This section contains the following topics:
The following enumerations in SmApi.h are used by more than one SiteMinder API:
Enumerates the reasons that a user account can be disabled.
The following APIs use Sm_Api_DisabledReason_t:
Note: A user account can be disabled for multiple reasons. For example, if the User must change password at next login checkbox is checked and the administrator clicks Disable, an nDisabledReason parameter holds both the Sm_Api_Disabled_PWMustChange bit and the Sm_Api_Disabled_AdminDisabled bit.
For examples of using Sm_Api_DisabledReason_t, see the examples under Sm_PolicyApi_SetDisabledUserState().
The following table shows the bits that can be set for disabled reason. A brief explanation of each reason, organized by reason type, follows the table.
|
Disabled Reason |
Type |
Value |
|---|---|---|
|
Sm_Api_Disabled_DisabledMask |
Mask |
0x00ffffff |
|
Sm_Api_Disabled_Enabled |
Mask |
0 |
|
Sm_Api_Disabled_AdminDisabled |
Bits |
0x00000001 |
|
Sm_Api_Disabled_MaxLoginFail |
Bits |
0x00000002 |
|
Sm_Api_Disabled_Inactivity |
Bits |
0x00000004 |
|
Sm_Api_Disabled_PWExpired |
Bits |
0x00000008 |
|
Sm_Api_Disabled_DirNativeDisabled |
Bits |
0x00000010 |
|
Sm_Api_Disabled_PWMustChange |
Qualifier |
0x01000000 |
Disabled Mask
The disable bits mask is used to distinguish between two cases:
When a user account is enabled, the value is 0, as opposed to the other cases that have non-zero values.
Disabled Bits
A user account can be disabled for one or more of the following reasons:
Disabled by administrator.
Disabled for maximum login failures.
Disabled for inactivity over a period of time.
Disabled for password expiration.
Disabled by the user repository and cannot be enabled in SiteMinder. For example, SiteMinder returns this disabled reason if an Active Directory user object expires because its accountExpires time elapsed.
Qualifier
Forces a user to change his or her password during the next login. When users are forced to change their passwords, the resulting hexadecimal value begins 0x01, as opposed to 0x00.
Enumerates the reasons for an access event, such as an authentication failure or session logout.
When an authentication scheme fails to authenticate, it may send back a reason status code. The status code returned from the authentication function is constructed using the SM_MAKEAUTH_STATUSVALUE macro (see Returns on page 10).
The Policy server sends the reason to the agent. The SiteMinder Web Agent exposes the reason so that Web applications can use it in their logic.
The following APIs use Sm_Api_Reason_t:
The following table shows the bits that can be set for access events.
Note: Values 0 through 31999 are reserved for use by SiteMinder. Values 32000 through 32767 are available for user-defined reasons.
|
Authentication Reason |
Value |
|---|---|
|
Sm_Api_Reason_None |
0 |
|
Sm_Api_Reason_PwMustChange |
1 |
|
Sm_Api_Reason_InvalidSession |
2 |
|
Sm_Api_Reason_RevokedSession |
3 |
|
Sm_Api_Reason_ExpiredSession |
4 |
|
Sm_Api_Reason_AuthLevelTooLow |
5 |
|
Sm_Api_Reason_UnknownUser |
6 |
|
Sm_Api_Reason_UserDisabled |
7 |
|
Sm_Api_Reason_InvalidSessionId |
8 |
|
Sm_Api_Reason_InvalidSessionIp |
9 |
|
Sm_Api_Reason_CertificateRevoked |
10 |
|
Sm_Api_Reason_CRLOutOfDate |
11 |
|
Sm_Api_Reason_CertRevokedKeyCompromised |
12 |
|
Sm_Api_Reason_CertRevokedAffiliationChange |
13 |
|
Sm_Api_Reason_CertOnHold |
14 |
|
Sm_Api_Reason_TokenCardChallenge |
15 |
|
Sm_Api_Reason_ImpersonatedUserNotInDir |
16 |
|
Sm_Api_Reason_Anonymous |
17 |
|
Sm_Api_Reason_PwWillExpire |
18 |
|
Sm_Api_Reason_PwExpired |
19 |
|
Sm_Api_Reason_ImmedPWChangeRequired |
20 |
|
Sm_Api_Reason_PWChangeFailed |
21 |
|
Sm_Api_Reason_BadPWChange |
22 |
|
Sm_Api_Reason_PWChangeAccepted |
23 |
|
Sm_Api_Reason_ExcessiveFailedLoginAttempts |
24 |
|
Sm_Api_Reason_AccountInactivity |
25 |
|
Sm_Api_Reason_NoRedirectConfigured |
26 |
|
Sm_Api_Reason_ErrorMessageIsRedirect |
27 |
|
Sm_Api_Reason_Next_Tokencode |
28 |
|
Sm_Api_Reason_New_PIN_Select |
29 |
|
Sm_Api_Reason_New_PIN_Sys_Tokencode |
30 |
|
Sm_Api_Reason_New_User_PIN_Tokencode |
31 |
|
Sm_Api_Reason_New_PIN_Accepted |
32 |
|
Sm_Api_Reason_Guest |
33 |
|
Sm_Api_Reason_PWSelfChange |
34 |
|
Sm_Api_Reason_ServerException |
35 |
|
Sm_Api_Reason_UnknownScheme |
36 |
|
Sm_Api_Reason_UnsupportedScheme |
37 |
|
Sm_Api_Reason_Misconfigured |
38 |
|
Sm_Api_Reason_BufferOverflow |
39 |
|
Sm_Api_Reason_SetPersistentSessionFailed |
40 |
|
Sm_Api_Reason_UserLogout |
41 |
|
Sm_Api_Reason_IdleSession |
42 |
|
Sm_Api_Reason_PolicyServerEnforcedTimeout |
43 |
|
Sm_Api_Reason_PolicyServerEnforcedIdle |
44 |
|
Sm_Api_Reason_ImpersonationNotAllowed |
45 |
|
Sm_Api_Reason_ImpersonationNotAllowedUser |
46 |
|
Sm_Api_Reason_FederationNoLoginID |
47 |
|
Sm_Api_Reason_FederationUserNotInDir |
48 |
|
Sm_Api_Reason_FederationInvalidMessage |
49 |
|
Sm_Api_Reason_FederationUnacceptedMessage |
50 |
Sm_PolicyResolution_t, defined in SmApi.h, enumerates values that describe how one policy object, such as a user, is related to another policy object, such as a group.
The following APIs use the enumeration Sm_PolicyResolution_t:
The following table lists the supported policy resolutions. A brief description of each resolution follows the table.
|
Policy Resolution |
Value |
|---|---|
|
Sm_PolicyResolution_Unknown |
0 |
|
Sm_PolicyResolution_User |
1 |
|
Sm_PolicyResolution_UserGroup |
2 |
|
Sm_PolicyResolution_UserProp |
3 |
|
Sm_PolicyResolution_UserRole |
4 |
|
Sm_PolicyResolution_Org |
5 |
|
Sm_PolicyResolution_Query |
6 |
|
Sm_PolicyResolution_All |
7 |
|
Sm_PolicyResolution_GroupProp |
8 |
|
Sm_PolicyResolution_OrgProp |
9 |
|
Sm_PolicyResolution_DnProp |
10 |
Note: Another policy resolution, Sm_PolicyResolution_Max, is for internal use only.
The Sm_Api_Context_t structure is used by multiple SiteMinder APIs.
The structure provides the function pointers for the SiteMinder logging utility, trace utility, and error utility.
The following APIs use Sm_Api_Context_t:
|
Copyright © 2012 CA.
All rights reserved.
|
|