Which Java Method is for the 'Allow Protection Override' Feature?

Article ID: 145314

Products

CA Single Sign On Secure Proxy Server (SiteMinder), AXIOMATICS POLICY SERVER, CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), SITEMINDER

Issue/Introduction

SiteMinder documentation describes the 'Allow Protection Override' check box, which applies to custom authentication schemes:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/authentication-schemes/custom-authentication-schemes.html
  • (Optional) Select the Allow Protection Override check box in Scheme Common Setup. This option specifies that the protection level in the library takes precedence over the protection level specified in the Administrative UI.
Which method in the Authentication Java API can be used to set the Protection Level of the Custom Authentication scheme?

Cause

This is part of the com.netegrity.policyserver.smapi.SmAuthScheme interface:

public SmAuthenticationResult authenticate(String parameter, String secret, int challengeReason, SmAuthenticationContext context)

Performs the custom authentication and returns the authentication result.

SiteMinder calls this method at least twice -- during user disambiguation and during user authentication. For information about these two phases of the authentication process, see the Programming Guide for Java.
Parameters:
parameter - The optional parameter string specified in the Policy Server User Interface, to be used in any way that the authentication scheme requires.
secret - The shared secret specified for the authentication scheme in the Policy Server User Interface. The shared secret is used for any purpose that the authentication scheme requires, such as encryption or credentials operations. Your authentication scheme may or may not require a shared secret.
challengeReason - The reason code from a previous authentication that failed or was challenged, or 0 if unknown. The reason code that SiteMinder passes is the REASON_ constant that the authentication scheme returned in SmAuthenticationResult after the failed or challenged authentication.
context - Contains request context objects, and also methods for passing error and user messages directly to SiteMinder.
Returns: An SmAuthenticationResult object containing status and reason codes. How the returned status code is interpreted depends upon the phase during which SiteMinder called the authentication scheme.

%SM_AUTHENTICATIONLEVEL is a generated User Attribute.
When a user is authenticated for a resource, this attribute holds an integer (from 0 to 1000) that represents the protection level of the authentication scheme under which the user was authenticated.

Here is an example of how this might be set in custom code:

public SmAuthenticationResult authenticate(String parameter,
                                           String secret,
                                           int challengeReason,
                                           SmAuthenticationContext context) {

    // ...
    // The user context is only meaningful once SiteMinder has resolved the user.
    UserContext theUserContext = context.getUserContext();
    // ...

    // setProp returns 0 on success; report the failure back through the context.
    if (0 != theUserContext.setProp("SM_AUTHENTICATIONLEVEL", "20")) {
        context.setUserText("Failed to set the SM_AUTHENTICATIONLEVEL");
    }
    // ...
}

According to the documentation (bookshelf), other properties can be set at run time as well:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/programming/sdks/programming-in-java/authentication-api-and-authorization-api-in-java/custom-authentication-scheme-creation-using-java/implement-the-java-authentication-api-interface.html
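The following is an added example, not code from the article or from the SiteMinder SDK samples. It extends the snippet above in two ways a practitioner would want: the level is taken from the scheme's Parameter field and validated against the documented 0 to 1000 range before it is written, and it is only written once a user context exists, i.e. during the authentication call rather than the disambiguation call. Everything outside the article's own calls (context.getUserContext(), UserContext.setProp(), context.setUserText()) is an assumption about the SDK: the class ProtectionLevelOverrideScheme, the constants SmAuthStatus.SMAUTH_ACCEPT / SMAUTH_REJECT and SmAuthenticationResult.REASON_NONE, UserContext.isUserContext(), and the SmAuthenticationResult(int, int) constructor. The scheme's own credential verification and the remaining SmAuthScheme methods are not shown.

```java
import com.netegrity.policyserver.smapi.SmAuthStatus;
import com.netegrity.policyserver.smapi.SmAuthenticationContext;
import com.netegrity.policyserver.smapi.SmAuthenticationResult;
import com.netegrity.policyserver.smapi.UserContext;

// Hypothetical scheme class (assumption); the other SmAuthScheme methods are omitted here.
public class ProtectionLevelOverrideScheme {

    // Documented range of SM_AUTHENTICATIONLEVEL (generated user attributes page).
    static final int MIN_LEVEL = 0;
    static final int MAX_LEVEL = 1000;

    // Parses the level configured in the scheme's Parameter field.
    // Returns -1 for a missing, non-numeric or out-of-range value so that nothing is written.
    static int parseLevel(String parameter) {
        if (parameter == null) {
            return -1;
        }
        try {
            int level = Integer.parseInt(parameter.trim());
            return (level < MIN_LEVEL || level > MAX_LEVEL) ? -1 : level;
        } catch (NumberFormatException e) {
            return -1;
        }
    }

    // Writes SM_AUTHENTICATIONLEVEL; setProp returns 0 on success, as in the article's sample.
    static boolean applyProtectionLevel(UserContext user, int level, SmAuthenticationContext context) {
        if (0 != user.setProp("SM_AUTHENTICATIONLEVEL", Integer.toString(level))) {
            context.setUserText("Failed to set the SM_AUTHENTICATIONLEVEL");
            return false;
        }
        return true;
    }

    public SmAuthenticationResult authenticate(String parameter,
                                               String secret,
                                               int challengeReason,
                                               SmAuthenticationContext context) {
        UserContext user = context.getUserContext();

        // Assumption: isUserContext() is false on the disambiguation call, when the user has
        // not been resolved yet and there is no user to attach a protection level to.
        if (user == null || !user.isUserContext()) {
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_ACCEPT,
                                              SmAuthenticationResult.REASON_NONE);
        }

        // The scheme's own credential verification belongs here (not shown);
        // on failure return SMAUTH_REJECT before any level is written.

        int level = parseLevel(parameter);
        if (level < 0 || !applyProtectionLevel(user, level, context)) {
            // Reject rather than silently authenticate at whatever level the Administrative UI
            // configured when the override this scheme is meant to apply cannot be set.
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT,
                                              SmAuthenticationResult.REASON_NONE);
        }
        return new SmAuthenticationResult(SmAuthStatus.SMAUTH_ACCEPT,
                                          SmAuthenticationResult.REASON_NONE);
    }
}
```

Rejecting when the level cannot be set is a design choice for this example: a scheme whose library level is supposed to take precedence should not fall back to the UI-configured level without the administrator noticing, and the setUserText message makes the failure visible in the authentication trace.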

Environment

Release : 12.8.03

Component : SITEMINDER -SDK

Resolution

The code sample is provided as is; no additional support is available. This is custom code development, which is generally out of support scope.
Any further custom coding questions should be directed to the HCL service group, a Broadcom partner.

Additional Information

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/configuring/policy-server-configuration/responses-and-response-groups/generated-user-attributes.html

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/programming/sdks/programming-in-java/authentication-api-and-authorization-api-in-java/custom-authentication-scheme-creation-using-java/implement-the-java-authentication-api-interface.html