The Federation Security Services interface supports the manipulation of policy store data related to Affiliate Domain objects, which can include Affiliates, Service Providers, and Resource Partners.
Federation Security Services supports SAML 1.x, SAML 2.0, and WS-Federation profiles and it enables SiteMinder the ability to exchange user profile information with partners in a secure manner.
For information about federation in a SiteMinder environment, see the Federation Security Services Guide.
SAML 1.x support lets a user access a consumer site directly or from an assertion producer site without having to supply credentials more than once.
When a user requests access to a protected resource at an affiliate site, the Policy Server at the producer site is notified. After authenticating the user (if the user has not yet been authenticated), the Policy Server generates a SAML assertion from the affiliate object associated with the consumer site.
An application at the affiliate site then retrieves the SAML assertion from the Policy Server, and uses the information for authorization purposes and any other required purpose.
For example, suppose a user logs into a site for a bank (the producer site). The producer includes Policy Server software. The Policy Server contains an affiliate object that represents a site offering credit card services, and also other affiliate objects that represent other sites affiliated with the bank. When a user is authenticated at the producer, the user can click the link for the credit-card site and access the site without having to re-enter his credentials.
The pseudo-code in this section illustrates the following operations:
Note: Comments using <> notation represent code omitted for ease of understanding. Return code checking is omitted for ease of understanding.
# 1. Initialize the API
use Netegrity::PolicyMgtAPI;
$policyapi = Netegrity::PolicyMgtAPI‑>New();
$session = $policyapi‑>CreateSession("adminid", "adminpwd");
# 2. Add an affiliate domain
$affdomain = $session‑>CreateAffDomain("name", "description");
# 3. Add a previously obtained user directory to the affiliate domain
# <Obtain $userdir via $session‑>GetAllUserDirs>
$affdomain‑>AddUserDir($userdir);
# 4. Create an affiliate in the affiliate domain
$affiliate = $affdomain‑>CreateAffiliate("affname", "password",
http://authurl, 60, 30);
# 5. Add users from a previously obtained user table to the affiliate
# <Obtain $user via $userdir‑>GetContents>
$affdomain‑>AddUser($user);
# 6. Add an attribute for the affiliate
$affdomain‑>AddAttribute(1, "staticAttrName=StaticAttrValue");
# 7. Get an existing affiliate domain
$affiliate = $affdomain‑>GetAffiliate("affname");
# 8. Get all the affiliates in an affiliate domain
@affiliates = $affdomain‑>GetAllAffiliate();
# 9. Get all the attributes in an affiliate
@affiliateAttrs = $affiliate‑>GetAllAttributes();
# 10. Remove an affiliate domain
$session‑>DeleteAffDomain($affiliate);
With SAML 2.0, security assertions are shared between the following entities within a federation:
An Identity Provider generates assertions for principals within a SAML 2.0 federation. The Identity Provider sends the SAML assertion to the Service Provider where the principal is attempting to access resources.
A Service Provider makes applications and other resources available to principals within a federation, using the identity information provided in an assertion. A principal is a user or another federation entity.
The Service Provider uses a SAML 2.0 authentication scheme to validate a user based on the information in a SAML 2.0 assertion.
Identity Providers and Service Providers can belong to a SAML affiliation. A SAML affiliation is a group of SAML entities that share a name identifier for a single principal.
Service Providers and Identity Providers can belong to an affiliation; however, an entity can belong to no more than one affiliation. Service Providers share the Name ID definition across the affiliation. Identity Providers share the user disambiguation properties across the affiliation.
Using affiliations reduces the configuration required at each Service Provider. Additionally, using one name ID for a principal saves storage space at the Identity Provider.
By sharing security assertions, a principal can log in at one site (the site acting as the Identity Provider), and then access resources at another site (the Service Provider) without explicitly supplying credentials at the second site.
For example:
Any authentication scheme can be used to authenticate the user.
This validation is transparent to the user.
The pseudo-code in this section illustrates the following operations:
# 1. Initialize the API
use Netegrity::PolicyMgtAPI;
$policyapi = Netegrity::PolicyMgtAPI‑>New();
$session = $policyapi‑>CreateSession("adminid", "adminpwd");
# 2. Retrieve the affiliate domain for the Service Provider
$affDom=$session‑>GetAffDomain("AffiliateDomain");
# 3. Assign metadata constants to variables
$SAML_NAME=SAML_NAME;
$SAML_SP_AUTHENTICATION_URL=SAML_SP_AUTHENTICATION_URL;
$SAML_KEY_SPID=SAML_KEY_SPID;
$SAML_SP_IDPID=SAML_SP_IDPID;
$SAML_AUDIENCE=SAML_AUDIENCE;
$SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL=
SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL;
$SAML_SP_NAMEID_ATTRNAME=SAML_SP_NAMEID_ATTRNAME;
$SAML_SKEWTIME=SAML_SKEWTIME;
# 4. Assign values to the Service Provider metadata
%hsh=($SAML_NAME=>'My Service Provider',
$SAML_SP_AUTHENTICATION_URL=>
'http://www.mysite.com/redirect.jsp',
$SAML_KEY_SPID=>'http://www.spprovider.com',
$SAML_SP_IDPID=>'http://www.idpprovider.com',
$SAML_AUDIENCE=>'SSOAudience',
$SAML_SP_ASSERTION_CONSUMER_DEFAULT_URL=>
'http://www.defaultconsumer.com',
$SAML_SP_NAMEID_ATTRNAME=>'attribute'
);
# 5. Create the Service Provider
$sp=$affDom‑>CreateSAMLServiceProvider(\%hsh);
# 6. Retrieve users from the directory associated with the # affiliate domain—in this case, users in the group HR
$userDir=$session‑>GetUserDir("MyNtDirectory");
$usr=$userDir‑>LookupEntry("HR");
# 7. Add the users to the Service Provider
$sp‑>AddUser($usr);
# 8. Update the Service Provider's default skewtime to 100
$sp‑>Property($SAML_SKEWTIME,"100");
# 9. Save the update
$sp‑>Save();
# 10. Print the updated skewtime
print "\n";
print $sp‑>Property($SAML_SKEWTIME);
A SAML 2.0 affiliation consists of Service Providers and Identity Providers that have a shared Name ID namespace. Identity Providers also share the user disambiguation properties across the affiliation.
A SAML 2.0 affiliation can have multiple Service Providers and Identity Providers. However, a Service Provider or Identity Provider can belong to no more than one SAML 2.0 affiliation.
Example:
By sharing security assertions, a principal can log in at one site (the site acting as the Identity Provider), and then access resources at another site (the Service Provider) without explicitly supplying credentials at the second site:
Any authentication scheme can be used to authenticate the user.
This validation occurs transparently to the user.
SiteMinder supports authorization that uses the values of predetermined user attributes from a remote site as the basis for the authorization decision. The request contains no session information, because the user is not necessarily authenticated on the remote site.
For example, imagine a customer logs on to a car rental agency site to inquire about rates. The customer is authenticated by the agency, but to provide a competitive rate, the agency uses information from the customer's preferred airline. The car rental agency puts in a request to the airline's Web site to obtain the customer's quality code, which is based on the customer's accrued frequent flier miles. The airline returns the value of the quality code, for instance, 1A, and the car agency displays a customized rate sheet.
In this example, the car rental agency acts as what is know as the the SAML Requester, and the airline acts as what is known as a SAML Attribute Authority. Note that the customer is not authenticated by the Attribute Authority.
The Policy Server implements this kind of authorization decision by using variables within policy expressions. In the policy expressions, Federation Attribute Variables associate an attribute with a remote Attribute Authority. When the policy server attempts to resolve the Federation attribute variable, it determines the Attribute Authority from which to request the value of the attribute.
In the Policy Management API, the Sm_PolicyApi_SAMLRequesterAttr_t structure defines an attribute that can be requested by the SAML Requester. It specifies the actual name of the attribute known by the Attribute Authority, as well as a local name used in Federation attribute variables. The local name maps to a variable defined in the SAML 2.0 authentication scheme.
When configuring single sign-on at the Identity Provider, you can configure more than one endpoint for the Assertion Consumer Service, the service that enables a Service Provider to consume a SAML assertion. Each endpoint you configure is assigned a unique index value, instead of a single, explicit reference to an Assertion Consumer Service URL.
The assigned index can be used as a part of a Service Provider request for an assertion that it sends to the Identity Provider. This enables you to have a different Assertion Consumer Service at the Service Provider for different protocol bindings (Artifact or POST).
In the Policy Management API, you can, for example, add a new Assertion Consumer Service to the Service Provider programmatically by calling the Sm_PolicyApi_AddAssertionConsumerServiceToSAMLSP() function as follows:
iSmApiRetCode = Sm_PolicyApi_AddAssertionConsumerServiceToSAMLSP (
pSmApiSessionHandle, &structSAMLSPACS2, pszOid);
Parameters:
In addition, the API includes a function to remove an Assertion Consumer Service and a function to retrieve all the Assertion Consumer Services defined in the Service Provider object. The C Policy Management API sample program, smpolicyapiexample.cpp, shows how these functions are implemented.
The C sample program smpolicyapi has been augmented for the affiliate functionality.
To run the affiliate portions
Three options have been added to the smpolicyapi program.
Answering Y causes smpolicyapi to:
Answering Y causes smpolicyapi to:
Answering Y causes smpolicyapi to delete the affiliate domain.
The WS-Federation specification provides a protocol for how passive clients (such as Web browsers) implement the federation framework. ADFS is Microsoft's implementation of the WS-Federation Passive Requestor Profile.
Web SSO and Signout in the WS-Federation environment are implmented using Account Partners and Resource Partners. An Account Partner authenticates users, provides WS-Federation security tokens and passes them to a Resource Partner. The Resource Partner consumes security tokens and establishes a session based on the contents of the WS-Federation security token.
For SiteMinder to act as an Account Partner, an administrator must define the Resource Partner that will be consuming security tokens. This is done by defining a Resource Partner in an Affiliate domain. For SiteMinder to act as a Resource Partner, an administrator must define the Account Partner that is going to supply security tokens. This is done by defining a WS-Federation authentication scheme.
The C Policy Management API sample program, smpolicyapiexample.cpp, includes examples of how to define, list, and delete a Resource Partner, as well as define, list, and delete a WS-Federation authentication scheme.
Each data structure represents an entity in the SiteMinder policy store. The structures have a common format:
All the character arrays within the following structures are sized according to BFSIZE, which is set to 1024 characters. A 24-character TIMESIZE buffer is used for policy time restrictions.
Defines a SiteMinder Administrator object.
Syntax
typedef struct Sm_PolicyApi_Admin_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszPassword[BFSIZE];
char pszUserDirOid[BFSIZE];
char pszSchemeOid[BFSIZE];
Sm_PolicyApi_AdminRights_t nRights; /* Required */
struct Sm_PolicyApi_Admin_s* next;
} Sm_PolicyApi_Admin_t;
|
Field |
Description |
|---|---|
|
iStructId |
Administrator data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the administrator object. |
|
pszName |
Name of the administrator. |
|
pszDesc |
Brief description of the administrator. |
|
pszPassword |
This is required if the pszUserDirOid is not specified. The SiteMinder stores the password in its directory. |
|
pszUserDirOid |
Object identifier of the user directory if the administrator is stored in an external directory. |
|
pszSchemeOid |
Object identifier of the authentication scheme to use to authenticate the administrator. This is required if the pszUserDirOid is specified. |
|
nRights |
Rights of the administrator, as specified in Sm_PolicyApi_AdminRights_t. |
|
next |
Pointer to the next administrator structure. |
Represents an affiliate object.
Syntax
typedef struct Sm_PolicyApi_Affiliate_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE];
char pszDesc[BFSIZE];
char pszAffiliateDomainOid[BFSIZE];
char pszPassword[BFSIZE];
bool bIsEnabled;
bool bAllowNotification;
char pszAuthURL[BFSIZE];
char pszAudience[BFSIZE];
long nValidityDuration;
bool bSharedSession;
long nSyncInterval;
long nSkewTime;
long nStartTime;
long nEndTime;
unsigned char pszTimeGrid[TIMESIZE];
Sm_PolicyApi_IPAddress_t *pIPAddress;
struct Sm_PolicyApi_Affiliate_s* next;
long nSAMLVersion;
char pszAssertionPluginClass[BFSIZE];
char pszAssertionPluginParameters[BFSIZE];
Sm_PolicyApi_SAML_Profile_t SAMLProfile;
char pszConsumerURL[BFSIZE];
} Sm_PolicyApi_Affiliate_t;
|
Field |
Description |
|---|---|
|
iStructId |
Domain data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the affiliate object. |
|
pszName |
Name of the affiliate. |
|
pszDesc |
Brief description of the affiliate. |
|
pszAffiliateDomain |
The object identifier of the affiliate domain object. |
|
pszPassword |
The password for the affiliate as a null terminated string. |
|
bIsEnabled |
Boolean indicating if the affiliate is enabled. |
|
bAllowNotification |
Boolean indicating if notifications are allowed for the affiliate. |
|
pszAuthURL |
The authentication URL for the affiliate. |
|
pszAudience |
A URI of the document that describes the terms and conditions of the agreement between the portal and the affiliate. |
|
nValidityDuration |
The amount of time, in seconds, that the assertion is valid. |
|
bSharedSession |
Boolean that enables the sharing of session information between the portal and the affiliate. |
|
nSyncInterval |
The frequency, in seconds, at which the affiliate contacts the portal to validate session status. |
|
nSkewTime |
The difference, in seconds, between the system clock time of the portal and the system clock time of the affiliate. |
|
nStartTime |
The time when the time restriction becomes effective. This value is stored in standard time_t format. Set nStartTime to 0 to start the time restriction immediately. |
|
nEndTime |
The time when the time restriction expires. This value is stored in standard time_t format. Set nEndTime to 0 to end the time restriction immediately. |
|
pszTimeGrid |
An array containing time restrictions for an entire week. |
|
pIPAddress |
IP address that user must use in order to gain access to the resources governed by the Policy. |
|
next |
Pointer to the next affiliate structure. |
|
nSAMLVersion |
One of the following SAML version constants:
The SAML version has effect only if the Policy Management API's session version is at least SM_POLICY_API_VERSION_6_0_1. |
|
pszAssertion |
The fully qualified class name of a custom assertion generator plug-in. The plug-in lets you customize the default assertion that SiteMinder generates for an affiliate. A plug-in class and parameter string are supported only if the Policy Management API's session version is at least SM_POLICY_API_VERSION_6_0_2. Custom assertion generator plug-ins are implemented with the Java SDK. |
|
pszAssertion |
The parameter string to pass to a custom assertion generator plug-in. |
|
SAMLProfile |
The type of profile used to send and receive SAML assertions. Defined in Sm_PolicyApi_SAML_Profile_t. Valid profiles:
This profile is supported only if the Policy Management API's session version is at least SM_POLICY_API_VERSION_6_0_2. |
|
pszConsumerURL |
With a SAML POST profile, this field specifies the URL where the requesting user's browser must POST a generated assertion. The site associated with the URL validates the assertion and uses its contents to make access decisions. |
Represents affiliate attributes. Used with affiliate methods to manipulate affiliate attributes.
Syntax
typedef struct Sm_PolicyApi_AffiliateAttr_s
{
int iStructId;
Sm_PolicyApi_AffiliateAttrType_t nAttrType;
char pszValue[BFSIZE];
struct Sm_PolicyApi_AffiliateAttr_s* next;
} Sm_PolicyApi_AffiliateAttr_t;
|
Field |
Description |
|---|---|
|
iStructId |
Domain data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
nAttrType |
An affiliate attribute type from Sm_PolicyApi_AffiliateAttrType_t. |
|
pszValue |
An affiliate attribute specification. The affiliate attribute's name and value, in one of these formats:
To allow SiteMinder to retrieve DN attributes from a nested group, begin DNSpec with an exclamation mark ( ! )-for example: |
|
next |
Pointer to the next Affiliate Attribute structure. |
Represents an affiliate domain.
Syntax
typedef struct Sm_PolicyApi_Domain_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE];
char pszDesc[BFSIZE];
struct Sm_PolicyApi_Domain_s* next;
} Sm_PolicyApi_Domain_t, Sm_PolicyApi_AffiliateDomain_t;
|
Field |
Description |
|---|---|
|
iStructId |
Affiliate Domain data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Affiliate Domain. |
|
pszName |
Name of the Affiliate Domain. |
|
pszDesc |
Brief description of the Affiliate Domain. |
|
next |
Pointer to the next Affiliate Domain structure. |
Defines a SiteMinder Agent object.
Syntax
typedef struct Sm_PolicyApi_Agent_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszIpAddr[BFSIZE];
char pszSecret[BFSIZE];
char pszAgentTypeOid[BFSIZE]; /* Required */
int nRealmHintAttrId; /* Required */
struct Sm_PolicyApi_Agent_s* next;
} Sm_PolicyApi_Agent_t;
|
Field |
Description |
|---|---|
|
iStructId |
Agent data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the agent object. |
|
pszName |
Name of the agent. Agent names are converted to lower case when written to the policy store. |
|
pszDesc |
Brief description of the agent. |
|
pszIpAddr |
IP address of the server on which the agent resides. |
|
pszSecret |
A shared secret known to two parties for the purpose of establishing secure data exchange. If a shared secret is provided, the agent is considered to be a SiteMinder version 4.x agent. If a shared secret is not provided, the agent is considered to be a SiteMinder version 5.x or 6.0 agent. |
|
pszAgentTypeOid |
Type of agent. |
|
nRealmHintAttrId |
The hint attribute is a RADIUS attribute that is sent by the RADIUS client device. |
|
next |
Pointer to the next agent structure. |
Defines an agent configuration object.
Syntax
typedef struct Sm_PolicyApi_AgentConfig_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
struct Sm_PolicyApi_AgentConfig_s* next;
} Sm_PolicyApi_AgentConfig_t;
|
Field |
Description |
|---|---|
|
iStructId |
Data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the agent configuration object. |
|
pszName |
Name of the agent configuration. |
|
pszDesc |
Brief description of the agent configuration. |
|
next |
Pointer to the next agent configuration object structure. |
Defines a SiteMinder Agent Type object.
Syntax
typedef struct Sm_PolicyApi_AgentType_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE];
char pszDesc[BFSIZE];
int nRfcId;
int nAgentType;
int nResourceType;
int nAgentTypeSpecific;
struct Sm_PolicyApi_AgentType_s* next;
} Sm_PolicyApi_AgentType_t;
|
Field |
Description |
|---|---|
|
iStructId |
Agent Type data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Agent Type object. |
|
pszName |
Name of the Agent Type object. |
|
pszDesc |
Brief description of the Agent Type object. |
|
nRfcId |
The IETF Vendor ID, assigned by the Internet Assigned Numbers Authority (IANA). (Applies to RADIUS device only.) |
|
nAgentType |
Agent type: RADIUS (value=0) or Web Agent (value=1). |
|
nResourceType |
The resource type that the agent will protect. One of the following values:
|
|
nAgentTypeSpecific |
The vendor-specific offset provided by the RADIUS vendor. (Applies to RADIUS device only.) Not a required field. |
|
next |
Pointer to the next Agent Type structure. |
Defines a SiteMinder Agent Type Attribute object.
Syntax
typedef struct Sm_PolicyApi_AgentTypeAttr_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE];
char pszDesc[BFSIZE];
char pszAgentTypeOid[BFSIZE];
struct Sm_PolicyApi_AgentTypeAttr_s* next;
} Sm_PolicyApi_AgentTypeAttr_t;
|
Field |
Description |
|---|---|
|
iStructId |
Agent Type Attribute data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Agent Type Attribute object. |
|
pszName |
Name of the Agent Type Attribute object. |
|
pszDesc |
Brief description of the Agent Type Attribute object. |
|
pszAgentTypeOid |
The object identifier of the Agent Type. |
|
next |
Pointer to the next Agent Type Attribute structure. |
Defines a configuration parameter name and its associated value for an agent configuration object.
Syntax
typedef struct Sm_PolicyApi_Association_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char* pszValue;
int iFlags;
struct Sm_PolicyApi_Association_s* next;
} Sm_PolicyApi_Association_t;
|
Field |
Description |
|---|---|
|
iStructId |
Data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the configuration parameter association object. |
|
pszName |
The name of the configuration parameter. |
|
pszValue |
The value of the configuration parameter. |
|
iFlags |
If 1, the name/value pair is stored in encrypted format. If 0, storage is in plain text. |
|
next |
Pointer to the next configuration parameter association structure. |
Defines a SiteMinder authentication and authorization mapping object.
Syntax
typedef struct Sm_PolicyApi_AuthAzMap_s
{
int iStructId;
char pszOid[BFSIZE];
char pszAuthDirOid[BFSIZE]; /* Required */
char pszAuthDirName[BFSIZE];
char pszAzDirOid[BFSIZE]; /* Required */
char pszAzDirName[BFSIZE];
Sm_PolicyApi_AuthAzMapType_t nMapType; /* Required */
struct Sm_PolicyApi_AuthAzMap_s *next;
} Sm_PolicyApi_AuthAzMap_t;
|
Field |
Description |
|---|---|
|
iStructId |
Authentication and authorization mapping object data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the authentication and authorization mapping object. |
|
pszAuthDirOid |
The object identifier for the Authentication Directory. |
|
pszAuthDirName |
The name of the Authentication Directory. |
|
pszAzDirOid |
The object identifier for the Authorization Directory. |
|
pszAzDirName |
The name of the Authorization Directory. |
|
nMapType |
The type of mapping between an authentication directory and an authorization directory. The mapping can be based on a DN, a universal identifier, or on an attribute in the directory. |
|
next |
Pointer to the next authentication and authorization mapping structure. |
Defines a SiteMinder certification mapping object.
Syntax
typedef struct Sm_PolicyApi_CertMap_s
{
int iStructId;
char pszOid[BFSIZE];
char pszDesc[BFSIZE];
char pszUserDirOid[BFSIZE]; /* Required */
char pszIssuerDN[BFSIZE]; /* Required */
char pszCaDN[BFSIZE];
char pszMapAttr[BFSIZE];
Sm_PolicyApi_CertMapFlags_t nFlags; /* Required */
Sm_PolicyApi_CertMapAttrType_t nAttrType;
Sm_PolicyApi_DirType_t nDirType; /* Required */
struct Sm_PolicyApi_CertMap_s *next;
} Sm_PolicyApi_CertMap_t;
|
Field |
Description |
|---|---|
|
iStructId |
Certificate mapping data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the certificate mapping object. |
|
pszDesc |
Brief description of the certificate mapping object. |
|
pszUserDirOid |
Object identifier of the user directory. |
|
pszIssuerDN |
DN of the server certificate. |
|
pszCaDN |
DN of the issuing Certificate Authority. |
|
pszMapAttr |
You can perform single attribute mapping or custom mapping:
The format of the attribute is: %{<attribute name>} <attribute name> is the name of the attribute, matching a single attribute from the subject DN of a user's certificate to a single attribute stored in the user directory to verify the user's identity.
Using custom mapping expressions for complex multiple attribute mapping, you can specify multiple user attributes that should be extracted from a user DN to establish a certificate mapping. The syntax for a custom mapping expression is a parsing specification designed to enable full mapping flexibility. It indicates which information to take from the certificate and where it should be applied to in the user directory. The basic syntax is: UserAttribute=%{CertificateAttribute}, UserAttribute2=%{CertificateAttribute} |
|
nFlags |
Set one or more of these flags:
|
|
nAttrType |
This enumeration specifies how the X.509 client certificate maps to the user information in the authentication directory.
|
|
nDirType |
The type of directory used to authenticate users. One of these values:
|
|
next |
Pointer to the next registration scheme structure. |
Defines a SiteMinder Domain object.
Syntax
typedef struct Sm_PolicyApi_Domain_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
struct Sm_PolicyApi_Domain_s* next;
Sm_PolicyApi_DomainFlags_t iFlags;
} Sm_PolicyApi_Domain_t;
|
Field |
Description |
|---|---|
|
iStructId |
Domain data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Domain object. |
|
pszName |
Name of the Domain. |
|
pszDesc |
Brief description of the Domain. |
|
next |
Pointer to the next domain structure. |
|
iFlags |
Flag to enable or disable global policies processing for the domain. |
Defines a SiteMinder Group object. SiteMinder Groups are defined in the Sm_PolicyApi_Groups_t enumeration.
Syntax
typedef struct Sm_PolicyApi_Group_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszAgentTypeOid[BFSIZE]; /* Required */
struct Sm_PolicyApi_Group_s* next;
} Sm_PolicyApi_Group_t;
|
Field |
Description |
|---|---|
|
iStructId |
Group data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Group object. |
|
pszName |
Name of the Group. |
|
pszDesc |
Brief description of the Group. |
|
pszpszAgentTypeOid |
Object identifier of the agent. |
|
next |
Pointer to the next Group structure. |
Defines a host configuration object.
Syntax
typedef struct Sm_PolicyApi_HostConfig_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszIPAdress[BFSIZE];
bool bEnableFailOver;
int iMaxSocketsPerPort;
int iMinSocketsPerPort;
int iNewSocketStep;
int iRequestTimeout;
struct Sm_PolicyApi_HostConfig_s* next;
Sm_PolicyApi_Server_t* pServer;
Sm_PolicyApi_Server_t* pCluster;
long nFailoverThreshold;
} Sm_PolicyApi_HostConfig_t;
|
Field |
Description |
|---|---|
|
iStructId |
Data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the host configuration object. |
|
pszName |
The name of the host configuration. |
|
pszDesc |
Brief description of the host configuration. |
|
pszIPAddr |
The IP address of the host configuration object. |
|
bEnableFailOver |
Specifies whether an agent and the Policy Server should communicate through failover or round-robin. The parameter is applicable to non-cluster servers specified in the pServer parameter. |
|
iMaxSocketsPerPort |
The maximum number of TCP/IP sockets that can be opened between an agent and a particular Policy Server process. |
|
iMinSocketsPerPort |
The minimum number of TCP/IP sockets that should be opened between an agent and a particular Policy Server process. |
|
iNewSocketStep |
The incremental number of TCP/IP sockets that should be opened between an agent and a particular Policy Server process when demand increases. |
|
iRequestTimeout |
The length of time in seconds that an agent will wait for a response from the Policy Server. |
|
next |
Pointer to the next host configuration structure. |
|
pServer |
A linked list of Sm_PolicyApi_Server_t structures that describe TCP/IP connectivity information for a particular Policy Server installation. |
|
pCluster |
Pointer to an array of Sm_PolicyApi_Server_t structures. The array specifies cluster servers. |
|
nFailoverThreshold |
Specifies the failover threshold percent. The parameter is applicable to the cluster servers specified in pCluster. |
Defines an IP address restriction for an object-for example, you can define IP address restrictions that must be met for a policy to fire.
You can specify a single host IP address, a range of IP addresses, a host name, or a subnet mask.
Syntax
typedef struct Sm_PolicyApi_IPAddress_s
{
int iStructId;
Sm_PolicyApi_IPAddressType_t iIPAddressType;
unsigned long nIPAddress;
unsigned long nEndIPAddress;
unsigned long nSubnetMask;
char pszHostName[BFSIZE];
struct Sm_PolicyApi_IPAddress_s *next;
} Sm_PolicyApi_IPAddress_t;
|
Field |
Description |
|---|---|
|
iStructId |
IP address structure ID, defined in Sm_PolicyApi_Structs_t. |
|
iIPAddressType |
Type of IP address, as enumerated in Sm_PolicyApi_IPAddressType_t. |
|
nIPAddress |
Starting IP address. |
|
nEndIPAddress |
Ending IP address. |
|
nSubnetMask |
The subnet mask value is a number of bits. To arrive at this value, count the bits in the binary value of the address. For example, suppose the subnet mask is 255.255.255.128. The binary format is: 11111111 11111111 11111111 10000000 Counting from left to right, the number to pass in nSubnetMask would be 25. |
|
pszHostName |
Host name of the machine that a user must be using in order for a policy to fire. |
|
next |
Pointer to next IP Address structure. |
Defines a management command. Management commands enable an agent to retrieve information from the Policy Server.
Syntax
typedef struct Sm_PolicyApi_ManagementCommand_s
{
Sm_PolicyApi_ManagementCommands_t iCommand;
char pszData[BFSIZE];
} Sm_PolicyApi_ManagementCommand_t;
|
Field |
Description |
|---|---|
|
iCommand |
Management command, as specified in Management Commands. |
|
pszData |
Reserved. |
Defines a SiteMinder ODBC Query Scheme object.
Syntax
typedef struct Sm_PolicyApi_ODBCQueryScheme_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszQueryEnumerate[BFSIZE]; /* Required */
char pszQueryGetObjInfo[BFSIZE]; /* Required */
char pszQueryLookup[BFSIZE]; /* Required */
char pszQueryInitUser[BFSIZE]; /* Required */
char pszQueryAuthenticateUser[BFSIZE]; /* Required */
char pszQueryGetUserProp[BFSIZE]; /* Required */
char pszQuerySetUserProp[BFSIZE]; /* Required */
char pszQueryGetUserProps[BFSIZE]; /* Required */
char pszQueryLookupUser[BFSIZE]; /* Required */
char pszQueryGetGroups[BFSIZE]; /* Required */
char pszQueryIsGroupMember[BFSIZE]; /* Required */
char pszQueryGetGroupProp[BFSIZE]; /* Required */
char pszQuerySetGroupProp[BFSIZE]; /* Required */
char pszQueryGetGroupProps[BFSIZE]; /* Required */
char pszQueryLookupGroup [BFSIZE]; /* Required */
char pszQuerySetPassword [BFSIZE]; /* Required */
struct Sm_PolicyApi_ODBCQueryScheme_s* next;
} Sm_PolicyApi_ODBCQueryScheme_t;
|
Field |
Description |
|---|---|
|
iStructId |
ODBC Query Scheme data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the ODBC Query Scheme object. |
|
pszName |
Name of the ODBC Query Scheme. |
|
pszDesc |
Brief description of the ODBC Query Scheme. |
|
pszQueryEnumerate |
Query that lists the names of user objects in the directory. |
|
pszQueryGetObjInfo |
Query that fetches the class of the object. |
|
pszQueryLookup |
Query that returns objects based on an attribute specified in a group table. |
|
pszQueryInitUser |
Query that determines if a user with a given name exists in the database. |
|
pszQueryAuthenticateUser |
Query that retrieves a password from a user. |
|
pszQueryGetUserProp |
Query that retrieves the value of a user property. The property must be one of the properties listed with pszQueryGetUserProps. |
|
pszQuerySetUserProp |
Query that sets the value of a user property. The property must be one of the properties listed in pszQueryGetUserProps. |
|
pszQueryGetUserProps |
Query that returns a comma-separated list of user attributes that reside in the same table as the user name. |
|
pszQueryLookupUser |
Query that retrieves a user name using an attribute of the user table. |
|
pszQueryGetGroups |
Query that retrieves the names of the groups of which the user is a member. |
|
pszQueryIsGroupMember |
Query that identifies the group membership of a particular user. |
|
pszQueryGetGroupProp |
Query that returns the value of a property defined in pszQueryGetGroupProps |
|
pszQuerySetGroupProp |
Query that sets the value of a group property. The property must be one of the properties listed in pszQueryGetGroupProps. |
|
pszQueryGetGroupProps |
Query that returns a comma-separated list of group attributes. |
|
pszQueryLookupGroup |
Query that retrieves a group name using an attribute of the group table. |
|
pszQuerySetPassword |
Query that changes a user password. |
|
next |
Pointer to the next ODBC query scheme structure. |
Used by the following functions to retrieve a SiteMinder object collection:
Syntax
typedef struct Sm_PolicyApi_Oid_s
{
int iStructId;
int iObjectId;
char pszOid[BFSIZE];
struct Sm_PolicyApi_Oid_s *next;
} Sm_PolicyApi_Oid_t;
|
Field |
Description |
|---|---|
|
iStructId |
OID data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
iObjectId |
The object type identifier (enumerated in Sm_PolicyApi_Objects_t). |
|
pszOid |
The unique object identifier. |
|
next |
Pointer to the next OID structure. |
Describes a password policy message field. A password policy message field contains information about an error that occurred during a validation attempt for a new password.
A password policy message field is associated with a password policy message identifier. This identifier is returned in the nMsgId parameter of Sm_PolicyApi_GetPasswordMsg().
This structure is returned in the ppStructMsgField parameter of Sm_PolicyApi_GetPasswordMsg().
Syntax
typedef struct Sm_PolicyApi_PasswordMsgField_s
{
int iStructId;
Sm_PolicyApi_PasswordMsgFieldId_t nId;
Sm_PolicyApi_FieldType_t nType;
char pszMsg[BFSIZE];
int nValue;
struct Sm_PolicyApi_PasswordMsgField_s* next;
} Sm_PolicyApi_PasswordMsgField_t;
|
Field |
Description |
|---|---|
|
iStructId |
Password policy data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
nId |
The password message field identifier. Message field identifiers are enumerated in Sm_PolicyApi_PasswordMsgFieldId_t. |
|
nType |
The data type of the message field (integer, string, or none) as enumerated in Sm_PolicyApi_FieldType_t. The value of nType determines whether pszMsg or nValue is populated. |
|
pszMsg |
Text that provides information about the error. |
|
nValue |
Integer that provides information about the error. |
|
next |
Pointer to the next password message field structure. |
Defines a SiteMinder password policy object.
Syntax
typedef struct Sm_PolicyApi_PasswordPolicy_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
bool bEntireDir; /* Required */
bool bIsEnabled; /* Required */
char pszUserDirectoryOid[BFSIZE]; /* Required */
char pszPath[BFSIZE]; /* Required */
char pszClass[BFSIZE]; /* Required */
int nResolution; /* Required */
int nLoginMaxFailures; /* Required */
int nLoginMaxInactivity; /* Required */
int nLoginInactivityWarn;
int nLoginDaysGrace; /* Required */
char pszDictionaryName[BFSIZE];
int nDictionaryPartial; /* Required */
int nExpirationDelay; /* Required */
int nReenablement; /* Required */
int nPasswordBehavior; /* Required */
char pszPasswordServicesRedirect[BFSIZE];
int nPWMaxLength; /* Required */
int nPWMinLength; /* Required */
int nPWMaxRepeatingChar; /* Required */
int nPWMinAlphaNum; /* Required */
int nPWMinAlpha; /* Required */
int nPWMinNonAlpha; /* Required */
int nPWMinNonPrintable; /* Required */
int nPWMinNumbers; /* Required */
int nPWMinPunctuation; /* Required */
int nPWReuseCount; /* Required */
int nPWReuseDelay; /* Required */
int nPWPercentDifferent; /* Required */
int nPWPercentSequence; /* Required */
int nPWSpecialsLength; /* Required */
struct Sm_PolicyApi_PasswordPolicy_s* next;
int nPriority; /* Required */
int nPWMinLowerAlpha; /* Required */
int nPWMinUpperAlpha; /* Required */
int nReserved1;
int nReserved2;
int nReserved3;
int nReserved4[BFSIZE];
} Sm_PolicyApi_PasswordPolicy_t;
|
Field |
Description |
|---|---|
|
iStructId |
Password policy data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the password policy object. |
|
pszName |
Name of the password policy. |
|
pszDesc |
Brief description of the password policy object. |
|
bEntireDir |
Flag: Set to true to apply the password policy to the entire LDAP directory. |
|
bIsEnabled |
Flag: Set to true to enable the password policy. |
|
pszUserDirectoryOid |
Object identifier of the user directory to which the password policy will apply. |
|
pszPath |
If bEntireDir is set to false, use this field to specify the users to whom the password policy applies. For example, values you can specify include:
See nResolution for more information. |
|
pszClass |
If bEntireDir is set to false, use this field to specify the object class where the password policy applies. Specify the object class as understood by a particular user directory, such as organizationalUnit in LDAP or User in NT. |
|
nResolution |
A constant that shows how the password policy applies to the users specified in pszPath. For example:
Sm_PolicyResolution_UserGroup
Sm_PolicyResolution_GroupProp Policy resolution constants are defined in Sm_PolicyResolution_t. |
|
nLoginMaxFailures |
Maximum number of failed login attempts a user can make before the user account is disabled. |
|
nLoginMaxInactivity |
Number of days of inactivity allowed before a user's password expires. The account is not disabled until the user tries to log in after the expiration. |
|
nLoginInactivityWarn |
Reserved. |
|
nLoginDaysGrace |
Number of days in advance to notify user that the password will expire. |
|
pszDictionaryName |
The location of a dictionary file that lists words that cannot be used in a password. |
|
nDictionaryPartial |
The minimum number of letters to qualify for dictionary checking. For example, set this field to 5 to avoid checking words of 4 or fewer characters. Set this field to 0 to reject only passwords that match a word in the dictionary exactly. |
|
nExpirationDelay |
Number of days of inactivity allowed before user account is disabled. |
|
nReenablement |
Specifies the number of minutes a user must wait before attempting to log in again or before the user's account is re-enabled. The condition that applies after the nReenablement time period is determined by the following flag (which is set through nPasswordBehavior): Sm_PasswordPolicyBehavior_ |
|
nPasswordBehavior |
Bit mask flags expressing the behavior of the password policy, as defined in Sm_PasswordPolicyBehavior_t. You can also set recursive behavior for the password policy through the additional password behavior flag below. Use this flag to indicate that the password policy applies to the group specified in pszPath and to any groups nested within it: Sm_PolicyBehavior_Recursive_Yes All password behavior flags are defined in SmApi.h. |
|
pszPasswordServices |
The URL to which the user should be redirected when an invalid password is entered. This must be the URL of the Password Services CGI. |
|
nPWMaxLength |
The maximum length for user passwords. |
|
nPWMinLength |
Minimum length for user passwords. |
|
nPWMaxRepeatingChar |
Maximum number of identical characters that can appear consecutively in a password. |
|
nPWMinAlphaNum |
Minimum number of alphabetic or numeric characters (A-Z, a-z, or 0-9) that a password must contain. May be set in conjunction with PWMinAlpha or PWMinNumbers. For example, if PWMinAlphaNum and PWMinNumbers are set to 4, the password 1234 is valid. |
|
nPWMinAlpha |
Minimum number of alphabetic characters (A-Z, a-z) a password must contain. |
|
nPWMinNonAlpha |
Minimum number of non-alphanumeric characters a password must contain. These characters include punctuation marks and other symbols located on the keyboard, such as "@", "$", and "*." |
|
nPWMinNonPrintable |
Minimum number of non-printable characters that must be in a password. These characters cannot be displayed on a computer screen. |
|
nPWMinNumbers |
Minimum number of numeric characters (0-9) a password must contain. |
|
nPWMinPunctuation |
Minimum number of punctuation marks a password must contain. These characters include periods, commas, exclamation marks, slashes, hyphens, dashes, and other marks used for punctuation. |
|
nPWReuseCount |
Number of new passwords that must be used before an old one can be reused. |
|
nPWReuseDelay |
Number of days a user must wait before reusing a password. |
|
nPWPercentDifferent |
The percentage of characters a new password must contain that differ from characters in the previous password. If the value is set to 100, the new password may contain no characters that were in the previous password, unless nPWPercentSequence is set to 0. |
|
nPWPercentSequence |
Flag that indicates whether to ignore sequence (character position) when the different-from-previous-characters percentage is calculated. To ignore character position, set nPWPercentSequence to 1. This flag works in conjunction with nPWPercentDifferent. For examples of how this parameter works with nPWPercentDifferent, see Figure 31 on page 150. |
|
nPWSpecialsLength |
Specifies the minimum character sequence to check against the user's personal information. For example, if this value is set to 4, SiteMinder prohibits the use of any four consecutive characters found in the user's personal information, such as the four last digits of the user's telephone number. This field prevents a user from incorporating personal information in a password. SiteMinder checks the password against attributes in the user's directory entry. |
|
next |
Pointer to the next registration scheme structure. |
|
nPriority |
Priority of password policy, when multiple password policies apply. The value can be any integer, including a negative one. The higher number has priority over the lower number. |
|
nPWMinLowerAlpha |
Minimum number of lowercase alphabetic characters. |
|
nPWMinUpperAlpha |
Minimum number of uppercase alphabetic characters. |
Defines a SiteMinder Policy object.
Syntax
typedef struct Sm_PolicyApi_Policy_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszActiveExpr[BFSIZE];
bool bIsEnabled; /* Required */
char pszDomainOid[BFSIZE]; /* Required */
long nStartTime;
long nEndTime;
unsigned char pszTimeGrid[TIMESIZE];
Sm_PolicyApi_IPAddress_t *pIPAddress;
struct Sm_PolicyApi_Policy_s* next;
char pszVariableExpr[BFSIZE]
Sm_PolicyApi_Oid_t* pVariableList;
} Sm_PolicyApi_Policy_t;
|
Field |
Description |
|---|---|
|
iStructId |
Policy data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Policy object. |
|
pszName |
Name of the Policy. |
|
pszDesc |
Brief description of the Policy. |
|
pszActiveExpr |
Active expression associated with the policy. The expression is a string of variable definitions in the following format. The non-alphanumeric characters are required characters. For example: In the format example:
|
|
bIsEnabled |
Flag to enable or disable the policy. |
|
pszDomainOid |
The object identifier of the domain. Required for domain-specific policy; ignored for global policy. |
|
nStartTime |
The time when the time restriction becomes effective. This value is stored in standard time_t format. Set nStartTime to 0 to start the time restriction immediately. |
|
nEndTime |
The time when the time restriction expires. This value is stored in standard time_t format. Set nEndTime to 0 to end the time restriction immediately. |
|
pszTimeGrid |
An array containing time restrictions for an entire week. |
|
pIPAddress |
IP address that user must use in order to gain access to the resources governed by the Policy. |
|
next |
Pointer to the next Policy structure. |
|
pszVariableExpr |
Unique object identifier that corresponds to a variable type. |
|
pVariableList |
Linked list of variable OIDs used by this expression. |
The time grid array (used with the field pszTimeGrid) holds time restrictions for an entire week. The array contains a one-byte element for every hour of the day, starting with 12 AM. In every byte, the seven days of the week are represented, beginning with Sunday as the lowest order bit. Bits that are set enable the policy to fire. A zero bit prevents the policy from firing on that day during the associated hour.
Examples:
3E7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F
7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F7F
6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F6F
7F7F7F7F7F7F7F7F7C7C7F7F7F7F7F7F7F7F7F7F7F7F7F7F
00000000000000007F7F7F7F7F7F7F7F7F7F7F7F00000000
Defines a SiteMinder Policy Link object.
Syntax
typedef struct Sm_PolicyApi_PolicyLink_s
{
int iStructId;
char pszOid[BFSIZE];
char pszRuleOid[BFSIZE]; /* Required */
char pszResponseOid[BFSIZE];
struct Sm_PolicyApi_PolicyLink_s* next;
} Sm_PolicyApi_PolicyLink_t;
|
Field |
Description |
|---|---|
|
iStructId |
Policy Link data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Policy Link object. |
|
pszRuleOid |
Object identifier of the rule. |
|
pszResponseOid |
Object identifier of the response. |
|
next |
Pointer to the next Policy Link structure. |
Sm_PolicyApi_Realm_t type defines a SiteMinder Realm object.
Syntax
typedef struct Sm_PolicyApi_Realm_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszResourceFilter[BFSIZE];
char pszAgentOid[BFSIZE]; /* Required */
char pszSchemeOid[BFSIZE]; /* Required */
char pszParentRealmOid[BFSIZE]; /* Required */
char pszDomainOid[BFSIZE]; /* Required */
char pszAzUserDirOid[BFSIZE]; /* Required */
char pszRegSchemeOid[BFSIZE]; /* Required */
bool bProcessAuthEvents; /* Required */
bool bProcessAzEvents; /* Required */
bool bProtectAll; /* Required */
int nMaxTimeout; /* Required */
int nIdleTimeout; /* Required */
bool bSyncAudit; /* Required */
struct Sm_PolicyApi_Realm_s* next;
} Sm_PolicyApi_Realm_t;
|
Field |
Description |
|---|---|
|
iStructId |
Realm data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Realm object. |
|
pszName |
Name of the realm. |
|
pszDesc |
Brief description of the realm. |
|
pszResourceFilter |
Path for the resource filter. |
|
pszAgentOid |
Object identifier of the agent or agent group associated with the realm. |
|
pszSchemeOid |
Object identifier of the authentication scheme associated with the realm. |
|
pszParentRealmOid |
Object identifier of the parent realm under which this realm will be added. If the realm being added is the top realm in the realm hierarchy, set this field to the domain OID. Otherwise, set it to the parent realm OID. |
|
pszDomainOid |
Object identifier of the domain. |
|
bProcessAuthEvents |
Boolean to trigger this rule in an event of authentication attempts. Authentication event processing affects performance. If no rules in the realm are triggered by authentication events, set this field to false. |
|
bProcessAzEvents |
Boolean to trigger this rule in an event of authorization attempts. Authorization event processing affects performance. If no rules in the realm are triggered by authorization events, set this field to false. |
|
bProtectAll |
Boolean to protect all the resources contained in the new realm. |
|
nMaxTimeout |
Maximum amount of time a user can access the protected resources in the realm before they must re-authenticate. |
|
nIdleTimeout |
Amount of time a user can remain authenticated for the protected resources in the realm without interacting with the resources before they must re-authenticate. |
|
bSyncAudit |
Boolean to enable synchronous auditing. When enabled, users cannot access resources within a realm until their activity has been successfully recorded in the audit logs of both the Policy Server and the Web Agent. |
|
pszAzUserDirOid |
OID of the directory against which users accessing resources in this realm will be authorized. |
|
pszRegSchemeOid |
OID of the registration scheme that will be used to register new users accessing resources in this realm. |
|
next |
Pointer to the next realm structure. |
Defines a SiteMinder registration scheme object.
Syntax
typedef struct Sm_PolicyApi_RegistrationScheme_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszUserDirOid[BFSIZE]; /* Required */
char pszWelcomePageURL[BFSIZE];
char pszTemplatePath[BFSIZE];
bool bEnableLogging; /* Required */
struct Sm_PolicyApi_RegistrationScheme_s* next;
} Sm_PolicyApi_RegistrationScheme_t;
|
Field |
Description |
|---|---|
|
iStructId |
Registration scheme data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the registration scheme object. |
|
pszName |
Name of the registration scheme. |
|
pszDesc |
Brief description of the registration scheme. |
|
pszUserDirOid |
Object identifier of the LDAP user directory in which user information is stored. |
|
pszWelcomePageURL |
Location of the form used to welcome users who registered and who have been successfully authenticated. |
|
pszTemplatePath |
Location of a registration template. |
|
bEnableLogging |
Flag to indicate whether to log registration information. Set this flag to true to enable logging. |
|
next |
Pointer to the next registration scheme structure. |
Defines a regular expression.
Syntax
typedef struct Sm_PolicyApi_RegularExpression_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE];
char ExpressionDef[BFSIZE];
bool matchExpression;
struct Sm_PolicyApi_RegularExpression_s *next;
} Sm_PolicyApi_RegularExpression_t;
|
Field |
Description |
|---|---|
|
iStructId |
Regular expression structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the regular expression object. |
|
pszName |
Name of the regular expression. |
|
ExpressionDef |
Definition of the regular expression. |
|
matchExpression |
1 if password must match this expression. 0 if password must not match this expression. |
|
next |
Pointer to the next regular expression structure. |
Defines a SiteMinder Response object.
Syntax
typedef struct Sm_PolicyApi_Response_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszAgentTypeOid[BFSIZE]; /* Required */
char pszDomainOid[BFSIZE]; /* Required */
struct Sm_PolicyApi_Response_s* next;
} Sm_PolicyApi_Response_t;
|
Field |
Description |
|---|---|
|
iStructId |
Response data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Response object. |
|
pszName |
Name of the Response. |
|
pszDesc |
Brief description of the Response. |
|
pszAgentTypeOid |
The object identifier of the agent type. |
|
pszDomainOid |
The object identifier of the domain. Required for a domain-specific response; ignored for a global response. |
|
next |
Pointer to the next Response structure. |
Defines a SiteMinder Response attribute object.
Syntax
typedef struct Sm_PolicyApi_ResponseAttr_s
{
int iStructId;
char pszOid[BFSIZE];
char pszAgentTypeAttrOid [BFSIZE]; /* Required */
char pszValue[BFSIZE];
int iTTL; /* Required */
int iFlags;
struct Sm_PolicyApi_ResponseAttr_s* next;
char pszActiveExpr[BFSIZE];
Sm_PolicyApi_Oid_t* pVariableList;
} Sm_PolicyApi_ResponseAttr_t;
|
Field |
Description |
|---|---|
|
iStructId |
Response Attribute data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the Response Attribute object. |
|
pszAgentTypeAttrOid |
The object identifier of the agent type attribute. |
|
pszValue |
A response attribute type, as described in Response Attribute Types. |
|
iTTL |
Amount of time (in seconds) that can elapse before the value of the response attribute is recalculated. |
|
iFlags |
Reserved. |
|
next |
Pointer to the next Response Attribute structure. |
|
pszActiveExpr |
Active expression associated with the response attribute. For information, see the bullet "Active Response" in the section Response Attribute Types. |
|
pVariableList |
Linked list of variable OIDs used by the active expression. |
The field pszValue contains one of the following response attribute types:
Note: The non-alphanumeric characters in the formats below are required characters.
variable-name=variable-value
In the format example:
User-Attr-variable-name=<%userattr="user-attr-name"%>
In the format example:
DN-Variable-Name=<#dn="DN-Spec" attr="DN-Attribute-Name"#>
In the format example:
Name=<@lib="LibName" func="FuncName" param="Param"@>
In the format example:
Note: For information about configuring active expressions in responses, rules, or policies, see Policy Design.
Defines a SiteMinder Rule object.
Syntax
typedef struct Sm_PolicyApi_Rule_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
char pszRealmOid[BFSIZE]; /* Required */
char pszAction[BFSIZE]; /* Required */
char pszResource[2*BFSIZE];
bool bAllowAccess; /* Required */
bool bRegularExpression; /* Required */
char pszActiveExpr[BFSIZE];
bool bIsEnabled; /* Required */
long nStartTime;
long nEndTime;
unsigned char pszTimeGrid[TIMESIZE];
struct Sm_PolicyApi_Rule_s* next;
char pszAgentOid[BFSIZE]; /* Required */
} Sm_PolicyApi_Rule_t;
|
Field |
Description |
|---|---|
|
iStructId |
Rule data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the rule object. |
|
pszName |
Name of the Rule. |
|
pszDesc |
Brief description of the rule. |
|
pszRealmOid |
Object identifier of the Realm associated with the rule. Required for a domain-specific rule; ignored for a global rule. |
|
pszAction |
The type of action the rule is executing. The supported Web Agent Actions consist of the following HTTP operations: Get, Put, and Post. |
|
pszResource |
Resource protected by the rule. |
|
bAllowAccess |
Flag to allow or deny access to the resource protected by the rule. |
|
bRegularExpression |
Flag to perform regular expression pattern matching. Regular expressions are text patterns used for string matching.
|
|
pszActiveExpr |
Active expression associated with the rule. The expression is a string of variable definitions in the following format: The non-alphanumeric characters are required characters .For example: In the format example:
|
|
dbIsEnabled |
Flag to enable or disable the rule. |
|
nStartTime |
The time when the time restriction becomes effective. This value is stored in standard time_t format. Set nStartTime to 0 to start the time restriction immediately. |
|
nEndTime |
The time when the time restriction expires. This value is stored in standard time_t format. Set nEndTime to 0 to end the time restriction immediately. |
|
pszTimeGrid |
An array containing time restrictions for an entire week. |
|
next |
Pointer to the next rule structure. |
|
pszAgentOid |
Object identifier of agent or agent group associated with the global rule. |
Defines a SAML 2.0 affiliation object. A SAML 2.0 affiliation is a set of entities that share a single federated namespace of unique Name IDs for principals.
Syntax
typedef struct Sm_PolicyApi_SAMLAffiliation_s
{
int iStructId;
Sm_PolicyApi_SAMLProviderProp_t *pProps;
struct Sm_PolicyApi_SAMLAffiliation_s *next;
} Sm_PolicyApi_SAMLAffiliation_t;
|
Field |
Description |
|---|---|
|
iStructId |
SAML affiliation structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pProps |
SAML 2.0 metadata properties associated with the affiliation. If you do not assign a value to a property associated with a default value, the default will be assigned. |
|
next |
Pointer to the next SAML affiliation structure. |
Defines a SAML 2.0 metadata property as a name/value pair.
An Sm_PolicyApi_SAMLProviderProp_t structure consists of a single name/value pair. You define a set of properties for a given SAML 2.0 object through a linked list of Sm_PolicyApi_SAMLProviderProp_t structures.
Use the following structures and function to define a set of properties for a SAML 2.0 Service Provider, affiliation, or authentication scheme and associated Identity Provider:
Syntax
typedef struct Sm_PolicyApi_SAMLProviderProp_s
{
int iStructId;
char pszName[BFSIZE];
char pszValue[BFSIZE];
struct Sm_PolicyApi_SAMLProviderProp_s *next;
} Sm_PolicyApi_SAMLProviderProp_t;
|
Field |
Description |
|---|---|
|
iStructId |
SAML 2.0 properties structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszName |
The property name. See Property Lists for a list of valid property names. |
|
pszValue |
The value to assign to pszName. |
|
next |
Pointer to the next SAML 2.0 properties structure. |
Example
The following is an example of a helper method that creates an instance of Sm_PolicyApi_SAMLProviderProp_t and assigns it the name/value pair that is passed into it:
Sm_PolicyApi_SAMLProviderProp_t * CreateSAMLProp(
const char *pszName,
const char *pszValue)
{
Sm_PolicyApi_SAMLProviderProp_t * pProp = new
Sm_PolicyApi_SAMLProviderProp_t;
memset(pProp, 0, sizeof(Sm_PolicyApi_SAMLProviderProp_t));
pProp->iStructId = Sm_PolicyApi_SAMLProviderProp_ID;
strncpy(pProp->pszName, pszName, BFSIZE);
strncpy(pProp->pszValue, pszValue, BFSIZE);
return pProp;
}
The following is an example of a helper method that retrieves the value of the property whose name is passed into it:
char * FindSAMLParam(const Sm_PolicyApi_SAMLSP_t *pStructSP,
const char *pszName)
{
for(Sm_PolicyApi_SAMLProviderProp_t *pCurProp=pStructSP->pProps;
pCurProp != NULL;
pCurProp = pCurProp->next)
{
if (0 == strcmp(pCurProp->pszName, pszName))
{
return pCurProp->pszValue;
}
}
return NULL;
}
Property Lists
Each Sm_PolicyApi_SAMLProviderProp_t structure contains a SAML 2.0 metadata property defined as a name/value pair. A complete set of properties for a particular SAML 2.0 object is defined as a linked list of Sm_PolicyApi_SAMLProviderProp_t structures.
The following metadata properties apply to a given type of SAML 2.0 object:
Note: Some properties are used with multiple object types.
Service Provider Properties
A Service Provider object contains information that an Identity Provider needs to produce assertions for the Service Provider. Service Provider properties are stored within an Sm_PolicyApi_SAMLSP_t structure.
The properties of a SAML 2.0 Service Provider object are listed following.
|
Property Name |
Comments |
|---|---|
|
General Properties |
|
|
SAML_NAME |
String, required. |
|
SAML_DESCRIPTION |
String. |
|
SAML_SP_AUTHENTICATION_URL |
String, required. |
|
SAML_ENABLED |
Boolean. Default: SAML_TRUE. |
|
SAML_SP_DOMAIN |
String, required. |
|
Name IDs Tab |
|
|
SAML_SP_NAMEID_FORMAT |
String. Default: Unspecified. |
|
SAML_SP_NAMEID_TYPE |
Integer.
Default: 1. |
|
SAML_SP_NAMEID_STATIC |
String. Required conditionally. |
|
SAML_SP_NAMEID_ATTRNAME |
String. Required conditionally. |
|
SAML_SP_NAMEID_DNSPEC |
String. Required conditionally. |
|
SAML_AFFILIATION |
String. |
|
SAML_KEY_SPID |
String, required. |
|
|
String, required. |
|
SAML_MAJOR_VERSION |
Integer. Default: 2. |
|
SAML_MINOR_VERSION |
Integer. Default: 0. |
|
SAML_SKEWTIME |
Integer. Default: 30. |
|
SAML_DISABLE_SIGNATURE_ |
Boolean. Default: SAML_FALSE. |
|
SAML_DSIG_VERINFO_ISSUER_DN |
String. Required conditionally. |
|
SAML_DSIG_VERINFO_SERIAL_NUMBER |
String. Required conditionally. |
|
SSO Properties |
|
|
SAML_AUDIENCE |
String, required. |
|
SAML_SP_ASSERTION_CONSUMER_ |
String, required. |
|
SAML_ENABLE_SSO_ARTIFACT_ |
Boolean. Default: SAML_FALSE. |
|
SAML_SP_ARTIFACT_ENCODING |
String. Default: FORM. Applies if no value is provided and SAML_ENABLE_SSO_ |
|
SAML_SP_IDP_SOURCEID |
String. Default: A hex-encoded SHA-1 hash of the SAML_SP_IDPID value. |
|
SAML_SP_PASSWORD |
String. Required conditionally (see page 34). |
|
SAML_ENABLE_SSO_POST_BINDING |
Boolean. Default: SAML_FALSE. |
|
SAML_SSOECPPROFILE |
Boolean. Default: SAML_FALSE. |
|
SAML_SP_REQUIRE_SIGNED_ |
Boolean. Default: SAML_FALSE. |
|
SAML_SP_AUTHENTICATION_LEVEL |
Integer. Default: 5. |
|
SAML_SP_AUTHN_CONTEXT_CLASS_REF |
String. Default: urn:oasis:names:tc:SAML: |
|
SAML_SP_VALIDITY_DURATION |
Integer. Default: 60. |
|
SAML_SP_STARTTIME |
Long. |
|
SAML_SP_ENDTIME |
Long. |
|
SLO Properties |
|
|
SAML_SLO_REDIRECT_BINDING |
Boolean. Default: SAML_FALSE. |
|
SAML_SLO_SERVICE_VALIDITY_ |
Integer. Default: 60. Applies if no value is provided and SAML_SLO_REDIRECT_BINDING is SAML_TRUE. |
|
SAML_SLO_SERVICE_URL |
String. Required conditionally. |
|
SAML_SLO_SERVICE_RESPONSE_URL |
String. |
|
SAML_SLO_SERVICE_CONFIRM_URL |
String. |
|
IPD Properties |
|
|
SAML_SP_ENABLE_IPD |
Boolean. Default: SAML_FALSE. |
|
SAML_SP_IPD_SERVICE_URL |
String. Required conditionally. |
|
SAML_SP_COMMON_DOMAIN |
String. Required conditionally. |
|
SAML_SP_PERSISTENT_COOKIE |
Boolean. Default: SAML_FALSE. |
|
Encryption Properties |
|
|
SAML_SP_ENCRYPT_ID |
Boolean. Default: SAML_FALSE. |
|
SAML_SP_ENCRYPT_ASSERTION |
Boolean. Default: SAML_FALSE. |
|
SAML_SP_ENCRYPT_BLOCK_ALGO |
String.
Default: tripledes. |
|
SAML_SP_ENCRYPT_KEY_ALGO |
String.
Default: rsa-v15. |
|
SAML_SP_ENCRYPT_CERT_ISSUER_DN |
String. Required conditionally. |
|
SAML_SP_ENCRYPT_CERT_SERIAL_ |
String. Required conditionally. |
|
Attribute Service Properties |
|
|
SAML_SP_ATTRSVS_ENABLE |
Boolean. Default: False (0). |
|
SAML_SP_ATTRSVS_VALIDITY_DURATION |
Integer. Default: 60 (seconds) |
|
SAML_SP_ATTRSVS_SIGN_ASSERTION |
Boolean. Default: False (0). |
|
SAML_SP_ATTRSVS_LDAP_SEARCH_SPEC |
String. |
|
SAML_SP_ATTRSVS_ODBC_SEARCH_SPEC |
String. |
|
SAML_SP_ATTRSVS_WINNT_SEARCH_SPEC |
String. |
|
SAML_SP_ATTRSVS_CUSTOM_SEARCH_SPEC |
String. |
|
SAML_SP_ATTRSVS_AD_SEARCH_SPEC |
String. |
|
Advanced Properties |
|
|
SAML_SP_PLUGIN_CLASS |
String. |
|
SAML_SP_PLUGIN_PARAMS |
String. |
SAML Affiliation Properties
The properties of a SAML 2.0 affiliation object are listed below. Properties are grouped according to the way they are presented on the SAML Affiliation Properties dialog box.
SAML affiliation properties are stored within an Sm_PolicyApi_SAMLAffiliation_t structure.
|
Property Name |
Comments |
|
|---|---|---|
|
General Properties |
||
|
SAML_NAME |
String, required. |
|
|
SAML_DESCRIPTION |
String |
|
|
SAML_KEY_AFFILIATION_ID |
String, required. |
|
|
SAML_MAJOR_VERSION |
Integer. Default: 2. |
|
|
SAML_MINOR_VERSION |
Integer. Default: 0. |
|
|
SAML_OID |
String. SiteMinder supplies the object identifier when an affiliation object is created. |
|
|
Name IDs Tab |
||
|
SAML_SP_NAMEID_FORMAT |
String.
Default: Unspecified. |
|
|
SAML_SP_NAMEID_TYPE |
Integer.
Default: 1. |
|
|
SAML_SP_NAMEID_STATIC |
String. Required conditionally. |
|
|
SAML_SP_NAMEID_ATTRNAME |
String. Required conditionally. |
|
|
SAML_SP_NAMEID_DNSPEC |
String. Required conditionally. |
|
|
Users Tab |
||
|
SAML_IDP_XPATH |
String. |
|
|
SAML_IDP_LDAP_SEARCH_SPEC |
String. |
|
|
SAML_IDP_ODBC_SEARCH_SPEC |
String. |
|
|
SAML_IDP_WINNT_SEARCH_SPEC |
String. |
|
|
SAML_IDP_CUSTOM_SEARCH_SPEC |
String. |
|
|
SAML_IDP_AD_SEARCH_SPEC |
String. |
|
SAML 2.0 Authentication Scheme Properties
The properties listed in this section define:
You define a SAML 2.0 authentication scheme to represent an Identity Provider for a particular Service Provider.
The properties of a SAML 2.0 authentication scheme and its associated Identity Provider are listed below. Properties are grouped according to the way they are presented on the SAML Authentication Scheme Properties dialog box for the SAML 2.0 Template.
You define properties for a SAML 2.0 authentication scheme and its associated Identity Provider by calling Sm_PolicyApi_AddSAMLScheme().
|
Property Name |
Comments |
|
|---|---|---|
|
General Properties |
||
|
SAML_NAME |
String, required. |
|
|
SAML_DESCRIPTION |
String |
|
|
Scheme Setup Tab |
||
|
SAML_IDP_SPID |
String, required. |
|
|
SAML_KEY_IDPID |
String, required. |
|
|
SAML_MAJOR_VERSION |
Integer. Default: 2. |
|
|
SAML_MINOR_VERSION |
Integer. Default: 0. |
|
|
SAML_SKEWTIME |
Integer. Default: 30. |
|
|
SAML_DISABLE_SIGNATURE_ |
Boolean. Default: SAML_FALSE. |
|
|
SAML_DSIG_VERINFO_ISSUER_DN |
String. Required conditionally (see page 9). |
|
|
SAML_DSIG_VERINFO_SERIAL_NUMBER |
String. Required conditionally (see page 10). |
|
|
Additional Configuration - Users Tab |
||
|
SAML_IDP_XPATH |
String. |
|
|
SAML_IDP_LDAP_SEARCH_SPEC |
String. |
|
|
SAML_IDP_ODBC_SEARCH_SPEC |
String. |
|
|
SAML_IDP_WINNT_SEARCH_SPEC |
String. |
|
|
SAML_IDP_CUSTOM_SEARCH_SPEC |
String. |
|
|
SAML_IDP_AD_SEARCH_SPEC |
String. |
|
|
SAML_AFFILIATION |
String. |
|
|
Additional Configuration - SSO Tab |
||
|
SAML_IDP_SSO_REDIRECT_MODE |
Integer. Default: 0. |
|
|
SAML_IDP_SSO_DEFAULT_SERVICE |
String, required. |
|
|
SAML_AUDIENCE |
String, required. |
|
|
SAML_IDP_SSO_TARGET |
String. |
|
|
SAML_ENABLE_SSO_ARTIFACT_ |
Boolean. Default: SAML_FALSE. |
|
|
SAML_KEY_IDP_SOURCEID |
String. Default: A hex-encoded SHA-1 hash of the SAML_KEY_IDPID value. |
|
|
SAML_IDP_ARTIFACT_RESOLUTION_ |
String. Required conditionally (see page 12). |
|
|
SAML_IDP_BACKCHANNEL_AUTH_TYPE |
Integer. Default: 0. |
|
|
SAML_IDP_SPNAME |
String. Required conditionally (see page 19). |
|
|
SAML_IDP_PASSWORD |
String. Required conditionally (see page 14). |
|
|
SAML_ENABLE_SSO_POST_BINDING |
Boolean. Default: SAML_FALSE. |
|
|
SAML_IDP_SSO_ENFORCE_SINGLE_ |
Boolean. Default: SAML_TRUE. |
|
|
SAML_SSOECPPROFILE |
Boolean. Default: SAML_FALSE. |
|
|
SAML_IDP_SIGN_AUTHNREQUESTS |
Boolean. Default: SAML_FALSE. |
|
|
Additional Configuration - SLO Tab |
||
|
SAML_SLO_REDIRECT_BINDING |
Boolean. Default: SAML_FALSE. |
|
|
SAML_SLO_SERVICE_VALIDITY_ |
Integer. Default: 60. Applies if no value is provided and SAML_SLO_REDIRECT_BINDING is SAML_TRUE. |
|
|
SAML_SLO_SERVICE_URL |
String. Required conditionally. |
|
|
SAML_SLO_SERVICE_RESPONSE_URL |
String. |
|
|
SAML_SLO_SERVICE_CONFIRM_URL |
String. |
|
|
Additional Configuration - Encryption Tab |
||
|
SAML_IDP_REQUIRE_ENCRYPTED_ |
Boolean. Default: SAML_FALSE. |
|
|
SAML_IDP_REQUIRE_ENCRYPTED_ |
Boolean. Default: SAML_FALSE. |
|
|
Additional Configuration - Attributes Tab |
||
|
SAML_IDP_SAMLREQ_ENABLE |
Boolean. Default: False (0). |
|
|
SAML_IDP_SAMLREQ_REQUIRE_SIGNED_ ASSERTION |
Boolean. Default: False (0). |
|
|
SAML_IDP_SAMLREQ_ATTRIBUTE_SERVICE |
String. |
|
|
Additional Configuration - NameID tab |
||
|
SAML_IDP_SAMLREQ_NAMEID_FORMAT |
String. |
|
|
SAML_IDP_SAMLREQ_NAMEID_TYPE |
Integer. Default: 1 (User Attribute) |
|
|
SAML_IDP_SAMLREQ_NAMEID_STATIC |
String. |
|
|
SAML_IDP_SAMLREQ_NAMEID_ATTR_NAME |
String. |
|
|
SAML_IDP_SAMLREQ_NAMEID_DN_SPEC |
String. |
|
|
SAML_IDP_SAMLREQ_NAMEID_ALLOW_ NESTED |
Boolean. Deafult: False (0). |
|
|
Additional Configuration - Advanced Tab |
||
|
SAML_SP_PLUGIN_CLASS |
String. |
|
|
SAML_SP_PLUGIN_PARAMS |
String. |
|
|
SAML_IDP_REDIRECT_URL_USER_ |
String. |
|
|
SAML_IDP_REDIRECT_MODE_USER_ |
Integer. Default: 0. |
|
|
SAML_IDP_REDIRECT_URL_FAILURE |
String. |
|
|
SAML_IDP_REDIRECT_MODE_FAILURE |
Integer. Default: 0. |
|
|
SAML_IDP_REDIRECT_URL_INVALID |
String. |
|
|
SAML_IDP_REDIRECT_MODE_INVALID |
Integer. Default: 0. |
|
Defines an attribute that can be requested by a SAML Requester in an AttributeQuery message.
Syntax
typedef struct Sm_PolicyApi_SAMLRequesterAttr_s
{
int iStructId;
Sm_PolicyApi_SAMLSPAttrNameFormat_t nAttrNameFormat;
char pszLocalName[BFSIZE];
char pszName[BUFSIZE];
struct Sm_PolicyApi_SAMLRequesterAttr_s* next;
} Sm_PolicyApi_SAMLRequesterAttr_t;
|
Field |
Description |
|---|---|
|
iStructId |
SAML attribute structure ID, defined in Sm_PolicyApi_Structs_t. |
|
nAttrNameFormat |
The format of the attribute name, as defined by the SAML 2.0 standard. |
|
pszLocalName |
Name of the attribute as defined in the SAML 2.0 authentication scheme. |
|
pszName |
Actual name of the attribute requested from the Attribute Authority. |
|
next |
Pointer to the next requester attribute structure. |
Defines a SAML 2.0 Service Provider object for an Identity Provider.
A Service Provider offers services (such as access to applications and other resources) to principals within a federation.
Syntax
typedef struct Sm_PolicyApi_SAMLSP_s
{
int iStructId;
Sm_PolicyApi_SAMLProviderProp_t *pProps;
Sm_PolicyApi_IPAddress_t *pIPAddress;
unsigned char pszTimeGrid[TIMESIZE];
struct Sm_PolicyApi_SAMLSP_s *next;
} Sm_PolicyApi_SAMLSP_t;
|
Field |
Description |
|---|---|
|
iStructId |
SAML Service Provider structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pProps |
SAML 2.0 metadata properties associated with the Service Provider. If you do not assign a value to a property associated with a default value, the default will be assigned. |
|
pIPAddress |
The Service Provider's IP address. |
|
pszTimeGrid |
An array containing time restrictions for an entire week. |
|
next |
Pointer to the next Service Provider structure. |
Defines a structure that supports the Assertion Consumer Service.
Syntax
typedef struct Sm_PolicyApi_SAMLSPAssertionConsumerService_s
{
int iStructId;
int iIndex;
Sm_PolicyApi_SAMLSPACSBinding_t nACSBinding;
char pszAssertionConsumerURL[BFSIZE};
bool bIsDefault;
struct Sm_PolicyApi_SAMLSPAssertionConsumerService_s* next;
} Sm_PolicyApi_SAMLSPAsserttionConsumer_t;
|
Field |
Description |
|---|---|
|
iStructId |
SAML Assertion Consumer Service ID, defined in Sm_PolicyApi_Structs_t. |
|
iIndex |
Index value assigned to this Assertion Consumer Service. The value must be 0 or a positive integer. |
|
nACSBinding |
One of the following bindings associated with the Assertion Consumer Service:
|
|
pszAssertionConsumer- |
Location of the Assertion Consumer Service. In the case of the HTTP-Artifact binding, this is the URL that contains a SAML artifact and target as query parameters, which are used by the credential collector to obtain the SAML assertion and redirect the user to the target. In the case of the HTTP-Post binding, it is the destination site URL to which the user's browser must POST a generated assertion. |
|
bIsDefault |
Specifies whether this Assertion Consumer Service is the default. |
|
next |
Pointer to the defintion of the next Assertion Consumer Service. |
Defines an attribute of a principal for a particular SAML 2.0 Service Provider.
Syntax
typedef struct Sm_PolicyApi_SAMLSPAttr_s
{
int iStructId;
Sm_PolicyApi_SAMLSPAttrNameFormat_t nAttrNameFormat;
char pszValue[BFSIZE];
bool bEncrypted;
struct Sm_PolicyApi_SAMLSPAttr_s* next;
Sm_PolicyApi_SAMLSPAttrMode_t nMode;
} Sm_PolicyApi_SAMLSPAttr_t;
|
Field |
Description |
|---|---|
|
iStructId |
SAML attribute structure ID, defined in Sm_PolicyApi_Structs_t. |
|
nAttrNameFormat |
The format of the attribute name, as defined by the SAML 2.0 standard. |
|
pszValue |
The attribute's name and value, in one of these formats:
To allow SiteMinder to retrieve DN attributes from a nested group, begin DNSpec with an exclamation mark ( ! ). For example: |
|
bEncrypted |
Specifies whether the attribute is encrypted. |
|
next |
Pointer to the next attribute structure. |
|
nMode |
One of the three following uses of an attribute:
|
Defines a SiteMinder authentication scheme object.
Syntax
typedef struct Sm_PolicyApi_Scheme_s
{
int iStructId;
char pszOid[BFSIZE];
char pszName[BFSIZE]; /* Required */
char pszDesc[BFSIZE];
int nLevel; /* Required */
char pszLib[BFSIZE];
char pszParam[BFSIZE];
char pszSecret[BFSIZE];
bool bIsTemplate;
bool bIsUsedbyAdmin;
Sm_Api_SchemeType_t nType; /* Required */
bool bAllowSaveCreds; /* Required */
bool bIsRadius; /* Required */
bool bIgnorePwCheck; /* Required */
struct Sm_PolicyApi_Scheme_s* next;
} Sm_PolicyApi_Scheme_t;
|
Field |
Description |
|---|---|
|
iStructId |
Authentication scheme data structure ID, defined in Sm_PolicyApi_Structs_t. |
|
pszOid |
The object identifier of the authentication scheme object. |
|
pszName |
Name of the authentication scheme. |
|
pszDesc |
Brief description of the authentication scheme. |
|
nLevel |
The protection level of the authentication scheme. The level may vary from 1 through 1000. The higher the number, the more secure is the scheme. With Anonymous authentication schemes, set this value to 0. |
|
pszLib |
The name of the shared library that implements the custom authentication scheme. |
|
pszParam |
Information that is passed on to the custom authentication scheme. |
|
pszSecret |
A shared secret known to two parties for the purpose of establishing secure data exchange. This information is passed on to the custom authentication scheme. |
|
bIsTemplate |
Flag to indicate whether the authentication scheme is a template. Note: Setting an authentication scheme as a template with the C Policy Management API is deprecated in SDK v6.0 SP3. |
|
bIsUsedbyAdmin |
Flag to indicate if the custom authentication scheme can be used to authenticate administrators. |
|
nType |
The type of the authentication scheme, defined in Sm_Api_SchemeType_t. |
|
bAllowSaveCreds |
Flag to allow user credentials to be saved. |
|
bIsRadius |
Flag to indicate if the scheme is of type Radius. |
|
bIgnorePwCheck |
If this flag is set to true, password policies for the authentication scheme will be disabled. |
|
next |
Pointer to the next Scheme structure. |
|
Copyright © 2012 CA.
All rights reserved.
|
|