You can create a response by specifying an agent type and an attribute list. A response contains the specified attributes and is sent to the specified agent.
To create a response
The Create Response: Select Domain pane opens.
The Create Response: Define Response pane opens.
The Create Response Attribute pane opens.
The Create Response Task is submitted for processing.
Each SiteMinder response may contain one or more response attributes. Response attributes identify the pieces of information that the Policy Server passes to a SiteMinder Agent. Each SiteMinder Agent type can accept different response attributes.
Note: More information on configuring an smetssocookie Web Agent active response attribute, which is needed for enabling single sign-on from SiteMinder to CA Single Sign-On, exists in Configure an smetssocookie Web Agent Active Response Attribute.
SiteMinder supports different types of response attributes. The types of response attributes determine where the Policy Server finds the proper values for the response attributes.
You can specify the following types of response attributes when you add response attributes to a SiteMinder response:
Returns data that remains constant.
Use a static attribute to return a string as part of a SiteMinder response. This type of response can be used to provide information to a Web application. For example, if a group of users has specific customized content on a Web site, the static response attribute show_button = yes could be passed to the application.
Returns profile information from a user’s entry in a user directory.
This type of response attribute returns information associated with a user in a directory. A user attribute can be retrieved from an LDAP, WinNT, Microsoft SQL Server or Oracle user directory.
Note: In order for the Policy Server to return values from user directory attributes as response attributes, the user directories must be configured on the SiteMinder User Directory pane.
Returns profile information from a directory object in an LDAP, Microsoft SQL Server or Oracle user directory.
This type of response attribute is used to return information associated with directory objects to which the user is related. Groups to which a user belongs, and Organizational Units (OUs) that are part of a user DN, are examples of directory objects whose attributes can be treated as DN attributes.
For example, you can use a DN attribute to return a company division for a user, based on the user’s membership in a division.
Note: In order for the Policy Server to return values from DN attributes as response attributes, the user directories must be configured on the SiteMinder User Directory pane.
Returns values from a customer supplied library that is based on the SiteMinder Authorization API.
An Active Response is used to return information from an external source. An Active Response is generated by having the Policy Server invoke a function in a customer-supplied shared library. This shared library must conform to the interface specified by the Authorization API (available separately with the Software Development Kit; if installed, see the API Reference Guide for C for more information).
Note: It is up to you to make sure the value returned by an active response is valid. For example, if an active response returns a numeric type, the library and function must return a string whose value is a number.
When you configure a response attribute, the correct Value Type for the response attribute is displayed on the Response Attribute pane.
Returns the value of the specified variable at runtime.
Select Variable Definition when you want to select and use a variable from a list of already-defined variables.
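The active response note above says that a numeric type must come back as a string whose value is a number. One way a library author might enforce that before handing the value back is sketched here as an added example; it is not code from the SiteMinder SDK, `is_numeric_string` and `emit_numeric_value` are hypothetical names, and the Authorization API entry point itself is not shown.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not part of the SiteMinder Authorization API.
 * Accepts only an optional sign followed by decimal digits that fit in a long. */
int is_numeric_string(const char *s)
{
    char *end = NULL;

    if (s == NULL || *s == '\0' || isspace((unsigned char)*s))
        return 0;                      /* strtol would silently skip leading spaces */
    errno = 0;
    (void)strtol(s, &end, 10);
    if (errno == ERANGE)
        return 0;                      /* value does not fit in a long */
    return end != s && *end == '\0';   /* at least one digit, no trailing characters */
}

/* Hypothetical wrapper: copy a value fetched from the external source into the
 * caller's output buffer only if it is a valid number and fits, terminator
 * included. Returns 0 on success, -1 on rejection; on rejection the buffer
 * holds an empty string, so a partial or non-numeric value never leaves the library. */
int emit_numeric_value(const char *value, char *out, size_t out_len)
{
    size_t n;

    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (!is_numeric_string(value))
        return -1;
    n = strlen(value);
    if (n >= out_len)
        return -1;                     /* would truncate: reject instead */
    memcpy(out, value, n + 1);
    return 0;
}
```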
You can create a response attribute for a SiteMinder Web Agent by selecting SiteMinder and Web Agent on the Attributes group box on the Response pane. Web Agent response attributes support HTTP header variables, cookie variables, redirections to other resources, text, and timeout values.
Note: If you have purchased and installed SOA Security Manager, you can create a WebAgent-SAML-Session-Ticket-Variable response attribute. For more information, see the CA SOA Security Manager Policy Configuration Guide.
To create a response attribute
The Create Response Attribute page appears.
The details in the Attribute Fields are updated to match the specified attribute type.
Note: A list of automatically generated SiteMinder user attributes that you can use in responses exists in SiteMinder Generated User Attributes.
Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.
Note: The maximum time limit that can be entered is 3600 seconds.
The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.
You can create a response attribute for a RADIUS Agent by selecting RADIUS and a RADIUS vendor on the Attributes group box on the Response pane. RADIUS response attributes support any of the attributes supported by the RADIUS protocol.
To create a response attribute
The Create Response Attribute page appears.
The details in the Attribute Fields are updated to match the specified attribute type.
Note: A list of automatically generated SiteMinder user attributes that you can use in responses exists in SiteMinder Generated User Attributes.
Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.
Note: The maximum time limit that can be entered is 3600 seconds.
The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.
You can create a response attribute for a SiteMinder Affiliate Agent by selecting SiteMinder and Affiliate Agent on the Attributes group box on the Response pane. Affiliate Agent response attributes support HTTP header variables and cookie variables. More information on Agent types exists in the Web Agent Configuration Guide.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
To create a response attribute
The Create Response Attribute page appears.
The details in the Attribute Fields are updated to match the specified attribute type.
Note: A list of automatically generated SiteMinder user attributes that you can use in responses exists in SiteMinder Generated User Attributes.
Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.
Note: The maximum time limit that can be entered is 3600 seconds.
The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.
You can create responses that include variable objects by incorporating them in response attributes. Variable objects can be used in response attributes to include dynamic information evaluated during the authorization of a request.
Note: Variable objects included in responses are only evaluated during the authorization of a request and not during the authentication process. Responses that include variables are limited to authorization events.
Responses can contain any number of response attributes. Each response attribute contains one variable object. Like HTTP header and cookie variables, a SiteMinder variable object is a name-value pair. SiteMinder variable objects are different from HTTP header and cookie variables, however, in that the variable object name is used to look up the variable object value at runtime. Then, in the case of response attributes, the resulting name-value pair can be returned in an HTTP header or cookie variable.
A response can contain one or more response attributes whose values are determined by variable objects. Each response attribute contains one variable object. Each variable object is a name-value pair. The name of the variable object is used to look up the value of the variable object at runtime. SiteMinder passes the resulting name-value pair to the Web Agent.
To configure a response attribute that contains a variable
The Create Response Attribute pane opens.
Note: When this field is required, SiteMinder passes this name to the Web Agent in the form of a name-value pair.
Specify the value of the static variable in the Variable Value field.
Specify the name of the user attribute in the Attribute Name field.
Specify the DN of the user or user group in the DN Spec field and the name of the user attribute in the Attribute Name field.
(Optional) Click Lookup to search for and select one set of users or user group in a specified user directory.
(Optional) Select the Allow Nested Groups check box.
Specify the name of your library, the name of a library function, and, optionally, the names of parameters in the Library Name, Function Name, and Parameters fields.
Note: Your library must be based on the SiteMinder Authorization API.
Click Lookup to select an existing variable object for the Variable field.
Specify the name of a session variable for which an administrator can retrieve the value.
Specify an expression that extracts a value from an attribute and stores it as a new session variable.
Note: SiteMinder uses the information that you provide in the fields on the Attribute Fields section to determine the value that it passes to the Web Agent in the form of a name-value pair.
The response attribute is saved.
The User Lookup pane allows you to select one user directory and search a list of users and user groups in that directory, selecting one set of users or user group for inclusion in a response attribute.
To select users for inclusion in a response attribute
The Attribute Fields group box expands to include the DN Spec field.
The User Lookup pane opens.
The User Search pane opens.
Specify an attribute name and value in the fields on the Users/Groups dialog.
Specify a search expression in the Expression field on the Users/Groups dialog.
Note: You can click Reset to clear the search results.
The User Lookup pane reopens.
The Response Attribute pane reopens, and the set of users or user group is added to the DN Spec field in the Attribute Fields group box.
The Select Variable pane allows you to select one variable object from a list of existing variable objects.
To select a variable using variable lookup
The Select Variable pane opens.
The Create Response Attribute pane reopens, and the name of the variable object is displayed in the Variable field on the Attribute Fields group box.
Responses return values to a requesting Agent. The data returned to the Agent can be a fixed value, or it may change over time. When you use a SiteMinder Agent to protect a resource, Agents can cache a value for fixed data, so that the value does not need to be recalculated each time the associated policy fires.
For example, a customer’s account number is a fixed value, while the customer’s account balance changes after each transaction. It would be more efficient to retrieve the account number once and then cache it. However, you probably want the balance to be recalculated at a regular interval to make sure the information is current.
Note: SiteMinder does not cache RADIUS response attributes.
To configure response attribute caching
The associated response attributes are listed in the Attribute List group box.
The Modify Response Attribute pane opens.
The cache settings are saved.
You can edit all of the properties of a response, except the Agent Type. If you want to change the Agent Type, you must delete the response and create a new one.
Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.
Deleting a response removes the response from any policies with which it is associated.
It may take a short amount of time for all deleted objects to be removed from caches.
Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.
Copyright © 2012 CA.
All rights reserved.