDomain	O	The address of a pointer to a domain structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Domain_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a domain.
Sm_PolicyApi_InvalidOid. The domain OID was not found.

Sm_PolicyApi_GetDomainByName()

Gets the contents of the domain identified by pszDomainName. The results of this function are returned in a structure referenced by ppstructDomain.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Domain function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetDomainByName (
   void*                      pSessionHandle,
   const char*                pszDomainName,
   Sm_PolicyApi_Domain_t**    ppstructDomain
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszDomainName	I	A null-terminated string containing the name of an existing domain.
ppstructDomain	O	The address of a pointer to a domain structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Domain_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a domain.
Sm_PolicyApi_NotFound. The domain name was not found.

Sm_PolicyApi_GetDomainObjects()

Retrieves the OIDs of domain objects for a given object type within the domain identified by pszDomainOid. The returned values are contained in the Sm_PolicyApi_Oid_t structure.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Domain function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetDomainObjects (
   void*                         pSessionHandle,
   const char*                   pszDomainOid,
   const Sm_PolicyApi_Objects_t  nObjectId,
   Sm_PolicyApi_Oid_t**          ppstructObject
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.
nObjectId	I	The type of domain object to retrieve, as enumerated in Sm_PolicyApi_Objects_t.
ppstructObject	O	The address of a pointer to a Sm_PolicyApi_Oid_t structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Oid_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get domain-based objects.
Sm_PolicyApi_InvalidOid. The domain OID was not found.

Sm_PolicyApi_GetGlobalObjects()

Retrieves the object identifiers of global objects of a specified type. Beginning at SiteMinder v6.0, this function will accept rule, policy, and response properties as global objects, and will return global rules, policies, and responses.

The returned values are contained in structure Sm_PolicyApi_Oid_t. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Note: In releases prior to SiteMinder v4.5, the functionality provided by Sm_PolicyApi_GetGlobalObjects() was provided by Sm_PolicyApi_GetGlobalObjectNames().

Type

General object function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetGlobalObjects (
   void*                          pSessionHandle,
   const Sm_PolicyApi_Objects_t   nObjectId,
   Sm_PolicyApi_Oid_t**           ppstructObject
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
nObjectId	I	The type of global object to retrieve. Object types are enumerated in Sm_PolicyApi_Objects_t.
ppstructObject	O	The address of a pointer to a Sm_PolicyApi_Oid_t structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Oid_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get global objects.
Sm_PolicyApi_Invalid. A non-global object identifier was specified.

Sm_PolicyApi_GetGlobalPolicyByName()

Gets a specified global policy.

The results of this function are returned in a structure referenced by ppstructPolicy. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetGlobalPolicyByName (
   void*                    pHandle,
   const char*              szPolicyName,
   Sm_PolicyApi_Policy_t**  ppstructPolicy
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szPolicyName	I	Unique name that corresponds to a global policy.
ppstructPolicy	O	The address of a pointer to a policy structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Policy_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a policy.
Sm_PolicyApi_NotFound. The policy name was not found.

Sm_PolicyApi_GetGlobalResponseByName()

Gets the specified global response.

The results of this function are returned in a structure referenced by ppstructResponse.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetGlobalResponseByName (
   void*                     pHandle,
   const char*               szResponseName,
   Sm_PolicyApi_Response_t**   ppstructReponse
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szResponseName	I	Unique name that corresponds to a global response.
ppstructResponse	O	The address of a pointer to a response structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Response_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a scheme.
Sm_PolicyApi_NotFound. The global response name was not found.

Sm_PolicyApi_GetGlobalRuleByName()

Gets the specified global rule.

The results of this function are returned in a structure referenced by ppstructRule.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetGlobalRuleByName (
   void*                     pHandle,
   const char*               szRuleName,
   Sm_PolicyApi_Rule_t**   ppstructRule
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szRuleName	I	Unique name that corresponds to a global rule.
ppstructRule	O	The address of a pointer to a response structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Rule_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a scheme.
Sm_PolicyApi_NotFound. The global rule name was not found.

Sm_PolicyApi_GetGroup()

Gets the contents of the group object identified by pszGroupOid. The results of this function are returned in a structure referenced by ppStructGroup.

The pszDomainOid parameter is required by a rule or response group. An agent group does not require a domain OID because it is not a domain-based object.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_GetGroup (
   void*                   pSessionHandle,
   Sm_PolicyApi_Groups_t   dwGroup,
   const char*             pszGroupOid,
   const char*             pszDomainOid,
   Sm_PolicyApi_Group_t**  ppStructGroup
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	The type of group to be retrieved.
pszGroupOid	I	A null-terminated string containing the object identifier of the group object being retrieved.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain. Required parameter for rule or response groups.
ppStructGroup	O	The address of a pointer to a group structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. The get was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get the contents of a group.
Sm_PolicyApi_InvalidOid:
- The group OID was not found.
- The domain OID was not found (for a domain-based group).
Sm_PolicyApi_BadGroup. The dwGroup parameter is not the rule, response, or agent type.

Sm_PolicyApi_GetGroupByName()

Gets the contents of the group object identified by pszGroupName. The results of this function are returned in a structure referenced by ppStructGroup.

The pszDomainOid parameter is required by a rule or response group. An agent group does not require a domain OID because it is not a domain-based object.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_GetGroupByName (
   void*                   pSessionHandle,
   Sm_PolicyApi_Groups_t   dwGroup,
   const char*             pszGroupName,
   const char*             pszDomainOid,
   Sm_PolicyApi_Group_t**  ppStructGroup
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	The type of group to be retrieved.
pszGroupOid	I	A null-terminated string containing the object identifier of the group object being retrieved.
pszDomainName	I	A null-terminated string containing the name of an existing domain. Required parameter for rule or response groups.
ppStructGroup	O	The address of a pointer to a group structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. The get was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get the contents of a group.
Sm_PolicyApi_InvalidOid. The domain OID was not found (for a domain-based group).
SmPolicyApi_Notfound. The group name was not found.
Sm_PolicyApi_BadGroup. The dwGroup parameter is not the rule, response, or agent type.

Sm_PolicyApi_GetGroupOids()

Retrieves the object identifiers contained within a group object. The results of this function are returned in a structure referenced by ppStructObjects.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

pszDomainOid is required by a rule group or response group. An agent group does not require a domain OID because it is not a domain-based object.

Note: At releases prior to SiteMinder v4.5, the functionality provided by Sm_PolicyApi_GetGroupOids() was provided by Sm_PolicyApi_GetGroupNames().

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_GetGroupOids (
   void*                   pSessionHandle,
   Sm_PolicyApi_Groups_t   dwGroup,
   const char*             pszGroupOid,
   const char*             pszDomainOid,
   Sm_PolicyApi_Oid_t**    ppStructObjects
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	Indicates the type of the group from which to retrieve object identifiers.
pszGroupOid	I	A null-terminated string containing the object identifier of a group of the type indicated by dwGroup.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain. Required parameter for rule or response group.
ppStructObjects	O	A pointer to the address of an object structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. The get was not successful or memory could not be allocated to Sm_PolicyApi_Oid_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get group OIDs.
Sm_PolicyApi_InvalidOid:
- The group OID was not found.
- The domain OID was not found (for a domain-based group).
Sm_PolicyApi_BadGroup. Parameter dwGroup is not the rule, response, or agent type.

Sm_PolicyApi_GetHostConfig()

Retrieves an existing host configuration object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetHostConfig (
   void*                              pSessionHandle,            
   const char*                        pszHostConfigOid,
   Sm_PolicyApi_HostConfig_t**        ppstructHostConfig
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszHostConfigOid	I	Unique identifier of the host configuration object to retrieve.
ppstructHostConfig	O	Address of a pointer to a structure that defines the host configuration object. The function allocates the structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to a host configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to get a host configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_GetHostConfigByName()

Retrieves an existing host configuration object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetHostConfigByName (
   void*                              pSessionHandle,            
   const char*                        pszHostConfigName,
   Sm_PolicyApi_HostConfig_t**        ppstructHostConfig
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszHostConfigName	I	Unique name of the host configuration object to retrieve.
ppstructHostConfig	O	Address of a pointer to a structure that defines the host configuration object. The function allocates the structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_NotFound. The unique name does not correspond to a host configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to get a host configuration object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyAPI_GetMessageConsumerPluginFromSAML1xScheme()

Gets a message consumer plugin setting from a SAML 1.x authentication scheme.

Syntax

int SM_EXTERN Sm_PolicyApi_GetMessageConsumerPluginFromSAML1xScheme(
   void*    pHandle,
   char*    pszSchemeOID,
   char**   pluginClass,
   char**   pluginParam                        
);

Parameters

phandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSchemeOid: [in] A pointer to the OID of the authentication scheme that is being updated.
pluginClass: [out] A pointer to the name of the plugin class to be read in from the authentication scheme,
pluginParam: [out] A pointer to the parameters of the plugin class to be read in from the authentication scheme.

Returns

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_SchemeNotFound. The authentication scheme corresponding to the OID was not found, or was not a SAML 1.x authentication scheme.
Sm_PolicyApi_InvalidOid. The OID of the authentication scheme is NULL.

Sm_PolicyApi_GetODBCQueryScheme()

Gets the contents of the ODBC Query Scheme object identified by pszODBCQuerySchemeOid.

The results of this function are returned in a structure referenced by pstructODBCQueryScheme. Free the memory allocated for this structure calling Sm_PolicyApi_FreeMemoryEx().

Type

ODBC query scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetODBCQueryScheme (
   void*                             pSessionHandle,
   const char*                       pszODBCQuerySchemeOid,
   Sm_PolicyApi_ODBCQueryScheme_t**  pstructODBCQueryScheme
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszODBCQuerySchemeOid	I	A null-terminated string containing the object identifier of an existing ODBC Query Scheme.
pstructODBCQueryScheme	O	The address of a pointer to a ODBC query scheme.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_ODBCQueryScheme_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an ODBC Query Scheme.
Sm_PolicyApi_InvalidOid. The ODBC Query Scheme OID was not found.

Sm_PolicyApi_GetODBCQuerySchemeByName()

Gets the contents of the ODBC Query Scheme object identified by pszODBCQuerySchemeName.

The results of this function are returned in a structure referenced by pstructODBCQueryScheme. Free the memory allocated for this structure calling Sm_PolicyApi_FreeMemoryEx().

Type

ODBC query scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetODBCQuerySchemeByName (
   void*                             pSessionHandle,
   const char*                       pszODBCQuerySchemeName,
   Sm_PolicyApi_ODBCQueryScheme_t**  pstructODBCQueryScheme
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszODBCQuerySchemeName	I	A null-terminated string containing the name of an existing ODBC Query Scheme.
pstructODBCQueryScheme	O	The address of a pointer to a ODBC query scheme.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_ODBCQueryScheme_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get an ODBC Query Scheme.
Sm_PolicyApi_NotFound. The ODBC Query Scheme name was not found.

Sm_PolicyApi_GetOneTimeUsePropFromAffiliate()

Retrieves the value of the OneTimeUse property for an assertion in a SAML 1.x affiliate.

Syntax

int SM_EXTERN Sm_PolicyApi_GetOneTimeUsePropFromAffiliate(
   void*    pHandle,
   char*    pszAffiliateOID,
   bool     &bOneTimeUse
                           
);

Parameters

pHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid: [in] A pointer to the OID of an existing SMAL 1.x affiliate.
bOneTimeUse: [in] A Boolean value that specifies whether an assertion is used only once in this affiliate.

Returns

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_NoSession. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator did not have sufficient access privileges.

Sm_PolicyApi_GetPasswordMsg()

Gets information about an error that occurred during an attempt to validate a new password.

Call this function when Sm_PolicyApi_SetPassword() returns the error code Sm_PolicyApi_InvalidPasswordSyntax.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetPasswordMsg (
   void*                              pSessionHandle,
   const char*                        pszPasswordMsg,
   unsigned int*                      nVersion,
   unsigned int*                      nMsgId,
   unsigned int*                      nArgs,
   Sm_PolicyApi_PasswordMsgField_t**  ppStructMsgField
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPasswordMsg	I	Encoded error message returned in the pszErrMsg parameter of the function Sm_PolicyApi_SetPassword().
nVersion	O	The version of the SiteMinder password services.
nMsgId	O	The password services message identifier retrieved for the encoded error message. Message identifiers are enumerated in Sm_PolicyApi_PasswordMsgId_t.
nArgs	O	The number of fields in the Sm_PolicyApi_PasswordMsgField_t structure referenced by ppStructMsgField.
ppStructMsgField	O	The address of a pointer to an Sm_PolicyApi_PasswordMsgField_t structure containing the password error message information.

Remarks

SiteMinder password services errors contain a unique message identifier. A message identifier (enumerated in Sm_PolicyApi_PasswordMsgId_t) is returned in the nMsgId parameter of the function Sm_PolicyApi_GetPasswordMsg().

Further, each message identifier is associated with additional information about the error. This additional information is referenced by a field identifier (enumerated in Sm_PolicyApi_PasswordMsgFieldId_t).

For example, suppose an administrator sets the minimum length of a password to seven characters. If a user tries to validate a new password containing just six characters, the following events can occur:

As a result of the failed password validation attempt, Sm_PolicyApi_SetPassword() returns Sm_PolicyApi_InvalidPasswordSyntax.
The Policy Management application responds by calling Sm_PolicyApi_GetPasswordMsg(), passing the encoded error message returned from Sm_PolicyApi_SetPassword() in the pszPasswordMsg parameter.
When Sm_PolicyApi_GetPasswordMsg() returns:
- nMsgId contains Sm_PolicyApi_PasswordMsgId_PasswordShort
- ppStructMsgField points to an Sm_PolicyApi_PasswordMsgField_t structure containing the following additional information about the password error:

Field	Value and Meaning
iStructId	Sm_PolicyApi_PasswordMsgField_ID. The error information relates to a password policy.
nId	Sm_PolicyApi_PasswordMsgField_Id_Min. The error violates a minimum character requirement for the password (the minimum password length).
nType	Sm_PolicyApi_FieldType_Int. The error description is an integer, so nValue is filled and pszMsg is not.
pszMsg	"". Not applicable to this error.
nValue	7. The minimum password length. The length of the requested password was less than this value.

Sm_PolicyApi_GetPasswordPolicy()

Gets the contents of a password policy object.

Type

Password policy function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetPasswordPolicy (
   void*                           pSessionHandle,
   const char*                     pszPasswordPolicyOid,
   Sm_PolicyApi_PasswordPolicy_t** ppstructPasswordPolicy
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPassword PolicyOid	I	A null-terminated string containing the object identifier of the password policy.
ppstruct PasswordPolicy	O	The address of a pointer to Sm_PolicyApi_PasswordPolicy_t.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_PasswordPolicy_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a password policy.
Sm_PolicyApi_InvalidOid. The password policy OID was not found.

Sm_PolicyApi_GetPasswordPolicyByName()

Gets the contents of a password policy object.

Type

Password policy function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetPasswordPolicyByName (
   void*                           pSessionHandle,
   const char*                     pszPasswordPolicyName,
   Sm_PolicyApi_PasswordPolicy_t** ppstructPasswordPolicy
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPassword PolicyName	I	A null-terminated string containing the name of the password policy.
ppstruct PasswordPolicy	O	The address of a pointer to Sm_PolicyApi_PasswordPolicy_t.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_PasswordPolicy_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a password policy.
Sm_PolicyApi_NotFound. The password policy name was not found.

Sm_PolicyApi_GetPolicy()

Gets the contents of the policy identified by pszPolicyOid.

The results of this function are returned in a structure referenced by ppstructPolicy. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Policy function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetPolicy (
   void*                    pSessionHandle,
   const char*              pszPolicyOid,
   Sm_PolicyApi_Policy_t**  ppstructPolicy
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy.
ppstructPolicy	O	The address of a pointer to a policy structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Policy_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a policy.
Sm_PolicyApi_InvalidOid. The policy OID was not found.

Sm_PolicyApi_GetPolicyByName()

Gets the contents of the policy identified by pszPolicyName and the corresponding pszDomainOid of the Domain in which the policy exists.

The results of this function are returned in a structure referenced by ppstructPolicy. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Policy function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetPolicyByName (
   void*                    pSessionHandle,
   const char*              szDomainOid,
   const char*              pszPolicyName,
   Sm_PolicyApi_Policy_t**  ppstructPolicy
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szDomainOid	I	A null-terminated string containing the object identifier of an existing domain.
pszPolicyName	I	A null-terminated string containing the name of an existing policy.
ppstructPolicy	O	The address of a pointer to a policy structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Policy_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a policy.
Sm_PolicyApi_InvalidOid. The Domain OID was not found.
Sm_PolicyApi_NotFound. The policy name was not found.

Sm_PolicyApi_GetPolicyLinks()

Returns a linked list of all of the policy links that are associated with the policy identified by pszPolicyOid.

The linked list returned is referenced by the ppstructPolicyLink structure. Free the memory allocated to these structures by calling Sm_PolicyApi_FreeMemoryEx().

Type

Policy function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetPolicyLinks (
   void*                        pSessionHandle,
   const char*                  pszPolicyOid,
   Sm_PolicyApi_PolicyLink_t**  ppstructPolicyLink
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy.
ppstructPolicyLink	O	The address of a policy link structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory is not allocated to Sm_PolicyApi_PolicyLink_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a list of policy links.
Sm_PolicyApi_InvalidOid. The policy OID was not found.

Sm_PolicyApi_GetPolicyUsers()

Returns a linked list of Sm_PolicyApi_User_t structures corresponding to the users who are associated with the policy identified by pszPolicyOid and who optionally belong to the user directory identified by pszUserDirOid. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetPolicyUsers (
   void*                   pSessionHandle,
   const char*             pszPolicyOid,
   const char*             pszUserDirOid,
   Sm_PolicyApi_User_t**   ppStructUsers
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory. This parameter is optional. If it is empty, the function returns all the policy users under the specified policy. If it is specified, the function returns policy users who belong to this directory under the specified policy.
ppStructUsers	O	The address of a pointer to a linked list of user structures.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_User_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get users from the policy.
Sm_PolicyApi_InvalidOid:
- The policy OID was not found.
- The user directory OID was not found.

Sm_PolicyApi_GetRealm()

Gets the contents of the realm identified by pszRealmOid.

The results of this function are returned in a structure referenced by ppstructRealm. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Realm function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetRealm (
   void*                    pSessionHandle,
   const char*              pszRealmOid, 
   Sm_PolicyApi_Realm_t**   ppstructRealm
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRealmOid	I	A null-terminated string containing the object identifier of an existing realm.
ppstructRealm	O	The address of a pointer to a realm structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Realm_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a realm.
Sm_PolicyApi_InvalidOid. The realm OID was not found.

Sm_PolicyApi_GetRealmByName()

Gets the contents of the realm identified by pszRealmName, and the corresponding pszDomainOrParentRealmOid of the Domain in which the Realm exists, or the Oid of the Parent Realm in the case of a child Realm.

The results of this function are returned in a structure referenced by ppstructRealm. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Realm function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetRealmByName (
   void*                    pSessionHandle,
   const char*              pszRealmOid, 
   Sm_PolicyApi_Realm_t**   ppstructRealm
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szDomainOr ParentRealm Oid	I	A null-terminated string containing the object identifier of an existing Domain or Realm
pszRealmName	I	A null-terminated string containing the name of an existing realm.
ppstructRealm	O	The address of a pointer to a realm structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_Realm_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a realm.
Sm_PolicyApi_InvalidOid. The Domain or parent Realm OID was not found.
Sm_PolicyApi_NotFound The Realm name was not found.

Sm_PolicyAPI_GetRedirectURLFromSAML1xScheme()

Retrieves a redirect URL setting from a SAML 1.x authentication scheme.

Syntax

int SM_EXTERN Sm_PolicyApi_GetRedirectURLFromSAML1xScheme(
        void*        pSessionHandle,
        const char*  pszSchemeOid,
        int          iTypeURL,
        char**       URL,
        int          &redirectMode
);

Parameters

pSessionHandle

[in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.

pszSchemeOid

[in] A null-terminated string containing the object identifier of the authentication scheme being updated.

iTypeUrl

[in] An integer specifying the type of redirect URL, defined in Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_TYPE_t as follows:

Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_USER_NOT_FOUND_TYPE = 0
Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_INVALID_SSO = 1
Sm_PolicyAPI_SAML1_STATUS_REDIRECT_URL_UNACCEPTABLE_USER_CREDENTIALS = 2

URL

[out] A pointer to the redirect URL from the authentication scheme

redirectMode

[out] An integer specifying the input redirect mode, which is either 0 for 302 No Data, or 1 for Http-Post.

Return Values

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_SchemeNotFound. The authentication scheme corresponding to the OID was not found, or was not a SAML 1.x authentication scheme.
Sm_PolicyApi_InvalidOid. The OID of the authentication scheme is NULL.

Sm_PolicyApi_GetRegistrationScheme()

Gets a registration scheme.

Type

Registration scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetRegistrationScheme (
   void*                         pSessionHandle,
   const char*                   pszRegistrationSchemeOid,
   Sm_PolicyApi_RegistrationScheme_t** 
                                 ppstructRegistrationScheme
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRegistration SchemeOid	I	A null-terminated string containing the object identifier of the registration scheme.
ppstruct Registration Scheme	O	The address of a pointer to Sm_PolicyApi_RegistrationScheme_t.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_RegistrationScheme_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a registration scheme.
Sm_PolicyApi_InvalidOid. A registration scheme OID was not found.

Sm_PolicyApi_GetRegistrationSchemeByName()

Gets a registration scheme.

Type

Registration scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetRegistrationSchemeByName (
   void*                         pSessionHandle,
   const char*                   pszRegistrationSchemeName,
   Sm_PolicyApi_RegistrationScheme_t** 
                                 ppstructRegistrationScheme
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRegistration SchemeName	I	A null-terminated string containing the name of the registration scheme.
ppstruct Registration Scheme	O	The address of a pointer to Sm_PolicyApi_RegistrationScheme_t.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_RegistrationScheme_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a registration scheme.
Sm_PolicyApi_NotFound. A registration scheme name was not found.

Sm_PolicyApi_GetRegularExpressions()

Gets a list of regular expressions belonging to the referenced password policy. Implemented only if the session's version is set to SM_POLICY_API_VERSION_6_0.

Type

Regular Expression function.

Syntax

int SM_EXTERN    Sm_PolicyApi_GetRegularExpressions (
   void*                               pSessionHandle,
   const char*                         pszPasswordPolicyOid,
   Sm_PolicyApi_RegularExpression_t**  ppstructRegExpr
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPassword PolicyOid	I	The OID of the password policy.
ppstructRegExpr	O	Pointer to a linked list of regular expressions belonging to the referenced password policy.

Returns

Sm_PolicyApi_Success. The regular expression list was retrieved successfully.
Sm_PolicyApi_Failure. The regular expression list was not retrieved successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get regular expressions.
Sm_PolicyApi_InvalidOid: The password policy OID was not found.

Sm_PolicyApi_GetResponse()

Gets the contents of the response identified by pszResponseOid.

The results of this function are returned in a structure referenced by ppstructResponse. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetResponse (
   void*                      pSessionHandle,
   const char*                pszResponseOid,
   Sm_PolicyApi_Response_t**  ppstructResponse
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszResponseOid	I	A null-terminated string containing the object identifier of an existing response.
ppstructResponse	O	The address of a pointer to a response structure.

Returns

Sm_PolicyApi_Success. The get operation was completed successfully.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Response_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a response.
Sm_PolicyApi_InvalidOid. The response OID was not found.

Sm_PolicyApi_GetResponseByName()

Gets the contents of the response identified by pszResponseName and the corresponding pszDomainOid of the Domain in which the response exists.

The results of this function are returned in a structure referenced by ppstructResponse. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetResponseByName (
   void*                      pSessionHandle,
   const char*                szDomainOid,
   const char*                pszResponseName,
   Sm_PolicyApi_Response_t**  ppstructResponse
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szDomainOid		A null-terminated string containing the object identifier of an existing Domain.
pszResponseName	I	A null-terminated string containing the name of an existing response.
ppstructResponse	O	The address of a pointer to a response structure.

Returns

Sm_PolicyApi_Success. The get operation was completed successfully.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Response_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a response.
Sm_PolicyApi_InvalidOid. The Domain OID was not found.
Sm_PolicyApi_NotFound. The response name was not found.

Sm_PolicyApi_GetResponseAttrs()

Retrieves a linked list of the response attributes that are associated with the response identified by pszResponseOid.

The linked list that is returned is referenced by the ppstructResponseAttr structure. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetResponseAttrs (
   void*                           pSessionHandle,
   const char*                     pszResponseOid,
   Sm_PolicyApi_ResponseAttr_t**   ppstructResponseAttr
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszResponseOid	I	A null-terminated string containing the object identifier of an existing response.
ppstructResponseAttr	O	A pointer to a response attribute structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_ResponseAttr_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a list of response attributes.
Sm_PolicyApi_InvalidOid. The response OID was not found.

Sm_PolicyApi_GetRule()

Gets the contents of the rule identified by pszRuleOid.

The results are returned in a structure referenced by ppstructRule. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Rule function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetRule (
   void*                    pSessionHandle,
   const char*              pszRuleOid,
   Sm_PolicyApi_Rule_t**    ppstructRule
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRuleOid	I	A null-terminated string containing the object identifier of an existing rule.
ppstructRule	O	The address of a pointer to a Sm_PolicyApi_Rule_t structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Rule_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a rule.
Sm_PolicyApi_InvalidOid. The rule OID was not found.

Sm_PolicyApi_GetRuleByName()

Gets the contents of the rule identified by pszRuleName.

The results are returned in a structure referenced by ppstructRule. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Rule function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetRuleByName (
   void*                    pSessionHandle,
   const char*              szRealmOid,
   const char*              pszRuleName,
   Sm_PolicyApi_Rule_t**    ppstructRule
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
szRealmOid	I	A null-terminated string containing the object identifier of an existing Realm.
pszRuleName	I	A null-terminated string containing the name of an existing rule.
ppstructRule	O	The address of a pointer to a Sm_PolicyApi_Rule_t structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Rule_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a rule.
Sm_PolicyApi_InvalidOid. The Realm OID was not found.
Sm_PolicyApi_NotFound. The rule name was not found.

Sm_PolicyApi_GetSAMLAffiliation()

Retrieves the SAML affiliation specified by its object identifier in the policy store.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetSAMLAffiliation
(
   void*                               pSessionHandle,
   const char*                         pszAffiliationOid,
   Sm_PolicyApi_SAMLAffiliation_t**    ppstructAffiliation
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliationOid	I	A null-terminated string containing the policy store object identifier of an existing SAML affiliation.
ppstruct Affiliation	O	The address of a pointer to a SAML affiliation structure.

Returns

Sm_PolicyApi_Success. The SAML affiliation was retrieved successfully.
Sm_PolicyApi_Failure. The SAML affiliation was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve a SAML affiliation.
Sm_PolicyApi_InvalidOID. The SAML affiliation OID was not found.

Sm_PolicyApi_GetSAMLAffiliationById()

Retrieves the SAML affiliation specified by its unique affiliation identifier (URI).

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetSAMLAffiliationById
(
   void*                               pSessionHandle,
   const char*                         pszAffiliationID,
   Sm_PolicyApi_SAMLAffiliation_t**    ppstructAffiliation
);

Parameter

I/O

Description

pSessionHandle

A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.

pszAffiliationID

A null-terminated string containing the unique affiliation identifier of an existing SAML affiliation.

The affiliation identifier is specified in SAML_KEY_AFFILIATION_ID.

ppstruct
Affiliation

The address of a pointer to a SAML affiliation structure.

Returns

Sm_PolicyApi_Success. The SAML affiliation was retrieved successfully.
Sm_PolicyApi_Failure. The SAML affiliation was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve a SAML affiliation.

Sm_PolicyApi_GetSAMLScheme()

Retrieves information about a SAML 2.0 authentication scheme and the metadata properties of the associated Identity Provider.

Type

SAML 2.0 Configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetSAMLScheme
(
   void*                                  pHandle,
   const char*                            pszSchemeOid,
   Sm_PolicyApi_Scheme_t**                ppstructScheme,
   Sm_PolicyApi_SAMLProviderProp_t**      ppProps
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSchemeOid	I	A null-terminated string containing the object identifier of an existing SAML authentication scheme.
ppstructScheme	O	The address of a pointer to a SAML authentication scheme structure.
ppProps	O	The address of a pointer to a SAML 2.0 metadata properties structure. For information about these properties, see SAML 2.0 Authentication Scheme Properties.

Returns

Sm_PolicyApi_Success. The authentication scheme was retrieved successfully.
Sm_PolicyApi_Failure. The authentication scheme was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior
to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve an authentication scheme.
Sm_PolicyApi_InvalidOID. The authentication scheme OID was not found.

Sm_PolicyApi_GetSAMLServiceProvider()

Retrieves the Service Provider specified by its object identifier in the policy store.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetSAMLServiceProvider
(
   void*                             pSessionHandle,
   const char*                       pszProviderOid,
   Sm_PolicyApi_SAMLSP_t**           pstructSAMLSP
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid	I	A null-terminated string containing the policy store object identifier of an existing Service Provider.
ppstructSAMLSP	O	The address of a pointer to a Service Provider structure.

Returns

Sm_PolicyApi_Success. The Service Provider was retrieved successfully.
Sm_PolicyApi_Failure. The Service Provider was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior
to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve a Service Provider.
Sm_PolicyApi_InvalidOID. The Service Provider OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.

Sm_PolicyApi_GetSAMLServiceProviderById()

Retrieves the Service Provider specified by its unique provider identifier.

Type

SAML 2.0 Configuration function, domain scope

Syntax

int SM_EXTERN Sm_PolicyApi_GetSAMLServiceProvider
(
   void*                             pSessionHandle,
   const char*                       pszProviderId,
   Sm_PolicyApi_SAMLSP_t**           pstructSAMLSP
);

Parameter

I/O

Description

pSessionHandle

A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.

pszProviderId

A null-terminated string containing the unique provider identifier of an existing Service Provider.

The provider identifier is specified in SAML_KEY_SPID.

ppstructSAMLSP

The address of a pointer to a Service Provider structure.

Returns

Sm_PolicyApi_Success. The Service Provider was retrieved successfully.
Sm_PolicyApi_Failure. The Service Provider was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior
to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve a Service Provider.
Sm_PolicyApi_InvalidOID. The Service Provider OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.

Sm_PolicyApi_GetSAMLServiceProviderUsers()

Retrieves the user directory entries associated with the specified Service Provider.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetSAMLServiceProviderUsers
(
   void*                        pSessionHandle,
   const char*                  pszProviderOid,
   const char*                  pszUserDirOid,
   Sm_PolicyApi_User_t**        ppStructUsers
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid	I	A null-terminated string containing the policy store object identifier of an existing Service Provider.
pszUserDirOid	I	A null-terminated string containing the policy store object identifier of an existing user.
ppStructUsers	O	The address of a pointer to user structures.

Returns

Sm_PolicyApi_Success. The users were retrieved successfully.
Sm_PolicyApi_Failure. The users were not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve users.
Sm_PolicyApi_InvalidOid. The affiliate OID was not found.

Sm_PolicyApi_GetScheme()

Gets the contents of the authentication scheme identified by pszSchemeOid. The results of this function are returned in a structure referenced by ppstructScheme.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Authentication scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetScheme (
   void*                     pSessionHandle,
   const char*               pszSchemeOid,
   Sm_PolicyApi_Scheme_t**   ppstructScheme
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSchemeOid	I	A null-terminated string containing the object identifier of an existing scheme.
ppstructScheme	O	The address of a pointer to a scheme structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Scheme_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a scheme.
Sm_PolicyApi_InvalidOid. The scheme OID was not found.

Sm_PolicyApi_GetSchemeByName()

Gets the contents of the authentication scheme identified by pszSchemeName. The results of this function are returned in a structure referenced by ppstructScheme.

Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Authentication scheme function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetSchemeByName (
   void*                     pSessionHandle,
   const char*               pszSchemeName,
   Sm_PolicyApi_Scheme_t**   ppstructScheme
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSchemeName	I	A null-terminated string containing the name of an existing scheme.
ppstructScheme	O	The address of a pointer to a scheme structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Scheme_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a scheme.
Sm_PolicyApi_NotFound. The scheme name was not found.

Sm_PolicyApi_GetSharedSecretPolicy()

Gets the current SharedSecretPolicy.

Returns the current shared secret policy object. There will always be exactly one such object, so it is not necessary to specify its OID.

Type

Agent configuration.

Syntax

int SM_EXTERN Sm_PolicyApi_GetSharedSecretPolicy (
   void*                                pSessionHandle,
   Sm_PolicyApi_SharedSecretPolicy_t**  ppstructSecretPolicy
);

Parameter	I/O	Description
pSessionHandle	I	The current Policy API session handle.
ppstructSecret Policy	I/O	Address of pointer to shared secret policy structure

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidHandle. The session handle was invalid.
Sm_PolicyApi_NoSession. The user is not logged in.
Sm_PolicyApi_NoPrivilege. User does not have rights to manage objects.

Sm_PolicyApi_GetTargetConfigFromSAML1xScheme

Retrieves a target configuration setting from a SAML 1.x authentication scheme.

Syntax

The Sm_PolicyApi_GetTargetConfigFromSAML1xScheme function has the following syntax:

int SM_EXTERN Sm_PolicyApi_GetTargetConfigFromSAML1xScheme(
        void*        pHandle,
        const char*  pszSchemeOid,
        char**       pszDefaultTarget,
        int*         iQPOverridesTarget
);

Parameters

The Sm_PolicyApi_GetTargetConfigFromSAML1xScheme function accepts the following parameters:

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszSchemeOid: [in] A null-terminated string containing the object identifier of the authentication scheme being updated.
pszDefaultTarget: [out] Specifies the target configuration. The calling program must free up this memory by calling the Sm_PolicyApi_FreeMemory() function.
iQPOverridesTarget: [out] Specifies the value of the 'Query parameter override Default Target' check box. The calling program is responsible for passing allocated memory.

Return Values

The Sm_PolicyApi_GetTargetConfigFromSAML1xScheme function returns one of the following values:

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_SchemeNotFound. The authentication scheme corresponding to the OID was not found, or was not a SAML 1.x authentication scheme.
Sm_PolicyApi_InvalidOid. The OID of the authentication scheme is NULL.

Sm_PolicyApi_GetTrustedHost()

Retrieves an existing trusted host object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetTrustedHost (
   void*                           pSessionHandle,
   const char*                     pszTrustedHostOid,
   Sm_PolicyApi_TrustedHost_t**    ppstructTrustedHost
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszTrustedHostOid	I	Unique identifier of the trusted host object to retrieve.
ppstructTrustedHost	O	Address of a pointer to a structure that defines the trusted host object. The function allocates the structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to a trusted host object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to get a trusted host object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_GetTrustedHostByName()

Retrieves an existing trusted host object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetTrustedHostByName (
   void*                           pSessionHandle,
   const char*                     pszTrustedHostName,
   Sm_PolicyApi_TrustedHost_t**    ppstructTrustedHost
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszTrustedHostName	I	Unique name of the trusted host object to retrieve.
ppstructTrustedHost	O	Address of a pointer to a structure that defines the trusted host object. The function allocates the structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_NotFound. The unique name does not correspond to a trusted host object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to get a trusted host object.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_GetUseSecureAuthPropFromAffiliate()

Retrieves the value of the UseSecureAuthURL property from a SAML 1.x affiliate.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUseSecureAuthPropFromAffiliate(
   void*    pHandle,
   char*    pszAffiliateOID,
   bool     &bUseSecureAuthURL
                           
);

Parameters

pHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid: [in] A pointer to the OID of an existing SMAL 1.x affiliate.
bUseSecureAuthURL: [in] A Boolean value that specifies whether to use a secure authentication URL for this affiliate.

Returns

Sm_PolicyApi_Success. The action was completed successfully.
Sm_PolicyApi_Failure. The action was unsuccessful.
Sm_PolicyApi_NoSession. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator did not have sufficient access privileges.

Sm_PolicyApi_GetUserContext()

Allows callers of the Policy Management API to access user context information.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUserContext (
   void                         *pSessionHandle,
   const char                   *lpszUserDirOid,
   const char                   *lpszUserPath,
   const char                   *lpszSessionID,
   Sm_PolicyApi_UserContext_t   **ppPolicyApiUserContext);
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
lpszUserDirOid	I	A null-terminated string containing the object identifier of the user directory for the user specified in lpszUserPath.
lpszUserPath	I	The distinguished name of the user.
lpszSessionID	I	A unique identifier of the session. After a successful login, the session ID is returned in the lpszSessionId field of the structure Sm_AgentApi_Session_t. If the session ID is not known, assign an empty string ("") to this parameter.
ppPolicyApi UserContext	O	The user context information that SiteMinder passes to the function.

Remarks

This function allows an application to access information about a user without having to connect to the underlying user directory. To retrieve the user information, the application calls the functions in the Sm_Api_UserContext_t structure, which is returned in ppPolicyApiUserContext.For example:

Calling fGetProp or fSetProp to get or set a user attribute.
Calling fAuthenticate to verify a user's password.
Calling fGetProp to search the directory and examine the results to verify that the correct user has been found.
Calling fGetProp to retrieve an attribute for a user who is not the logged-in user.

Important! After calling Sm_GetUserContext(), release the allocated memory by calling Sm_PolicyApi_FreeMemoryEx(). Otherwise, you can possibly see some Policy Server performance degradation.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. The get operation was not successful.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_Invalid. The specified user or directory was not valid.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a user directory.

Sm_PolicyApi_GetUserDir()

Gets the contents of the user directory identified by pszUserDirOid.

The results of this function are returned in a structure referenced by ppstructUserDir. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUserDir (
   void*                      pSessionHandle,
   const char*                pszUserDirOid,
   Sm_PolicyApi_UserDir_t**   ppstructUserDir
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
ppstructUserDir	O	Address of a pointer to a user directory structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_UserDir_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a user directory.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_GetUserDirByName()

Gets the contents of the user directory identified by pszUserDirName

The results of this function are returned in a structure referenced by ppstructUserDir. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUserDirByName (
   void*                      pSessionHandle,
   const char*                pszUserDirName,
   Sm_PolicyApi_UserDir_t**   ppstructUserDir
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirName	I	A null-terminated string containing the name of an existing user directory.
ppstructUserDir	O	Address of a pointer to a user directory structure.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Memory could not be allocated for Sm_PolicyApi_UserDir_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get a user directory.
Sm_PolicyApi_NotFound. The user directory name was not found.

Sm_PolicyApi_GetUserDirCapabilities()

Retrieves the user directory capabilities.

The user directory capabilities are enumerated in Sm_DirectoryCapability_t in SmApi.h.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUserDirCapabilities (
   void*             pSessionHandle,
   const char*       pszUserDirOid,
   unsigned long*    pCapabilities
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of the user directory where the lookup has to be performed.
pCapabilities	O	The address of a pointer to an unsigned long that will hold information about directory capability. Directory capabilities are enumerated in Sm_DirectoryCapability_t, which is defined in the header file SmApi.h. See Figure 12 on page 103.

Returns

Sm_PolicyApi_Success. The retrieve was successful.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve user directory capability.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_GetUserDirSearchOrder()

Retrieves the OIDs of the user directory objects that are associated with the domain identified by pszDomainOid.

The retrieved list of OIDs is stored in the pszArray string array in the order in that they are searched by SiteMinder. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeStringArray().

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUserDirSearchOrder (
   void*         pSessionHandle,
   const char*   pszDomainOid,
   char**        pszArray[]
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.
pszArray	O	The returned array of user directory OIDs of the requested objects.

Returns

Sm_PolicyApi_Success. The function successfully returned the user directory search order.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get user directory search order in a domain.
Sm_PolicyApi_InvalidOid. The domain OID was not found.

Sm_PolicyApi_GetUserGroups()

Gets the list of groups that a user is member of.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUserGroups (
   void *          pSessionHandle,
   const char *    pszUserDirOid,
   const char *    pszUserDN,
   const bool      bRecursive,
   char**          pszGroups[]
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	The user's object identifier.
pszUserDN	I	The user's distinguished name.
bRecursive	I	Value indicating whether to search just one level or all levels. If you specify True, all levels are searched.
pszGroups	O	Array that will contain the groups that the user belongs to. Free the memory allocated for the array by calling Sm_PolicyApi_FreeStringArray().

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. The get operation was not successful.
Sm_PolicyApi_Invalid. There was no valid directory for the specified user OID and DN.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_InvalidOid. The directory OID was not found (for a directory-based group).
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to get the groups.

Sm_PolicyApi_GetUserPasswordState()

Returns Sm_Api_UserPasswordState_t. The memory for the Sm_Api_UserPasswordState_t object should be allocated by the calling function.

Type

Password state function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUserPasswordState (
   void       *pSessionHandle,
   const char *pszUserDirOid,
   const char *pszUserDN,
   Sm_PolicyApi_UserPasswordState_t *pPasswordState
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	Unique object identifier that corresponds to a particular User Directory.
pszUserDN	I	Specifies the DN of the user within the user directory.
pPasswordState	O	The user password state object.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_BadArgument. The input password state pointer is NULL.
Sm_PolicyApi_NoSession. The API user is not properly logged in.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to User Directory object.
Sm_PolicyApi_UserDirNotFound. Failed to retrieve User Directory object from policy store.
Sm_PolicyApi_ErrorUserDir. Invalid User Directory object or wrong user DN.
Sm_PolicyApi_NoPrivilege. The caller does not have the proper privileges.

Sm_PolicyApi_GetUsersFromWSFEDResourcePartner()

Gets the user directory entries associated with a WS-Federation Resource Partner.

Syntax

int SM_EXTERN Sm_PolicyApi_GetUsersFromWSFEDResourcePartner (
        void* pSessionHandle,
        const char * pszProviderOid,
        const char * pszUserPolicyOid,
       Sm_PolicyApi_User_t ** ppStructUsers
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid: [in] A null-terminated string containing the object identifier of an existing WS-Federation Resource Partner.
pszUserPolicyOid: [in] A null-terminated string containing the object identifier of an existing policy user.
ppStructUsers: [out] The address of a pointer to a linked list of user structures.

Return Values

Sm_PolicyApi_Success. The user directory was added successfully.
Sm_PolicyApi_Failure. The user directory was not added successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve users.
Sm_PolicyApi_InvalidOid. The affiliate OID was not found.

Sm_PolicyApi_GetVariable()

Gets a specified variable.

The results of this function are returned in a structure referenced by ppstructVariable. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Variable function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetVariable (
   void*                       pSessionHandle,
   const char*                 pszVariableOid,
   Sm_PolicyApi_Variable_t**   ppstructVariable
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszVariableOid	I	Unique object identifier that corresponds to a variable.
ppstructVariable	O	The address of a pointer to a variable structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Variable_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to obtain a variable.
Sm_PolicyApi_InvalidOid. The variable object identifier was not found.
Sm_PolicyApi_FeatureNotSupported. The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_GetVariableByName()

Gets a specified variable.

The results of this function are returned in a structure referenced by ppstructVariable. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Variable function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetVariableByName (
   void*                       pSessionHandle,
   const char*                 pszVariableName,
   Sm_PolicyApi_Variable_t**   ppstructVariable
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing Domain.
pszVariableName	I	Unique name that corresponds to a variable.
ppstructVariable	O	The address of a pointer to a variable structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Variable_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to obtain a variable.
Sm_PolicyApi_InvalidOid. The Domain OID was not found.
Sm_PolicyApi_NotFound. The variable name was not found.
Sm_PolicyApi_FeatureNotSupported. The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_GetVariableType()

Gets a specified variable type.

The results of this function are returned in a structure referenced by ppstructVariable. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Variable function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetVariableType (
   void*                           pSessionHandle,
   const char*                     pszVariableTypeOid,
   Sm_PolicyApi_VariableType_t**   ppstructVariableType
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszVariableOid	I	Unique object identifier that corresponds to a variable type.
ppstructVariable	O	The address of a pointer to a variable structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Variable_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to obtain the variable type.
Sm_PolicyApi_InvalidOid. The variable type object identifier was not found.
Sm_PolicyApi_FeatureNotSupported. The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_GetVariableTypeByName()

Gets a specified variable type.

The results of this function are returned in a structure referenced by ppstructVariable. Free the memory allocated for this structure by calling Sm_PolicyApi_FreeMemoryEx().

Type

Variable function.

Syntax

int SM_EXTERN Sm_PolicyApi_GetVariableTypeByName (
   void*                           pSessionHandle,
   const char*                     pszVariableTypeName,
   Sm_PolicyApi_VariableType_t**   ppstructVariableType
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszVariableName	I	Unique name that corresponds to a variable type.
ppstructVariable	O	The address of a pointer to a variable structure.

Returns

Sm_PolicyApi_Success. The get was successful.
Sm_PolicyApi_Failure. Memory could not be allocated to Sm_PolicyApi_Variable_t.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to obtain the variable type.
Sm_PolicyApi_NotFound The variable type object identifier was not found.
Sm_PolicyApi_FeatureNotSupported. The client who called this function initialized the API with a version less than SM_POLICY_API_VERSION_6_0.

Sm_PolicyApi_GetWSFEDResourcePartner()

Gets an existing Resource Partner object.

Syntax

int SM_EXTERN Sm_PolicyApi_GetWSFEDResourcePartner (
        void* pSessionHandle,
        const char * pszProviderOid;
        Sm_PolicyApi_WSFEDResourcePartner_t** pstructServiceProvider
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid: [in] A null-terminated string containing the object identifier of an existing WS-Federation Resource Partner.
pstructServiceProvider: [out] The address of the pointer to WS-Federation Resource Partner structure.

Return Values

Sm_PolicyApi_Success. The Resource Partner was retrieved successfully.
Sm_PolicyApi_Failure. The Resource Partner was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve an affiliate.
Sm_PolicyApi_InvalidOID. The Resource Partner OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain

Sm_PolicyApi_GetWSFEDScheme()

Gets an existing WSFED authentication scheme object.

Syntax

int SM_EXTERN Sm_PolicyApi_GetWSFEDScheme (
        void* pSessionHandle,
        const char * pszProviderOid,
        Sm_PolicyApi_Scheme_t** ppstructScheme,
        Sm_PolicyApi_WSFEDProviderProp_t** ppProps
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid: [in] A null-terminated string containing the object identifier of an existing WSFED auth scheme.
ppstructScheme: [out] The address of the pointer to SiteMinder auth scheme structure.
ppProps: [out] The address of the pointer to linked list WSFED provider properties.

Return Values

Sm_PolicyApi_Success. The authentication scheme was retrieved successfully.
Sm_PolicyApi_Failure. The authentication scheme was not retrieved successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to retrieve an affiliate.
Sm_PolicyApi_InvalidOID. The provider OID was not found.

Sm_PolicyApi_Init()

Initializes the connection to the SiteMinder policy store and establishes the init handle.

You can specify an initialization flag that will affect the API's behavior.

This function must be called once per API client session. It must be the first function called in the session.

Type

Required function.

Syntax

int SM_EXTERN Sm_PolicyApi_Init (
   void**                           ppInitHandle,
   const Sm_PolicyApi_InitFlags_t   nInitFlag
);

Parameter	I/O	Description
ppInitHandle	O	A pointer to an internal Policy Management API data structure that contains client session information. This init handle is returned on successful initialization and is used as an input parameter to every call to Sm_PolicyApi_Login() and Sm_PolicyApi_Release().
nInitFlag	I	Value affecting the behavior of the API.

Returns

Sm_PolicyApi_Success. The initialization of the Policy Store connection was successful.
Sm_PolicyApi_Failure. The initialization of the Policy Store connection was unsuccessful or memory could not be allocated.

Sm_PolicyApi_InitEx()

Initializes a connection to the SiteMinder policy store and establishes the init handle based on a supplied version.

Type

Required function.

Syntax

int SM_EXTERN Sm_PolicyApi_InitEx (
   void**                           ppInitHandle,
   const Sm_PolicyApi_InitFlags_t   nInitFlag,
   const unsigned                   version
)

Parameter	I/O	Description
ppInitHandle	O	A pointer to an internal Policy Management API data structure that contains client session information.
nInitFlag	I	Value affecting the behavior of the API.
version	I	Version of the Policy Management API to initialize.

Returns

Sm_PolicyApi_Success. The initialization of the Policy Store connection was successful.
Sm_PolicyApi_Failure. The initialization of the Policy Store connection was unsuccessful or memory could not be allocated.

Sm_PolicyApi_IsGroup()

Determines whether an item is a group.

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_IsGroup (
   void*                   pSessionHandle,
   Sm_PolicyApi_Groups_t   dwGroup,
   const char*             pszOid,
   const char*             pszDomainOid,
   bool*                   bIsGroup
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	Indicates the type of the object.
pszOid	I	A null-terminated string containing the object identifier of the item to check.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.
bIsGroup	O	A pointer to a boolean value. true if the pszOid object is a group.

Returns

Sm_PolicyApi_Success. The OID is a group.
Sm_PolicyApi_Failure. The OID is not a group.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to find out if a rule, response, or agent OID is a group.
Sm_PolicyApi_InvalidOid:
- The domain OID was not found (for a domain-based group).
- The group OID was not found.
- The rule, response, or agent OID or group OID was not found.
Sm_PolicyApi_BadGroup. Parameter dwGroup is not the rule, response, or agent type.

Sm_PolicyApi_Login()

After initialization, a successful call to Sm_PolicyApi_Login() is a prerequisite to making any further function calls. This function checks the administrator's login credentials (username and password). If the API detects an uninitialized or improperly initialized init handle, an error is generated. If the administrator is authenticated, the function initializes internal data structures and resources. Once the administrator is logged in, the Policy Server initializes a session handle, which is used as an input parameter to all the Policy Management API functions.

Internally, the session handle contains data structures and context information required for the operation of the Policy Management API, including the client session data (from the init handle) and the administrator session data. The data structures and context information are transparent to the caller.

You can call Sm_PolicyApi_Login() to initialize a session handle without checking the administrator's credentials or without specifying any administrator. To log in under either of these circumstances, set the parameter nCheckCreds to false. See the description of the nCheckCreds parameter for more information.

This function can be called more than once during the client session and depends on the successful initialization of the Policy Store connection.

Type

Required function.

Syntax

int SM_EXTERN Sm_PolicyApi_Login (
   void*           pInitHandle,
   void**          ppSessionHandle,
   int             nCheckCreds,
   const char*     pszUserName,
   const char*     pszPassword,
   const char*     pszClientIP,
   char**          pszUserMsg,
   char**          pszErrMsg
);

Parameter	I/O	Description
pInitHandle	I	A pointer to an internal Policy Management API data structure. This is the init handle returned by Sm_PolicyApi_Init().
ppSessionHandle	O	A pointer to an internal Policy Management API data structure (a different instance of the structure from pInitHandle). The structure contains administrator session data. The session handle is transparent to the caller.
nCheckCreds	I	Flag indicating whether to check the credentials of the administrator, as follows: If nCheckCreds is false and an empty string ( "" ) is passed in pszUserName, no credential checking is done, and the caller is granted all administrator rights. If nCheckCreds is false and a user name is passed in pszUserName, no credential checking is done. However, the passed name must be that of a valid SiteMinder administrator. The caller is granted rights defined for the administrator. If nCheckCreds is true, both the user name and the password are verified and should match a valid SiteMinder administrator. The caller is granted rights defined for the administrator.
pszUserName	I	User Name of the Policy Management API administrator. If you pass in an empty string ( "" ) and set nCheckCreds to false, no administrator name and password are required. The caller is granted all administrator rights.
pszPassword	I	Password of the Policy Management API administrator.
pszClientIP	I	IP address of the machine the administrator is logging from.
pszUserMsg	O	User message returned by the Policy Management API. You release the memory allocated for this variable by calling Sm_PolicyApi_FreeString().
pszErrMsg	O	Error message returned by the Policy Management API. You release the memory allocated for this variable by calling Sm_PolicyApi_FreeString().

Returns

Sm_PolicyApi_Success. The login was successful.
Sm_PolicyApi_Failure. Memory cannot be allocated.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have privileges to some or all the domains.
Sm_PolicyApi_ErrorLogin. The authentication failed.

Example

See the Sm_PolicyApi_Login() call in the example application smpolicyapiexample.cpp.

Sm_PolicyApi_Logout()

Logs out an administrator session.

Type

Required function.

Syntax

int SM_EXTERN Sm_PolicyApi_Logout (
   void* pSessionHandle
);

Parameter	I/O	Description
pSessionHandle	I	The session handle that was returned by Sm_PolicyApi_Login() after successful login of the administrator.

Returns

Sm_PolicyApi_Success. The logout was successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.

Sm_PolicyApi_LookupDirectoryEntry()

Looks up the user specification in a user directory.

pszSearchPattern holds the search pattern for the lookup. User directory searches vary for each type of user directory namespaces.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_LookupDirectoryEntry (
   void*                   pSessionHandle,
   const char*             pszUserDirOid,
   const char*             pszSearchPattern,
   Sm_PolicyApi_User_t**   ppStructUserSpec
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of the user directory where lookup is to be performed.
pszSearchPattern	I	A null-terminated string containing the search pattern for the lookup. Information about the search expression grammar for different namespace types appears in the section below.
ppStructUserSpec	O	The address of a pointer to a user structure.

Search Expression Grammar for an LDAP Namespace

The search in an LDAP user directory can be based on an attribute-value pair or on an LDAP search expression.

For an attribute-value pair, the format of pszSearchPattern is:

<attribute-name>=<value>

For example if <attribute-name> is disabled and <value> is 0, the LDAP search filter is:

Base:'o=airius.com',

Filter:

'(&
      (|(objectclass=organizationalPerson)
      (objectclass=inetOrgPerson)
      (objectclass=organization)
      (objectclass=organizationalUnit)
      (objectclass=groupOfNames)
      (objectclass=groupOfUniqueNames)
      (objectclass=group)
      )
      (disabled=0)
)'

If the search uses an LDAP search expression, pszSearchPattern will hold the LDAP search expression. For example, if the search expression is 'uid=user1111', the LDAP search filter is:

Base:'o=airius.com',

Filter:

'(&
      (|(objectclass=organizationalPerson)
      (objectclass=inetOrgPerson)
      (objectclass=organization)
      (objectclass=organizationalUnit)
      (objectclass=groupOfNames)
      (objectclass=groupOfUniqueNames)
      (objectclass=group)
      )
      (uid=user1111)
)'

Search Expression Grammar for ODBC, WinNT and Custom Namespaces

You can search in an ODBC user directory for users, groups, or both. The search is based on attribute-value pairs.

The format of pszSearchPattern is:

[ <class>= ] <value>

In the format example:

<class> is an empty-string or user or group. An empty-string implies user and group.
<value> is a wildcard string.

Returns

Sm_PolicyApi_Success. The lookup was successful.
Sm_PolicyApi_Failure. The user specification lookup failed or memory could not be allocated to Sm_PolicyApi_User_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.
Sm_PolicyApi_UserDirNotValid. There is no connection to the user directory or the user directory provider has not been loaded.

Sm_PolicyApi_ManagementCommand()

Performs user, key, and resource management activities.

The Policy Management API supports the types of management commands that are enumerated in Sm_PolicyApi_ManagementCommands_t.

Type

Utility function.

Syntax

int SM_EXTERN Sm_PolicyApi_ManagementCommand (
  void*                             pSessionHandle,
  Sm_PolicyApi_ManagementCommand_t* pstructManagementCommand
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructManagementCommand	I	The address of a pointer to a management command structure.

Returns

Sm_PolicyApi_Success. The management command was issued successfully.
Sm_PolicyApi_Failure. The management command was not issued successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to call Sm_PolicyApi_ManagementCommand().
Sm_PolicyApi_Invalid. An invalid management command was specified.

Sm_PolicyApi_Release()

Disconnects from the policy store and releases memory and resources held by the API.

This function must be the last function called by the API client session. This function must be called once per client session.

Note: Failure to call this function will result in a memory leak.

Type

Required function.

Syntax

int SM_EXTERN Sm_PolicyApi_Release(void* pInitHandle);

Parameter	I/O	Description
pInitHandle	I	The init handle that was returned by Sm_PolicyApi_Init() after successful initialization of the client session.

Returns

This function always returns Sm_PolicyApi_Success.

Sm_PolicyApi_RemoveAdminFromAffiliateDomain()

Removes an administrator from an affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveAdminFromAffiliateDomain (
   void*         pSessionHandle,
   const char*   pszAdminOid,
   const char*   pszAffiliateDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAdminOid	I	A null-terminated string containing the object identifier of an existing administrator.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.

Returns

Sm_PolicyApi_Success. The administrator was removed from the affiliate domain.
Sm_PolicyApi_Failure. The administrator was not removed from the affiliate domain.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove an administrator from an affiliate domain.
Sm_PolicyApi_InvalidOID. The affiliate domain OID was not found during an update.
Sm_PolicyApi_NotFound. The administrator object identifier could not be found in the affiliate domain collection.

Sm_PolicyApi_RemoveAdminFromDomain()

Disassociates the administrator object identified by pszAdminOid from the domain identified by szDomainOid.

Type

Administrator function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveAdminFromDomain (
   void*          pSessionHandle,
   const char*    pszAdminOid,
   const char*    pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAdminOid	I	A null-terminated string containing the object identifier of an existing administrator.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.

Returns

Sm_PolicyApi_Success. The administrator was removed successfully from a domain.
Sm_PolicyApi_Failure. The administrator was not removed successfully from a domain.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove an administrator from a domain.
Sm_PolicyApi_InvalidOid. The administrator object identifier or the domain object identifier was not found.
Sm_PolicyApi_NotFound, if
- There are no administrator object identifiers in the domain collection.
- The administrator object identifier could not be found in the domain collection.

Sm_PolicyApi_RemoveAgentConfigAssociation()

Removes a configuration parameter name/value pair from the specified agent configuration object.

Type

Agent configuration function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveAgentConfigAssociation (
   void*                  pSessionHandle,
   const char*            pszAssociationOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAssociationOid	I	Unique identifier of the name/value pair to remove.

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidOid. The unique ID does not correspond to an agent configuration object.
Sm_PolicyApi_NoPrivilege. The caller does not have the privilege to remove agent configuration object parameters.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_NoSession. The API user is not properly logged in.

Sm_PolicyApi_RemoveAssertionConsumerServiceFromSAMLSP()

Removes an existing indexed endpoint reference to an Assertion Consumer Service from the policy store. The index, binding type, and Assertion Consumer Service URL must match an existing Assertion Consumer Service.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveAssertionConsumerServiceToSAMLSP (
   void*                               pSessionHandle,
   const Sm_PolicyApi_SAMLSPAssertionConsumerService_t* 
                pstructSAMLSPAssertionConsumerService,
   const char*                         pszSAMLSPOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructSAMLAssertionConsumerService	I	A pointer to an Assertion Consumer Service structure.
pszSAMLSPOid	I	A pointer to a string containing the OID of the Service Provider.

Returns

Sm_PolicyApi_Success. The Assertion Consumer Service was removed successfully.
Sm_PolicyApi_Failure - The Assertion Consumer Service was not removed successfully.
Sm_PolicyApi_ACSIndexedEndpointNotFound - There is no Assertion Consumer Service that matches the Assertion Consumer Service to be removed..
Sm_PolicyApi_InvalidHandle - There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession - There is no valid administrator session.
Sm_PolicyApi_NoPrivilege - The administrator does not have the privilege to remove Attributes from a SAML Service Provider.

Sm_PolicyApi_RemoveAttributeFromAffiliate()

Removes an attribute from an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveAttributeFromAffiliate (
   void*                               pSessionHandle,
   const Sm_PolicyApi_AffiliateAttr_t* pstructAffiliateAttr,
   const char*                         pszAffiliateOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructAffiliate Attr	I	A pointer to an affiliate attribute structure.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.

Returns

Sm_PolicyApi_Success. The affiliate attribute was removed successfully.
Sm_PolicyApi_Failure. The affiliate attribute was not removed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove an affiliate attribute.
Sm_PolicyApi_InvalidOID. The affiliate OID was not found.

Sm_PolicyApi_RemoveAttributeFromSAMLScheme()

Removes a configured attribute from a SAML authentication scheme.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveAttributeFromSAMLScheme(
   void*                                pHandle,
   const Sm_PolicyApi_Scheme_t*         pstructScheme,
   const Sm_PolicyApi_SAMLRequesterAttr_t*     pAttr
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructScheme	I	A pointer to a completely filled-in scheme structure.
pAttr	I	A pointer to the Sm_PolicyApi_SAMLRequesterAttr_t structure containng the attribute to be removed.

Returns

Sm_PolicyApi_Success. The attribute was removed successfully.
Sm_PolicyApi_Failure. The attribute was not removed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove an attribute to a SAML Requester.
Sm_PolicyApi_SAMLIDP_IncorrectParameters. Supplied SAML provided properties are incomplete or incorrect.
Sm_PolicyApi_NoSuchAttribute. An attribute with a matching Name and NameFormat does not exist.

Sm_PolicyApi_RemoveAttributeFromSAMLSP()

Removes the specified SAML attribute from the Service Provider.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveAttributeFromSAMLSP
(
   void*                               pHandle,
   const Sm_PolicyApi_SAMLSPAttr_t*    pstructSAMLSPAttr,
   const char*                         pszSAMLSPOid
);

Parameter	I/O	Description
pHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pstructSAMLSPAttr	I	A pointer to a SAML attribute structure
pszSAMLSPOid	I	The Service Provider's object identifier in the policy store.

Returns

Sm_PolicyApi_Success. The attribute was removed successfully.
Sm_PolicyApi_Failure. The attribute was not removed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove an SAML attribute from a Service Provider.
Sm_PolicyApi_NoSuchAttribute. No attribute exists with the Name and NameFormat provided.

Sm_PolicyApi_RemoveFromGroup()

Removes an item from a group.

The item and the group must exist and must be of the same type, and the item must be contained in the group.

The pszDomainOid parameter is required by rule and response groups. An agent group does not require a domain OID because it is not a domain-based object.

Type

Group function, global scope (agents) or domain scope (responses, rules).

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveFromGroup (
   void*                   pSessionHandle,
   Sm_PolicyApi_Groups_t   dwGroup,
   const char*             pszItemOid,
   const char*             pszGroupOid,
   const char*             pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
dwGroup	I	Indicates the type of the group.
pszItemOid	I	A null-terminated string containing the object identifier of an existing item; must be the same type as the group.
pszGroupOid	I	A null-terminated string containing the object identifier of the group.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain. Required by rule and response groups.

Returns

Sm_PolicyApi_Success. The remove was successful.
Sm_PolicyApi_Failure. The remove was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a rule, response, or agent OID from its respective group.
Sm_PolicyApi_InvalidOid:
- The domain OID was not found (for a domain-based group).
- The group OID was not found.
- The rule, response, or agent OID or group OID was not found.
Sm_PolicyApi_BadGroup. Parameter dwGroup is not the rule, response, or agent type.

Sm_PolicyApi_RemovePolicyLinkFromPolicy()

By removing the policy link identified by pszPolicyLinkOid from the policy identified by pszPolicyOid, this function effectively removes the rule from the policy.

A policy link object binds a policy to a rule and, optionally, a response.

Note: In releases prior to SiteMinder v4.5, the functionality provided by Sm_PolicyApi_RemovePolicyLinkFromPolicy() was provided by Sm_PolicyApi_RemoveRuleFromPolicy().

Type

Policy function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_RemovePolicyLinkFromPolicy (
   void*          pSessionHandle,
   const char*    pszPolicyLinkOid,
   const char*    pszPolicyOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyLinkOid	I	A null-terminated string containing the object identifier of an existing policy link under pszPolicyOid.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy.

Returns

Sm_PolicyApi_Success. The policy link was removed successfully.
Sm_PolicyApi_Failure. The policy link was not removed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a policy link.
Sm_PolicyApi_InvalidOid:
- The policy OID was not found.
- The policy link OID was not found.

Sm_PolicyApi_RemoveRegularExpressionFromPasswordPolicy()

Removes a Regular Expression from the referenced password policy. Implemented only if the session's version is set to SM_POLICY_API_VERSION_6_0.

Type

Regular Expression function.

Syntax

int SM_EXTERN    Sm_PolicyApi_RemoveRegularExpressionFromPasswordPolicy(
   void*        pSessionHandle,
   const char*  pszRegularExpressionOid,
   const char*  pszPasswordPolicyOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszRegular ExpressionOid	I	The OID of the regular expression to be removed.
pszPassword PolicyOid	I	The OID of the password policy to remove the expression from.

Returns

Sm_PolicyApi_Success. The regular expression was removed successfully.
Sm_PolicyApi_Failure. The regular expression was not removed successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove regular expressions.
Sm_PolicyApi_InvalidOid: The password policy OID was not found.

Sm_PolicyApi_RemoveResponseAttr()

Disassociates the response attribute defined by the pstructResponseAttr structure from the response identified by pszResponseAttrOid. The attribute name and attribute value must match in order for the remove to occur.

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveResponseAttr (
   void*          pSessionHandle,
   const char*    pszResponseAttrOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszResponseAttrOid	I	A null-terminated string containing the object identifier of an existing response attribute.

Returns

Sm_PolicyApi_Success. The remove operation was successful.
Sm_PolicyApi_Failure. The remove operation was not successful.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a response attribute.
Sm_PolicyApi_InvalidOid. The response attribute OID was not found.

Sm_PolicyApi_RemoveUserDirFromAffiliateDomain()

Removes a user directory from an existing affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveUserDirFromAffiliateDomain(
   void*        pSessionHandle,
   const char*  pszUserDirOid,
   const char*  pszAffiliateDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.

Returns

Sm_PolicyApi_Success. The user directory was removed from the affiliate domain successfully.
Sm_PolicyApi_NotFound. The domain does not have the user directory.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a user directory from an affiliate domain.
Sm_PolicyApi_InvalidOID. The user directory OID or affiliate domain OID was not found during an update.

Sm_PolicyApi_RemoveUserDirFromDomain()

Disassociates the user directory identified by pszUserDirOid from the domain identified by pszDomainOid.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveUserDirFromDomain (
   void*          pSessionHandle,
   const char*    pszUserDirOid,
   const char*    pszDomainOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.

Returns

Sm_PolicyApi_Success. The remove operation was successful.
Sm_PolicyApi_NotFound. The domain does not have any user directories.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a user directory from a domain.
Sm_PolicyApi_InvalidOid. A user directory or domain OID was not found.

Sm_PolicyApi_RemoveUsersFromAffiliate()

Removes a user directory entry from an affiliate.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveUsersFromAffiliate (
   void*        pSessionHandle,
   const char*  pszAffiliateOid,
   const char*  pszUserPolicyOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliateOid	I	A null-terminated string containing the object identifier of an existing affiliate.
pszUserPolicyOid	I	A null-terminated string containing the object identifier of an existing policy user.

Returns

Sm_PolicyApi_Success. The user was removed successfully.
Sm_PolicyApi_Failure. The user was not removed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a user.
Sm_PolicyApi_InvalidOID. The affiliate OID or user policy OID was not found.

Sm_PolicyApi_RemoveUsersFromPolicy()

Disassociates the user identified by pszUserPolicyOid from the policy identified by pszPolicyOid. Only one user specification (which may be an aggregate) can be removed at a time.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveUsersFromPolicy (
   void*          pSessionHandle,
   const char*    pszPolicyOid,
   const char*    pszUserPolicyOid
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy from which a user is to be removed.
pszUserPolicyOid	I	A null-terminated string containing the object identifier of an existing policy user.

Remarks

This function is successful only when the pointer to Sm_PolicyApi_User_t is obtained with the Sm_PolicyApi_GetPolicyUsers() function. If the user is retrieved with Sm_PolicyApi_LookupDirectoryEntry(), Sm_PolicyApi_GetDirectoryContents(), or Sm_PolicyApi_ValidateDirectoryEntry(), pszUserPolicyOid will be invalid and the call will fail.

Returns

Sm_PolicyApi_Success. The remove operation was successful.
Sm_PolicyApi_Failure. The remove operation was not successful.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a user from the policy.
Sm_PolicyApi_InvalidOid:
- The policy OID was not found.
- The user policy OID was not found.

Sm_PolicyApi_RemoveUsersFromSAMLServiceProvider()

Removes the specified users from the Service Provider.

Type

SAML 2.0 Configuration function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_AddUsersToSAMLServiceProvider
(
   void*                             pSessionHandle,
   const char*                       pszProviderOid,
   Sm_PolicyApi_User_t*              pStructUsers,
   int                               iPolicyFlags
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid	I	A null-terminated string containing the Service Provider's object identifier.
pStructUsers	I	The users to remove from the Service Provider.
iPolicyFlags	I	A bit field that indicates whether: The policy created for the SAML Service Provider includes a user The policy should be applied recursively

Returns

Sm_PolicyApi_Success. The users were removed successfully.
Sm_PolicyApi_Failure. The users were not removed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a user.
Sm_PolicyApi_InvalidOid. The Service Provider OID was not found.

Sm_PolicyApi_RemoveUsersFromWSFEDResourcePartner()

Dissociates a user directory entry from WS-Federation Resource Partner.

Syntax

int SM_EXTERN Sm_PolicyApi_RemoveUsersFromWSFEDResourcePartner (
        void* pSessionHandle,
        const char * pszProviderOid,
        const char * pszUserPolicyOid
);

Parameters

pSessionHandle: [in] A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszProviderOid: [in] A null-terminated string containing the object identifier of an existing WS-Federation Resource Partner.
pszUserPolicyOid: [in] A null-terminated string containing the object identifier of an existing policy user.

Return Values

Sm_PolicyApi_Success. The user directory was removed a successfully.
Sm_PolicyApi_Failure. The user directory was not removed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to remove a user.
Sm_PolicyApi_InvalidOid. The Resource Partner OID was not found.

Sm_PolicyApi_RenameObject()

Renames a domain or global object.

This function requires the Object Identifier (OID) of the object to be renamed. You can retrieve the object identifier by performing the Get operation on the object.

Type

General object function.

Syntax

int SM_EXTERN Sm_PolicyApi_RenameObject (
   void*          pSessionHandle,
   const char*    pszOid,
   const char*    pszNewName
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszOid	I	Object Identifier of the object to be renamed.
pszNewName	I	New name for the object.

Returns

Sm_PolicyApi_Success. The object was renamed successfully.
Sm_PolicyApi_Failure. The object was not renamed successfully.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to rename an object.
Sm_PolicyApi_InvalidOid. The OID was not found.

Sm_PolicyApi_SetAffiliateDomainUserDirSearchOrder()

Sets the user directory search order for an affiliate domain.

Type

Federation function

Syntax

int SM_EXTERN Sm_PolicyApi_SetAffiliateDomainUserDirSearchOrder (
   void*         pSessionHandle,
   const char*   pszAffiliateDomainOid,
   char**        pszArray[]
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszAffiliate DomainOid	I	A null-terminated string containing the object identifier of an existing affiliate domain.
pszArray	I	An array of user directory OIDs, in the desired order.

Returns

Sm_PolicyApi_Success. The function successfully set the user directory search order.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to set user directory search order in an affiliate domain.
Sm_PolicyApi_InvalidOID. The affiliate OID was not found.
Sm_PolicyApi_DomainNotAffiliate. The domain is not an affiliate domain.
Sm_PolicyApi_WrongNumberOfElements. The number of user directories in the affiliate domain collection is different from the number of elements in the array.

Sm_PolicyApi_SetDisabledUserState()

Sets the disabled state of a user. You can also enable a user with this function.

To make this function work, the attribute for tracking disabled users must be set in the user directory (the pszDisabledAttr field of structure Sm_PolicyApi_UserDir_t). You can also set the attribute using the Policy Server User Interface.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_SetDisabledUserState (
   void*                            pSessionHandle,
   const char*                      pszUserDirOid,
   const char*                      pszUserDN,
   const Sm_Api_DisabledReason_t    nDisabledReason,
   char**                           pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of an existing user directory.
pszUserDN	I	The distinguished name of the user whose disabled state is to be changed.
nDisabledReason	I	Reason for disabling or enabling a user. The reasons are enumerated in Sm_Api_DisabledReason_t, which is defined in SmApi.h. It is the responsibility of the caller to set the correct state. Multiple reasons can exist concurrently. When a user is enabled, all the flags in the disabled mask should be cleared.
pszErrMsg	O	The error message is held in the string if the operation was not successful. You release the memory allocated for this variable by calling Sm_PolicyApi_FreeString().

Returns

Sm_PolicyApi_Success. The disable user state was set successfully.
Sm_PolicyApi_Failure:
- User state was not disabled.
- Memory could not be allocated to pszErrMsg.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to set disabled user state.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Examples

To disable a user for password expiration:

nDisabledReason = Sm_Api_Disabled_DisabledMask &
      Sm_Api_Disabled_PWExpired;

To disable a user for administrative reasons:

enum Sm_Api_DisabledReason_t nDisabledReason;

iRes =  Sm_PolicyApi_GetDisabledUserState (pSessionHandle,
                                           pszUserDirOid,
                                           pszUserDN,
                                           &nDisabledReason,
                                           &pszGetErrMsg);

if (iRes != Sm_PolicyApi_Success)
{
    cout << "Error: " << pszGetErrMsg << endl;
}

// Set admin disabled reason bit.
nDisabledReason=(Sm_Api_DisabledReason_t) (nDisabledReason | 
      Sm_Api_Disabled_AdminDisabled);

// Set Disable user state
iRes = Sm_PolicyApi_SetDisabledUserState(pSessionHandle,
                                         pszUserDirOid,
                                         pszUserDN,
                                         nDisabledReason,
                                         &pszSetErrMsg);

To enable a user and clear all disable reason bits:

enum Sm_Api_DisabledReason_t nDisabledReason;
iRes = Sm_PolicyApi_GetDisabledUserState(pSessionHandle,
                                         pszUserDirOid,
                                         pszUserDN,
                                         &nDisabledReason,
                                         &pszGetErrMsg);

if (iRes != Sm_PolicyApi_Success)
{
   if (pszGetErrMsg)
   {
      cout << "Error: " << pszGetErrMsg << endl;
   }
}
// Clear all the disable reason bits.
nDisabledReason=(Sm_Api_DisabledReason_t)
      (nDisabledReason & (~Sm_Api_Disabled_DisabledMask));

// Set Disable user state to enable
iRes = Sm_PolicyApi_SetDisabledUserState(pSessionHandle,
                                         pszUserDirOid,
                                         pszUserDN,
                                         nDisabledReason,
                                         &pszSetErrMsg);

Sm_PolicyApi_SetPassword()

Changes the password of a user account. It can also be used to validate a new password or an old password without changing the password.

To validate a new password, you must set SiteMinder Password services for the directory, and you must identify a password attribute in the SiteMinder user directory.

Type

User and user state function.

Syntax

int SM_EXTERN Sm_PolicyApi_SetPassword (
   void*          pSessionHandle,
   const char*    pszUserDirOid,
   const char*    pszUserDN,
   const char*    pszNewPassword,
   const char*    pszOldPassword,
   bool           bChangePassword,
   bool           bValidateNewPassword,
   bool           bValidateOldPassword,
   char**         pszErrMsg
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of the user directory where the user may be found.
pszUserDN	I	The distinguished name of the user whose password is to be changed and/or whose new or old password is to be validated.
pszNewPassword	I	New user password to validate or change.
pszOldPassword	I	Old user password to validate or change.
bChangePassword	I	If true, the password is changed to the new password and is recorded in the user's password history. If an error occurs, the function returns an error code.
bValidateNewPassword	I	If true, the new password is checked to make sure it satisfies all password policy requirements. If the new password is in violation of any password policies, pszErrMsg is set and the function returns an error code.
bValidateOldPassword	I	If true, the old password is used to authenticate the user. If authentication fails, the function returns an error code.
pszErrMsg	O	String containing an error message if the user password change or validation was not successful. You release the memory allocated for this variable by calling Sm_PolicyApi_FreeString().

Returns

Sm_PolicyApi_Success. The change or validation was successful.
Sm_PolicyApi_Failure. The change or validation was not successful or memory could not be allocated to the error message string.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_InvalidPasswordSyntax. Returned when both of these conditions exist:
- bValidateNewPassword is true.
- The new password did not satisfy the password policy requirements set for the specified directory.
For information about the error, call Sm_PolicyApi_GetPasswordMsg() and pass to it the encoded error message (pszErrMsg) returned from Sm_PolicyApi_SetPassword().
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to set or validate user passwords.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Sm_PolicyApi_SetResponseInPolicyLink()

Alters the policy link described by the ppstructPolicyLink structure.

This function sets a response or a response group to a rule or rule group. It can also be used to remove a response or response group from a policy link. To remove a response or response group from a policy link, set the pszResponseOid in Sm_PolicyApi_PolicyLink_t to an empty string.

Type

Response function, domain scope.

Syntax

int SM_EXTERN Sm_PolicyApi_SetResponseInPolicyLink (
   void*                       pSessionHandle,
   const char*                 pszPolicyOid,
   Sm_PolicyApi_PolicyLink_t*  ppstructPolicyLink
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszPolicyOid	I	A null-terminated string containing the object identifier of an existing policy.
ppstructPolicyLink	I	The address of a policy link structure.

Returns

Sm_PolicyApi_Success. The response was successfully set or removed in a policy link.
Sm_PolicyApi_Failure. The response cannot be set or removed in a policy link.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to set a policy link.
Sm_PolicyApi_InvalidOid:
- The policy OID was not found.
- The rule or rule group OID was not found.
- The response or response group OID was not found.
Sm_PolicyApi_DoesNotExist. There are no policy links in the policy collection.

Sm_PolicyApi_SetSharedSecretPolicy()

Sets the current SharedSecretPolicy. There will always be exactly one such object, so it is not necessary to provide the bUpdate boolean flag.

Type

Agent configuration.

Syntax

int SM_EXTERN Sm_PolicyApi_SetSharedSecretPolicy (
   void*                               pSessionHandle,
   Sm_PolicyApi_SharedSecretPolicy_t*  ppstructSecretPolicy
);

Parameter	I/O	Description
pSessionHandle	I	The current Policy API session handle.
ppstructSecret Policy	I/O	The shared secret policy structure.

Returns

Sm_PolicyApi_Success. The operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidHandle. The session handle was invalid.
Sm_PolicyApi_NoSession. The user is not logged in.
Sm_PolicyApi_NoPrivilege. User does not have rights to manage objects.

Sm_PolicyApi_SetUserDirSearchOrder()

Rearranges the search order of the user directory objects associated with the domain identified by pszDomainOid.

The ordered list of names is specified in the pszArray string array. The user directories in this array must match in OID and number (but not order) the list of user directory names that were retrieved by a call to Sm_PolicyApi_GetUserDirSearchOrder().

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_SetUserDirSearchOrder (
   void*          pSessionHandle,
   const char*    pszDomainOid,
   char**         pszArray[]
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszDomainOid	I	A null-terminated string containing the object identifier of an existing domain.
pszArray	I	An array of user directory OIDs, in the desired order.

Returns

Sm_PolicyApi_Success. The user directory search order was set successfully.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_NoPrivilege. The administrator does not have the privilege to set user directory search order in a domain.
Sm_PolicyApi_InvalidOid. The domain OID was not found.
Sm_PolicyApi_WrongNumberOfElements. The number of user directories in the domain collection is different from the number of elements in the array.

Sm_PolicyApi_SetUserPasswordState()

Add or update a UserPasswordState object.

If there is no PasswordState associated with the user, a new PasswordState will be created. Otherwise, the UserPasswordState will be updated.

Type

Password state function.

Syntax

int SM_EXTERN Sm_PolicyApi_SetUserPasswordState (
   void                             *pSessionHandle,
   const char                       *pszUserDirOid,
   const char                       *pszUserDN,
   Sm_PolicyApi_UserPasswordState_t *pPasswordState
   bool bEmptyHistory
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	Unique object identifier that corresponds to a particular User Directory.
pszUserDN	I	Specifies the distinguished name of the user within the user directory.
pPasswordState	I/O	The user password state object. If this parameter changes the user directory setting for the last time the password was changed, and the password is reset outside of SiteMinder, the password policy preventing password reuse may not work as expected. If this parameter is set to NULL, the function returns Sm_PolicyApi_Failure.
bEmptyHistory	I	Specifies whether this function should clear the existing password history. If this parameter is set to true, the field tLastPWChange field of structure Sm_PolicyApi_UserPasswordState_t is implicitly reset to zero.

Returns

Sm_PolicyApi_Success. The get operation was successful.
Sm_PolicyApi_Failure. Generalized failure.
Sm_PolicyApi_InvalidHandle. The session pointer is not valid.
Sm_PolicyApi_BadArgument. The input password state pointer is NULL.
Sm_PolicyApi_NoSession. The API user is not properly logged in.
Sm_PolicyApi_InvalidOid. The unique id does not correspond to User Directory object.
Sm_PolicyApi_UserDirNotFound. Failed to retrieve User Directory object from policy store.
Sm_PolicyApi_ErrorUserDir. Invalid User Directory object or wrong user DN.
Sm_PolicyApi_NoPrivilege. The caller does not have the proper privileges.

Sm_PolicyApi_ValidateDirectoryEntry()

Validates a user specification in a user directory.

Type

User directory function, global scope.

Syntax

int SM_EXTERN Sm_PolicyApi_ValidateDirectoryEntry (
   void*                  pSessionHandle,
   const char*            pszUserDirOid,
   const char*            pszPath,
   Sm_PolicyApi_User_t**  ppUserEntry
);

Parameter	I/O	Description
pSessionHandle	I	A pointer to an internal Policy Management API data structure. The structure holds information about the administrator session and the client session.
pszUserDirOid	I	A null-terminated string containing the object identifier of the user directory.
pszPath	I	A null-terminated string containing the path of a user.
ppUserEntry	O	The address of a pointer to a user structure.

Returns

Sm_PolicyApi_Success. The validation was successful.
Sm_PolicyApi_Failure:
- The policy resolution of the user path in pszPath is not of type Sm_PolicyResolution_User.
- There is no connection to the user directory or the user directory provider has not been loaded.
- Memory could not be allocated to Sm_PolicyApi_User_t.
Sm_PolicyApi_NoSession. There is no valid administrator session.
Sm_PolicyApi_InvalidHandle. There was no valid initialization prior to this call.
Sm_PolicyApi_InvalidOid. The user directory OID was not found.

Authentication Scheme Configuration

When you configure an authentication scheme programmatically, you provide information that would otherwise be provided through the Authentication Scheme Properties dialog of the Policy Server UI. You provide this information through the fields in the structure Sm_PolicyApi_Scheme_t.

Note: The following categories of information can be used for different purposes in different authentication schemes. For example, with the TeleID authentication scheme, the shared secret is used to supply the encryption seed.

Scheme type
SiteMinder provides a number of standard authentication scheme types (also known as templates). Each authentication scheme type is configured differently.
Description
Brief description of the authentication scheme.
Protection level
Protection level values can range from 1 through 1000. The higher the number, the greater the degree of protection provided by the scheme.
Library
An authentication scheme library performs authentication processing for the associated authentication scheme type. Each predefined authentication scheme is shipped with a default library. Optionally, you can use a custom library instead of the default.
Parameter
Additional information that the authentication scheme requires, such as the URL of an HTML login page. With some authentication schemes, the parameter information is constructed from field values in the Scheme Type Setup tab of the Authentication Scheme Properties dialog. To see how a parameter string is constructed for a given scheme type, open this dialog, select the appropriate scheme type, provide values to the fields in the Scheme Type Setup tab, and view the constructed parameter in the Advanced tab.
Shared Secret
Information that is known to both the authentication scheme and the Policy Server. Different authentication schemes use different kinds of secrets. Most schemes use no secret.
Is template?
A flag that specifies whether the authentication scheme is a template.

Note: Setting an authentication scheme as a template with the C Policy Management API was deprecated in SDK v6.0 SP3.
Is used by administrator?
A flag that specifies whether the authentication scheme can be used to authenticate administrators.
Save Credentials?
A flag that specifies whether to save the user's credentials.
Is RADIUS?
A flag that specifies whether the scheme can be used with RADIUS agents.
Ignore password check?
A flag that specifies whether password policies for the scheme are enabled. If True (1), password policies are disabled.

Note: The Ignore password check flag must be set to True for anonymous authentication schemes.

Anonymous Template

Use this table when configuring an authentication scheme based on the scheme type Anonymous. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Note: The Ignore password check flag must be set to True for anonymous authentication schemes.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_Anonymous The scheme type Anonymous.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=0 Set to 0. Not applicable to this scheme type.
Library	pszLib="smauthanon" The default library for this scheme type.
Parameter	pszParam=param A string containing the guest DN. Policies associated with the guest DN must apply to anonymous users.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

Basic Over SSL Template

Use this table when configuring an authentication scheme based on the scheme type Basic over SSL. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_BasicOverSSL The scheme type Basic over SSL.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 10.
Library	pszLib="smauthcert" The default library for this scheme type.
Parameter	pszParam=param A string containing the domain or IP address of the SSL server and the name of the SSL Credentials Collector (SCC). Format: https://server/SCC?basic The following example uses the default SCC: https://my.server.com/siteminderagent/ nocert/smgetcred.scc?basic
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0) for this scheme.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

Basic Template

Use this table when configuring an authentication scheme based on the scheme type Basic. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_Basic The scheme type Basic.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthdir" The default library for this scheme type.
Parameter	pszParam="" Set to an empty string. Not applicable to this scheme.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=1 Set to true (1)-scheme can be used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=1 Set to true (1)-scheme can be used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

Custom Template

Use this table when configuring an authentication scheme based on the scheme type Custom. You create custom schemes using the Authentication API. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_Custom The scheme type Custom.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 0 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib=customLibName The name of the custom shared library you created using the Authentication API.
Parameter	pszParam=param Any string of one or more parameters required by your custom authentication scheme. For a custom authentication scheme that uses SSL, you must supply a URL that points to a SiteMinder Web Agent library required for the SSL-based authentication.
Shared secret	pszSecret=secret The shared secret, if any, that your custom authentication scheme uses for encryption of credentials.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=flag Set to true (1) to specify that the scheme can be used to authenticate administrators, or to false (0) to specify that the scheme cannot be used to authenticate administrators. Default is 0.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

HTML Form Template

Use this table when configuring an authentication scheme based on the scheme type HTML Form. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_HTMLForm The scheme type HTML Form.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthhtml" The default library for this scheme type.
Parameter	pszParam=param A string containing a user attribute list plus the location of the forms credential collector (FCC). The attribute list must begin with AL= and use commas as the list delimiter character, and it must end with a semicolon-for example: AL=Password,SSN,age,zipcode; The complete parameter format is: attr-list;https:/server/fcc The following example uses the default FCC: AL=PASSWORD,SSN,age,zipcode; http://my.server.com/siteminderagent/ forms/login.fcc
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=flag Set to true (1) to indicate that user credentials should be saved, or false (0) to indicate that user credentials should not be saved. Default is 0.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

Impersonation Template

Use this table when configuring an authentication scheme based on the scheme type Impersonation. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_Impersonation The scheme type Impersonation.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthimpersonate" The default library for this scheme type.
Parameter	pszParam=param A string containing a user attribute list plus the location of the forms credential collector (FCC). The attribute list must begin with AL= and use commas as the list delimiter character, and it must end with a semicolon-for example: AL=Password,SSN,age,zipcode; The complete parameter format is: attr-list;https:/server/fcc The following example uses the default FCC: AL=PASSWORD,SSN,age,zipcode; http://my.server.com/siteminderagent/ forms/imp.fcc
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

RADIUS CHAP/PAP Template

Use this table when configuring an authentication scheme based on the scheme type RADIUS CHAP/PAP. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_RadiusChapPap The scheme type RADIUS CHAP/PAP.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthchap" The default library for this scheme type.
Parameter	pszParam=param A string containing the name of a user directory attribute. This attribute is used as the clear text password for authentication.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=1 Set to true (1)-scheme can be used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

RADIUS Server Template

Use this table when configuring an authentication scheme based on the scheme type RADIUS Server. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_RadiusServer The scheme type RADIUS Server.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthradius" The default library for this scheme type.
Parameter	pszParam=param A string containing the IP address and port of the RADIUS server-for example: 123.123.12.12:1645 The default UDP port is 1645.
Shared secret	pszSecret=secret The user attribute that the RADIUS Server will use as the clear text password.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=1 Set to true (1)-scheme can be used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=1 Set to true (1)-scheme can be used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

SafeWord HTML Form Template

Use this table when configuring an authentication scheme based on the scheme type SafeWord HTML Form. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_SafeWordHTMLForm The scheme type SafeWord HTML Form.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 10.
Library	pszLib="smauthenigmahtml" The default library for this scheme type.
Parameter	pszParam=param A string containing the name and location of the forms credentials collector. This example shows the default credentials collector: http://my.server.com/ siteminderagent/forms/safeword.fcc
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=1 Set to true (1)-scheme can be used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=1 Set to true (1)-scheme can be used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

SafeWord Template

Use this table when configuring an authentication scheme based on the scheme type SafeWord. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_SafeWordServer The scheme type SafeWord.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 10.
Library	pszLib="smauthenigma" The default library for this scheme type.
Parameter	pszParam="" Set to an empty string. Not applicable to this scheme.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=1 Set to true (1)-scheme can be used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=1 Set to true (1)-scheme can be used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

SAML Artifact Template

Use this table when configuring a SAML authentication scheme based on the profile type artifact for communicating security assertions. With the artifact profile type, the URL for retrieving the SAML assertion is referenced within the AssertionRetrievalURL portion of the Parameter string.

The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning

Scheme type	nType=Sm_Api_SchemeType_SAMLArtifact The scheme type SAML Artifact.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthsaml" The default library for this scheme type.
Parameter	pszParam=param The following required parameters: Name. The name of the affiliate. RedirectMode. The way in which the SAML Credentials Collector redirects to the target resource. One of the following numeric values: 0. Meaning: 302 No Data. 1. Meaning: 302 Cookie Data. 2. Meaning: Server Redirect. 3. Meaning: Persist Attributes.
Parameter
	SRCID. The 20-byte source ID for the site that produces the SAML assertion. The ID is located at the SAML producer's site in the properties file AMAssertionGenerator.properties. AssertionRetrievalURL. The URL for obtaining the assertion from the SAML assertion producer's site. Audience. The URI of the document that describes the agreement between the portal and the affiliate. This value is compared with the audience value specified in the SAML assertion. Issuer. The SAML issuer specified in the assertion. AttributeXPath. A standard XPath query run against the SAML assertion. The query obtains the data that is substituted in a search specification that looks up a user-for example: //saml:AttributeValue/SM:/SMContent /SM:Smlogin/SM:Username.text()
	This query gets the text of the Username element. SAMLVersion. The SAML version in use: 1.0 or 1.1. RetrievalMethod. One of these values: 0. Meaning: Basic authentication. 1. Meaning: Client certificate authentication. Attribute. The search string for looking up a user in a user directory of the specified type. Use a percent sign ( % ) to indicate where the value returned from the XPath query should be inserted. For example, if you specify attribute LDAP:uid=%s, and user1 is returned from the query, the search string used for LDAP directories is uid=user1. At least one attribute must be specified.
	Format of the parameter string is as follows. Separate name/value pairs with semi-colons ( ; ). The format example includes LDAP and ODBC attributes: Name=name;RedirectMode=0\|1\|2;SRCID=srcid; AssertionRetrievalURL=url;Audience=audience; Issuer=issuer;AttributeXpath=XPathQuery; SAMLVersion=1.0\|1.1;RetrievalMethod=0\|1; attribute=LDAP:srchSpc;attribute=ODBC:srchSpc
Shared secret	pszSecret=secret The password for the affiliate site.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

SAML POST Template

Use this table when configuring a SAML authentication scheme based on the profile type POST for communicating security assertions. With the POST profile type, the generated SAML assertion is POSTed to the URL specified in the AssertionConsumerURL portion of the Parameter string.

The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_SAMLPOST The scheme type SAML POST.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthsaml" The default library for this scheme type.
Parameter	pszParam=param The following required parameters: Name. The name of the affiliate. SAMLProfile. The profile type: POST. SAMLVersion. The SAML version in use. The POST profile requires version 1.1. RedirectMode. The way in which the SAML Credentials Collector redirects to the target resource. One of the following numeric values: 0. Meaning: 302 No Data. 1. Meaning: 302 Cookie Data. 2. Meaning: Server Redirect. 3. Meaning: Persist Attributes AssertionConsumerURL. The URL to be sent the generated assertion. Audience. The URI of the document that describes the agreement between the portal and the affiliate. This value is compared with the audience value specified in the SAML assertion. Issuer. The SAML issuer specified in the assertion.
Parameter (con't)	AttributeXPath. A standard XPath query run against the SAML assertion. The query obtains the data that is substituted in a search specification that looks up a user-for example: //saml:AttributeValue/SM:/SMContent /SM:Smlogin/SM:Username.text() This query gets the text of the Username element. attribute. The search string for looking up a user in a user directory of the specified type. Use a percent sign ( % ) to indicate where the value returned from the XPath query should be inserted. For example, if you specify attribute LDAP:uid=%s, and user1 is returned from the query, the search string used for LDAP directories is uid=user1. At least one attribute must be specified. Format of the parameter string is as follows. Separate name/value pairs with semi-colons ( ; ). The format example includes LDAP and ODBC attributes: Name=name;SAMLProfile=POST; SAMLVersion=1.1;RedirectMode=0\|1\|2; AssertionConsumerURL=consumerUrl; Audience=audience;Issuer=issuer; AttributeXpath=XPathQuery; attribute=LDAP:srchSpc;attribute=ODBC:srchSpc
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

SAML 2.0 Template

Use this table when configuring a SAML authentication scheme based on the SAML 2.0 scheme type. A Service Provider uses this authentication scheme to transparently validate a user based on the information in a SAML 2.0 assertion. This transparent validation allows functionality such as single sign-on and single logout.

When you configure a SAML 2.0 authentication scheme, you also define metadata properties for the associated Identity Provider-that is, the Identity Provider that supplies the assertion to the Service Provider.

The properties of the Identity Provider are stored with the authentication scheme object as a separate set of properties. As a result, two structures are used to configure a SAML 2.0 authentication scheme:

The structure fields referenced in the following table are in Sm_PolicyApi_Scheme_t.
The metadata properties for the associated Identity Provider are defined through Sm_PolicyApi_SAMLProviderProp_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_SAML2 The scheme type SAML 2.0.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthsaml" The default library for this scheme type.
Parameter	pszParam="" Set to an empty string. SiteMinder assigns a parameter value. The parameter is a reference to the SAML 2.0 metadata properties for the associated Identity Provider. The properties are defined through Sm_PolicyApi_SAMLProviderProp_t.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

More Information:

Custom Agents and Single Sign-On

SecurID HTML Form Template

Use this table when configuring an authentication scheme based on the scheme type SecurID HTML Form. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_ACEServerHTMLForm The scheme type SecurID HTML Form.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 15.
Library	pszLib="smauthacehtml" The default library for this scheme type.
Parameter	pszParam=param A string containing the name of the attribute that contains the ACE IDs, the Web server where the forms credential collector (FCC) is installed, and the target executable file required for processing SecurID authentication with forms support. It also specifies whether an SSL connection is required. Format: attr;https://server/target Note: The "s" in "https" is optional, depending on whether you want an SSL connection. The following example uses the default for processing SecurID authentication with forms support: ace_id;https://my.server.com/ siteminderagent/forms/smpwservices.fcc .
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

SecurID Template

Use this table when configuring an authentication scheme based on the scheme type SecurID. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_ACEServer The scheme type SecurID.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 15.
Library	pszLib="smauthace" The default library for this scheme type.
Parameter	pszParam=param A string containing the attribute in the authentication user directory that contains the ACE Server user ID.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=1 Set to true (1)-scheme can be used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=1 Set to true (1)-scheme can be used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

smauthetsso authentication scheme

This authentication scheme is similar to the SiteMinder X.509 certification scheme, but with an eSSO cookie as the authentication credential instead of an X.509 credential.

If this scheme is configured for either cookieorbasic or cookieorforms mode, and both an eSSO cookie and login name and password credentials are passed to it, the eSSO cookie is ignored, and the login name and password are used to authenticate the user to SiteMinder.

When the eSSO cookie is the only credential, the authentication scheme uses the ETWAS API to connect to the configured eSSO Policy Server to validate the cookie and extract the user Distinguished Name (DN) from it.

Use this table when configuring an smauthetsso authentication scheme, which is based on the Custom scheme type. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_Custom Uses the Custom scheme type
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 0 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthetsso" The name of the library of this authentication scheme.
Parameter	pszParam=param An ordered set of tokens, separated by semi-colons: <Mode>[; <Target>]; <Admin>; <eTPS_Host> You can add spaces to make the string easier to read. <Mode> specifies the type of credentials that the authenticaion scheme will accept. The following values are possible: cookie -- Only eTrust SSO Cookies are acceptable cookieorbasic -- If an eTrust SSO Cookie is not provided, a login name and password are requested by using Basic Authentication. cookieorforms -- If an eTrust SSO Cookie is not provided, a login name and password are requested by using Forms Authentication. <Target> is valid only with cookieorforms mode. This is identical to the Target field for standard HTML Forms Authentication Scheme. <Admin> specifies the login ID of an administrator for the eTrust Policy Server. The password for this administrator has been specified in the Shared Secret field. <eTPO_Host> specifies the name of the amchine on which the Policy Server is installed. SiteMinder will authenticate itself as <Admin> to the eTrust Policy Server on the <eTPS_Host> so that SiteMinder can request validation of eTrust SSO cookies. Examples: pszParam="cookie; SMPS_sso; myserver.myco.com" pszParam="cookieorforms; /siteminderagent/forms/login.fcc; SMPS_sso; myserver.myco.com"
Shared secret	pszSecret=secret The password of the eTrust Policy Server administrator named in the Paramter field.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=flag Set to true (1) to specify that the scheme can be used to authenticate administrators, or to false (0) to specify that the scheme cannot be used to authenticate administrators. Default is 0.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

TeleID Template

Use this table when configuring an authentication scheme based on the scheme type TeleID. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_Encotone The scheme type TeleID.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 15.
Library	pszLib="smauthencotone" The default library for this scheme type.
Parameter	pszParam="" Set to an empty string. Not applicable to this scheme.
Shared secret	pszSecret=seed The encryption seed. SiteMinder uses this value as an encryption seed for initializing hardware tokens.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=1 Set to true (1)-scheme can be used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=1 Set to true (1)-scheme can be used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

Windows Authentication Template

Use this table when configuring an Integrated Windows Authentication scheme based on the scheme type Windows Authentication (previously known as NTLM). This scheme type is used to authenticate against WinNT or Active Directory user stores.

An Active Directory can be configured to run in mixed mode or native mode. An Active Directory supports WinNT style authentication when running in mixed mode. In native mode, an Active Directory supports only LDAP style lookups.

This authentication scheme supports either mixed mode or native mode.

The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_NTLM The scheme type Windows Authentication (NTLM).
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthntlm" The default library for this scheme type.
Parameter	pszParam=param The value of pszParam determines the style of authentication to perform for this scheme: NTLM authentication (for WinNT or Active Directory running in mixed mode) Format: iis-web-server-url/path-to-ntc-file In the format, iis-web-server-url is the name of the IIS web server that is the target of the redirection, and path-to-ntc-file is the location of the .ntc file that collects the WinNT credentials. For example: http://myiiswebserver.mycompany.com/ siteminderagent/ntlm/creds.ntc A SiteMinder Web Agent must be installed on the specified server. By default, the Web Agent installation creates a virtual directory for NTLM credential collection. Windows Authentication (for Active Directory running in native mode) With this authentication style, pszParam has an LDAP filter added to the beginning of the redirection URL. The filter and URL are separated by a semi-colon (;). For example: cn=%{UID},ou=Users,ou=USA,dc=%{DOMAIN}, dc=mycompany,dc=com;http:// myiiswebserver.mycompany.com/ siteminderagent/ntlm/creds.ntc SiteMinder uses the LDAP filter to map credentials received from the browser/Web Agent to an LDAP DN or search filter.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag For WinNT and for Active Directory running in mixed mode, this property must be true (1)-ignore password checking. For Active Directory running in native mode, set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

WS-Federation Template

Use this table when configuring a WSFED authentication scheme based on the WSFED scheme type. A Resource Partner uses this authentication scheme to transparently validate a user based on the information in a SAML 1.0 assertion. This transparent validation allows functionality such as single sign-on and single logout.

When you configure a WSFED authentication scheme, you also define metadata properties for the associated Account Partner, that is, the Account Partner that supplies the assertion to the Resource Partner.

The properties of the Account Partner are stored with the authentication scheme object as a separate set of properties. As a result, two structures are used to configure a WSFED authentication scheme:

The structure fields referenced in the following table are in Sm_PolicyApi_Scheme_t.
The metadata properties for the associated Account Partner are defined through Sm_PolicyApi_WSFEDProviderProp_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_WSFED The scheme type WSFED.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthsaml" The default library for this scheme type.
Parameter	pszParam="" Set to an empty string. SiteMinder assigns a parameter value. The parameter is a reference to the WSFED metadata properties for the associated Account Partner. The properties are defined through Sm_PolicyApi_WSFEDProviderProp_t.
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.

More Information:

WS-Federation

X.509 Client Cert and Basic Template

Use this table when configuring an authentication scheme based on the scheme type X.509 Client Certificate and Basic. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType= Sm_Api_SchemeType_X509ClientCertAndBasic The scheme type X.509 Client Certificate and Basic.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 15.
Library	pszLib="smauthcert" The default library for this scheme type.
Parameter	pszParam=param A string containing the domain or IP address of the SSL server and the name and path of the SSL Credentials Collector (SCC). The server redirects a user's X.509 certificate over an SSL connection. Format: https://server:port/SCC?cert+basic The following example uses the default SCC: https://my.server.com:80/siteminderagent/ cert/smgetcred.scc?cert+basic
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

X.509 Client Cert and Form Template

Use this table when configuring an authentication scheme based on the scheme type X.509 Client Certificate and Form. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType= Sm_Api_SchemeType_X509ClientCertAndForm The scheme type X.509 Client Certificate and HTML Form.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 15.
Library	pszLib="smauthcert" The default library for this scheme type.
Parameter	pszParam=param A string containing the domain or IP address of the SSL server and the name and path of the forms credentials collector (FCC). The server redirects a user's X.509 certificate over an SSL connection. Format: https://server:port/FCC?cert+forms The following example uses the default FCC: https://my.server.com:80/siteminderagent/ certoptional/forms/login.fcc?cert+forms
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to 0-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to 0 to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to 0-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to 1 to ignore password checking, or 0 to check passwords. Default is 0.

X.509 Client Cert or Basic Template

Use this table when configuring an authentication scheme based on the scheme type X.509 Client Certificate or Basic. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType= Sm_Api_SchemeType_X509ClientCertOrBasic The scheme type X.509 Client Certificate or Basic.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthcert" The default library for this scheme type.
Parameter	pszParam=param A string containing the following information: Server for establishing an SSL connection. This server redirects a user's X.509 certificate over an SSL connection. Name and path of the SSL Credentials Collector (SSC). If you are using basic authentication over SSL, also provide the following two pieces of information: The fully qualified name of the SSL server used for establishing an SSL connection for basic authentication. Name and path of the SSL Credentials Collector (SSC). https://SSLserver:port/SCC?certorbasic; [https://BasicServer/SCC] The following example uses the default SCC values: https://my.SSLserver.com:80/siteminderagent/ certoptional/smgetcred.scc?certorbasic; https://my.BasicServer.com/ siteminderagent/nocert/smgetcred.scc
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to true (1) to ignore password checking, or false (0) to check passwords. Default is 0.

X.509 Client Cert or Form Template

Use this table when configuring an authentication scheme based on the scheme type X.509 Client Certificate or Form. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType= Sm_Api_SchemeType_X509ClientCertOrForm The scheme type X.509 Client Certificate or HTML Form.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthcertorform" The default library for this scheme type.
Parameter	CpszParam=param A string containing the following information: Server for establishing an SSL connection. This server redirects a user's X.509 certificate over an SSL connection. Name and path of the SSL and forms credentials collector (SFCC). If you are using an alternate forms-based authentication over SSL, also provide the following two pieces of information: The fully qualified name of the SSL server used for establishing an SSL connection for authentication. Name and path of the Forms Credentials Collector (FCC). https://SSLserver:port/SFCC?certorform; [https://BasicServer/FCC] The following example uses the default SCC values: https://my.SSLserver.com:80/siteminderagent/ certoptional/forms/login.sfcc?certorform; https://my.BasicServer.com/ siteminderagent/forms/login.fcc
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to 0-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to 0 to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to 0-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=flag Set to 1 to ignore password checking, or 0 to check passwords. Default is 0.

X.509 Client Cert Template

Use this table when configuring an authentication scheme based on the scheme type X.509 Client Certificate. The structure fields referenced in the table are in Sm_PolicyApi_Scheme_t.

Information Type	Value Assignment and Meaning
Scheme type	nType=Sm_Api_SchemeType_X509ClientCert The scheme type X.509 Client Certificate.
Description	pszDesc=description The description of the authentication scheme.
Protection level	nLevel=value A value of 1 through 1000. The higher the number, the greater degree of protection provided by the scheme. Default is 5.
Library	pszLib="smauthcert" The default library for this scheme type.
Parameter	pszParam=param A string containing the domain or IP address of the server responsible for establishing the SSL connection and the name and path of the SSL Credentials Collector (SCC). The server redirects a user's X.509 certificate over an SSL connection. Format: https://server/SCC?cert The following example uses the default SCC value: https://my.server.com/siteminderagent/ cert/smgetcred.scc?cert
Shared secret	pszSecret="" Set to an empty string. Not applicable to this scheme.
Is template?	bIsTemplate=0 Set to false (0) to indicate that the scheme is not a template. Any other value is ignored.
Is used by administrator?	bIsUsedbyAdmin=0 Set to false (0)-scheme is not used to authenticate administrators.
Save credentials?	bAllowSaveCreds=0 Set to false (0) to indicate that user credentials won't be saved.
Is RADIUS?	bIsRadius=0 Set to false (0)-scheme is not used with RADIUS agents.
Ignore password check?	bIgnorePwCheck=1 Set to true (1)-ignore password checking.