Customize Assertion Processing with the Message Consumer Plug-in

The Message Consumer Plug-in is SiteMinder's Java program that implements the Message Consumer Extension API. Using this plug-in you can implement your own business logic for processing assertions, such as rejecting an assertion and returning a SiteMinder-defined status code. This additional processing works together with SiteMinder's standard processing of an assertion.

Note: For more information about status codes for authentication and disambiguation, see the SiteMinder Programming Guide for Java.

During authentication, SiteMinder first tries to process the assertion by mapping a user to its local user store. If SiteMinder cannot find the user, it calls the postDisambiguateUser method of the Message Consumer Plug-in, if the plug-in is configured. The plug-in then has the opportunity to disambiguate the user, if it knows how.

If the plug-in successfully finds the user, SiteMinder proceeds to the second phase of authentication. If the plug-in cannot map the user to a local user store, the plug-in should return a UserNotFound error, which is documented in the MessageConsumerPlugin interface. The plug-in's use of SiteMinder's redirect URLs feature is optional and is based on the error code returned by the plug-in. If the Message Consumer plug-in is not configured, the redirect URLs are used based on the error generated by the SAML authentication scheme.

During the second phase of authentication, SiteMinder calls the postAuthenticateUser method of the Message Consumer Plug-in, if the plug-in is configured. If the method succeeds, SiteMinder redirects the user to the requested resource. If the method fails, you can configure the plug-in to send the user to a failure page. The failure page can be one of the redirect URLs that you can specify with the authentication scheme configuration, but this is not required.
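The following added example models the order of calls described above; it is not code from the SiteMinder SDK. The `ConsumerPlugin` interface, the `Status` values, the redirect labels, and the sample user data are all hypothetical stand-ins, so consult the MessageConsumerPlugin interface in the SDK for the real method signatures and status codes.

```java
import java.util.Map;
// Simplified model of the two-phase flow. All names are hypothetical;
// nothing here is the real SiteMinder MessageConsumerPlugin API.
public class ConsumerFlowDemo {
    enum Status { SUCCESS, USER_NOT_FOUND, FAILURE }
    // Hypothetical stand-in for the plug-in contract.
    interface ConsumerPlugin {
        Status postDisambiguateUser(String nameId, StringBuilder userDnOut);
        Status postAuthenticateUser(String userDn, Map<String, String> attrs);
    }
    // Constructed local user store: assertion subject -> user DN.
    static final String ALICE = "uid=alice,ou=people,dc=example,dc=com";
    static final Map<String, String> STORE = Map.of("alice", ALICE);

    // Sample plug-in: resolves a partner alias, then applies a business rule.
    static class AliasPlugin implements ConsumerPlugin {
        private final Map<String, String> aliases = Map.of("a.smith@partner.example", ALICE);
        public Status postDisambiguateUser(String nameId, StringBuilder out) {
            String dn = aliases.get(nameId);
            if (dn == null) return Status.USER_NOT_FOUND; // fail closed: never fall back to a default user
            out.append(dn);
            return Status.SUCCESS;
        }
        public Status postAuthenticateUser(String dn, Map<String, String> attrs) {
            // Reject the assertion unless the constructed attribute marks the account active.
            return "active".equals(attrs.get("accountStatus")) ? Status.SUCCESS : Status.FAILURE;
        }
    }

    // Order of calls: local lookup, plug-in disambiguation only on a miss, then phase two.
    static String authenticate(String nameId, Map<String, String> attrs, ConsumerPlugin plugin) {
        String dn = STORE.get(nameId);
        if (dn == null) {
            StringBuilder out = new StringBuilder();
            // With no plug-in configured, the scheme's own error selects the redirect URL.
            if (plugin == null || plugin.postDisambiguateUser(nameId, out) != Status.SUCCESS)
                return "redirect:user-not-found";
            dn = out.toString();
        }
        if (plugin != null && plugin.postAuthenticateUser(dn, attrs) != Status.SUCCESS)
            return "redirect:failure-page";
        return "allow:" + dn;
    }

    public static void main(String[] args) {
        ConsumerPlugin p = new AliasPlugin();
        System.out.println(authenticate("alice", Map.of("accountStatus", "active"), p));
        System.out.println(authenticate("a.smith@partner.example", Map.of("accountStatus", "suspended"), p));
        System.out.println(authenticate("unknown-subject", Map.of(), p));
    }
}
```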

To integrate the Message Consumer plug-in with SiteMinder, use the parameter values that you specify for the plug-in configuration. The plug-in configuration is part of the SAML 1.x, SAML 2.0 and WS-Federation authentication scheme configuration.

More information:

Specify Redirect URLs for Failed SAML 1.x Authentication

Specify Redirect URLs for Failed SAML 2.0 Authentication

Specify Redirect URLs for Failed WS-Federation Authentication


Copyright © 2010 CA. All rights reserved.