A response passes static text, user attributes, DN attributes, customized active responses, or the runtime values of defined variables from the Policy Server to a CA SiteMinder® Agent. Responses can be used by servlets, Web applications, or other custom applications to display customized content, change CA SiteMinder® settings, or redirect users to different resources. When working with Web applications, responses can be used as privileges or entitlements for fine-grained access control.
A policy contains rules and responses which are bound to users and user groups. In a policy, responses are bound to specific rules or rule groups. When a rule fires, the associated response returns information to a CA SiteMinder® Agent.
Responses take the form of name/value pairs. When a rule is triggered, the Policy Server returns the paired response to the CA SiteMinder® Agent.
For example, if a user attempts to access a protected Web page, but is not authorized to view the contents of the page, a response can redirect the user to an HTML page that indicates the user does not have access, and provide details for contacting a system administrator.
For Web Agents, CA SiteMinder® adds response attributes to HTTP header variables or HTTP cookie variables so that the responses are available to the Web resource or application named in the rule. In a RADIUS environment, the response is returned to the RADIUS client.
A response is a container for one or more response attributes. The response attributes are what a CA SiteMinder® Agent receives after the Policy Server processes a response. The available response attributes differ based on the type of response.
The following types of responses are available:
Note: You can create response types for custom Agents and response attributes using the CA SiteMinder® APIs, which are available separately with the Software Development Kit. More information exists in the API Reference Guide for C.
Web Agent responses are CA SiteMinder® responses that provide name/value pairs usable by a CA SiteMinder® Web Agent. These responses can contain attributes for HTTP header variables, cookie variables, and URLs for redirections.
RADIUS responses are CA SiteMinder® responses that provide values usable by a RADIUS Agent. These responses can contain response attributes for all supported RADIUS attributes.
Each CA SiteMinder® response contains one or more response attributes. These attributes differ based on the type of response. The following sections discuss the response attributes that are available for each type of response.
Web Agent response attributes are response attributes that CA SiteMinder® agents can interpret and pass on to other applications. The following list describes the generally available Web Agent response attributes:
Indicates an attribute that is reserved for future use.
Generates a SetCookie header, which then sets a nonpersistent cookie in a web browser. The cookies only exist in the cookie domain where the agent is configured. You can enter multiple WebAgent-HTTP-Cookie-Variables.
Limits: Use in accept or reject responses. Multiple instances of this attribute are allowed per response.
Specifies an arbitrary dynamic name/value pair for use by a web application. You can enter multiple WebAgent-HTTP-Header-Variables.
The agent does not include header variables in the responses that it sends back to a web browser. Instead, these responses reside in the request headers of the web server.
Consequently, the header variables are not visible in the debug logs that you can enable from the Policy Server Management Console.
Limits: Use in accept or reject responses. Multiple instances of this attribute are allowed per response.
Generates a response with an open format cookie that is then set in a web browser. The open format cookie provides identity information about a user. You can select multiple identity attributes to include specific identity information in the cookie.
Options: Use in an OnAuthAccept or OnAccessAccept response. Multiple instances of this attribute are allowed per response.
Defines one of the following URLs, depending on the type of response in which it is used:
To specify whether an authorization response or authentication response, include it in a policy with a rule that specifies an OnAuthAccept or OnAccessAccept event action.
Limits: Use in accept responses. Only one instance of this attribute is allowed per response.
Specifies text that the Web Agent puts in the HTTP_ONACCEPT_TEXT environment variable when it redirects the user after a successful authorization or authentication attempt.
Limits: Use in accept responses. Only one instance of this attribute is allowed per response.
Note: When configuring a Web Agent OnAcceptText response, set the FCC Compatibility Mode parameter (fcccompatmode) corresponding to the Web Agent to yes. This action ensures that user authentication takes place at the Web Agent and that the text is available for display in the browser. If the FCC Compatibility Mode parameter is set to no, user authentication takes place at the Forms Credential Collector (FCC). The response is triggered, but the text in the response is lost.
Overrides the number of seconds a user session can be idle. When this limit is reached, the user is forced to authenticate again. Associate this response with a rule configured with an OnAuthAccept authentication event.
Limits: Use in accept responses. Only one instance of this attribute is allowed per response.
Overrides the total number of seconds a user session can be active. When this limit is reached, the user session is terminated and the user is forced to authenticate again. Associate this response with a rule configured with an OnAuthAccept authentication event.
Limits: Use in accept responses. Only one instance of this attribute is allowed per response.
Specifies an AuthContext response attribute for an authentication scheme. The value of this response attribute is added to the session ticket as the value of the SM_AUTHENTICATIONCONTEXT user attribute. The value is not returned to the client as a user response.
Note: The response attribute value is truncated to 80 bytes in length.
Limits: Used in accept responses. Only one instance of this attribute is allowed per response.
Stores a particular Session Variable in the session store when an administrator has decided against persisting all authentication data.
Limits:Used in accept responses. Persistent Sessions are enabled.
Defines one of the following URLs:
To specify an authorization response or authentication response, include it in a policy with a rule that specifies an OnAuthReject or OnAccessReject event action.
Limits: Use in reject responses. Only one instance of this attribute is allowed per response.
Specifies text that the Web Agent puts in the HTTP_ONREJECT_TEXT environment variable when it redirects the user after a failed authorization or authentication attempt.
Limits: Use in reject responses. Only one instance of this attribute is allowed per response.
Generates a response that specifies that the requested resource is sensitive and requires that a user must validate their identity before being granted access. This validation is required each time the user requests access, even if they have a valid session.
Options: Use in accept responses. Only one instance of this attribute is allowed per response.
The following response attributes are also available but only applicable for use with CA SiteMinder® Web Services Security WSS Agents:
Provides Policy Server data that the SiteMinder WSS Agent uses to generate a SAML assertion. The data is inserted into an XML message HTTP or SOAP envelope header or a cookie (as specified by associated response attributes).
When you configure a SAML Session Ticket response, the Policy Server generates the response data. This data instructs the SiteMinder WSS Agent how to build the assertion. The SiteMinder WSS Agent encrypts a session ticket (and optionally, the public key from a web service consumer) and the response data. The agent then generates the assertion. The agent delivers the assertion to the web service. The token can only be encrypted and decrypted by the SiteMinder WSS Agent using its Agent key.
Provides Policy Server data that the SiteMinder WSS Agent uses to generate WS-Security Username, X509v3, or SAML tokens (as specified by associated response attributes). These tokens are added to a SOAP message header.
When you configure a WS-Security response, the Policy Server generates the response data. This data instructs the SiteMinder WSS Agent how to build the token. The agent then generates and adds the token to the SOAP request and delivers it to the web service.
RADIUS Agent response attributes are response attributes that RADIUS Agents can interpret. All of the response attributes supported by CA SiteMinder® correspond to the attributes described in the Request for Comments (RFC) 2138, which describes attributes supported by the RADIUS protocol.
Directory mappings let you specify a separate authorization user directory in application object component or a realm. When you define a separate authorization directory, a user is authenticated based on the information contained in one directory, but authorized based on the information contained in another directory.
When you create a response and associate it with a authentication (OnAuth) event, any information retrieved from a user directory is retrieved from the authentication directory. If you create an authorization (OnAccess) event, any information retrieved from a user directory is retrieved from the authorization directory.
Copyright © 2013 CA.
All rights reserved.
|
|