Implementing Authentication Context in a SAML Federation using the REST API


Article ID: 193519


Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running an AdminUI and when we try to create a SAML Federation
Partnership that uses an Authentication Context, it fails. We use the REST
API to create it. We tried to create it with AuthenticationContextType =
Static and with AuthenticationContextType = Dynamic, and both are failing.

 AuthenticationContextType = Static

     <StatusMessage>The AuthnRequest with AuthnContexts is not supported!</StatusMessage>

 AuthenticationContextType = Dynamic

     ERROR:create post failure {u'status': 500, u'responseType':
     u'error', u'data': [{u'message':
     u'java.lang.IllegalArgumentException: null attribute value
     DynAuthDefaultURI'}]}

How can we create a Partnership using curl and the REST API?

 

Environment

 

AdminUI 12.8SP3 on RedHat 7;

 

Resolution

 

Set the status of the partnership to "Defined" and no other value,
because the partnership cannot be activated before its configuration
data has been saved.

Once the Partnership data has been saved, the partnership can be
activated successfully in the AdminUI.

In addition, the AdminUI provides a page in which you can test your
payload:

  /ca/api/sso/services/v1/api-doc/

Here is a sample of creating a Partnership using curl and the REST API.
Tip: if you need to know the data structure to put in the payload, first
define a partnership in the AdminUI, then retrieve its configuration
through the REST API, and finally change the values as per your business
needs. Note that the -k option in the examples below disables TLS
certificate verification, so use it only against a test system whose
certificate you cannot otherwise trust, and treat the bearer token as a
credential: obtain your own session token and do not reuse or share the
one shown.

Creating the partnership with the payload in params.json:

# Create the partnership from the payload in params.json (HTTP POST).
# --insecure (-k) skips TLS certificate verification: acceptable only against a
# test server with an untrusted certificate, never in production.
# The bearer token is a session credential; replace it with your own.
curl --verbose --insecure \
  --header "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..vBfAMWB8A3zCXvAx.VZ2w9E8iC41VydBu-tWL33kQgFLKUfTJGx61F9UpDlBxyNzqoSXgP6TR-OzpYZ9CRja5YZ7PJks1KqoRrNuqfWlseMUJh6RAsqxy30QBmg1ImQiqN4JvGE2504sU-aji0tVYRUcAcdQV8sNd9gpK5G9LbHz7mCWL_SjpYAI6d5_5XDdF2Wsjwo78hOcKmGkiV1b_DNt_3VEHKrJx5FU8O3z8QcJJw_sQR-y-jLSy6vHrVMZolg5tYpDUKHmqgQAruGtDI3R4ecas1_Hf3Y5h5z7DZz7pF_l7trYO0tWyyTShwmcM6ZXUKxZBjZI3v1VHvqVaLZiUm2JcGHN47llqKWMoTwDcGGxE-i_F3B_m8lhJxQ-yWF71JXm3u9alAQFnZiu_bFiYXHdo8a2LsirrVjnut3rnC7XU2V9An7z7Tkcnn7BxYKORVneTNyTkf1WAvJ8VwRHDS89IF6jtEhnfEQzAYCpyYa3O0BR-zY6uHODe_H5gYecvRc4fbxF4GoZ_Ba44FLwOPtZlt1rlJmSMVZUJGvwGWt750yKaQHVKBw.IiBgR3ol1-wTFXTD67jZ_A" \
  --header "Content-Type: application/json; charset=UTF-8" \
  --request POST \
  --data @params.json \
  https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships

  params.json (note: the "[email protected]" fragments in the id and href values below appear to be an artifact of the page extraction that replaced the original object identifiers; take the real values from a partnership retrieved through the REST API)

  {
      "id": "CA.FED::[email protected]",
      "type": "FedSPPartnership",
      "Name": "mytestpartnership-1",
      "BaseURL": "https://mytestidp.mytestidp.com",
      "AllowIDPToCreateUserID": false,
      "Status": "Defined",
      "EnableIdentityMapping": false,
      "FIPSApproved": true,
      "SkewTime": 30,
      "Policy": {
 "TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
 "SmUserPolicies": [
   {
     "id": "CA.SM::[email protected]",
     "type": "SmUserPolicy",
     "FilterPath": "all",
     "UserDirectory": {
       "id": "CA.SM::[email protected]"
     },
     "Exclude": false,
     "FilterClass": "ALL"
   }
 ]
      },
      "AttributeService": {
 "id": "CA.FED::[email protected]",
 "type": "FedAttributeAuthorityConfig",
 "Enabled": false,
 "EnableProxiedQuery": false,
 "ValidityDuration": 60,
 "RequireSignedQuery": false,
 "SignAssertion": false,
 "SignResponse": false
      },
      "UserDirectories": [
 {
   "id": "CA.SM::[email protected]",
   "path": "/SmUserDirectories/localhost_userstore",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::[email protected]",
   "desc": "jsmith user store for testing"
 }
      ],
      "StatusRedirect": {
 "id": "CA.FED::[email protected]",
 "type": "FedStatusRedirects",
 "EnableUnauthorizedRequestURL": false,
 "UnauthorizedAccessRedirectMode": "NoData",
 "EnableInvalidRequestURL": false,
 "InvalidRequestRedirectMode": "NoData",
 "UserNotFoundMode": "NoData",
 "UnacceptedMode": "NoData",
 "InvalidMode": "NoData",
 "ServerErrorRedirectMode": "NoData",
 "EnableServerErrorURL": false
      },
      "RemoteSPEntityName": "mytestsp",
      "LocalIdPEntityName": "mytestidp",
      "SignatureOptions": {
 "DisableSignatureProcessing": true,
 "POSTSignatureOptions": "SignAssertion",
 "ArtifactSignatureOptions": "SignNeither",
 "SLOSOAPSignatureOptions": "SignNeither",
 "RequireSignedAuthenticationRequests": false,
 "SignArtifactResponse": false,
 "SigningAlgorithm": "RSAwithSHA1",
 "RequireSignedArtifactResolve": false
      },
      "Authentication": {
 "AllowOpenFormatCookieAuthenticationContextOverride": false,
 "UseNewSessionInForceAuthentication": false,
 "DelegatedAuthenticationURL": " ",
 "SecureAuthenticationURL": false,
 "MinimumAuthenticationLevel": 5,
 "AuthenticationType": "Dynamic",
 "IdleTimeout": 3600,
 "MaxTimeout": 7200,
 "LocalAuthenticationType": "Basic",
 "ForceAuthenticationSessionTimeouts": false,
 "AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
 "TrackDelegatedAuthenticationStatus": true,
 "AuthenticationContextType": "Automatic",
 "AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
 "DelegatedAuthenticationType": "Query",
 "EnableSessionAssurance": false,
 "IgnoreRequestedAuthenticationContext": false,
 "OpenFormatCookieConfiguration": {
   "id": "CA.FED::[email protected]",
   "type": "FedOpenCookieConfig",
   "EncryptionPassword": " ",
   "EncryptionTransformation": "AES128/CBC/PKCS5Padding",
   "CookieName": "DEFAULT",
   "EnableQuotedCookie": false,
   "EnableHashMessageAuthenticationCode": false,
   "SkewTime": 30
 }
      },
      "Backchannel": {
 "Timeout": 0,
 "LegacyBackchannelProtectionEnabled": false,
 "PartnershipBackchannelProtectionEnabled": true,
 "Configuration": {
   "Incoming": {
     "id": "CA.FED::[email protected]",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "AuthenticationType": "NoAuth"
   },
   "Outgoing": {
     "id": "CA.FED::[email protected]",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "BackchannelTimeout": 300,
     "AuthenticationType": "NoAuth"
   }
 }
      },
      "AuthenticationContextConfiguration": {
 "AuthenticationContextTemplate": {
   "id": "CA.FED::[email protected]",
   "path": "/FedAuthnContextTemplates/mytest",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]"
 }
      },
      "SLO": {
 "EnableSLOSOAP": false,
 "RelayStateOverridesSLOConfirmURL": false,
 "EnableSLOPOST": false,
 "SLOValidityDuration": 60,
 "EnableSLO": false,
 "ReuseSessionIndex": false
      },
      "AssertionConfiguration": {
 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
 "AttributeSource": {
   "id": "CA.FED::[email protected]",
   "type": "FedAttributeSource",
   "NameIDType": "Static",
   "StaticValue": "ok",
   "Value": "ok"
 }
      },
      "IDPDiscovery": {
 "EnableIDPDiscovery": false,
 "PersistentCookie": false
      },
      "EncryptionOptions": {
 "EncryptNameIDinSOAP": false,
 "EncryptionConfiguration": {
   "id": "CA.FED::[email protected]",
   "type": "FedEncryptionConfig",
   "EncryptionKeyAlgorithm": "rsa-v15",
   "EncryptionBlockAlgorithm": "tripledes",
   "EncryptAttributes": false,
   "EncryptAssertion": false,
   "EncryptNameID": false
 }
      },
      "NameIDManagement": {
 "Configuration": {
   "id": "CA.FED::[email protected]",
   "type": "FedNameIDMgtConfig",
   "NotificationAuthType": "NoAuth",
   "NotifyUserName": "*",
   "RetryCount": 3,
   "NotifyPassword": "{RC2}KX+/r5P53icByO98oPYqSQ\u003d\u003d",
   "SignRequest": false,
   "SOAPTimeout": 60,
   "EnablePostBinding": false,
   "AllowUserSelfService": false,
   "EnableNotification": false,
   "SignResponse": false,
   "EncryptNameID": false,
   "NotifyTimeout": 60,
   "RequireSignedRequest": false,
   "RequireEncryptedNameID": false,
   "EnableRedirectBinding": false,
   "DeleteNameID": false,
   "EnableSOAPBinding": false,
   "RetryBoundary": 15,
   "RequireSignedResponse": false
 }
      },
      "SSO": {
 "PersistentSessionValidationPeriod": -1,
 "EnableAuthenticationRequestPost": false,
 "EnableEnhancedClientProxyProfile": false,
 "ArtifactEncoding": "URL",
 "GUIDCookieValidityDuration": 180,
 "AcceptIncomingAssertionConsumerServiceURL": false,
 "CustomTimeout": 60,
 "EnableArtifact": false,
 "EnableAuthenticationRequestRedirect": true,
 "LegacyArtifactProtectionEnabled": false,
 "EnablePost": true,
 "EnableUserConsent": false,
 "PartnershipArtifactProtectionEnabled": false,
 "RecommendedSPSessionDuration": "AssertionValidity",
 "AllowTransactionType": "AllowBoth",
 "EnableNegativeAuthenticationResponse": false,
 "SSOValidityDuration": 60,
 "RemoteAssertionConsumerServices": [
   {
     "id": "CA.FED::[email protected]",
     "type": "FedEndpoint",
     "Index": 0,
     "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
     "IsDefault": false,
     "LocationURL": "https://mytestsp.testsp.com"
   }
 ],
 "OneTimeToUseAssertion": false
      }
  }

Getting the partnership configuration:

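# Fetch the partnership configuration. GET is curl's default method, so no
# method argument is needed; a bare "GET" word on the command line would be
# treated by curl as an additional URL and produce a spurious failed request.
# -k skips TLS certificate verification (test systems only).
# The bearer token is a session credential; replace it with your own.
curl -k -v \
  -H "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..MqJicc9zqSv2y5Un.kUrgBO4lUGt1lAFvQ4y-K3J798BikKXmDaVTVCjRw9Lv4X_k2qb54fZYcvv9du7J9abXgJnccTMdXC5PiwC1YXxCavhcyf1g-KhYiZzMUEw8vE0BDMnAHpm_HIs9z6xRa77N5clRJf4v2m1iD4tXx5KzaZ8BI091VoaWLmdEHfMqxrhPMayUroGDNIlWsgIlo7IRzsHsdcJtGz6HjtALkVpz-V-6WDENlqoXARo-fZm90MeovrY8iTDkaPVC3LEYjZDwF2Sg-8K8uXKp2kq3Awj4lXZb_0JbCGjv-OiAxi7ts7mK3FWES6-eidQWBWgjcqiNtL94y4gU6Zl4x4UcilzMKlArjUZVAU7et4GwjhzHQJsL_UwugI0_9o7NA83-UXLFLI3OcM8LBLTGUt1ZOywIZW2UX6A4xTLrIPW6L3j9D1xoEbpbMzpmlC-t6lwz-MbijZO757VFhyc3CZ3C63Qgg4-zhfZBSm4lNeQNG7JsquY0WugJovBvDUWF84uUrFQBZ1aKtKF4ElOoqx5MMK7cNjB1p9Eh6ouO89eng.XTw-k0q6QJOeTRn_CuBjjQ" \
  https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships/mytestpartnership-1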

response:

 {
    "responseType": "object",
    "data": {
      "id": "CA.FED::[email protected]",
      "type": "FedSPPartnership",
      "Name": "mytestpartnership-1",
      "SkewTime": 30,
      "Status": "Defined",
      "EnableIdentityMapping": false,
      "FIPSApproved": true,
      "AllowIDPToCreateUserID": false,
      "BaseURL": "https://mytestidp.mytestidp.com",
      "AttributeService": {
 "id": "CA.FED::[email protected]",
 "type": "FedAttributeAuthorityConfig",
 "SignResponse": false,
 "ValidityDuration": 60,
 "EnableProxiedQuery": false,
 "Enabled": false,
 "RequireSignedQuery": false,
 "SignAssertion": false
      },
      "StatusRedirect": {
 "id": "CA.FED::[email protected]",
 "type": "FedStatusRedirects",
 "UnauthorizedAccessRedirectMode": "NoData",
 "EnableServerErrorURL": false,
 "UnacceptedMode": "NoData",
 "InvalidMode": "NoData",
 "UserNotFoundMode": "NoData",
 "ServerErrorRedirectMode": "NoData",
 "EnableInvalidRequestURL": false,
 "InvalidRequestRedirectMode": "NoData",
 "EnableUnauthorizedRequestURL": false
      },
      "Policy": {
 "TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
 "SmUserPolicies": [
   {
     "id": "CA.SM::[email protected]",
     "type": "SmUserPolicy",
     "FilterPath": "all",
     "UserDirectory": {
       "id": "CA.SM::[email protected]"
     },
     "Exclude": false,
     "FilterClass": "ALL"
   }
 ]
      },
      "UserDirectories": [
 {
   "id": "CA.SM::[email protected]",
   "path": "/SmUserDirectories/localhost_userstore",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::[email protected]",
   "desc": "jsmith user store for testing"
 }
      ],
      "RemoteSPEntityName": "mytestsp",
      "LocalIdPEntityName": "mytestidp",
      "SignatureOptions": {
 "RequireSignedAuthenticationRequests": false,
 "ArtifactSignatureOptions": "SignNeither",
 "POSTSignatureOptions": "SignAssertion",
 "RequireSignedArtifactResolve": false,
 "SignArtifactResponse": false,
 "DisableSignatureProcessing": true,
 "SigningAlgorithm": "RSAwithSHA1",
 "SLOSOAPSignatureOptions": "SignNeither"
      },
      "Authentication": {
 "MaxTimeout": 7200,
 "EnableSessionAssurance": false,
 "ForceAuthenticationSessionTimeouts": false,
 "TrackDelegatedAuthenticationStatus": true,
 "AllowOpenFormatCookieAuthenticationContextOverride": false,
 "DelegatedAuthenticationType": "Query",
 "MinimumAuthenticationLevel": 5,
 "AuthenticationType": "Dynamic",
 "AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
 "AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
 "DelegatedAuthenticationURL": " ",
 "AuthenticationContextType": "Automatic",
 "LocalAuthenticationType": "Basic",
 "SecureAuthenticationURL": false,
 "IgnoreRequestedAuthenticationContext": false,
 "UseNewSessionInForceAuthentication": false,
 "IdleTimeout": 3600,
 "OpenFormatCookieConfiguration": {
   "id": "CA.FED::[email protected]",
   "type": "FedOpenCookieConfig",
   "SkewTime": 30,
   "EncryptionPassword": " ",
   "CookieName": "DEFAULT",
   "EncryptionTransformation": "AES128/CBC/PKCS5Padding",
   "EnableHashMessageAuthenticationCode": false,
   "EnableQuotedCookie": false
 }
      },
      "Backchannel": {
 "LegacyBackchannelProtectionEnabled": false,
 "PartnershipBackchannelProtectionEnabled": true,
 "Timeout": 0,
 "Configuration": {
   "Incoming": {
     "id": "CA.FED::[email protected]",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "AuthenticationType": "NoAuth"
   },
   "Outgoing": {
     "id": "CA.FED::[email protected]",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "AuthenticationType": "NoAuth",
     "BackchannelTimeout": 300
   }
 }
      },
      "AuthenticationContextConfiguration": {
 "AuthenticationContextTemplate": {
   "id": "CA.FED::[email protected]",
   "path": "/FedAuthnContextTemplates/mytest",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]"
 }
      },
      "SLO": {
 "EnableSLOPOST": false,
 "ReuseSessionIndex": false,
 "EnableSLO": false,
 "EnableSLOSOAP": false,
 "SLOValidityDuration": 60,
 "RelayStateOverridesSLOConfirmURL": false
      },
      "IDPDiscovery": {
 "PersistentCookie": false,
 "EnableIDPDiscovery": false
      },
      "AssertionConfiguration": {
 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
 "AttributeSource": {
   "id": "CA.FED::[email protected]",
   "type": "FedAttributeSource",
   "NameIDType": "Static",
   "StaticValue": "ok",
   "Value": "ok"
 }
      },
      "EncryptionOptions": {
 "RequireEncryptedNameIDInSOAP": false,
 "EncryptNameIDinSOAP": false,
 "EncryptionConfiguration": {
   "id": "CA.FED::[email protected]",
   "type": "FedEncryptionConfig",
   "EncryptAssertion": false,
   "EncryptNameID": false,
   "EncryptAttributes": false,
   "EncryptionKeyAlgorithm": "rsa-v15",
   "EncryptionBlockAlgorithm": "tripledes"
 }
      },
      "NameIDManagement": {
 "Configuration": {
   "id": "CA.FED::[email protected]",
   "type": "FedNameIDMgtConfig",
   "SignRequest": false,
   "EncryptNameID": false,
   "NotifyPassword": "{RC2}kluny2SjVIvjpaTC/GpDjA\u003d\u003d",
   "NotifyTimeout": 60,
   "EnablePostBinding": false,
   "NotificationAuthType": "NoAuth",
   "RequireSignedResponse": false,
   "EnableSOAPBinding": false,
   "DeleteNameID": false,
   "AllowUserSelfService": false,
   "EnableRedirectBinding": false,
   "RetryCount": 3,
   "RequireSignedRequest": false,
   "NotifyUserName": "*",
   "RequireEncryptedNameID": false,
   "EnableNotification": false,
   "SOAPTimeout": 60,
   "RetryBoundary": 15,
   "SignResponse": false
 }
      },
      "SSO": {
 "EnableAuthenticationRequestPost": false,
 "SSOValidityDuration": 60,
 "EnableEnhancedClientProxyProfile": false,
 "EnableArtifact": false,
 "PersistentSessionValidationPeriod": -1,
 "AllowTransactionType": "AllowBoth",
 "RecommendedSPSessionDuration": "AssertionValidity",
 "LegacyArtifactProtectionEnabled": false,
 "EnableAuthenticationRequestRedirect": true,
 "ArtifactEncoding": "URL",
 "EnableUserConsent": false,
 "PartnershipArtifactProtectionEnabled": false,
 "EnableNegativeAuthenticationResponse": false,
 "GUIDCookieValidityDuration": 180,
 "EnablePost": true,
 "AcceptIncomingAssertionConsumerServiceURL": false,
 "CustomTimeout": 60,
 "RemoteAssertionConsumerServices": [
   {
     "id": "CA.FED::[email protected]",
     "type": "FedEndpoint",
     "IsDefault": false,
     "LocationURL": "https://mytestsp.testsp.com",
     "Index": 0,
     "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   }
 ],
 "OneTimeToUseAssertion": false
      }
    },
    "links": {
      "self": {
 "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]"
      },
      "classinfo": {
 "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]/classinfo"
      },
      "editinfo": {
 "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]?op=editinfo"
      }
    }