Global rules that include SiteMinder authentication events let you control actions that occur when users authenticate to gain access to a resource (On-Auth event).
Note: OnAuth event results are per realm. For example, if a user goes from realm A to realm B and had an OnAuthAccept header set in realm A, that header will not be available in realm B; when the user goes back to realm A, the header is set again.
The following is a list of possible On-Auth events:
- OnAuthAccept: Occurs if authentication was successful. This event may be used to redirect a user after a successful authentication.
- OnAuthReject: Occurs if authentication failed for a user that is bound to a policy containing an On-Auth-Reject rule. This event may be used to redirect the user after a failed authentication.

OnAuthAccept and OnAuthReject events fire both at authentication time (when the user enters a username and password) and at validation time (when the user's SMSESSION cookie is read for user information). However, certain special actions occur only at authentication time:
- Unless you have a version of the Web Agent that supports the EnforceRealmTimeouts option and that option is enabled, the Idle and Max Timeouts for the user stay at the values of the realm in which the user last authenticated; they change only when the user has to re-enter credentials.
  Note: More information on EnforceRealmTimeouts exists in section 3.3 of the SiteMinder 4.x Web and Affiliate Agent Quarterly Maintenance Release 4 Release Notes.
- Redirects are only allowed at authentication time for a number of reasons, but one of the most practical is that it would be very easy to configure an infinite loop of redirection if OnAuth redirection were also allowed at validation time.
- The password is not stored in the SMSESSION cookie, so the only time it is available is when the user actually enters it (authentication time).

The remaining On-Auth events are:
- Occurs if the user was rejected because SiteMinder does not know this user (an unregistered user, for example, can be redirected to register first).
- Occurs when custom challenge-response authentication schemes are activated (for example, a token code).
When a user is authenticated (or rejected), the Policy Server passes any global responses associated with the applicable On-Auth rule back to the requesting Agent.
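The rules above (per-realm scope of OnAuthAccept headers, redirects and the cleartext password existing only at authentication time, timeouts staying at the last-authenticated realm's values unless EnforceRealmTimeouts is enabled) are easy to misread when debugging a policy. The following is an added toy model, not CA's code; the realm configuration, the user store and the session dictionary are constructed for illustration.

```python
# Constructed toy model of SiteMinder On-Auth event scoping; not CA's code.
# Models the rules stated above: OnAuthAccept fires at authentication time
# (credentials presented) and at validation time (SMSESSION cookie presented);
# redirects and the cleartext password exist only at authentication time;
# OnAuthAccept headers are scoped to the realm that set them; idle/max timeouts
# keep the last-authenticated realm's values unless EnforceRealmTimeouts is on.

# Constructed sample configuration: two realms with different responses.
REALMS = {
    "A": {"idle": 600, "max": 7200, "header": ("SM_GROUP", "finance"),
          "redirect": "/welcome-a"},
    "B": {"idle": 300, "max": 3600, "header": None, "redirect": "/welcome-b"},
}
USERS = {"alice": "s3cret"}  # constructed credential store


def on_auth_accept(session, realm, auth_time, enforce_realm_timeouts=False):
    """Apply the realm's OnAuthAccept responses; returns (headers, redirect)."""
    cfg = REALMS[realm]
    # Per-realm scope: a header set in realm A is not present in realm B.
    headers = dict([cfg["header"]]) if cfg["header"] else {}
    # Redirects are only honoured at authentication time (no redirect loops).
    redirect = cfg["redirect"] if auth_time else None
    # Timeouts change only on re-authentication unless EnforceRealmTimeouts.
    if auth_time or enforce_realm_timeouts:
        session["idle"], session["max"] = cfg["idle"], cfg["max"]
    return headers, redirect


def request(realm, session=None, creds=None, enforce_realm_timeouts=False):
    """Process one request; returns the event fired and its side effects."""
    if creds is not None:
        # Authentication time: the only moment the password is available.
        user, password = creds
        if USERS.get(user) != password:
            return {"event": "OnAuthReject", "session": None}
        session = {"user": user, "auth_realm": realm, "idle": 0, "max": 0}
        auth_time = True
    elif session is not None:
        auth_time = False  # validation time: cookie read, no password
    else:
        return {"event": "credentials_required", "session": None}
    headers, redirect = on_auth_accept(session, realm, auth_time,
                                       enforce_realm_timeouts)
    return {"event": "OnAuthAccept", "auth_time": auth_time,
            "headers": headers, "redirect": redirect, "session": session}
```

Walking a session from realm A into realm B and back shows the header from A disappearing in B and reappearing in A, and the timeouts moving to B's values only when `enforce_realm_timeouts` is set.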
Copyright © 2010 CA. All rights reserved.