Delegated authentication lets a third-party access management system authenticate a user and then share the credentials with CA SiteMinder® Federation Standalone deployed on the asserting party. These credentials are shared either through a cookie, or in a query string. The cookie is generated using the CA SiteMinder® Federation Standalone Java SDK so that CA SiteMinder® Federation Standalone can decrypt it.
Note: This document describes delegated authentication using the cookie and the Java SDK. For information about delegated authentication using a query string, see the Federation Standalone Guide.
If the third-party access manager intends to use a cookie to communicate the authenticated user ID, the access control application must follow these steps:
To construct the implementation class, the access control manager must know the Cookie Zone and Password through an out-of-band communication. The third-party access management system must be in the same cookie domain as the asserting party.
The constructor to use when creating a cookie for delegated authentication is as follows.
/**
* This constructor loads customized parameters for the cookie.
*
* @param zoneName Cookie zone name (the default is FED)
* @param password String used for cookie encryption
* @param domain string used to indicate the cookie domain
* @param obj the object of FedSdkLogger class
*/
public FederationIdentityImpl(String zoneName, String password, String domain,
                              FedSdkLogger obj) throws JavaSDKException
Note: The last parameter is a FedSdkLogger object. If the third-party access management system implements its own logger, the reference is passed here. Otherwise, null is passed, and the SDK uses the default logging implementation.
To call the createProfileCookie method, the third-party access control application must know the ID of the Remote Entity Service Provider configured in the Asserting Party->Relying Party partnership.
The createProfileCookie method signature is as follows.
/**
* Creates a <ZONE>PROFILE cookie and populates it with the passed in values.
* The zone to use was configured when this object was constructed.
* @param providerID - the provider for whom to create the cookie
* @param loginID - the user ID
* @param response - the response object to which the cookie is added
* @throws JavaSDKException
*/
public void createProfileCookie(String providerID,
                                String loginID,
                                HttpServletResponse response) throws JavaSDKException;
Here is a code snippet example of the cookie creation:
// The cookie zone, cookie domain, and password are agreed out-of-band with the
// asserting party and come from the application's own configuration, never from
// parameters of the incoming request.
String zone = "FED";
String domain = ".ca.com";
String password = getServletConfig().getInitParameter("fedCookiePassword");
FederationIdentity fedIdentity =
    new FederationIdentityImpl(zone, password, domain, null); // null: use the SDK default logger
fedIdentity.createProfileCookie("ServiceProviderID", "JaneDoe", response);
The createProfileCookie method uses the provider ID and user ID to create an encrypted cookie value and adds it to the HttpServletResponse object. When the user is then redirected to the asserting party, the browser presents the cookie with that request.
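The following servlet is an added example, not code from the CA SiteMinder documentation or the SDK. It puts the two steps above together on the third-party access manager: the cookie zone, domain, password, Remote Entity Service Provider ID, and the asserting party URL are read from servlet init-parameters (parameter names are assumptions), the user must already be authenticated by the access manager before a cookie is issued (request.getUserPrincipal() stands in for that check), and the redirect target is fixed configuration rather than caller input. FederationIdentity, FederationIdentityImpl and JavaSDKException are the SDK classes named on this page; add the import for their package as documented in your SDK jar.

```java
// Added example: a servlet on the third-party access manager that issues the
// delegated-authentication cookie and hands the user to the asserting party.
// Init-parameter names, the principal check and the redirect URL are assumptions.
// FederationIdentity, FederationIdentityImpl and JavaSDKException come from the
// Federation Standalone Java SDK jar (import its package as documented there).
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class DelegatedAuthServlet extends HttpServlet {

    private String zone;
    private String domain;
    private String password;
    private String providerId;
    private String assertingPartyUrl;

    @Override
    public void init() throws ServletException {
        // Zone, domain and password are agreed out-of-band with the asserting party
        // and loaded from deployment configuration, never from the incoming request.
        zone = initParam("fedCookieZone");           // e.g. FED, the SDK default zone
        domain = initParam("fedCookieDomain");       // must be the asserting party's cookie domain
        password = initParam("fedCookiePassword");
        providerId = initParam("remoteServiceProviderId");
        assertingPartyUrl = initParam("assertingPartyUrl"); // fixed target, not taken from the caller
    }

    private String initParam(String name) throws ServletException {
        String value = getServletConfig().getInitParameter(name);
        if (value == null || value.isEmpty()) {
            throw new ServletException("missing required init-param: " + name);
        }
        return value;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Only a user the access manager has already authenticated may be asserted
        // to the federation partner; an unauthenticated request gets no cookie.
        if (request.getUserPrincipal() == null) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String loginId = request.getUserPrincipal().getName();

        try {
            // null logger: the SDK falls back to its default logging implementation.
            FederationIdentity fedIdentity =
                new FederationIdentityImpl(zone, password, domain, null);
            // Encrypts provider ID and user ID and adds the <ZONE>PROFILE cookie to the response.
            fedIdentity.createProfileCookie(providerId, loginId, response);
        } catch (JavaSDKException e) {
            // Keep zone and password details out of the browser response; log server-side.
            log("delegated authentication cookie creation failed", e);
            response.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }

        // The browser presents the cookie on this redirect; the asserting party
        // decrypts it and continues the federation flow for the authenticated user.
        response.sendRedirect(assertingPartyUrl);
    }
}
```

Because the cookie carries the asserted identity, the servlet must be reachable only behind the access manager's own authentication, and the password it encrypts with belongs in protected deployment configuration rather than in request data or source code.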
The default Java SDK logger writes messages to the standard output stream. Logging is disabled by default.
To enable CA SiteMinder® Federation Standalone Java SDK logging
Logging is enabled.
The Java SDK sample application simulates a relying party Java application. The application consumes the cookie sent by the CA SiteMinder® Federation Standalone deployment running at the relying party of the federation partnership.
The sample application demonstrates how a Java application can get the cookie from the incoming request and extract user identity information and the assertion attributes that are sent to the relying party. The sample application requires that CA SiteMinder® Federation Standalone is installed at the relying party and is configured to redirect the user to the URL of the sample application servlet.
Copyright © 2014 CA.
All rights reserved.