A global policy is comprised of global rule objects and global response objects, including response attributes. The following process lists the procedures for creating a global policy:
Important! You can configure both global policies and domain-specific policies that affect the same resources. For example, you can configure domain-specific policies for access control, and global policies that provide a standard set of responses. However, in order for global policies to function, the realms included in the domain-specific policies must be configured to allow event processing.
Global rules are the part of a global policy that define a resource and events that trigger the processing of a global policy. Global rules are similar to domain-specific rules. However, a global rule must be associated with an authentication or authorization event. There are no global allow/deny access rules.
Global rules that include SiteMinder authentication events let you control actions that occur when users authenticate to gain access to a resource (On-Auth event).
Note: OnAuth event results are per realm, so for example, if a user goes from realm A to realm B and had an OnAuthAccept header in realm A, it will not be available in realm B. When the user goes back to realm A, the header will be set again.
The following is a list of possible On-Auth events:
Occurs if authentication was successful. This event may be used to redirect a user after a successful authentication.
Occurs if authentication failed for a user that is bound to a policy containing an On-Auth-Reject rule. This event may be used to redirect the user after a failed authentication.
OnAuthAccept and OnAuthReject events fire both at authentication time (when the user enters his / her username and password) and at validation time (when the user's cookie is read for user information). However, there are certain special actions that only occur at authentication time:
Unless you have a version of the Web Agent that supports the EnforceRealmTimeouts option and that option is enabled, the Idle and Max Timeouts for the user will stay at the values for the realm in which the user last authenticated (only changes if the user has to reenter credentials).
Note: More information on EnforceRealmTimeouts exists in section 3.3 of the SiteMinder 4.x Web and Affiliate Agent Quarterly Maintenance Release 4 Release Notes.
Redirects are only allowed at authentication time for a number of reasons, but one of the most practical is that it would be very easy to configure an infinite loop of redirection if OnAuth redirection were allowed at validation time as well.
The password is not stored in the SMSESSION cookie, so the only time it is available is when the user actually enters it (authentication time).
Occurs if the user was rejected because SiteMinder does not know this user (an unregistered user, for example, can be redirected to register first).
Occurs when custom challenge-response authentication schemes are activated (for example, a token code).
When a user is authenticated (or rejected), the Policy Server passes any global responses associated with the applicable On-Auth rule back to the requesting Agent.
Copyright © 2012 CA.
All rights reserved.
|
|