SmAuthenticate()

Programming Guides › Programming Guide for C › Authentication API › Create a Custom Authentication Scheme Library › SmAuthenticate()

SmAuthenticate()

Authenticates user credentials.

Syntax

Sm_AuthApi_Status_t SM_EXTERN SmAuthenticate (
   const Sm_Api_Context_t*             lpApiContext,
   const Sm_Api_UserContext_t*         lpUserContext,
   const Sm_AuthApi_UserCredentials_t* lpUserCredentials,
   const Sm_Api_Reason_t               nChallengeReason,
   const char*                         lpszParam,
   const char*                         lpszSharedSecret,
   const int                           nBytesUserMsg,
   char*                               lpszUserMsg,
   const int                           nBytesErrMsg,
   char*                               lpszErrMsg
);

Parameter	I/O	Description
lpApiContext	I	Pointer to the API context structure.
lpUserContext	I	Pointer to the user context structure.
lpUserCredentials	I	Pointer to the user credentials context structure.
nChallengeReason	I	The reason for the original challenge, otherwise 0.
lpszParam	I	Pointer to the buffer containing the null-terminated parameter string as specified for the authentication scheme.
lpszSharedSecret	I	Pointer to the buffer containing the null-terminated shared secret string as specified for the authentication scheme.
nBytesUserMsg	I	Maximum size of the lpszUserMsg buffer to receive the user message—4097 bytes, including the string termination character.
lpszUserMsg	O	Output buffer to receive the user message. This message can be the challenge text or any other message that the scheme developer wants to present to the user through a mechanism external to SiteMinder. The Agent stores this message in the HTTP_SM_USERMSG HTTP variable. For RADIUS authentication, the user message is returned in the REPLY-MESSAGE response attribute.
nBytesErrMsg	I	Maximum size of the lpszErrMsg error buffer—4097 bytes, including the string termination character.
lpszErrMsg	O	Output buffer to receive the error text. Use this buffer to return an error message to SiteMinder.

Returns

Use the SM_MAKEAUTH_STATUSVALUE macro to construct the return value. This macro is defined in SmApi.h.

The syntax of the macro is as follows:

SM_MAKEAUTH_STATUSVALUE(status, reason)

The macro's parameters are:

status—An Sm_AuthApi_Status_t enumeration. Different status codes can be returned when SmAuthenticate() is called during disambiguation and when it is called during authentication, as follows:
During the disambiguation phase (for descriptions, see the description in User Disambiguation, which follows):

Sm_AuthApi_NoUserContext

Sm_AuthApi_Success
Sm_AuthApi_SuccessUserDN
Sm_AuthApi_SuccessUserFilter
Sm_AuthApi_Attempt
Sm_AuthApi_Failure

During the authentication phase (for descriptions, see the description in User Authentication, which follows):

Sm_AuthApi_Accept
Sm_AuthApi_Reject
Sm_AuthApi_Challenge
Sm_AuthApi_Failure

reason—An Sm_Api_Reason_t enumeration. For the valid values in this enumeration, see Sm_Api_Reason_t. Note that:
- Values 0 - 31999 are reserved for use by SiteMinder.
- Values 32000 - 32767 are available for user-defined reasons.

Remarks

The authentication process includes two phases—user disambiguation and user authentication. During each phase, SmAuthenticate() is called at least once:

During disambiguation, it is called once per directory where disambiguation occurred
During authentication, it is called once per user found in the directory

The basic steps are as follows:

User login. The user supplies a login ID (such as jsmith) for authentication purposes.
Disambiguation phase. User disambiguation is the process of locating a user in the user store, such as an LDAP user directory or an ODBC database. Either SiteMinder or the custom authentication scheme can look up the user in the user store.
Before the lookup operation can begin, a complete DN or a search expression must be constructed based upon the supplied login ID. For example, if the login ID is jsmith, the DN used to search the user store might be constructed as follows:
```
uid=jsmith,ou=marketing,o=myorg.org
```
An LDAP search expression can also be used to search an LDAP user directory, and a SQL query is used to search an ODBC database—for example:
```
(&(objectclass=inetOrgPerson)(uid=jsmith))
```
select Name from SmUser where Name = 'jsmith'

Multiple results are possible, given that the LDAP DN or the ID stored in the ODBC database might apply to different users who have different passwords.
Authentication phase. The custom authentication scheme compares the known credentials of each disambiguated user with the credentials supplied during login—for example, by comparing the hash of the supplied password against the hash in the user store.

User Disambiguation

SiteMinder first calls SmAuthenticate() at the beginning of the user disambiguation phase.

Either SiteMinder or the custom authentication scheme can disambiguate the user. The authentication scheme indicates whether it has performed the disambiguation through one of the following return codes:

Sm_AuthApi_NoUserContext
The authentication scheme asks SiteMinder to disambiguate the user.

When this code is returned, the authentication scheme leaves the parameter lpszUserMsg empty. SiteMinder gets the login ID from the Agent, constructs the DN or search expression based on the login ID and the information defined in the SiteMinder User Directory Properties dialog box, and disambiguates the user by looking up the user in the user store.
Sm_AuthApi_Success
The authentication scheme asks SiteMinder to disambiguate the user.

The authentication scheme puts the login ID into lpszUserMsg. SiteMinder uses that value to construct the DN or search expression and disambiguate the user in the user store. This approach gives the authentication scheme the opportunity to modify the login ID before SiteMinder disambiguates the user.

Note: If the authentication scheme leaves lpszUserMsg empty, SiteMinder uses the login ID provided by the Agent (the same behavior as with return code SmAuthApi_NoUserContext).

Sm_AuthApi_SuccessUserDN
The authentication scheme disambiguates the user by constructing the complete DN or search expression and looking up the user in the user store. The authentication scheme passes the user's complete DN or ODBC database ID to SiteMinder in lpszUserMsg. Only one DN or database ID can be passed in lpszUserMsg.
Sm_AuthApi_SuccessUserFilter
SiteMinder disambiguates the user based upon a standard LDAP search filter that the authentication scheme constructs and passes in lpszParam. When SiteMinder is passed this return code, it ignores the Start and End field values configured for the user directory.
Sm_AuthApi_Attempt. The user cannot be found in the directory.
Sm_AuthApi_Failure
This is returned if an error condition exists. Error text is returned in lpszUserMsg.

User Authentication

During this phase, SiteMinder calls SmAuthenticate() again to verify the supplied credentials after the user context has been established during disambiguation. The function returns one of the following return codes:

Sm_AuthApi_Accept. The user is authenticated.
Sm_AuthApi_Reject. The user is not authenticated.
Sm_AuthApi_Challenge. The user is challenged. The scheme should store the challenge to be presented to the user in lpszUserMsg. Also, a reason code must be supplied in the SM_MAKEAUTH_STATUSVALUE macro. For information about the reason code, see Returns.
Sm_AuthApi_Failure. An error condition occurred. Error text is returned in lpszUserMsg.

Example

Sm_AuthApi_Status_t SM_EXTERN SmAuthenticate (
const Sm_Api_Context_t*lpApiContext, 
// The structure that provides API context
const Sm_Api_UserContext_t*lpUserContext, 
// The structure that allows access to user properties
const Sm_AuthApi_UserCredentials_t* lpUserCredentials, 
// The user credentials
unsigned char  bChallengeResponse, 
// Boolean indicating whether this is the response to a challenge
const char*  lpszServerParam,  
// The parameter to be passed to the server
const char* lpszSharedSecret, 
// The shared secret to be passed to the server
const int  nBytesUserMsg,               
// Maximum size of the user message buffer
char*   lpszUserMsg, 
// Output buffer to hold the null-terminated user message
const int  nBytesErrMsg, 
// Maximum size of the error buffer
char*   lpszErrMsg) 
// Output buffer to hold the null-terminated error message
{
if (!lpUserContext->bIsUserContext)
   return Sm_AuthApi_NoUserContext;
return (0 == lpUserContext->fAuthenticate (
             lpUserContext->lpParam,
             lpUserCredentials->lpszPassword,
             nBytesUserMsg,
             lpszUserMsg,
             nBytesErrMsg,
             lpszErrMsg) ? Sm_AuthApi_Accept : Sm_AuthApi_Reject);
}

Email CA about this topic