The message consumer plug-in is a Java program that implements the Message Consumer Plug–in. The plug-in lets you implement your own business logic for processing assertions, such as rejecting an assertion and returning a status code. This additional processing works together with the standard processing of an assertion.
Note: For more information about status codes for authentication and disambiguation, see the CA SiteMinder® Programming Guide for Java.
During authentication, CA SiteMinder® first tries to process the assertion by mapping a user to its local user store. If CA SiteMinder® cannot find the user, it calls the postDisambiguateUser method of the message consumer plug-in.
If the plug-in successfully finds the user, CA SiteMinder® proceeds to the second phase of authentication. If the plug-in cannot map the user to a local user store, the plug-in returns a UserNotFound error. The plug-in can optionally use the redirect URL feature. Without the consumer plug-in, the redirect URLs are based on the error that the SAML authentication scheme generates.
During the second phase of authentication, CA SiteMinder® calls the postAuthenticateUser method of the message consumer plug-in, if the plug-in is configured. If the method succeeds, CA SiteMinder® redirects the user to the requested resource. If the method fails, you can configure the plug-in to send the user to a failure page. The failure page can be one of the redirect URLs that you can specify with the authentication scheme configuration.
Additional information about the message consumer plug-in can be found as follows:
To configure the plugin
Create a custom message consumer plug-in by implementing the MessageConsumerPlugin.java interface. The minimum requirements for the implementation class are listed in the following procedure.
Follow these steps:
The MessageConsumerPlugin includes the following four methods:
Performs any initialization procedures that the plug-in requires. CA SiteMinder® calls this method once for each plug-in instance, when the plug-in is loaded.
Performs any rundown procedures that the plug-in requires. CA SiteMinder® calls this method once for each plug-in instance, when CA SiteMinder® is shutting down.
Provides processing to disambiguate a user when the authentication scheme is unable to do so. Alternatively, this method can add data for new federation users to a user store. This method receives the decrypted assertion. The decrypted assertion is added to the properties map passed to plug-in under the key "_DecryptedAssertion".
Provides additional code to determine the final outcome of assertion processing, regardless of whether the Policy Server processing is a success or failure.
CA SiteMinder® provides the following samples of the Message Consumer plug-in class:
MessageConsumerPluginSample.java in installation_home\sdk\samples\messageconsumerplugin
MessageConsumerSAML20.java in installation_home\sdk\samples\authextensionsaml20
After you have coded your implementation class for the MessageConsumerPlugin interface, compile it and verify that CA SiteMinder® can find your executable file.
To deploy the Message Consumer Plugin:
installation_home\siteminder\bin\jars\SmJavaApi.jar
An identical copy of SmJavaApi.jar is installed with CA SiteMinder® SDK. The file is in the directory installation_home\sdk\java\SmJavaApi.jar.
You can use either of them at development time.
Note: Do not modify the classpath for the existing xerces.jar, xalan.jar, or SmJavaApi.jar.
After writing a message consumer plug-in and compiling it, enable the plug-in by configuring settings in the Administrative UI. The UI settings tell CA SiteMinder® where to find the plug-in.
Do not configure the plug-in settings until you deploy the plug-in.
To enable the message consumer plug-in
Specify the Java class name for the plug-in, For example, a sample class included with the CA SiteMinder® SDK is:
com.ca.messageconsumerplugin.MessageConsumerPluginSample
Specify a string of parameters that are passed to the plug-in specified in the Full Java Class Name field.
As an alternative to configuring the plug-in in the Administrative UI, use the Policy Management API (C or Perl) to set the IdpPluginClass and IdpPluginParameters.
For single sign-on processing, you can configure several optional redirect URLs if a user cannot be authenticated at the Resource Partner. The redirect URLs allow finer control over where a user is redirected. For example, when a user cannot be located in a user store, the Redirect URL for the User Not Found specification can redirect the user to the appropriate location.
Note: These URLs are not required.
If you do not configure redirect URLs, standard SiteMinder processing takes place. How SiteMinder handles a failed authentication depends on the configuration.
If a Resource Partner cannot authenticate a user during a single sign-on transaction, the Resource Partner can redirect that user to a customized URL for further processing.
You can configure several optional redirect URLs for failed authentication. If the assertion is not valid, the redirect URLs allow finer control over where a user is redirected. For example, if a user cannot be located in a user store, you can fill in a User Not Found redirect URL.
The Status Redirect URLs and Modes are in the Additional Configuration section of the authentication dialog. The redirect URLs are for specific status conditions:
If any of the conditions occur, redirect URLs can send the user to an application or a customized error page for further action.
Note: Configuring redirect URLs is not required.
To configure optional Redirect URLs
If enter a value for the Redirect URL for the Invalid SSO Message status, select a mode.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Federation Web Services handles the errors by mapping the authentication reason into one of the configured redirect URLs. The user can be redirected to that URL to report the error.
Note: These redirect URLs can be used with the CA SiteMinder® message consumer plug-in for further assertion processing. If authentication fails, the plug-in can send the user to one of the redirect URLs you specify.
Copyright © 2013 CA.
All rights reserved.
|
|