Authorization Function Declarations
Using the Authorization API, you can implement custom access control functionality. To implement custom access control functionality, you must:
The shared library must contain one or more functions defined as exportable symbols. SmApi.h defines all of the data structures necessary to create custom policy, rule, and response plug-ins.
For example, you might define an active policy that returns true if the user belongs to a particular organizational unit (ou) in an LDAP directory as defined in the parameter (param) field of the active policy expression.
For example, you might define an active response that returns a user’s common name (cn) if the user belongs to the ou specified in the param field of the active response expression.
For example, you might define an active rule that returns true if a user is a member of a group, such as Directory Administrator, that has permission to view a realm.
When extending the authorization API, include the SmApi.h header file:
#include "SmApi.h"
An active expression is a string of variable definitions that comprises an active policy, rule, or response. Active expressions are constructed in the Administrative UI using the following syntax:
<@ lib=<lib-spec> func=<func-spec> param=<func-params>@>
In the syntax example:
If you place the library in the default location, you need only specify the library file name rather than a path. Default locations are defined in Authorization API Overview.
The .dll or .so file extension is also optional.
SiteMinder constructs the active expression from information provided in the Active Rule Editor, Active Policy Editor, or Active Response Attribute Editor dialog box.
When SiteMinder detects an active expression, it performs the following tasks:
The following diagram illustrates the procedure:
The specified user-defined function in the shared library returns a result to SiteMinder in the lpszOutBuf parameter. SiteMinder interprets this result according to the type of active expression, as follows:
The policy does not fire if the result returned in lpszOutBuf matches any of the following strings (not case-sensitive): FALSE, F, or 0.
Any other result value causes the policy to fire.
Otherwise, the behavior is the same as for Active Policies.
For example, you could specify a group name in the optional param variable of the active expression, then test for the group name in the function to determine the URL to pass back.
You specify the cookie name in the SiteMinder Response Attribute Editor.
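As an added illustration (not code from SiteMinder or the SDK), the following C program parses the active expression syntax shown above and applies the lpszOutBuf rules for an active policy end to end; the library name SmAzTest, the function name CheckOu and the ou value are assumed sample values, and the plug-in is reduced to a plain C function rather than the SmApi.h prototype.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Value of key (lib, func or param) in an expression such as
   <@ lib=SmAzTest func=CheckOu param=engineering@>; a value ends at whitespace or "@>". */
int get_field(const char *expr, const char *key, char *dst, size_t dstlen)
{
    char pattern[32];
    snprintf(pattern, sizeof pattern, " %s=", key);   /* leading space: whole key only */
    const char *p = strstr(expr, pattern);
    if (!p || dstlen == 0) return -1;                 /* key absent or no room */
    size_t n = 0;
    for (p += strlen(pattern); p[n] && !isspace((unsigned char)p[n]) &&
         strncmp(p + n, "@>", 2) != 0 && n + 1 < dstlen; n++)
        dst[n] = p[n];
    dst[n] = '\0';
    return (int)n;                                    /* value length */
}
int field_equals(const char *expr, const char *key, const char *expected)
{
    char buf[128];
    return get_field(expr, key, buf, sizeof buf) >= 0 && strcmp(buf, expected) == 0;
}
/* SiteMinder's reading of lpszOutBuf: FALSE, F or 0 (any case) do not fire; anything else fires. */
int policy_fires(const char *out_buf)
{
    static const char *no_fire[] = { "FALSE", "F", "0" };
    for (int i = 0; i < 3; i++) {
        const char *a = out_buf, *b = no_fire[i];
        while (*a && *b && toupper((unsigned char)*a) == *b) a++, b++;
        if (!*a && !*b) return 0;                     /* whole-string, case-insensitive match */
    }
    return 1;
}
/* Hypothetical policy body (assumed name CheckOu): fire only when the user's ou equals param. */
int check_ou(const char *user_ou, const char *param, char *out_buf, size_t out_len)
{
    const char *verdict = strcmp(user_ou, param) == 0 ? "TRUE" : "FALSE";
    if (strlen(verdict) + 1 > out_len) return -1;    /* never overrun lpszOutBuf */
    strcpy(out_buf, verdict);
    return 0;
}
/* Full cycle: parse param, call the function, read the verdict. 1 = fire, 0 = no fire, -1 = error. */
int evaluate_ou_policy(const char *user_ou, const char *expr)
{
    char param[64], out_buf[16];
    if (get_field(expr, "param", param, sizeof param) < 0) return -1;
    if (check_ou(user_ou, param, out_buf, sizeof out_buf) != 0) return -1;
    return policy_fires(out_buf);
}
```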
Active rules are defined in the Administrative UI using the SiteMinder Active Rule Editor dialog box. To access this editor from the Rule Properties dialog box, select the Active Rule tab in the Advanced group box, then click Edit.
Active responses are defined in the Administrative UI using the SiteMinder Response Attribute Editor dialog box.
From the Response Properties dialog box, access the editor by clicking Create and selecting the Active Response button in the Attribute Kind group box on the Attribute Setup tab.
Active policies are defined in the Administrative UI using the SiteMinder Active Policy Editor dialog box.
From the Policies Properties dialog box, access this editor by selecting the Advanced tab and clicking Edit.
Copyright © 2012 CA. All rights reserved.