Create an Authentication Context Policy

The AuthContext policy sets the authentication context in the SiteMinder session ticket, which the Policy Server uses during both authentication and validation. In this policy, the OnAuthAccept rule from each realm is paired with the corresponding response that grants access to protected resources. For example, the OnAuthAccept rule for the Form realm is paired with the Form response, and the OnAuthAccept rule for the SafeWord realm is paired with the SafeWord response.

User authentication and user validation both raise OnAuthAccept events, so the authentication context in the session ticket can be overwritten after every validation, not only at the original login. Updating the attribute on each event is useful in some designs, for example when its value includes a counter. In the Credentials Selector solution, however, the AuthContext policy is configured to fire only when the authentication context is empty. The value written at authentication is therefore never replaced by a later validation, and the session ticket continues to record which credentials the user chose.

To protect the authentication context from being overwritten, write an active expression in the AuthContext policy that retrieves the SM_AUTHENTICATIONCONTEXT attribute from the session ticket and lets the policy fire only when that attribute is empty.
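The following Python model, added here as an illustration and not code from CA or SiteMinder, shows why the guard matters. It simulates a session ticket receiving OnAuthAccept events from two realms (first the SafeWord realm at login, then the Form realm at a later validation) and compares an unguarded AuthContext policy with one that fires only while SM_AUTHENTICATIONCONTEXT is empty. The realm names, the event sequence, and the response values are constructed for the example; only the attribute name SM_AUTHENTICATIONCONTEXT and the "fire only if empty" rule come from the page.

```python
"""Model of AuthContext policy firing on OnAuthAccept events.

Constructed illustration of the behaviour described in the text; it is not
SiteMinder's API and does not reproduce its expression syntax.
"""
from dataclasses import dataclass, field

SM_AUTHENTICATIONCONTEXT = "SM_AUTHENTICATIONCONTEXT"


@dataclass
class SessionTicket:
    """Minimal stand-in for the SiteMinder session ticket attribute bag."""
    attributes: dict = field(default_factory=dict)

    def auth_context(self):
        return self.attributes.get(SM_AUTHENTICATIONCONTEXT)


@dataclass
class AuthContextPolicy:
    """One policy whose OnAuthAccept rules are paired with per-realm responses.

    realm_responses maps a realm name to the value its paired response writes.
    guard_on_empty models the active expression that allows the policy to fire
    only when SM_AUTHENTICATIONCONTEXT is still empty.
    """
    realm_responses: dict
    guard_on_empty: bool

    def fires(self, ticket):
        if not self.guard_on_empty:
            return True  # unguarded: fires on every OnAuthAccept event
        return not ticket.auth_context()  # guarded: only while still empty

    def on_auth_accept(self, ticket, realm):
        """Deliver an OnAuthAccept event raised in `realm` to this policy."""
        if realm in self.realm_responses and self.fires(ticket):
            ticket.attributes[SM_AUTHENTICATIONCONTEXT] = self.realm_responses[realm]
        return ticket


def final_auth_context(events, guard_on_empty):
    """Run a sequence of OnAuthAccept events and return the resulting context.

    Realm names and response values are assumed for the example.
    """
    policy = AuthContextPolicy(
        realm_responses={"FormRealm": "Form", "SafeWordRealm": "SafeWord"},
        guard_on_empty=guard_on_empty,
    )
    ticket = SessionTicket()
    for realm in events:
        policy.on_auth_accept(ticket, realm)
    return ticket.auth_context()


if __name__ == "__main__":
    # Constructed scenario: the user chose SafeWord credentials at login and is
    # later validated against a resource in the Form realm.
    events = ["SafeWordRealm", "FormRealm"]
    print("unguarded:", final_auth_context(events, guard_on_empty=False))
    print("guarded:  ", final_auth_context(events, guard_on_empty=True))
```

Without the guard, the later validation in the Form realm replaces "SafeWord" with "Form", so anything downstream that keys on the authentication context (for example, a protection policy that requires the stronger credential) now sees the weaker value. With the guard, the context written at the user's original authentication is kept for the life of the session.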

When Federation Security Services is in use, you can create a user context variable named AuthContext and reference it in the AuthContext policy's active expression, which retrieves the SM_AUTHENTICATIONCONTEXT attribute from the session ticket.

[Figure: Variable Dialog for User Context Variable]

Define an active expression using the AuthContext variable in the AuthContext policy:

[Figure: AuthContext Attribute Dialog]


Copyright © 2010 CA. All rights reserved.