

How the Policy Server Processes Variables

Variables are evaluated when the Policy Server processes an authorization for a request and determines that a user is authorized for the requested resource. The details of variable processing are slightly different based on whether the variable objects are contained in a response or in a policy expression.

How the Policy Server Processes Variables Contained in Policy Expressions

As part of policy evaluation, the variables contained in a policy expression are placed in an unresolved variable list during the authorization of a request. As the Policy Server resolves variables, they are moved to a resolved variables list. When all variables in a policy expression have been resolved, the Policy Server grants or denies access based on the entire policy.

The following figure illustrates how the authorization of a user’s request is processed by a Web Agent and the Policy Server when the policy for the requested resource contains variables. This diagram does not include Web Service variables.

Note: The process in the following figure assumes that the user has already been authenticated by SiteMinder. For unauthenticated users, the authentication process must occur before the authorization.

[Figure: how a Web Agent and the Policy Server process the authorization of a user’s request when the policy for the requested resource contains variables]

  1. The user requests a resource from a server that is protected by a SiteMinder Web Agent.
  2. The Agent verifies that the resource is protected and the Policy Server begins authorization processing.
  3. The Policy Server retrieves policy information from the Policy Store about the requested resource.
  4. The Policy Server receives a list of unresolved variables contained in the policy expression associated with the requested resource. The Policy Server evaluates static, user context, and request context variables contained in the unresolved variables list.
  5. If all variables and variable expressions have been resolved, the Policy Server indicates to the Web Agent whether or not the user may access the requested resource.
  6. If the unresolved variables list still contains unresolved variables, the list is passed to the Agent API layer with a Not Resolved indicator. The values of any Form Post variables are resolved by the Web Agent and passed to the Policy Server in a new request that includes the Form Post variable value in the resolved variables list.
  7. If the policy contained Form Post variables, the Policy Server processes the policy with the newly resolved values extracted from the POST data.
  8. The user is either allowed or denied access to the requested resource.
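
The two-pass resolution in steps 4 through 7, modeled in Python as an added example (not SiteMinder code or its API). The function names, the variable type labels, the sample policy, and the deny-when-still-unresolved behavior are assumptions of this model.

```python
SERVER_SIDE = {"static", "user_context", "request_context"}  # types named in step 4

def policy_server_pass(unresolved, resolved, server_values, policy):
    """Steps 4-5 and 7: resolve server-side variables, decide once none remain."""
    for name, vtype in list(unresolved.items()):
        if vtype in SERVER_SIDE:
            resolved[name] = server_values[name]   # move to the resolved list
            del unresolved[name]
    if unresolved:
        return "NOT_RESOLVED"                      # indicator passed back in step 6
    return "ALLOW" if policy(resolved) else "DENY"

def web_agent_resolve(unresolved, resolved, post_data):
    """Step 6: the agent fills Form Post variables from the request's POST data."""
    for name, vtype in list(unresolved.items()):
        if vtype == "form_post" and name in post_data:
            resolved[name] = post_data[name]
            del unresolved[name]

def authorize(variables, server_values, post_data, policy):
    """Return (verdict, number of Policy Server passes)."""
    unresolved, resolved = dict(variables), {}
    verdict = policy_server_pass(unresolved, resolved, server_values, policy)
    if verdict != "NOT_RESOLVED":
        return verdict, 1
    web_agent_resolve(unresolved, resolved, post_data)
    verdict = policy_server_pass(unresolved, resolved, server_values, policy)
    # Model assumption: a variable still unresolved after the agent round trip denies.
    return ("DENY" if verdict == "NOT_RESOLVED" else verdict), 2

# Constructed sample policy and inputs (hypothetical names and values).
VARIABLES = {"limit": "static", "dept": "user_context", "amount": "form_post"}
SERVER_VALUES = {"limit": 1000, "dept": "purchasing"}

def policy(v):
    # POST values are client-supplied strings: validate before comparing.
    return (v["dept"] == "purchasing" and v["amount"].isdigit()
            and int(v["amount"]) <= v["limit"])

if __name__ == "__main__":
    for body in ({"amount": "250"}, {"amount": "5000"}, {"amount": "-1"}, {}):
        print(body, authorize(VARIABLES, SERVER_VALUES, body, policy))
```

The Form Post value is the only input in this flow that comes from the request body, so it is the one the sample policy checks for format before using it in the decision.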

More information:

Web Service Variables

How the Policy Server Processes Variables Contained in Responses

SiteMinder processes variables contained in responses as described in the previous section. Since Form Post variables cannot be used for responses, all variables are resolved by the time a response fires at the Policy Server.