CA SiteMinder® response attributes instruct applications how to collect user data and apply that information to display personalized content for each user.
CA SiteMinder® provides configurable response attributes as a means of delivering data to applications and customizing the user experience.
You configure responses using the Administrative UI, and then associate them with specific rules in a policy. When a request triggers a rule with a configured response, the Policy Server sends the response data to the Agent, which interprets the information and makes it available to Web applications.
When you configure a response, you associate the response with an Agent action. You can associate HTTP header and cookie response attributes with the actions GET and POST. These attributes can also be tied to Authentication or Authorization events. The Policy Server can send a response if the user is accepted or rejected for either of these events.
Note: When configuring response attributes note that the maximum buffer size for the web server for agent responses is 32 KB. There is no length limit of a response other than the total buffer size.
Response attributes other than the header and cookie attributes can only be used when an authentication or authorization event occurs (whether or not the user is accepted or rejected for either of these events). For example, you can select an Authorization event action for a rule and then configure a WebAgent-OnReject-Redirect response attribute. If a user is rejected during the authorization process by CA SiteMinder®, the Agent redirects the user to another page that could display a message indicating why that user was rejected.
The following illustration shows how response attributes are sent from the Policy Server to the web server:
To simplify the task of maintaining responses, define a separate response for each type of event. For example, define one response for an OnAccept event and another response for an OnReject event. Creating a separate response makes it easier to find attributes when you need to modify response values.
The SM_AGENTAPI_ATTR_USERMSG response enables developers of custom CA SiteMinder® authentication schemes to return custom text to their client applications, as part of a user challenge or for some other purpose.
Beginning with v5 QMR3, the Web Agent has the ability to convert the text from an SM_AGENTAPI_ATTR_USERMSG response to an SMUSRMSG cookie when performing a forms challenge.
To ensure the SMUSRMSG cookie is removed after the challenge is complete, the FCC consumes the cookie (deletes it from the browser) after a successful POST request, as follows:
Note: The SMUSRMSG cookie will be stored for a period of time in the user's browser, and could possibly be transmitted over non-secure HTTP connections. As a result, sensitive data should be avoided.
Web Agents will URL-encode text that is placed in the SMUSRMSG cookie during a forms challenge, to make it safe for HTTP transmission, eliminating spaces and other harmful characters. The FCC decodes this text before making it available to the environment for use in custom FCC functionality.
Note: URL encoding is not implemented unless the text is placed in the SMUSRMSG cookie.
To implement the new functionality, custom authentication scheme developers must generate custom forms-based authentication schemes. When an Sm_AgentApi_Login() call returns SM_AGENTAPI_CHALLENGE, the Agent challenges the requesting user by redirecting to the authentication scheme URL provided by the response to Sm_AgentApi_IsProtected().
When the Web Agent handles an authentication scheme that uses the HTML Forms authentication scheme template, the Agent looks for a SM_AGENTAPI_ATTR_STATUS_MESSAGE response attribute. If the attribute is found, the Agent generates the appropriate SMUSRMSG cookie, while redirecting to the authentication scheme URL. The FCC may then use this cookie during form generation, if appropriate directives are placed in the desired .FCC source file.
Note: For more information, see the Policy Server documentation.
You can instruct a CA SiteMinder® Agent to cache response attributes or expire attributes that contain dynamic data, forcing the Agent to contact the Policy Server and update the information. If you configure a static response attribute, the Policy Server only allows you to cache the value. By definition, static values do not change, so there is no need to recalculate them. If you configure user, DN, or active attributes, you can either cache the value or recalculate the value at specific intervals to ensure that the data is current.
|
Copyright © 2013 CA.
All rights reserved.
|
|