
Page 1: CA eTrust SiteMinder

Credentials Selector TechNote r6.0 SP5

CA™ eTrust® SiteMinder


This documentation and any related computer software help programs (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by CA at any time.

This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part, without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and protected by the copyright laws of the United States and international treaties.

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of the documentation for their own internal use, and may make one copy of the related software as reasonably required for back-up and disaster recovery purposes, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the provisions of the license for the product are permitted to have access to such copies.

The right to print copies of the documentation and to make a copy of the related software is limited to the period during which the applicable license for the Product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to certify in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.

EXCEPT AS OTHERWISE STATED IN THE APPLICABLE LICENSE AGREEMENT, TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION, INCLUDING WITHOUT LIMITATION, LOST PROFITS, BUSINESS INTERRUPTION, GOODWILL, OR LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED OF SUCH LOSS OR DAMAGE.

The use of any product referenced in the Documentation is governed by the end user’s applicable license agreement.

The manufacturer of this Documentation is CA.

Provided with “Restricted Rights.” Use, duplication or disclosure by the United States Government is subject to the restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section 252.227-7014(b)(3), as applicable, or their successors.

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Copyright © 2006 CA. All rights reserved.


Contact Technical Support

For online technical assistance and a complete list of locations, primary service hours, and telephone numbers, contact Technical Support at http://ca.com/support.



Contents

Chapter 1: SiteMinder Credentials Selector Overview .... 7
    Credentials Selector Introduction .... 7
    Use Case .... 7
        Access Using Password And/Or Certificate Authentication .... 8
        Access Using Windows Authentication .... 9
        Access Using SecurID Authentication .... 10
        Access Using SafeWord Authentication .... 10

Chapter 2: Solve the Use Case with the Credentials Selector .... 11
    Credentials Selector Configuration for the Use Case .... 11
    Configure the FCC for the Front-End Authentication Scheme .... 12
        FCC Overview .... 12
        Configure selectlogin.fcc for the Front-End Authentication Scheme .... 13
        FCC Configuration Details .... 14
        Sample selectlogin.fcc File .... 15
        Manage Unsuccessful Authentication Attempts .... 18
    Protect the Sample Application .... 19
        Realms and Rules for the Sample Application .... 19
        Configure Policies to Protect the Sample Application .... 21
        Configure Responses for the Sample Application .... 23
    Set-up Authentication Schemes for Back-End Processing .... 24
    Set Up a Policy Domain for Back-End Processing .... 27
        Configure Realms for the Back-end Policy Domain .... 27
        Create Rules for the Back-end Policy Domain .... 28
        Configure AuthContext Responses for the Back-end Policy Domain .... 29
        Configure Policies for Back-end Credential Selection .... 31


Chapter 1: SiteMinder Credentials Selector Overview

This section contains the following topics:

Credentials Selector Introduction (see page 7)
Use Case (see page 7)

Credentials Selector Introduction

The SiteMinder Credentials Selector is a feature of SiteMinder's strong authentication solutions. It enables users to select the type of authentication credentials necessary to access protected resources. Based on the user's authentication context, the Policy Server can make authorization decisions and then generate user responses in the same single sign-on environment.

This functionality is implemented as a standalone component, which can be used by any SiteMinder-protected application.

Use Case

The Credentials Selector can be used to solve a use case where the user is given a choice of different credentials to obtain different levels of access.

In this use case, the user requests access to a protected file. He is presented with the following login dialog:


Each login button on the dialog submits different credentials. The user's experience depends on the type of credentials he provides. The user can choose from the following types of authentication:

Password And/Or Certificate authentication

Windows authentication

SecurID authentication

SafeWord authentication

After the user is successfully authenticated and authorized, the user sees a greeting that informs him of his authentication level and the type of authentication scheme he used to log in.

The file that generates this greeting has the following code:

    <html>
    <head></head>
    <body>
    <h3>
    <p>Greetings, <%= Request.ServerVariables("HTTP_USERNAME") %>!
    <p>Your authentication level is
    <%= Request.ServerVariables("HTTP_AUTHLEVEL") %>
    <p>You have used <%= Request.ServerVariables("HTTP_AUTHCONTEXT") %>
    authentication
    </h3>
    </body>
    </html>

Review the different authentication options available in the login dialog to see how the user's selection of credentials results in different access levels.

More Information

Access Using Password And/Or Certificate Authentication (see page 8)
Access Using Windows Authentication (see page 9)
Access Using SecurID Authentication (see page 10)
Access Using SafeWord Authentication (see page 10)

Access Using Password And/Or Certificate Authentication

In the Password And/Or Certificate section of the dialog, the user can choose one of the following combinations of credentials to provide:

Username and Password only entered in an HTML form

X.509 client certificate only

Username/Password and X.509 client certificate


If the user provides only his valid username and password, the following message is displayed:

Greetings, SampleUser!

Your authentication level is 5

You have used username/password authentication

If the user selects only the X.509 client certificate checkbox, he is prompted to select one of the client certificates configured with the browser. If it is recognized by the Policy Server, the following message is displayed:

Greetings, SampleUser!

Your authentication level is 10.

You have used X.509 client certificate authentication

Note: The Password And/Or Certificate option offers the flexibility of providing a different authentication level depending on the credentials the user provides. SiteMinder's X.509 Cert Or Form authentication scheme, which may seem similar to the Password And/Or Certificate option, does not distinguish between the types of provided credentials and therefore, the protection level is the same regardless of what the user provides.

If both Username and Password are provided and the X.509 client certificate checkbox is marked, the user is prompted for a client certificate. If the certificate is recognized by the Policy Server, and if it matches the username provided, the following message is displayed:

Greetings, SampleUser!

Your authentication level is 15

You have used X.509 client certificate and username/password authentication

Access Using Windows Authentication

If the user is currently logged into a Windows domain, the message he sees when he requests the protected resource is:

Greetings, SampleUser!

Your authentication level is 5

You have used the Windows domain authentication

If he is not logged into a Windows domain, the user is prompted for his Windows domain credentials.


Access Using SecurID Authentication

If the user provides a valid Username and SecurID PIN for SecurID Authentication, the message displayed when he requests the protected resource is:

Greetings, SampleUser!

Your authentication level is 20

You have used the SecurID authentication

Access Using SafeWord Authentication

If the user provides only his username for SafeWord authentication, a two-step process occurs. SiteMinder passes the username to the SafeWord server, and the server determines the credentials for which it will challenge the user. SafeWord supports up to four authenticators per login. The authenticators can be fixed (using a password) or dynamic (using a token card pin).

Upon successful access, the following message is displayed:

Greetings, SampleUser!

Your authentication level is 20

You have used the SafeWord authentication


Chapter 2: Solve the Use Case with the Credentials Selector

This section contains the following topics:

Credentials Selector Configuration for the Use Case (see page 11)
Configure the FCC for the Front-End Authentication Scheme (see page 12)
Protect the Sample Application (see page 19)
Set-up Authentication Schemes for Back-End Processing (see page 24)
Set Up a Policy Domain for Back-End Processing (see page 27)

Credentials Selector Configuration for the Use Case

To set up the Credentials Selector, you configure the following in the Policy Server User Interface:

Several authentication schemes, one for each type of credentials that the user can choose.

An authentication scheme that is exposed to applications that will use the Credentials Selector. This is the front-end authentication scheme.

A specially configured policy domain that represents the Credentials Selector's back-end processing.

A Web Agent that serves as an entry point for the policy domain representing the back-end processing.

To configure a solution to the use case, set-up the following components:

The authentication schemes associated with the type of credentials the user might choose.

The Forms Credential Collector (FCC) used by the front-end authentication scheme to render the login dialog that is presented to the user when he requests the protected file.

Back-end processing, which are tasks the Credentials Selector uses, but which are not used by the sample application with which the user interacts.

The policy domain, which includes a realm, rule, and policy, that represents the Credential Selector's back-end processing.

You also need to provide a sample application that will use the Credentials Selector functionality. For the purposes of this use case, the application is an ASP file that presents the greeting message to the user.


Configure the FCC for the Front-End Authentication Scheme

The Forms Credential Collector (FCC), selectlogin.fcc, is used by the front-end authentication scheme to generate the login selection screen that the user sees when they request access to the protected resource. The FCC dynamically constructs the FCC directives for the Web Agent so the Agent can redirect the user as appropriate for any of the authentication scheme choices.

Be aware that the selectlogin.fcc is a sample for use by the Credentials Selector. The set of authentication choices and HTML formatting depends upon your particular situation.

Note: For detailed information about FCCs, see the Policy Design Guide and the Web Agent Guide.

FCC Overview

The FCC format is a proprietary format used by SiteMinder Web Agents to collect credentials and pass them to the Policy Server. An FCC consists of a header and a body.

FCC Header Description

An FCC header is a list of FCC directives, one per line. The FCC directives have the following syntax:

@<directive>[=<value>]

The values may contain % substitutions, formatted as %parameter%. The parameters are passed with the FCC file on a POST action when the credentials are submitted.

There is a limited set of FCC directives. For the purposes of this example, the most important directives are:

@target

Resource URL that the Web Agent must pass to the Policy Server

@username

Username that the Web Agent must pass to the Policy Server

@password

Password that the Web Agent must pass to the Policy Server

@smagentname

Agent name that the Web Agent must pass to the Policy Server. If the EncryptAgentName parameter in the Agent's configuration is set to yes, the name is encrypted.


Not all FCC directives need to be listed in the header; many have implicit defaults, such as:

@target=%target%

@username=%username%

@password=%password%

@smagentname=%smagentname%

FCC Body Description

The FCC body has the HTML or other web-browser readable format. It is rendered in the web browser when the user is challenged.

The body may contain $ substitutions, formatted as $$parameter$$. The parameter name must belong to a certain set of known parameters that are passed with the FCC file on a GET action.

For the purposes of this example, the important directives are:

$$target$$

Resource URL that the user has requested

$$smagentname$$

Web Agent's name. If the EncryptAgentName parameter in the Agent's configuration is set to yes, the name will be encrypted.
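The two substitution rules above (%param% in the header from the POST parameters, $$param$$ in the body from the GET parameters, plus the implicit defaults) can be modelled in a few lines. The following is an added illustration, not the Web Agent's own parser; the sample FCC text, the parameter values and the function names are constructed here. It also HTML-escapes the GET values it places in the body, a precaution the TechNote does not mention.

```javascript
// Added illustrative code, not the Web Agent's own parser: it models the FCC
// layout the TechNote describes (a header of @directive[=value] lines followed
// by an HTML body). Header values take %param% substitutions from the POST
// parameters; body text takes $$param$$ substitutions from the GET parameters.
// The four directives the TechNote lists as having implicit defaults are filled
// in when the header omits them.

const IMPLICIT_DEFAULTS = {
  target: "%target%",
  username: "%username%",
  password: "%password%",
  smagentname: "%smagentname%",
};

// Constructed sample: the two directives are those of selectlogin.fcc; the body
// is trimmed to the one hidden field that carries the target.
const SAMPLE_FCC = [
  "@username=%USER%",
  "@smretries=0",
  "<html><body><form name=\"Login\" method=\"POST\">",
  "<input type=\"hidden\" name=\"target\" value=\"$$target$$\">",
  "</form></body></html>",
].join("\n");

// Split an FCC file into its directive header and its body. A directive line
// without "=" is recorded with an empty value.
function parseFcc(text) {
  const lines = text.split(/\r?\n/);
  const directives = {};
  let i = 0;
  for (; i < lines.length; i++) {
    const line = lines[i];
    if (!line.startsWith("@")) break; // first non-directive line ends the header
    const eq = line.indexOf("=");
    const name = (eq === -1 ? line.slice(1) : line.slice(1, eq)).trim();
    directives[name] = eq === -1 ? "" : line.slice(eq + 1);
  }
  for (const [name, value] of Object.entries(IMPLICIT_DEFAULTS)) {
    if (!(name in directives)) directives[name] = value;
  }
  return { directives, body: lines.slice(i).join("\n") };
}

// Resolve %param% in header values from the POST parameters. A parameter that
// was not posted resolves to an empty string rather than a leftover token.
function resolveDirectives(directives, postParams) {
  const resolved = {};
  for (const [name, value] of Object.entries(directives)) {
    resolved[name] = value.replace(/%([A-Za-z0-9_]+)%/g, (_, p) =>
      Object.prototype.hasOwnProperty.call(postParams, p) ? String(postParams[p]) : "");
  }
  return resolved;
}

// HTML-escape a value before placing it in the rendered body. The TechNote does
// not say whether the Web Agent escapes; doing so here keeps a crafted query
// string from injecting markup into the form (an addition made in this example).
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Resolve $$param$$ in the body from the GET parameters.
function renderBody(body, getParams) {
  return body.replace(/\$\$([A-Za-z0-9_]+)\$\$/g, (_, p) =>
    Object.prototype.hasOwnProperty.call(getParams, p) ? escapeHtml(String(getParams[p])) : "");
}

// One GET (render the challenge) followed by one POST (resolve the header).
function demo() {
  const parsed = parseFcc(SAMPLE_FCC);
  const page = renderBody(parsed.body, { target: "/protected/greet.asp?x=<1>", smagentname: "agent1" });
  const header = resolveDirectives(parsed.directives, { USER: "SampleUser", target: "/protected/greet.asp" });
  return { page, header };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the file prints the rendered body with the target filled in and the resolved header, in which @username takes the posted USER value while @password, never posted in this sample, resolves to an empty string.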

Configure selectlogin.fcc for the Front-End Authentication Scheme

The selectlogin.fcc file is included with the Web Agent installation as a sample FCC. This file is used by the front-end authentication scheme to render the login dialog that is presented to the user when he requests the protected resource.

When a user requests a resource, the Web Agent passes the requested URL to the Policy Server. In most cases, the resource URL that the Web Agent passes is the same one that the user requests. The FCC files defined for the SiteMinder authentication schemes ensure that the requested URL is sent by passing $$target$$ (the GET parameter) as %target% (the POST parameter), and using the @target=%target% directive, as follows:

    <!-- some HTML code -->
    <form name="Login" method="POST">
    <!-- some HTML code -->
    <input type="hidden" name="target" value="$$target$$">
    <!-- more HTML code -->
    </form>
    <!-- more HTML code -->


Note: The @target=%target% directive is used by default, if it is omitted.

In this case, the selectlogin.fcc file works by replacing the value of the %target% parameter with the following value:

/path/redirect.ext?authtype=type&target=$$target$$

redirect.ext

A simple script that redirects to the URL provided in the target parameter. Example values are redirect.asp or redirect.jsp. Alternatively, you can use different redirect script files or different virtual directories that expose the same physical file as long as the redirect script's URLs depend on the credentials provided.

type

A string determined by the user's choice of credentials.

If different redirect URLs are protected by different authentication schemes, the credentials collected by the FCC are processed by the chosen authentication scheme. This is the authentication scheme that establishes the user's session, including the user's authentication level. After the user is authenticated and authorized for the redirect script resource, the user is redirected to the originally requested resource.

If single sign-on is in effect and the user's protection level is equal to or higher than the front-end authentication scheme's protection level, then the user's session is validated against the original resource. Whether or not the user is authorized depends on the policy configuration, which may check the user's authentication context. For example, a minimal protection level or certain conditions may be required to access a particular resource.

More Information:

Set-up Authentication Schemes for Back-End Processing (see page 24)
FCC Configuration Details (see page 14)

FCC Configuration Details

You can configure various authentication schemes in the selectlogin.fcc file.

The following are configuration details for some schemes:

The cert-and-form scheme requires posting over an SSL connection. If the front-end authentication scheme does not use an SSL connection, the Web Agent cannot POST to the same selectlogin.fcc URL that was obtained on the GET request.


The following JavaScript code may be used to convert the URL to an SSL URL:

    arr = document.URL.split("://");
    document.Login.action = "https://" + arr[1];

To support SafeWord's two-step authentication, the username collected from the first challenge form must be remembered by the client side in time for the second challenge. The safeword.fcc file, also included in the Web Agent installation, uses the @smtransient FCC directive to keep the username in a transient cookie. The same directive may be used in the selectlogin.fcc file too, but then the cookie is going to be created even if the user makes a different choice of credentials. A better alternative is to modify the action argument to POST to the safeword.fcc file, as follows:

document.Login.action = "safeword.fcc";

The Windows authentication scheme does not use an FCC file. It uses a specific pseudo-resource URL, which does not exist on the web server but which is recognized by the SiteMinder Web Agent. To make Windows authentication work, set the action argument to this same pseudo-resource URL, as follows:

document.Login.action = "/siteminderagent/ntlm/creds.ntc";

The SecurID authentication scheme does not use an FCC; however, the Agent can POST the SecurID credentials directly to the selectlogin.fcc file. No modification of the action argument is required.

The action URL may be hosted by a different web server; however, the other web server must also be protected by a SiteMinder Web Agent so that the SiteMinder-specific resource URLs (FCC, SCC, and NTC) are recognized and properly processed.

Note: SCC pseudo-resource URLs are used for certificate-only authentication.

Sample selectlogin.fcc File

A simplified version of the selectlogin.fcc file (without the HTML formatting) follows. Note that there are hidden input fields for smquerydata and postpreservationdata; those are necessary for passing the GET and POST parameters, respectively. The smauthreason parameter holds the reason code provided by the Policy Server together with the authentication challenge.

    @username=%USER%
    @smretries=0
    <html>
    <head>
    <script language="JavaScript">
    function submitForm(form)
    {
        authtype = "none";
        if (form == 1)
        {
            document.Login.USER.value = document.Login.USER1.value;
            document.Login.PASSWORD.value = document.Login.PASSWORD1.value;
            if (!document.Login.UseCert.checked)
            {
                // username/password only
                authtype = "form";
            }
            else if (document.Login.USER.value == "" &&
                     document.Login.PASSWORD.value == "")
            {
                // certificate only
                authtype = "cert";
            }
            else
            {
                // username/password and certificate
                authtype = "certform";
                // This option requires posting over SSL.
                arr = document.URL.split("://");
                document.Login.action = "https://" + arr[1];
            }
        }
        else if (form == 2)
        {
            // SecurID authentication
            authtype = "securid";
            document.Login.USER.value = document.Login.USER2.value;
            document.Login.PASSWORD.value = document.Login.PASSWORD2.value;
        }
        else if (form == 3)
        {
            // SafeWord authentication
            authtype = "safeword";
            document.Login.USER.value = document.Login.USER3.value;
            document.Login.PASSWORD.value = "";
            // POST to safeword.fcc, for additional processing.
            // NOTE: This forces the web agent to POST to safeword.fcc
            // even if the authentication scheme's URL parameter
            // is set to selectlogin.fcc for redirection purposes.
            document.Login.action = "safeword.fcc";
        }
        else if (form == 4)
        {
            // Authenticate with the current Windows login credentials
            authtype = "windows";
            document.Login.USER.value = "";
            document.Login.PASSWORD.value = "";
            // POST to creds.ntc (required by the Windows authentication scheme).
            document.Login.action = "/siteminderagent/ntlm/creds.ntc";
        }
        // Generate the target, depending on the user's choice of credentials.
        // This sample uses redirect.asp, but it could also be redirect.jsp,
        // redirect.pl, etc.
        // This sample uses the following format:
        //     /auth/redirect.asp?authtype=<choice>&target=<original target>
        // Other formats are also possible, e.g.:
        //     /auth-<choice>/redirect.asp?target=<original target>
        // The helper realms' resource filters must be defined accordingly (see the
        // tech note).
        // Check if the target is not already in the same format. The user may
        // have been redirected back to selectlogin.fcc upon authentication failure,
        // if the authentication scheme's URL parameter is set to selectlogin.fcc.
        if ("$$target$$".indexOf("/auth/redirect.asp?authtype=") == 0 &&
            "$$target$$".indexOf("&target=") > 0)
        {
            // This must be a redirect. Extract the original target, but not
            // the authtype parameter, because the user may have made a different
            // choice of credentials this time.
            trgarr = "$$target$$".split("&target=");
            document.Login.target.value = "/auth/redirect.asp?authtype=" + authtype +
                "&target=" + trgarr[1];
        }
        else
        {
            // This is not a redirect. Pass $$target$$ as a URL query parameter.
            document.Login.target.value = "/auth/redirect.asp?authtype=" + authtype +
                "&target=$$target$$";
        }
        document.Login.submit();
    }
    function resetCredFields()
    {
        document.Login.PASSWORD.value = "";
        document.Login.PASSWORD1.value = "";
        document.Login.PASSWORD2.value = "";
    }
    </script>
    </head>
    <body onLoad="resetCredFields();">
    <center>
    <form name="Login" method="POST">
    <input type="hidden" name="USER">
    <input type="hidden" name="PASSWORD">
    <input type="hidden" name="smagentname" value="$$smagentname$$">
    <input type="hidden" name="smauthreason" value="$$smauthreason$$">
    <input type="hidden" name="smquerydata" value="$$smquerydata$$">
    <input type="hidden" name="postpreservationdata" value="$$postpreservationdata$$">
    <input type="hidden" name="target">
    <!-- Some table formatting throughout -->
    <!-- Authentication Choice: Password And/Or Certificate -->
    <input type="text" name="USER1">
    <input type="password" name="PASSWORD1">
    <!-- Checkbox read by submitForm(1) to request the X.509 client certificate -->
    <input type="checkbox" name="UseCert">
    <input type="button" value="Login" onClick="submitForm(1);">
    <!-- Authentication Choice: Windows Authentication -->
    <input type="button" value="Login" onClick="submitForm(4);">
    <!-- Authentication Choice: SecurID Authentication -->
    <input type="text" name="USER2">
    <input type="password" name="PASSWORD2">
    <input type="button" value="Login" onClick="submitForm(2);">
    <!-- Authentication Choice: SafeWord Authentication -->
    <input type="text" name="USER3">
    <input type="button" value="Login" onClick="submitForm(3);">
    <!-- More table formatting -->
    </form>
    </center>
    </body>
    </html>
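The target-rewriting step that the sample above performs on document.Login.target (and that the "redirect.ext" description earlier in this section introduces) is easier to reason about outside the DOM. The following is an added example, not code from the TechNote or the Web Agent: it keeps the sample's /auth/redirect.asp convention and its authtype values, but the function names and the sample URLs are constructed here. It goes one step beyond the sample by keeping everything after the first "&target=" when unwrapping a redirect URL, so an original target that itself contains "&target=" is not truncated.

```javascript
// Added example, not code from the TechNote: the target-rewriting step of
// selectlogin.fcc lifted out of the DOM so it can be exercised on its own.
// /auth/redirect.asp and the authtype values follow the TechNote's sample;
// the function names and the URLs in demo() are assumptions made here.

const REDIRECT_PATH = "/auth/redirect.asp";
const TARGET_MARKER = "&target=";

// Same conversion the TechNote shows for the cert-and-form choice, which must
// be POSTed over SSL.
function toHttpsUrl(url) {
  const arr = url.split("://");
  return "https://" + arr[1];
}

// If the target is already a redirect URL (the user came back to
// selectlogin.fcc after a failed attempt), return the original target it
// carries, dropping the previous authtype so a different choice this time is
// honoured. Everything after the first "&target=" is kept, so an original
// target that itself contains "&target=" survives intact (the sample's
// split("&target=")[1] would cut it at the second occurrence).
function unwrapTarget(target) {
  const prefix = REDIRECT_PATH + "?authtype=";
  if (target.indexOf(prefix) === 0) {
    const at = target.indexOf(TARGET_MARKER);
    if (at > 0) return target.slice(at + TARGET_MARKER.length);
  }
  return target;
}

// Build the value posted in the hidden "target" field. The original target is
// passed raw, as the TechNote's sample does; URL-encoding it here would require
// matching decoding in the redirect script.
function buildTarget(requestedTarget, authtype) {
  return REDIRECT_PATH + "?authtype=" + authtype + TARGET_MARKER + unwrapTarget(requestedTarget);
}

// A first attempt, a failed attempt that lands back on selectlogin.fcc with the
// rewritten target, and a second attempt with a different choice: the target
// stays flat instead of nesting one redirect URL inside another.
function demo() {
  const first = buildTarget("/protected/greet.asp", "form");
  const retry = buildTarget(first, "cert");
  // Constructed page URL for the SSL upgrade of the cert-and-form choice.
  const pageUrl = toHttpsUrl("http://www.example.com/siteminderagent/forms/selectlogin.fcc?TARGET=" + retry);
  return { first, retry, pageUrl };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The helper realms' resource filters still have to match whatever format buildTarget produces, exactly as the sample's comment says for its own format.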

Manage Unsuccessful Authentication Attempts

If the user is rejected by an authentication scheme, the user is redirected to the URL specified in that authentication scheme's Target parameter, which you set in the Authentication Scheme Properties dialog of the Policy Server User Interface.


Configure whichever of the following behaviors best suits your situation:

Have the user prompted to resubmit his credentials for the same authentication scheme, instead of being presented with a choice of authentication schemes again.

Allow the user to return to the original login screen to repeat the selection. To do this, the selectlogin.fcc must be configured as each authentication scheme's Target parameter, if applicable.

If a particular choice of credentials requires posting the credentials to an FCC file other than the selectlogin.fcc file, then set the HTML form's action parameter in the selectlogin.fcc to the desired FCC file's URL. For example, this command sets the action parameter to the safeword.fcc file:

document.Login.action = "safeword.fcc";

The basic authentication schemes can be used instead of HTML forms. In most cases, the user experience is the same for a successful authentication. However, if the user has to be re-challenged, the re-challenge is based on basic authentication scheme, that is, with a prompt dialog instead of an HTML form.

Note: The SafeWord basic scheme does not support two-step authentication and multiple authenticators, unlike the SafeWord HTML forms scheme.

Protect the Sample Application

To protect the sample application, the realm containing the application has to be protected with the front-end authentication scheme. For this use case, the sample application, which generates the greeting message for the user, must be in a realm that is protected by the AuthChannel authentication scheme configured previously.

The policies that govern access to the application may apply restrictions based on the user's authentication level and authentication context.

Realms and Rules for the Sample Application

The following four realms must be configured to protect the sample application:

A realm that contains public resources

A realm that contains resources requiring at least a level 5 authentication

A realm that contains resources requiring at least a level 15 authentication

A realm that contains resources available only to users authenticated with SafeWord


The realms are shown in the following dialog.

The protected realms are configured with the SampleAgentGroup and the AuthChannel front-end authentication scheme, as shown in the following dialog:


The SampleAgentGroup may contain any Web Agents that provide points of entry to the sample application.

The following requirements are necessary for Web Agents protecting realms as part of the Credentials Selector functionality:

Single sign-on must be configured between all Web Agents protecting realms. This means that they are in the same cookie domain or they use the same cookie provider.

Note: To configure single sign-on, see the Web Agent Guide.

The value of the @smagentname directive in the FCC file must match the expected value for at least one of the Web Agents protecting the originally requested resource.

The expected value is the value of the Web Agent's AgentName parameter or the DefaultAgentName parameter, if the AgentName parameter is not assigned a value. If the EncryptAgentName parameter in the Agent's configuration is set to yes, the value must be encrypted.

One way of setting the @smagentname directive is by configuring each Web Agent with the same naming properties. They can even share the same Agent Configuration Object. Another method is to configure the @smagentname directive programmatically in the FCC file, provided that the name is not encrypted.

Important! If the @smagentname directive is misconfigured, you may see a “No realm received in request” error message in the Policy Server log.

The FCCForceIsProtected parameter must be set to yes to ensure that a second IsProtected call is made for the new target generated by the selectlogin.fcc file. The IgnoreQueryData parameter must be set to no so the Web Agent does not ignore the URL query parameters.

Configure Policies to Protect the Sample Application

If resources require a protection level of at least 5, the policy protecting the resources requires an active or variable expression that fetches the SM_AUTHENTICATIONLEVEL attribute from the SiteMinder session ticket.


The AuthLevel variable is a user context variable defined similarly to the AuthContext user context variable for the user's authentication context (see page 32).

In this solution, a user authenticated by any authentication scheme would be authorized by this policy because all corresponding authentication schemes are of level 5 or greater. It is recommended to include this restriction. Since the front-end authentication scheme is an HTML form scheme, a custom Web Agent (based on SiteMinder Agent API) that does not support the FCC functionality would authenticate the user with the password alone. However, the user's authentication level would be set to the front-end authentication scheme's level, which is 1. A policy requiring the authentication level to be greater than that of the realm's authentication scheme would always reject such users at the authorization stage.

The policy protecting the confidential resources can be set up similarly, with the (AuthLevel>=15) variable expression. In that case, only the users authenticated with either cert-and-form, SecurID, or SafeWord credentials would be authorized, while the users authenticated with password or certificate credentials alone would be rejected.

Note: If you have not installed the Policy Server Option Pack, an active expression can be used instead.


The policy protecting the resources that require SafeWord authentication can be set up with the “AuthContext==SafeWord” variable expression, where AuthContext is the user context variable described in Create an Authentication Context Policy.

More Information:

Create an Authentication Context Policy (see page 32)

Configure Responses for the Sample Application

In this example, the sample application that displays the greeting message uses three HTTP header variables:

HTTP_USERNAME

HTTP_AUTHLEVEL

HTTP_AUTHCONTEXT

These headers are returned to the client with the following response:


For any of the response attributes, the right-hand side expression is generated from the following dialog:

Set-up Authentication Schemes for Back-End Processing

You need to set up several authentication schemes for back-end processing, one for each choice of credentials. These schemes let a user choose the type of credentials they provide to access a protected resource.

The following dialog shows the configured authentication schemes for the solution to the use case.

Note: The Basic authentication scheme is listed by default as part of the Policy Server's installation.


There is one authentication scheme for each type of credentials:

An HTML Form authentication scheme

An X.509 Client Cert authentication scheme

An X.509 Client Cert And Form authentication scheme

A SecurID HTML Form authentication scheme

A SafeWord HTML Form authentication scheme

A Windows authentication scheme

The Credentials Selector front-end, which is what the sample application uses, is represented by an additional authentication scheme. For this solution, this front-end authentication scheme is called AuthChannel.

The following dialog shows the AuthChannel authentication scheme, which protects the front-end.


The AuthChannel authentication scheme uses the HTML Form Template and specifies a special FCC file called selectlogin.fcc, as its target. The selectlogin.fcc file is a sample file included in the 6.x QMR 5 Web Agent installation.

The AuthChannel scheme's protection level is set to 1 because the front-end scheme must have a lower protection level than every other scheme in the configuration. The user's actual authentication level is determined by the scheme the user chooses on selectlogin.fcc. When the user is then redirected back to the originally requested resource, which is protected by the front-end scheme, the front-end scheme's low protection level is already satisfied by the user's level, so the user is not re-challenged.

More Information:

Configure the FCC for the Front-End Authentication Scheme (see page 12)


Set Up a Policy Domain for Back-End Processing

The Credentials Selector's back-end processing is represented by a policy domain. In this solution, the policy domain is named AuthChannel.

Configure Realms for the Back-end Policy Domain

In this solution the AuthChannel policy domain is the domain for back-end processing. There is one realm per authentication scheme, with a resource filter defined as follows:

/auth/redirect.asp?authtype=type&target=

type

Can be one of the following:

form: username/password authentication

cert: certificate authentication

certform: cert-and-form authentication

securid: SecurID authentication

safeword: SafeWord authentication

windows: Windows authentication

Note: These are the types chosen for the purposes of this use case. You are not restricted to these specific values, but the types must correspond to the authtype values in the selectlogin.fcc file, or any other FCC file based on the selectlogin.fcc template. Also, the realm's resource filter must match the redirect target in the FCC file.

The following dialog shows the list of realms.


The Web Agents protecting the realms may or may not be the same. This solution uses a single Web Agent; however, if multiple Web Agents are used, they must satisfy specific requirements.

The following requirements are necessary for Web Agents protecting realms as part of the Credentials Selector functionality:

Single sign-on must be configured between all Web Agents protecting realms. This means that they are in the same cookie domain or they use the same cookie provider.

Note: To configure single sign-on, see the Web Agent Guide.

The value of the @smagentname directive in the FCC file must match the expected value for at least one of the Web Agents protecting the originally requested resource.

The expected value is the value of the Web Agent's AgentName parameter or the DefaultAgentName parameter, if the AgentName parameter is not assigned a value. If the EncryptAgentName parameter in the Agent's configuration is set to yes, the value must be encrypted.

One way of setting the @smagentname directive is by configuring each Web Agent with the same naming properties. They can even share the same Agent Configuration Object. Another method is to configure the @smagentname directive programmatically in the FCC file, provided that the name is not encrypted.

Important! If the @smagentname directive is misconfigured, you may see a “No realm received in request” error message in the Policy Server log.

The FCCForceIsProtected parameter must be set to yes to ensure that a second IsProtected call is made for the new target generated by the selectlogin.fcc file. The IgnoreQueryData parameter must be set to no so that the Web Agent does not ignore the URL query parameters, on which the back-end realm filters depend.
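The following Python model is added here as an illustration; it is not part of the TechNote and not Web Agent code. It shows how the agent requirements above interact with the realm resource filters listed under Configure Realms for the Back-end Policy Domain: the @smagentname directive must equal the agent's AgentName (or DefaultAgentName, and in encrypted form when EncryptAgentName is yes), and the second IsProtected call for the selectlogin.fcc target must carry the query string, or no /auth/redirect.asp?authtype=... realm can match. The agent names, the "enc:" stand-in for an encrypted name, and prefix matching of realm filters are assumptions of the model.

```python
"""Model of the Web Agent checks that make the Credentials Selector redirect land in a
back-end realm. Added example for illustration; not CA code. Agent names, the 'enc:'
stand-in for an encrypted name, and prefix matching of realm filters are assumptions."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class AgentConfig:
    default_agent_name: str
    agent_name: str = ""                  # "" models an AgentName parameter with no value assigned
    encrypt_agent_name: bool = False
    fcc_force_is_protected: bool = True   # the document requires yes
    ignore_query_data: bool = False       # the document requires no


def expected_agent_name(cfg):
    """AgentName if assigned, otherwise DefaultAgentName."""
    return cfg.agent_name or cfg.default_agent_name


def encrypt_name(name):
    """Stand-in for agent-name encryption (assumed; the real format is not shown in the document)."""
    return "enc:" + name


def smagentname_matches(directive_value, cfg):
    """True when the FCC's @smagentname equals the agent's expected name, in encrypted form
    when EncryptAgentName is yes. A mismatch is the misconfiguration behind the
    "No realm received in request" message the document mentions."""
    expected = expected_agent_name(cfg)
    if cfg.encrypt_agent_name:
        expected = encrypt_name(expected)
    return directive_value == expected


# One realm per back-end scheme; each filter includes the authtype query parameter.
REALM_FILTERS = {
    t: f"/auth/redirect.asp?authtype={t}&target="
    for t in ("form", "cert", "certform", "securid", "safeword", "windows")
}


def resource_for_is_protected(url, cfg):
    """The resource the agent submits in its IsProtected call: path plus query string, or
    only the path when IgnoreQueryData is yes."""
    parts = urlsplit(url)
    if cfg.ignore_query_data or not parts.query:
        return parts.path
    return f"{parts.path}?{parts.query}"


def resolve_backend_realm(target_url, cfg):
    """authtype of the realm whose filter prefixes the resource, or None. Without
    FCCForceIsProtected the agent makes no second IsProtected call for the new target, and
    with IgnoreQueryData the query-bearing filters can never match."""
    if not cfg.fcc_force_is_protected:
        return None
    resource = resource_for_is_protected(target_url, cfg)
    for authtype, realm_filter in REALM_FILTERS.items():
        if resource.startswith(realm_filter):
            return authtype
    return None


if __name__ == "__main__":
    agent = AgentConfig(default_agent_name="webagent1")
    target = "/auth/redirect.asp?authtype=safeword&target=/app/greeting.asp"  # constructed
    print(resolve_backend_realm(target, agent))                                       # safeword
    print(resolve_backend_realm(target, AgentConfig("webagent1", ignore_query_data=True)))  # None
```

The two failure cases worth checking in a real deployment are the ones the model makes explicit: with IgnoreQueryData set to yes the agent submits only /auth/redirect.asp, which matches none of the query-bearing realm filters, and with FCCForceIsProtected set to no the new target is never evaluated at all.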

Create Rules for the Back-end Policy Domain

In each realm that you configure for the AuthChannel policy domain, there are two rules you need to configure:

An OnAuthAccept rule

A Web Agent action rule (for the purposes of this example, use a GET action rule)

Both rules should have an asterisk (*) as the value for the Resource Filter field.

The following dialog shows the two rules.


Configure AuthContext Responses for the Back-end Policy Domain

An AuthContext response is configured for each authentication scheme in the AuthChannel domain, as shown in the following dialog.

Each of these responses contains an AuthContext response attribute, a feature new in SiteMinder 6.0 SP5. An AuthContext response attribute is evaluated only on an OnAuthAccept event. Its value is added to the SiteMinder session ticket as the value of the SM_AUTHENTICATIONCONTEXT user attribute. It is not, however, returned to the client as a user response.

Note: The response attribute value is truncated to 80 bytes in length.


To configure an AuthContext response attribute, select the WebAgent-OnAuthAccept-Session-AuthContext response attribute type, which is new for SiteMinder 6.0 SP5.

The following dialog shows the creation of an AuthContext response attribute using the WebAgent-OnAuthAccept-Session-AuthContext attribute type:

As the dialog shows, the AuthContext response attribute is configured with a static value. If the Policy Server Option Pack is installed, you can use static variables to define constants and string literals for better encapsulation.

SiteMinder variables and active expressions add more flexibility to configuring AuthContext response attributes; the value may, for example, include the authentication timestamp or a hash of a SAML assertion.

The following dialog shows the resulting responses configured for this solution.


Configure Policies for Back-end Credential Selection

There are two policies in this example:

One for setting the user's authentication context

One for Web Agent actions

The following dialog shows the two policies.


Create an Authentication Context Policy

The AuthContext policy is configured to set the authentication context in the session ticket. In the policy, the OnAuthAccept rules from each realm are paired with the corresponding responses, as shown in the following dialog.


Both the initial authentication and each subsequent session validation are OnAuthAccept events, which means the authentication context in the session ticket could be overwritten on every validation. Being able to update the attribute can be useful in some circumstances, for example if its value includes a counter. In this solution, however, the AuthContext policy is configured to fire only when the authentication context is empty, so that the session ticket is not overwritten and the user's choice of credentials is remembered.

To protect the authentication context from being overwritten, use an active or variable expression in the AuthContext policy that fetches the SM_AUTHENTICATIONCONTEXT attribute from the session ticket. If the SiteMinder Policy Server Option Pack is installed, configure a user context variable, as shown in the following dialog.

Without the Policy Server Option Pack, the same can be accomplished by writing an active expression library.

In the following dialog, the AuthContext is a user context variable configured to fetch the SM_AUTHENTICATIONCONTEXT from the session ticket.
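The following Python model is added here as an illustration; it is not CA code and does not reproduce the Policy Server's evaluation engine. It ties together the AuthLevel policies from Configure Policies to Protect the Sample Application and the AuthContext policy described above: the OnAuthAccept response writes SM_AUTHENTICATIONCONTEXT only when it is still empty and truncates it to 80 bytes, the protection policies evaluate (AuthLevel>=5), (AuthLevel>=15) and AuthContext==SafeWord against the ticket, and a custom Agent API client that authenticates against the front-end scheme directly ends up with level 1 and is rejected. Only AuthChannel's level 1 is stated by the document; the other scheme levels and the policy names are assumed values chosen to satisfy the document's thresholds.

```python
"""Model of the session-ticket attributes and policy expressions used in this TechNote.
Added example for illustration; not CA code and not the Policy Server's evaluation engine.
Scheme protection levels other than AuthChannel's 1 are assumed values picked to satisfy the
document's >=5 and >=15 thresholds; the policy names are also assumed."""

SCHEME_LEVELS = {
    "AuthChannel": 1,                                # front-end scheme; the only level the document states
    "form": 5, "cert": 5, "windows": 5,              # assumed: at least 5 but below 15
    "certform": 15, "securid": 15, "safeword": 15,   # assumed: at least 15
}
AUTHCONTEXT_MAX_BYTES = 80  # the Policy Server truncates the attribute to 80 bytes


def authenticate(ticket, scheme):
    """Authentication by `scheme` records that scheme's protection level in the ticket."""
    ticket["SM_AUTHENTICATIONLEVEL"] = SCHEME_LEVELS[scheme]
    return ticket


def auth_level(ticket):
    return ticket.get("SM_AUTHENTICATIONLEVEL", 0)


def auth_context(ticket):
    return ticket.get("SM_AUTHENTICATIONCONTEXT", "")


def on_auth_accept_set_context(ticket, context_value):
    """The AuthContext policy: it fires on every OnAuthAccept (initial authentication and each
    later validation) but writes SM_AUTHENTICATIONCONTEXT only while it is still empty, so the
    user's original choice of credentials survives re-validation. The value is cut to 80 bytes."""
    if auth_context(ticket) == "":
        raw = context_value.encode("utf-8")[:AUTHCONTEXT_MAX_BYTES]
        ticket["SM_AUTHENTICATIONCONTEXT"] = raw.decode("utf-8", "ignore")
    return ticket


# Variable expressions of the three protection policies in the document (names assumed).
POLICY_EXPRESSIONS = {
    "general":       lambda t: auth_level(t) >= 5,
    "confidential":  lambda t: auth_level(t) >= 15,
    "safeword_only": lambda t: auth_context(t) == "SafeWord",
}


def is_authorized(ticket, policy):
    return POLICY_EXPRESSIONS[policy](ticket)


def login_through_selector(choice, context_value):
    """Normal path: the user picks `choice` on selectlogin.fcc, is authenticated by that
    back-end scheme, and the OnAuthAccept response stamps the context."""
    return on_auth_accept_set_context(authenticate({}, choice), context_value)


def login_via_custom_agent_bypassing_fcc():
    """The bypass the document warns about: an Agent API client without FCC support
    authenticates with a password against the front-end scheme itself, so the ticket carries
    only AuthChannel's level 1 and no context."""
    return authenticate({}, "AuthChannel")


if __name__ == "__main__":
    for name, ticket in (("safeword", login_through_selector("safeword", "SafeWord")),
                         ("form", login_through_selector("form", "Form")),
                         ("bypass", login_via_custom_agent_bypassing_fcc())):
        print(name, {p: is_authorized(ticket, p) for p in POLICY_EXPRESSIONS})
```

The bypass case is the reason the document recommends the AuthLevel expression even though every back-end scheme already meets the threshold: without it, a ticket issued at level 1 through the front-end scheme would be authorized like any other.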


Create a Protection Policy

In addition to an authentication context policy, create a second policy that authorizes an authenticated user for the requested resource.

Create this policy in the AuthChannel domain to authorize the authenticated user for the redirection target, which in this example, is a GET action on the redirect.asp file.

The following dialog shows the policy and its associated rules.
