Implementing Authentication Context in a SAMLFederation using REST API
Article ID: 193519
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER
Issue/Introduction
We're running an AdminUI and when we try to create a SAML Federation
Partnership that uses an Authentication Context it fails. We use REST
API to create it. We tried to create with AuthenticationContextType =
Static and AuthenticationContextType = Dynamic, and both are failing.
AuthenticationContextType = Static
<StatusMessage>The AuthnRequest with AuthnContexts is not supported!</StatusMessage>
AuthenticationContextType = Dynamic
ERROR:create post failure {u'status': 500, u'responseType':
u'error', u'data': [{u'message':
u'java.lang.IllegalArgumentException: null attribute value
DynAuthDefaultURI'}]}
How can I create a Partnership using curl and RESTAPI ?
Environment
AdminUI 12.8SP3 on RedHat 7;
Resolution
Try to define the status of the partnership as "Defined" and no other
value for the reason as you can't activate the partnership before
having saved the partnership configuration data.
Once you have saved the Partnership data, then can activate
successfully the partnership in the AdminUI.
More, you will notice that in the AdminUI, there's a page in which you
can test your payload :
/ca/api/sso/services/v1/api-doc/
Here's a sample of creating a Partnership using curl and RESTAPI. A
tip. If you need to know the data structure you need to put in a
payload, define first a partnership in the AdminUI. Then you can get
its configuration through RESTAPI. Finally change the values as per
your business needs.
Creating the partnership with the payload in params.json :
curl -v -k -H "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..vBfAMWB8A3zCXvAx.VZ2w9E8iC41VydBu-tWL33kQgFLKUfTJGx61F9UpDlBxyNzqoSXgP6TR-OzpYZ9CRja5YZ7PJks1KqoRrNuqfWlseMUJh6RAsqxy30QBmg1ImQiqN4JvGE2504sU-aji0tVYRUcAcdQV8sNd9gpK5G9LbHz7mCWL_SjpYAI6d5_5XDdF2Wsjwo78hOcKmGkiV1b_DNt_3VEHKrJx5FU8O3z8QcJJw_sQR-y-jLSy6vHrVMZolg5tYpDUKHmqgQAruGtDI3R4ecas1_Hf3Y5h5z7DZz7pF_l7trYO0tWyyTShwmcM6ZXUKxZBjZI3v1VHvqVaLZiUm2JcGHN47llqKWMoTwDcGGxE-i_F3B_m8lhJxQ-yWF71JXm3u9alAQFnZiu_bFiYXHdo8a2LsirrVjnut3rnC7XU2V9An7z7Tkcnn7BxYKORVneTNyTkf1WAvJ8VwRHDS89IF6jtEhnfEQzAYCpyYa3O0BR-zY6uHODe_H5gYecvRc4fbxF4GoZ_Ba44FLwOPtZlt1rlJmSMVZUJGvwGWt750yKaQHVKBw.IiBgR3ol1-wTFXTD67jZ_A" -H "Content-Type: application/json; charset=UTF-8" -X POST --data @params.json https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships
params.json
{
"id": "CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000",
"type": "FedSPPartnership",
"Name": "mytestpartnership-1",
"BaseURL": "https://mytestidp.mytestidp.com",
"AllowIDPToCreateUserID": false,
"Status": "Defined",
"EnableIdentityMapping": false,
"FIPSApproved": true,
"SkewTime": 30,
"Policy": {
"TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
"SmUserPolicies": [
{
"id": "CA.SM::UserPolicy@0f-000b0026-d2c9-1ecb-b068-0165c0a80000",
"type": "SmUserPolicy",
"FilterPath": "all",
"UserDirectory": {
"id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000"
},
"Exclude": false,
"FilterClass": "ALL"
}
]
},
"AttributeService": {
"id": "CA.FED::AttributeAuthorityConfig@000d82bc-d2c8-1ecb-b068-0165c0a80000",
"type": "FedAttributeAuthorityConfig",
"Enabled": false,
"EnableProxiedQuery": false,
"ValidityDuration": 60,
"RequireSignedQuery": false,
"SignAssertion": false,
"SignResponse": false
},
"UserDirectories": [
{
"id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
"path": "/SmUserDirectories/localhost_userstore",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
"desc": "jsmith user store for testing"
}
],
"StatusRedirect": {
"id": "CA.FED::StatusRedirects@00012a15-d2c9-1ecb-b068-0165c0a80000",
"type": "FedStatusRedirects",
"EnableUnauthorizedRequestURL": false,
"UnauthorizedAccessRedirectMode": "NoData",
"EnableInvalidRequestURL": false,
"InvalidRequestRedirectMode": "NoData",
"UserNotFoundMode": "NoData",
"UnacceptedMode": "NoData",
"InvalidMode": "NoData",
"ServerErrorRedirectMode": "NoData",
"EnableServerErrorURL": false
},
"RemoteSPEntityName": "mytestsp",
"LocalIdPEntityName": "mytestidp",
"SignatureOptions": {
"DisableSignatureProcessing": true,
"POSTSignatureOptions": "SignAssertion",
"ArtifactSignatureOptions": "SignNeither",
"SLOSOAPSignatureOptions": "SignNeither",
"RequireSignedAuthenticationRequests": false,
"SignArtifactResponse": false,
"SigningAlgorithm": "RSAwithSHA1",
"RequireSignedArtifactResolve": false
},
"Authentication": {
"AllowOpenFormatCookieAuthenticationContextOverride": false,
"UseNewSessionInForceAuthentication": false,
"DelegatedAuthenticationURL": " ",
"SecureAuthenticationURL": false,
"MinimumAuthenticationLevel": 5,
"AuthenticationType": "Dynamic",
"IdleTimeout": 3600,
"MaxTimeout": 7200,
"LocalAuthenticationType": "Basic",
"ForceAuthenticationSessionTimeouts": false,
"AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
"TrackDelegatedAuthenticationStatus": true,
"AuthenticationContextType": "Automatic",
"AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
"DelegatedAuthenticationType": "Query",
"EnableSessionAssurance": false,
"IgnoreRequestedAuthenticationContext": false,
"OpenFormatCookieConfiguration": {
"id": "CA.FED::OpenCookieConfig@0000cebe-d2c9-1ecb-b068-0165c0a80000",
"type": "FedOpenCookieConfig",
"EncryptionPassword": " ",
"EncryptionTransformation": "AES128/CBC/PKCS5Padding",
"CookieName": "DEFAULT",
"EnableQuotedCookie": false,
"EnableHashMessageAuthenticationCode": false,
"SkewTime": 30
}
},
"Backchannel": {
"Timeout": 0,
"LegacyBackchannelProtectionEnabled": false,
"PartnershipBackchannelProtectionEnabled": true,
"Configuration": {
"Incoming": {
"id": "CA.FED::BackchannelConfig@000c2d72-d2c8-1ecb-b068-0165c0a80000",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"AuthenticationType": "NoAuth"
},
"Outgoing": {
"id": "CA.FED::BackchannelConfig@000c8467-d2c8-1ecb-b068-0165c0a80000",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"BackchannelTimeout": 300,
"AuthenticationType": "NoAuth"
}
}
},
"AuthenticationContextConfiguration": {
"AuthenticationContextTemplate": {
"id": "CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000",
"path": "/FedAuthnContextTemplates/mytest",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000"
}
},
"SLO": {
"EnableSLOSOAP": false,
"RelayStateOverridesSLOConfirmURL": false,
"EnableSLOPOST": false,
"SLOValidityDuration": 60,
"EnableSLO": false,
"ReuseSessionIndex": false
},
"AssertionConfiguration": {
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"AttributeSource": {
"id": "CA.FED::AttributeSource@000d294a-d2c8-1ecb-b068-0165c0a80000",
"type": "FedAttributeSource",
"NameIDType": "Static",
"StaticValue": "ok",
"Value": "ok"
}
},
"IDPDiscovery": {
"EnableIDPDiscovery": false,
"PersistentCookie": false
},
"EncryptionOptions": {
"EncryptNameIDinSOAP": false,
"EncryptionConfiguration": {
"id": "CA.FED::EncryptionConfig@000cd572-d2c8-1ecb-b068-0165c0a80000",
"type": "FedEncryptionConfig",
"EncryptionKeyAlgorithm": "rsa-v15",
"EncryptionBlockAlgorithm": "tripledes",
"EncryptAttributes": false,
"EncryptAssertion": false,
"EncryptNameID": false
}
},
"NameIDManagement": {
"Configuration": {
"id": "CA.FED::NameIDMgtConfig@00019da5-d2c9-1ecb-b068-0165c0a80000",
"type": "FedNameIDMgtConfig",
"NotificationAuthType": "NoAuth",
"NotifyUserName": "*",
"RetryCount": 3,
"NotifyPassword": "{RC2}KX+/r5P53icByO98oPYqSQ\u003d\u003d",
"SignRequest": false,
"SOAPTimeout": 60,
"EnablePostBinding": false,
"AllowUserSelfService": false,
"EnableNotification": false,
"SignResponse": false,
"EncryptNameID": false,
"NotifyTimeout": 60,
"RequireSignedRequest": false,
"RequireEncryptedNameID": false,
"EnableRedirectBinding": false,
"DeleteNameID": false,
"EnableSOAPBinding": false,
"RetryBoundary": 15,
"RequireSignedResponse": false
}
},
"SSO": {
"PersistentSessionValidationPeriod": -1,
"EnableAuthenticationRequestPost": false,
"EnableEnhancedClientProxyProfile": false,
"ArtifactEncoding": "URL",
"GUIDCookieValidityDuration": 180,
"AcceptIncomingAssertionConsumerServiceURL": false,
"CustomTimeout": 60,
"EnableArtifact": false,
"EnableAuthenticationRequestRedirect": true,
"LegacyArtifactProtectionEnabled": false,
"EnablePost": true,
"EnableUserConsent": false,
"PartnershipArtifactProtectionEnabled": false,
"RecommendedSPSessionDuration": "AssertionValidity",
"AllowTransactionType": "AllowBoth",
"EnableNegativeAuthenticationResponse": false,
"SSOValidityDuration": 60,
"RemoteAssertionConsumerServices": [
{
"id": "CA.FED::Endpoint@000dd95a-d2c8-1ecb-b068-0165c0a80000",
"type": "FedEndpoint",
"Index": 0,
"Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
"IsDefault": false,
"LocationURL": "https://mytestsp.testsp.com"
}
],
"OneTimeToUseAssertion": false
}
}
Getting the partnership configuration :
curl -k -H "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..MqJicc9zqSv2y5Un.kUrgBO4lUGt1lAFvQ4y-K3J798BikKXmDaVTVCjRw9Lv4X_k2qb54fZYcvv9du7J9abXgJnccTMdXC5PiwC1YXxCavhcyf1g-KhYiZzMUEw8vE0BDMnAHpm_HIs9z6xRa77N5clRJf4v2m1iD4tXx5KzaZ8BI091VoaWLmdEHfMqxrhPMayUroGDNIlWsgIlo7IRzsHsdcJtGz6HjtALkVpz-V-6WDENlqoXARo-fZm90MeovrY8iTDkaPVC3LEYjZDwF2Sg-8K8uXKp2kq3Awj4lXZb_0JbCGjv-OiAxi7ts7mK3FWES6-eidQWBWgjcqiNtL94y4gU6Zl4x4UcilzMKlArjUZVAU7et4GwjhzHQJsL_UwugI0_9o7NA83-UXLFLI3OcM8LBLTGUt1ZOywIZW2UX6A4xTLrIPW6L3j9D1xoEbpbMzpmlC-t6lwz-MbijZO757VFhyc3CZ3C63Qgg4-zhfZBSm4lNeQNG7JsquY0WugJovBvDUWF84uUrFQBZ1aKtKF4ElOoqx5MMK7cNjB1p9Eh6ouO89eng.XTw-k0q6QJOeTRn_CuBjjQ" GET https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships/mytestpartnership-1 -v
response :
{
"responseType": "object",
"data": {
"id": "CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000",
"type": "FedSPPartnership",
"Name": "mytestpartnership-1",
"SkewTime": 30,
"Status": "Defined",
"EnableIdentityMapping": false,
"FIPSApproved": true,
"AllowIDPToCreateUserID": false,
"BaseURL": "https://mytestidp.mytestidp.com",
"AttributeService": {
"id": "CA.FED::AttributeAuthorityConfig@000d82bc-d2c8-1ecb-b068-0165c0a80000",
"type": "FedAttributeAuthorityConfig",
"SignResponse": false,
"ValidityDuration": 60,
"EnableProxiedQuery": false,
"Enabled": false,
"RequireSignedQuery": false,
"SignAssertion": false
},
"StatusRedirect": {
"id": "CA.FED::StatusRedirects@00012a15-d2c9-1ecb-b068-0165c0a80000",
"type": "FedStatusRedirects",
"UnauthorizedAccessRedirectMode": "NoData",
"EnableServerErrorURL": false,
"UnacceptedMode": "NoData",
"InvalidMode": "NoData",
"UserNotFoundMode": "NoData",
"ServerErrorRedirectMode": "NoData",
"EnableInvalidRequestURL": false,
"InvalidRequestRedirectMode": "NoData",
"EnableUnauthorizedRequestURL": false
},
"Policy": {
"TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
"SmUserPolicies": [
{
"id": "CA.SM::UserPolicy@0f-000b0026-d2c9-1ecb-b068-0165c0a80000",
"type": "SmUserPolicy",
"FilterPath": "all",
"UserDirectory": {
"id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000"
},
"Exclude": false,
"FilterClass": "ALL"
}
]
},
"UserDirectories": [
{
"id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
"path": "/SmUserDirectories/localhost_userstore",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
"desc": "jsmith user store for testing"
}
],
"RemoteSPEntityName": "mytestsp",
"LocalIdPEntityName": "mytestidp",
"SignatureOptions": {
"RequireSignedAuthenticationRequests": false,
"ArtifactSignatureOptions": "SignNeither",
"POSTSignatureOptions": "SignAssertion",
"RequireSignedArtifactResolve": false,
"SignArtifactResponse": false,
"DisableSignatureProcessing": true,
"SigningAlgorithm": "RSAwithSHA1",
"SLOSOAPSignatureOptions": "SignNeither"
},
"Authentication": {
"MaxTimeout": 7200,
"EnableSessionAssurance": false,
"ForceAuthenticationSessionTimeouts": false,
"TrackDelegatedAuthenticationStatus": true,
"AllowOpenFormatCookieAuthenticationContextOverride": false,
"DelegatedAuthenticationType": "Query",
"MinimumAuthenticationLevel": 5,
"AuthenticationType": "Dynamic",
"AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
"AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
"DelegatedAuthenticationURL": " ",
"AuthenticationContextType": "Automatic",
"LocalAuthenticationType": "Basic",
"SecureAuthenticationURL": false,
"IgnoreRequestedAuthenticationContext": false,
"UseNewSessionInForceAuthentication": false,
"IdleTimeout": 3600,
"OpenFormatCookieConfiguration": {
"id": "CA.FED::OpenCookieConfig@0000cebe-d2c9-1ecb-b068-0165c0a80000",
"type": "FedOpenCookieConfig",
"SkewTime": 30,
"EncryptionPassword": " ",
"CookieName": "DEFAULT",
"EncryptionTransformation": "AES128/CBC/PKCS5Padding",
"EnableHashMessageAuthenticationCode": false,
"EnableQuotedCookie": false
}
},
"Backchannel": {
"LegacyBackchannelProtectionEnabled": false,
"PartnershipBackchannelProtectionEnabled": true,
"Timeout": 0,
"Configuration": {
"Incoming": {
"id": "CA.FED::BackchannelConfig@000c2d72-d2c8-1ecb-b068-0165c0a80000",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"AuthenticationType": "NoAuth"
},
"Outgoing": {
"id": "CA.FED::BackchannelConfig@000c8467-d2c8-1ecb-b068-0165c0a80000",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"AuthenticationType": "NoAuth",
"BackchannelTimeout": 300
}
}
},
"AuthenticationContextConfiguration": {
"AuthenticationContextTemplate": {
"id": "CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000",
"path": "/FedAuthnContextTemplates/mytest",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000"
}
},
"SLO": {
"EnableSLOPOST": false,
"ReuseSessionIndex": false,
"EnableSLO": false,
"EnableSLOSOAP": false,
"SLOValidityDuration": 60,
"RelayStateOverridesSLOConfirmURL": false
},
"IDPDiscovery": {
"PersistentCookie": false,
"EnableIDPDiscovery": false
},
"AssertionConfiguration": {
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"AttributeSource": {
"id": "CA.FED::AttributeSource@000d294a-d2c8-1ecb-b068-0165c0a80000",
"type": "FedAttributeSource",
"NameIDType": "Static",
"StaticValue": "ok",
"Value": "ok"
}
},
"EncryptionOptions": {
"RequireEncryptedNameIDInSOAP": false,
"EncryptNameIDinSOAP": false,
"EncryptionConfiguration": {
"id": "CA.FED::EncryptionConfig@000cd572-d2c8-1ecb-b068-0165c0a80000",
"type": "FedEncryptionConfig",
"EncryptAssertion": false,
"EncryptNameID": false,
"EncryptAttributes": false,
"EncryptionKeyAlgorithm": "rsa-v15",
"EncryptionBlockAlgorithm": "tripledes"
}
},
"NameIDManagement": {
"Configuration": {
"id": "CA.FED::NameIDMgtConfig@00019da5-d2c9-1ecb-b068-0165c0a80000",
"type": "FedNameIDMgtConfig",
"SignRequest": false,
"EncryptNameID": false,
"NotifyPassword": "{RC2}kluny2SjVIvjpaTC/GpDjA\u003d\u003d",
"NotifyTimeout": 60,
"EnablePostBinding": false,
"NotificationAuthType": "NoAuth",
"RequireSignedResponse": false,
"EnableSOAPBinding": false,
"DeleteNameID": false,
"AllowUserSelfService": false,
"EnableRedirectBinding": false,
"RetryCount": 3,
"RequireSignedRequest": false,
"NotifyUserName": "*",
"RequireEncryptedNameID": false,
"EnableNotification": false,
"SOAPTimeout": 60,
"RetryBoundary": 15,
"SignResponse": false
}
},
"SSO": {
"EnableAuthenticationRequestPost": false,
"SSOValidityDuration": 60,
"EnableEnhancedClientProxyProfile": false,
"EnableArtifact": false,
"PersistentSessionValidationPeriod": -1,
"AllowTransactionType": "AllowBoth",
"RecommendedSPSessionDuration": "AssertionValidity",
"LegacyArtifactProtectionEnabled": false,
"EnableAuthenticationRequestRedirect": true,
"ArtifactEncoding": "URL",
"EnableUserConsent": false,
"PartnershipArtifactProtectionEnabled": false,
"EnableNegativeAuthenticationResponse": false,
"GUIDCookieValidityDuration": 180,
"EnablePost": true,
"AcceptIncomingAssertionConsumerServiceURL": false,
"CustomTimeout": 60,
"RemoteAssertionConsumerServices": [
{
"id": "CA.FED::Endpoint@000dd95a-d2c8-1ecb-b068-0165c0a80000",
"type": "FedEndpoint",
"IsDefault": false,
"LocationURL": "https://mytestsp.testsp.com",
"Index": 0,
"Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}
],
"OneTimeToUseAssertion": false
}
},
"links": {
"self": {
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000"
},
"classinfo": {
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000/classinfo"
},
"editinfo": {
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000?op=editinfo"
}
}
Feedback
Yes
No
Powered by
