Authentication events occur as SiteMinder tries to establish a user's identity. As a rule action, an authentication event causes the Policy Server to fire a rule at a particular point in the authentication process.
Authentication events occur when a user accesses a resource protected by a rule that includes an On-Auth event. Unlike Web Agent actions or authorization events, authentication events always apply to the entire realm. You can't create an On-Auth rule that applies to a portion of a realm.
The following is a list of possible On-Auth events:
OnAuthAccept: Occurs if authentication was successful. This event may be used to redirect a user after a successful authentication.
OnAuthReject: Occurs if authentication failed for a user who is bound to a policy containing an On-Auth-Reject rule. This event may be used to redirect the user after a failed authentication.
OnAuthAccept and OnAuthReject events fire both at authentication time (when the user enters a username and password) and at validation time (when the user's session cookie is read for user information). However, certain special actions occur only at authentication time:
Timeouts: Unless you have a version of the Web Agent that supports the EnforceRealmTimeouts option and that option is enabled, the Idle and Max Timeouts for the user stay at the values for the realm in which the user last authenticated (they change only if the user has to reenter credentials). See section 3.3 of the SiteMinder 4.x Web and Affiliate Agent Quarterly Maintenance Release 4 Release Notes for more information on EnforceRealmTimeouts.
Redirects: Redirects are allowed only at authentication time, for a number of reasons; one of the most practical is that it would be very easy to configure an infinite redirection loop if OnAuth redirection were also allowed at validation time.
Password: The password is not stored in the SMSESSION cookie, so the only time it is available is when the user actually enters it (authentication time).
Note: OnAuth event results are per realm. For example, if a user goes from realm A to realm B and had an OnAuthAccept header in realm A, that header is not available in realm B; when the user returns to realm A, the header is set again.
OnAuthAttempt: Occurs if the user was rejected because SiteMinder does not know this user (an unregistered user, for example, can be redirected to register first).
OnAuthChallenge: Occurs when custom challenge-response authentication schemes are activated (for example, a token code). This event is used only to trigger Active Responses; do not use it to trigger any other type of response.
A rule with an authentication event action may be coupled with a SiteMinder response in a policy. When a user is authenticated (or rejected), the Policy Server passes any response associated with the applicable On-Auth rule back to the requesting Agent.
Note: To optimize SiteMinder performance and limit the number of times the Web Agent must retrieve static information from the Policy Server, you can set up a rule based on the OnAuthAccept authentication event, then create a response that returns the static information. When you bind the rule and response in a policy, the rule fires for users specified in the policy, and the static response is only returned to users who successfully authenticate.
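As an added illustration (not CA's code or a SiteMinder API), the following Python model captures the firing rules described above: which event fires for a credential login versus a cookie validation, that redirect responses take effect only at authentication time, that header responses belong to the realm that returned them, and why honouring redirects at validation time would loop. The Realm and Request classes, the user store and the response tables are constructed assumptions for the example.

```python
# Toy model of SiteMinder On-Auth event firing (added illustration, not CA code).
from dataclasses import dataclass, field
from typing import Optional
@dataclass
class Request:
    realm: str
    credentials: Optional[dict] = None      # user/password present => authentication time
    session_cookie: Optional[bool] = None   # SMSESSION: None=absent, True=valid, False=invalid

@dataclass
class Realm:                                # constructed: user store and response tables
    name: str
    users: dict                             # user -> password
    responses: dict = field(default_factory=dict)  # event name -> [(kind, value), ...]

def evaluate(realm, req, allow_redirect_at_validation=False):
    """Return the On-Auth event fired in this realm and what the Agent applies."""
    if req.credentials:                                   # authentication time
        user = req.credentials.get("user")
        if user not in realm.users:
            event = "OnAuthAttempt"                       # user unknown to SiteMinder
        elif realm.users[user] != req.credentials.get("password"):
            event = "OnAuthReject"
        else:
            event = "OnAuthAccept"
    elif req.session_cookie is not None:                  # validation time: cookie read only
        event = "OnAuthAccept" if req.session_cookie else "OnAuthReject"
    else:
        raise ValueError("no credentials and no SMSESSION cookie: nothing to evaluate")
    auth_time = bool(req.credentials)       # the password exists only at authentication time
    headers, redirect = {}, None
    for kind, value in realm.responses.get(event, []):
        if kind == "header":
            headers[value[0]] = value[1]                  # set only while the user is in this realm
        elif kind == "redirect" and (auth_time or allow_redirect_at_validation):
            redirect = value                              # ignored at validation time by default
    return {"event": event, "headers": headers, "redirect": redirect, "password_available": auth_time}

def follow_redirects(realm, req, allow_redirect_at_validation=False, max_hops=5):
    """Hops the Agent would take; after the first hop every request is a cookie validation."""
    hops, result = 0, evaluate(realm, req, allow_redirect_at_validation)
    while result["redirect"] and hops < max_hops:
        hops += 1
        result = evaluate(realm, Request(realm.name, session_cookie=True), allow_redirect_at_validation)
    return hops

# Constructed sample policy: realm A sets a header and redirects on OnAuthAccept, sends unknown users to register; realm B binds no On-Auth responses.
REALM_A = Realm("A", {"alice": "s3cret"}, {"OnAuthAccept": [("header", ("SM_WELCOME", "yes")), ("redirect", "/home")],
                                           "OnAuthAttempt": [("redirect", "/register")]})
REALM_B = Realm("B", {"alice": "s3cret"})
```

Calling follow_redirects with allow_redirect_at_validation=True shows the hop count climbing to the cap, which is the loop the rule above prevents.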
Copyright © 2010 CA. All rights reserved.