We're running an AdminUI and when we try to create a SAML Federation
Partnership that uses an Authentication Context it fails. We use REST
API to create it. We tried to create with AuthenticationContextType =
Static and AuthenticationContextType = Dynamic, and both are failing.
AuthenticationContextType = Static
<StatusMessage>The AuthnRequest with AuthnContexts is not supported!</StatusMessage>
AuthenticationContextType = Dynamic
ERROR:create post failure {u'status': 500, u'responseType':
u'error', u'data': [{u'message':
u'java.lang.IllegalArgumentException: null attribute value
DynAuthDefaultURI'}]}
How can I create a Partnership using curl and the REST API?
AdminUI 12.8SP3 on RedHat 7;
Set the partnership's "Status" to "Defined" in the create payload and to no
other value: a partnership cannot be activated before its configuration data
has been saved.
Once the partnership data has been saved, you can activate the partnership
successfully from the AdminUI.
Also note that the AdminUI hosts an API documentation page on which you can
test your payload before scripting it:
/ca/api/sso/services/v1/api-doc/
Here's a sample of creating a Partnership using curl and the REST API. A
tip: if you need to know the data structure to put in a payload, first
define a partnership in the AdminUI, then retrieve its configuration through
the REST API, and finally change the values to match your needs. Do not copy
the "id" values below verbatim — they were mangled when this page was
exported, and the ones returned by your own GET are the authoritative form.
Two caveats on the sample itself. First, it uses "AuthenticationContextType":
"Automatic"; the "null attribute value DynAuthDefaultURI" error quoted above
suggests the Dynamic type needs a default-URI attribute that this payload
does not carry, so do not expect it to work unchanged with Dynamic. Second,
this is a lab configuration, not a hardening baseline: it sets
"DisableSignatureProcessing": true, signs with "RSAwithSHA1", encrypts with
"rsa-v15"/"tripledes", leaves both backchannel directions at "NoAuth", and
has a blank open-format cookie "EncryptionPassword". Review and tighten each
of these before using the payload against a production partner.
Creating the partnership with the payload in params.json. The bearer token is
a session credential: obtain your own from the AdminUI and never paste a live
one into a forum post or a script checked into source control. "-k" disables
TLS certificate verification and is only acceptable against a lab server
whose certificate you cannot trust yet; drop it once the Policy Server's
certificate chain is installed on the client.
curl -v -k -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json; charset=UTF-8" -X POST --data @params.json https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships
params.json
{
"id": "CA.FED::[email protected]",
"type": "FedSPPartnership",
"Name": "mytestpartnership-1",
"BaseURL": "https://mytestidp.mytestidp.com",
"AllowIDPToCreateUserID": false,
"Status": "Defined",
"EnableIdentityMapping": false,
"FIPSApproved": true,
"SkewTime": 30,
"Policy": {
"TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
"SmUserPolicies": [
{
"id": "CA.SM::[email protected]",
"type": "SmUserPolicy",
"FilterPath": "all",
"UserDirectory": {
"id": "CA.SM::[email protected]"
},
"Exclude": false,
"FilterClass": "ALL"
}
]
},
"AttributeService": {
"id": "CA.FED::[email protected]",
"type": "FedAttributeAuthorityConfig",
"Enabled": false,
"EnableProxiedQuery": false,
"ValidityDuration": 60,
"RequireSignedQuery": false,
"SignAssertion": false,
"SignResponse": false
},
"UserDirectories": [
{
"id": "CA.SM::[email protected]",
"path": "/SmUserDirectories/localhost_userstore",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::[email protected]",
"desc": "jsmith user store for testing"
}
],
"StatusRedirect": {
"id": "CA.FED::[email protected]",
"type": "FedStatusRedirects",
"EnableUnauthorizedRequestURL": false,
"UnauthorizedAccessRedirectMode": "NoData",
"EnableInvalidRequestURL": false,
"InvalidRequestRedirectMode": "NoData",
"UserNotFoundMode": "NoData",
"UnacceptedMode": "NoData",
"InvalidMode": "NoData",
"ServerErrorRedirectMode": "NoData",
"EnableServerErrorURL": false
},
"RemoteSPEntityName": "mytestsp",
"LocalIdPEntityName": "mytestidp",
"SignatureOptions": {
"DisableSignatureProcessing": true,
"POSTSignatureOptions": "SignAssertion",
"ArtifactSignatureOptions": "SignNeither",
"SLOSOAPSignatureOptions": "SignNeither",
"RequireSignedAuthenticationRequests": false,
"SignArtifactResponse": false,
"SigningAlgorithm": "RSAwithSHA1",
"RequireSignedArtifactResolve": false
},
"Authentication": {
"AllowOpenFormatCookieAuthenticationContextOverride": false,
"UseNewSessionInForceAuthentication": false,
"DelegatedAuthenticationURL": " ",
"SecureAuthenticationURL": false,
"MinimumAuthenticationLevel": 5,
"AuthenticationType": "Dynamic",
"IdleTimeout": 3600,
"MaxTimeout": 7200,
"LocalAuthenticationType": "Basic",
"ForceAuthenticationSessionTimeouts": false,
"AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
"TrackDelegatedAuthenticationStatus": true,
"AuthenticationContextType": "Automatic",
"AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
"DelegatedAuthenticationType": "Query",
"EnableSessionAssurance": false,
"IgnoreRequestedAuthenticationContext": false,
"OpenFormatCookieConfiguration": {
"id": "CA.FED::[email protected]",
"type": "FedOpenCookieConfig",
"EncryptionPassword": " ",
"EncryptionTransformation": "AES128/CBC/PKCS5Padding",
"CookieName": "DEFAULT",
"EnableQuotedCookie": false,
"EnableHashMessageAuthenticationCode": false,
"SkewTime": 30
}
},
"Backchannel": {
"Timeout": 0,
"LegacyBackchannelProtectionEnabled": false,
"PartnershipBackchannelProtectionEnabled": true,
"Configuration": {
"Incoming": {
"id": "CA.FED::[email protected]",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"AuthenticationType": "NoAuth"
},
"Outgoing": {
"id": "CA.FED::[email protected]",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"BackchannelTimeout": 300,
"AuthenticationType": "NoAuth"
}
}
},
"AuthenticationContextConfiguration": {
"AuthenticationContextTemplate": {
"id": "CA.FED::[email protected]",
"path": "/FedAuthnContextTemplates/mytest",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]"
}
},
"SLO": {
"EnableSLOSOAP": false,
"RelayStateOverridesSLOConfirmURL": false,
"EnableSLOPOST": false,
"SLOValidityDuration": 60,
"EnableSLO": false,
"ReuseSessionIndex": false
},
"AssertionConfiguration": {
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"AttributeSource": {
"id": "CA.FED::[email protected]",
"type": "FedAttributeSource",
"NameIDType": "Static",
"StaticValue": "ok",
"Value": "ok"
}
},
"IDPDiscovery": {
"EnableIDPDiscovery": false,
"PersistentCookie": false
},
"EncryptionOptions": {
"EncryptNameIDinSOAP": false,
"EncryptionConfiguration": {
"id": "CA.FED::[email protected]",
"type": "FedEncryptionConfig",
"EncryptionKeyAlgorithm": "rsa-v15",
"EncryptionBlockAlgorithm": "tripledes",
"EncryptAttributes": false,
"EncryptAssertion": false,
"EncryptNameID": false
}
},
"NameIDManagement": {
"Configuration": {
"id": "CA.FED::[email protected]",
"type": "FedNameIDMgtConfig",
"NotificationAuthType": "NoAuth",
"NotifyUserName": "*",
"RetryCount": 3,
"NotifyPassword": "{RC2}KX+/r5P53icByO98oPYqSQ\u003d\u003d",
"SignRequest": false,
"SOAPTimeout": 60,
"EnablePostBinding": false,
"AllowUserSelfService": false,
"EnableNotification": false,
"SignResponse": false,
"EncryptNameID": false,
"NotifyTimeout": 60,
"RequireSignedRequest": false,
"RequireEncryptedNameID": false,
"EnableRedirectBinding": false,
"DeleteNameID": false,
"EnableSOAPBinding": false,
"RetryBoundary": 15,
"RequireSignedResponse": false
}
},
"SSO": {
"PersistentSessionValidationPeriod": -1,
"EnableAuthenticationRequestPost": false,
"EnableEnhancedClientProxyProfile": false,
"ArtifactEncoding": "URL",
"GUIDCookieValidityDuration": 180,
"AcceptIncomingAssertionConsumerServiceURL": false,
"CustomTimeout": 60,
"EnableArtifact": false,
"EnableAuthenticationRequestRedirect": true,
"LegacyArtifactProtectionEnabled": false,
"EnablePost": true,
"EnableUserConsent": false,
"PartnershipArtifactProtectionEnabled": false,
"RecommendedSPSessionDuration": "AssertionValidity",
"AllowTransactionType": "AllowBoth",
"EnableNegativeAuthenticationResponse": false,
"SSOValidityDuration": 60,
"RemoteAssertionConsumerServices": [
{
"id": "CA.FED::[email protected]",
"type": "FedEndpoint",
"Index": 0,
"Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
"IsDefault": false,
"LocationURL": "https://mytestsp.testsp.com"
}
],
"OneTimeToUseAssertion": false
}
}
Getting the partnership configuration. Note that the method must be passed
with "-X"; a bare "GET" word on the command line would be treated by curl as a
second URL. The same token and "-k" remarks as above apply.
curl -k -H "Authorization: Bearer $TOKEN" -X GET https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships/mytestpartnership-1 -v
response (the exported configuration includes encrypted secrets such as
"NotifyPassword", so treat this output as sensitive and do not log or share
it unredacted):
{
"responseType": "object",
"data": {
"id": "CA.FED::[email protected]",
"type": "FedSPPartnership",
"Name": "mytestpartnership-1",
"SkewTime": 30,
"Status": "Defined",
"EnableIdentityMapping": false,
"FIPSApproved": true,
"AllowIDPToCreateUserID": false,
"BaseURL": "https://mytestidp.mytestidp.com",
"AttributeService": {
"id": "CA.FED::[email protected]",
"type": "FedAttributeAuthorityConfig",
"SignResponse": false,
"ValidityDuration": 60,
"EnableProxiedQuery": false,
"Enabled": false,
"RequireSignedQuery": false,
"SignAssertion": false
},
"StatusRedirect": {
"id": "CA.FED::[email protected]",
"type": "FedStatusRedirects",
"UnauthorizedAccessRedirectMode": "NoData",
"EnableServerErrorURL": false,
"UnacceptedMode": "NoData",
"InvalidMode": "NoData",
"UserNotFoundMode": "NoData",
"ServerErrorRedirectMode": "NoData",
"EnableInvalidRequestURL": false,
"InvalidRequestRedirectMode": "NoData",
"EnableUnauthorizedRequestURL": false
},
"Policy": {
"TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
"SmUserPolicies": [
{
"id": "CA.SM::[email protected]",
"type": "SmUserPolicy",
"FilterPath": "all",
"UserDirectory": {
"id": "CA.SM::[email protected]"
},
"Exclude": false,
"FilterClass": "ALL"
}
]
},
"UserDirectories": [
{
"id": "CA.SM::[email protected]",
"path": "/SmUserDirectories/localhost_userstore",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::[email protected]",
"desc": "jsmith user store for testing"
}
],
"RemoteSPEntityName": "mytestsp",
"LocalIdPEntityName": "mytestidp",
"SignatureOptions": {
"RequireSignedAuthenticationRequests": false,
"ArtifactSignatureOptions": "SignNeither",
"POSTSignatureOptions": "SignAssertion",
"RequireSignedArtifactResolve": false,
"SignArtifactResponse": false,
"DisableSignatureProcessing": true,
"SigningAlgorithm": "RSAwithSHA1",
"SLOSOAPSignatureOptions": "SignNeither"
},
"Authentication": {
"MaxTimeout": 7200,
"EnableSessionAssurance": false,
"ForceAuthenticationSessionTimeouts": false,
"TrackDelegatedAuthenticationStatus": true,
"AllowOpenFormatCookieAuthenticationContextOverride": false,
"DelegatedAuthenticationType": "Query",
"MinimumAuthenticationLevel": 5,
"AuthenticationType": "Dynamic",
"AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
"AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
"DelegatedAuthenticationURL": " ",
"AuthenticationContextType": "Automatic",
"LocalAuthenticationType": "Basic",
"SecureAuthenticationURL": false,
"IgnoreRequestedAuthenticationContext": false,
"UseNewSessionInForceAuthentication": false,
"IdleTimeout": 3600,
"OpenFormatCookieConfiguration": {
"id": "CA.FED::[email protected]068-0165c0a80000",
"type": "FedOpenCookieConfig",
"SkewTime": 30,
"EncryptionPassword": " ",
"CookieName": "DEFAULT",
"EncryptionTransformation": "AES128/CBC/PKCS5Padding",
"EnableHashMessageAuthenticationCode": false,
"EnableQuotedCookie": false
}
},
"Backchannel": {
"LegacyBackchannelProtectionEnabled": false,
"PartnershipBackchannelProtectionEnabled": true,
"Timeout": 0,
"Configuration": {
"Incoming": {
"id": "CA.FED::[email protected]",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"AuthenticationType": "NoAuth"
},
"Outgoing": {
"id": "CA.FED::[email protected]",
"type": "FedBackchannelConfig",
"UserName": "defaultUser",
"AuthenticationType": "NoAuth",
"BackchannelTimeout": 300
}
}
},
"AuthenticationContextConfiguration": {
"AuthenticationContextTemplate": {
"id": "CA.FED::[email protected]",
"path": "/FedAuthnContextTemplates/mytest",
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]"
}
},
"SLO": {
"EnableSLOPOST": false,
"ReuseSessionIndex": false,
"EnableSLO": false,
"EnableSLOSOAP": false,
"SLOValidityDuration": 60,
"RelayStateOverridesSLOConfirmURL": false
},
"IDPDiscovery": {
"PersistentCookie": false,
"EnableIDPDiscovery": false
},
"AssertionConfiguration": {
"NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"AttributeSource": {
"id": "CA.FED::[email protected]",
"type": "FedAttributeSource",
"NameIDType": "Static",
"StaticValue": "ok",
"Value": "ok"
}
},
"EncryptionOptions": {
"RequireEncryptedNameIDInSOAP": false,
"EncryptNameIDinSOAP": false,
"EncryptionConfiguration": {
"id": "CA.FED::[email protected]",
"type": "FedEncryptionConfig",
"EncryptAssertion": false,
"EncryptNameID": false,
"EncryptAttributes": false,
"EncryptionKeyAlgorithm": "rsa-v15",
"EncryptionBlockAlgorithm": "tripledes"
}
},
"NameIDManagement": {
"Configuration": {
"id": "CA.FED::[email protected]",
"type": "FedNameIDMgtConfig",
"SignRequest": false,
"EncryptNameID": false,
"NotifyPassword": "{RC2}kluny2SjVIvjpaTC/GpDjA\u003d\u003d",
"NotifyTimeout": 60,
"EnablePostBinding": false,
"NotificationAuthType": "NoAuth",
"RequireSignedResponse": false,
"EnableSOAPBinding": false,
"DeleteNameID": false,
"AllowUserSelfService": false,
"EnableRedirectBinding": false,
"RetryCount": 3,
"RequireSignedRequest": false,
"NotifyUserName": "*",
"RequireEncryptedNameID": false,
"EnableNotification": false,
"SOAPTimeout": 60,
"RetryBoundary": 15,
"SignResponse": false
}
},
"SSO": {
"EnableAuthenticationRequestPost": false,
"SSOValidityDuration": 60,
"EnableEnhancedClientProxyProfile": false,
"EnableArtifact": false,
"PersistentSessionValidationPeriod": -1,
"AllowTransactionType": "AllowBoth",
"RecommendedSPSessionDuration": "AssertionValidity",
"LegacyArtifactProtectionEnabled": false,
"EnableAuthenticationRequestRedirect": true,
"ArtifactEncoding": "URL",
"EnableUserConsent": false,
"PartnershipArtifactProtectionEnabled": false,
"EnableNegativeAuthenticationResponse": false,
"GUIDCookieValidityDuration": 180,
"EnablePost": true,
"AcceptIncomingAssertionConsumerServiceURL": false,
"CustomTimeout": 60,
"RemoteAssertionConsumerServices": [
{
"id": "CA.FED::[email protected]",
"type": "FedEndpoint",
"IsDefault": false,
"LocationURL": "https://mytestsp.testsp.com",
"Index": 0,
"Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}
],
"OneTimeToUseAssertion": false
}
},
"links": {
"self": {
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]"
},
"classinfo": {
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]/classinfo"
},
"editinfo": {
"href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::[email protected]?op=editinfo"
}
}