Implementing Authentication Context in a SAML Federation using REST API

Implementing Authentication Context in a SAML Federation using REST API


Article ID: 193519


Updated On:

Products

CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER

Issue/Introduction

 

We're running an AdminUI, and when we try to create a SAML Federation
Partnership that uses an Authentication Context through the REST API,
it fails. We tried both AuthenticationContextType = Static and
AuthenticationContextType = Dynamic, and both fail.

 AuthenticationContextType = Static

     <StatusMessage>The AuthnRequest with AuthnContexts is not supported!</StatusMessage>

 AuthenticationContextType = Dynamic

     ERROR:create post failure {u'status': 500, u'responseType':
     u'error', u'data': [{u'message':
     u'java.lang.IllegalArgumentException: null attribute value
     DynAuthDefaultURI'}]}

How can we create a Partnership using curl and the REST API?

 

Environment

 

AdminUI 12.8SP3 on RedHat 7;

 

Resolution

 

Set the status of the partnership to "Defined" and no other value,
because the partnership cannot be activated before its configuration
data has been saved.

Once the Partnership data has been saved, the partnership can be
activated successfully in the AdminUI.

Also, the AdminUI provides a page on which you can test your
payload:

  /ca/api/sso/services/v1/api-doc/

Here is a sample of creating a Partnership using curl and the REST
API. Tip: if you need to know the data structure the payload requires,
first define a partnership in the AdminUI, then retrieve its
configuration through the REST API, and finally change the values to
suit your business needs.

Creating the partnership with the payload in params.json:

# Create the partnership: POST the JSON document in ./params.json to the FedSPPartnerships collection.
# -k skips TLS certificate verification (presumably because the training host presents a certificate curl does not trust);
# omit it against an endpoint whose certificate chain is trusted, otherwise the bearer token is sent to whoever answers on that name.
# The bearer token is given inline, so it is recorded in shell history and visible in the process list while curl runs;
# when scripting this, read it from a file or a variable rather than pasting it on the command line.
curl -v -k -H "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..vBfAMWB8A3zCXvAx.VZ2w9E8iC41VydBu-tWL33kQgFLKUfTJGx61F9UpDlBxyNzqoSXgP6TR-OzpYZ9CRja5YZ7PJks1KqoRrNuqfWlseMUJh6RAsqxy30QBmg1ImQiqN4JvGE2504sU-aji0tVYRUcAcdQV8sNd9gpK5G9LbHz7mCWL_SjpYAI6d5_5XDdF2Wsjwo78hOcKmGkiV1b_DNt_3VEHKrJx5FU8O3z8QcJJw_sQR-y-jLSy6vHrVMZolg5tYpDUKHmqgQAruGtDI3R4ecas1_Hf3Y5h5z7DZz7pF_l7trYO0tWyyTShwmcM6ZXUKxZBjZI3v1VHvqVaLZiUm2JcGHN47llqKWMoTwDcGGxE-i_F3B_m8lhJxQ-yWF71JXm3u9alAQFnZiu_bFiYXHdo8a2LsirrVjnut3rnC7XU2V9An7z7Tkcnn7BxYKORVneTNyTkf1WAvJ8VwRHDS89IF6jtEhnfEQzAYCpyYa3O0BR-zY6uHODe_H5gYecvRc4fbxF4GoZ_Ba44FLwOPtZlt1rlJmSMVZUJGvwGWt750yKaQHVKBw.IiBgR3ol1-wTFXTD67jZ_A" -H "Content-Type: application/json; charset=UTF-8" -X POST --data @params.json https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships

  params.json

  {
      "id": "CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000",
      "type": "FedSPPartnership",
      "Name": "mytestpartnership-1",
      "BaseURL": "https://mytestidp.mytestidp.com",
      "AllowIDPToCreateUserID": false,
      "Status": "Defined",
      "EnableIdentityMapping": false,
      "FIPSApproved": true,
      "SkewTime": 30,
      "Policy": {
 "TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
 "SmUserPolicies": [
   {
     "id": "CA.SM::UserPolicy@0f-000b0026-d2c9-1ecb-b068-0165c0a80000",
     "type": "SmUserPolicy",
     "FilterPath": "all",
     "UserDirectory": {
       "id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000"
     },
     "Exclude": false,
     "FilterClass": "ALL"
   }
 ]
      },
      "AttributeService": {
 "id": "CA.FED::AttributeAuthorityConfig@000d82bc-d2c8-1ecb-b068-0165c0a80000",
 "type": "FedAttributeAuthorityConfig",
 "Enabled": false,
 "EnableProxiedQuery": false,
 "ValidityDuration": 60,
 "RequireSignedQuery": false,
 "SignAssertion": false,
 "SignResponse": false
      },
      "UserDirectories": [
 {
   "id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
   "path": "/SmUserDirectories/localhost_userstore",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
   "desc": "jsmith user store for testing"
 }
      ],
      "StatusRedirect": {
 "id": "CA.FED::StatusRedirects@00012a15-d2c9-1ecb-b068-0165c0a80000",
 "type": "FedStatusRedirects",
 "EnableUnauthorizedRequestURL": false,
 "UnauthorizedAccessRedirectMode": "NoData",
 "EnableInvalidRequestURL": false,
 "InvalidRequestRedirectMode": "NoData",
 "UserNotFoundMode": "NoData",
 "UnacceptedMode": "NoData",
 "InvalidMode": "NoData",
 "ServerErrorRedirectMode": "NoData",
 "EnableServerErrorURL": false
      },
      "RemoteSPEntityName": "mytestsp",
      "LocalIdPEntityName": "mytestidp",
      "SignatureOptions": {
 "DisableSignatureProcessing": true,
 "POSTSignatureOptions": "SignAssertion",
 "ArtifactSignatureOptions": "SignNeither",
 "SLOSOAPSignatureOptions": "SignNeither",
 "RequireSignedAuthenticationRequests": false,
 "SignArtifactResponse": false,
 "SigningAlgorithm": "RSAwithSHA1",
 "RequireSignedArtifactResolve": false
      },
      "Authentication": {
 "AllowOpenFormatCookieAuthenticationContextOverride": false,
 "UseNewSessionInForceAuthentication": false,
 "DelegatedAuthenticationURL": " ",
 "SecureAuthenticationURL": false,
 "MinimumAuthenticationLevel": 5,
 "AuthenticationType": "Dynamic",
 "IdleTimeout": 3600,
 "MaxTimeout": 7200,
 "LocalAuthenticationType": "Basic",
 "ForceAuthenticationSessionTimeouts": false,
 "AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
 "TrackDelegatedAuthenticationStatus": true,
 "AuthenticationContextType": "Automatic",
 "AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
 "DelegatedAuthenticationType": "Query",
 "EnableSessionAssurance": false,
 "IgnoreRequestedAuthenticationContext": false,
 "OpenFormatCookieConfiguration": {
   "id": "CA.FED::OpenCookieConfig@0000cebe-d2c9-1ecb-b068-0165c0a80000",
   "type": "FedOpenCookieConfig",
   "EncryptionPassword": " ",
   "EncryptionTransformation": "AES128/CBC/PKCS5Padding",
   "CookieName": "DEFAULT",
   "EnableQuotedCookie": false,
   "EnableHashMessageAuthenticationCode": false,
   "SkewTime": 30
 }
      },
      "Backchannel": {
 "Timeout": 0,
 "LegacyBackchannelProtectionEnabled": false,
 "PartnershipBackchannelProtectionEnabled": true,
 "Configuration": {
   "Incoming": {
     "id": "CA.FED::BackchannelConfig@000c2d72-d2c8-1ecb-b068-0165c0a80000",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "AuthenticationType": "NoAuth"
   },
   "Outgoing": {
     "id": "CA.FED::BackchannelConfig@000c8467-d2c8-1ecb-b068-0165c0a80000",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "BackchannelTimeout": 300,
     "AuthenticationType": "NoAuth"
   }
 }
      },
      "AuthenticationContextConfiguration": {
 "AuthenticationContextTemplate": {
   "id": "CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000",
   "path": "/FedAuthnContextTemplates/mytest",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000"
 }
      },
      "SLO": {
 "EnableSLOSOAP": false,
 "RelayStateOverridesSLOConfirmURL": false,
 "EnableSLOPOST": false,
 "SLOValidityDuration": 60,
 "EnableSLO": false,
 "ReuseSessionIndex": false
      },
      "AssertionConfiguration": {
 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
 "AttributeSource": {
   "id": "CA.FED::AttributeSource@000d294a-d2c8-1ecb-b068-0165c0a80000",
   "type": "FedAttributeSource",
   "NameIDType": "Static",
   "StaticValue": "ok",
   "Value": "ok"
 }
      },
      "IDPDiscovery": {
 "EnableIDPDiscovery": false,
 "PersistentCookie": false
      },
      "EncryptionOptions": {
 "EncryptNameIDinSOAP": false,
 "EncryptionConfiguration": {
   "id": "CA.FED::EncryptionConfig@000cd572-d2c8-1ecb-b068-0165c0a80000",
   "type": "FedEncryptionConfig",
   "EncryptionKeyAlgorithm": "rsa-v15",
   "EncryptionBlockAlgorithm": "tripledes",
   "EncryptAttributes": false,
   "EncryptAssertion": false,
   "EncryptNameID": false
 }
      },
      "NameIDManagement": {
 "Configuration": {
   "id": "CA.FED::NameIDMgtConfig@00019da5-d2c9-1ecb-b068-0165c0a80000",
   "type": "FedNameIDMgtConfig",
   "NotificationAuthType": "NoAuth",
   "NotifyUserName": "*",
   "RetryCount": 3,
   "NotifyPassword": "{RC2}KX+/r5P53icByO98oPYqSQ\u003d\u003d",
   "SignRequest": false,
   "SOAPTimeout": 60,
   "EnablePostBinding": false,
   "AllowUserSelfService": false,
   "EnableNotification": false,
   "SignResponse": false,
   "EncryptNameID": false,
   "NotifyTimeout": 60,
   "RequireSignedRequest": false,
   "RequireEncryptedNameID": false,
   "EnableRedirectBinding": false,
   "DeleteNameID": false,
   "EnableSOAPBinding": false,
   "RetryBoundary": 15,
   "RequireSignedResponse": false
 }
      },
      "SSO": {
 "PersistentSessionValidationPeriod": -1,
 "EnableAuthenticationRequestPost": false,
 "EnableEnhancedClientProxyProfile": false,
 "ArtifactEncoding": "URL",
 "GUIDCookieValidityDuration": 180,
 "AcceptIncomingAssertionConsumerServiceURL": false,
 "CustomTimeout": 60,
 "EnableArtifact": false,
 "EnableAuthenticationRequestRedirect": true,
 "LegacyArtifactProtectionEnabled": false,
 "EnablePost": true,
 "EnableUserConsent": false,
 "PartnershipArtifactProtectionEnabled": false,
 "RecommendedSPSessionDuration": "AssertionValidity",
 "AllowTransactionType": "AllowBoth",
 "EnableNegativeAuthenticationResponse": false,
 "SSOValidityDuration": 60,
 "RemoteAssertionConsumerServices": [
   {
     "id": "CA.FED::Endpoint@000dd95a-d2c8-1ecb-b068-0165c0a80000",
     "type": "FedEndpoint",
     "Index": 0,
     "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
     "IsDefault": false,
     "LocationURL": "https://mytestsp.testsp.com"
   }
 ],
 "OneTimeToUseAssertion": false
      }
  }

Getting the partnership configuration:

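# Read the stored partnership configuration back by its Name.
# GET is curl's default method, so no method flag is needed. The bare word "GET" that used to sit before the URL is not
# a method for curl: curl treats every non-option argument as a URL, so it attempted to fetch a host named "GET" (failing
# with "Could not resolve host") in addition to the real request. It has been removed here.
# -k skips TLS certificate verification (presumably because the training host presents a certificate curl does not trust);
# omit it against an endpoint whose certificate chain is trusted.
# The bearer token is given inline, so it is recorded in shell history and visible in the process list while curl runs;
# when scripting this, read it from a file or a variable rather than pasting it on the command line.
curl -k -H "Authorization: Bearer eyJlbmMiOiJBMTI4R0NNIiwiYWxnIjoiZGlyIn0..MqJicc9zqSv2y5Un.kUrgBO4lUGt1lAFvQ4y-K3J798BikKXmDaVTVCjRw9Lv4X_k2qb54fZYcvv9du7J9abXgJnccTMdXC5PiwC1YXxCavhcyf1g-KhYiZzMUEw8vE0BDMnAHpm_HIs9z6xRa77N5clRJf4v2m1iD4tXx5KzaZ8BI091VoaWLmdEHfMqxrhPMayUroGDNIlWsgIlo7IRzsHsdcJtGz6HjtALkVpz-V-6WDENlqoXARo-fZm90MeovrY8iTDkaPVC3LEYjZDwF2Sg-8K8uXKp2kq3Awj4lXZb_0JbCGjv-OiAxi7ts7mK3FWES6-eidQWBWgjcqiNtL94y4gU6Zl4x4UcilzMKlArjUZVAU7et4GwjhzHQJsL_UwugI0_9o7NA83-UXLFLI3OcM8LBLTGUt1ZOywIZW2UX6A4xTLrIPW6L3j9D1xoEbpbMzpmlC-t6lwz-MbijZO757VFhyc3CZ3C63Qgg4-zhfZBSm4lNeQNG7JsquY0WugJovBvDUWF84uUrFQBZ1aKtKF4ElOoqx5MMK7cNjB1p9Eh6ouO89eng.XTw-k0q6QJOeTRn_CuBjjQ" https://ps.training.com:8443/ca/api/sso/services/policy/v1/FedSPPartnerships/mytestpartnership-1 -v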

response:

 {
    "responseType": "object",
    "data": {
      "id": "CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000",
      "type": "FedSPPartnership",
      "Name": "mytestpartnership-1",
      "SkewTime": 30,
      "Status": "Defined",
      "EnableIdentityMapping": false,
      "FIPSApproved": true,
      "AllowIDPToCreateUserID": false,
      "BaseURL": "https://mytestidp.mytestidp.com",
      "AttributeService": {
 "id": "CA.FED::AttributeAuthorityConfig@000d82bc-d2c8-1ecb-b068-0165c0a80000",
 "type": "FedAttributeAuthorityConfig",
 "SignResponse": false,
 "ValidityDuration": 60,
 "EnableProxiedQuery": false,
 "Enabled": false,
 "RequireSignedQuery": false,
 "SignAssertion": false
      },
      "StatusRedirect": {
 "id": "CA.FED::StatusRedirects@00012a15-d2c9-1ecb-b068-0165c0a80000",
 "type": "FedStatusRedirects",
 "UnauthorizedAccessRedirectMode": "NoData",
 "EnableServerErrorURL": false,
 "UnacceptedMode": "NoData",
 "InvalidMode": "NoData",
 "UserNotFoundMode": "NoData",
 "ServerErrorRedirectMode": "NoData",
 "EnableInvalidRequestURL": false,
 "InvalidRequestRedirectMode": "NoData",
 "EnableUnauthorizedRequestURL": false
      },
      "Policy": {
 "TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
 "SmUserPolicies": [
   {
     "id": "CA.SM::UserPolicy@0f-000b0026-d2c9-1ecb-b068-0165c0a80000",
     "type": "SmUserPolicy",
     "FilterPath": "all",
     "UserDirectory": {
       "id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000"
     },
     "Exclude": false,
     "FilterClass": "ALL"
   }
 ]
      },
      "UserDirectories": [
 {
   "id": "CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
   "path": "/SmUserDirectories/localhost_userstore",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.SM::UserDirectory@0e-0007dfef-caea-1a4c-bbec-00017f000000",
   "desc": "jsmith user store for testing"
 }
      ],
      "RemoteSPEntityName": "mytestsp",
      "LocalIdPEntityName": "mytestidp",
      "SignatureOptions": {
 "RequireSignedAuthenticationRequests": false,
 "ArtifactSignatureOptions": "SignNeither",
 "POSTSignatureOptions": "SignAssertion",
 "RequireSignedArtifactResolve": false,
 "SignArtifactResponse": false,
 "DisableSignatureProcessing": true,
 "SigningAlgorithm": "RSAwithSHA1",
 "SLOSOAPSignatureOptions": "SignNeither"
      },
      "Authentication": {
 "MaxTimeout": 7200,
 "EnableSessionAssurance": false,
 "ForceAuthenticationSessionTimeouts": false,
 "TrackDelegatedAuthenticationStatus": true,
 "AllowOpenFormatCookieAuthenticationContextOverride": false,
 "DelegatedAuthenticationType": "Query",
 "MinimumAuthenticationLevel": 5,
 "AuthenticationType": "Dynamic",
 "AuthenticationContextClassReference": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
 "AuthenticationURL": "https://mytestidp.mytestidp.com/auth",
 "DelegatedAuthenticationURL": " ",
 "AuthenticationContextType": "Automatic",
 "LocalAuthenticationType": "Basic",
 "SecureAuthenticationURL": false,
 "IgnoreRequestedAuthenticationContext": false,
 "UseNewSessionInForceAuthentication": false,
 "IdleTimeout": 3600,
 "OpenFormatCookieConfiguration": {
   "id": "CA.FED::OpenCookieConfig@0000cebe-d2c9-1ecb-b068-0165c0a80000",
   "type": "FedOpenCookieConfig",
   "SkewTime": 30,
   "EncryptionPassword": " ",
   "CookieName": "DEFAULT",
   "EncryptionTransformation": "AES128/CBC/PKCS5Padding",
   "EnableHashMessageAuthenticationCode": false,
   "EnableQuotedCookie": false
 }
      },
      "Backchannel": {
 "LegacyBackchannelProtectionEnabled": false,
 "PartnershipBackchannelProtectionEnabled": true,
 "Timeout": 0,
 "Configuration": {
   "Incoming": {
     "id": "CA.FED::BackchannelConfig@000c2d72-d2c8-1ecb-b068-0165c0a80000",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "AuthenticationType": "NoAuth"
   },
   "Outgoing": {
     "id": "CA.FED::BackchannelConfig@000c8467-d2c8-1ecb-b068-0165c0a80000",
     "type": "FedBackchannelConfig",
     "UserName": "defaultUser",
     "AuthenticationType": "NoAuth",
     "BackchannelTimeout": 300
   }
 }
      },
      "AuthenticationContextConfiguration": {
 "AuthenticationContextTemplate": {
   "id": "CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000",
   "path": "/FedAuthnContextTemplates/mytest",
   "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::AuthnContextTemplate@00027fd8-9d81-1ec2-9be3-0165c0a80000"
 }
      },
      "SLO": {
 "EnableSLOPOST": false,
 "ReuseSessionIndex": false,
 "EnableSLO": false,
 "EnableSLOSOAP": false,
 "SLOValidityDuration": 60,
 "RelayStateOverridesSLOConfirmURL": false
      },
      "IDPDiscovery": {
 "PersistentCookie": false,
 "EnableIDPDiscovery": false
      },
      "AssertionConfiguration": {
 "NameIDFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
 "AttributeSource": {
   "id": "CA.FED::AttributeSource@000d294a-d2c8-1ecb-b068-0165c0a80000",
   "type": "FedAttributeSource",
   "NameIDType": "Static",
   "StaticValue": "ok",
   "Value": "ok"
 }
      },
      "EncryptionOptions": {
 "RequireEncryptedNameIDInSOAP": false,
 "EncryptNameIDinSOAP": false,
 "EncryptionConfiguration": {
   "id": "CA.FED::EncryptionConfig@000cd572-d2c8-1ecb-b068-0165c0a80000",
   "type": "FedEncryptionConfig",
   "EncryptAssertion": false,
   "EncryptNameID": false,
   "EncryptAttributes": false,
   "EncryptionKeyAlgorithm": "rsa-v15",
   "EncryptionBlockAlgorithm": "tripledes"
 }
      },
      "NameIDManagement": {
 "Configuration": {
   "id": "CA.FED::NameIDMgtConfig@00019da5-d2c9-1ecb-b068-0165c0a80000",
   "type": "FedNameIDMgtConfig",
   "SignRequest": false,
   "EncryptNameID": false,
   "NotifyPassword": "{RC2}kluny2SjVIvjpaTC/GpDjA\u003d\u003d",
   "NotifyTimeout": 60,
   "EnablePostBinding": false,
   "NotificationAuthType": "NoAuth",
   "RequireSignedResponse": false,
   "EnableSOAPBinding": false,
   "DeleteNameID": false,
   "AllowUserSelfService": false,
   "EnableRedirectBinding": false,
   "RetryCount": 3,
   "RequireSignedRequest": false,
   "NotifyUserName": "*",
   "RequireEncryptedNameID": false,
   "EnableNotification": false,
   "SOAPTimeout": 60,
   "RetryBoundary": 15,
   "SignResponse": false
 }
      },
      "SSO": {
 "EnableAuthenticationRequestPost": false,
 "SSOValidityDuration": 60,
 "EnableEnhancedClientProxyProfile": false,
 "EnableArtifact": false,
 "PersistentSessionValidationPeriod": -1,
 "AllowTransactionType": "AllowBoth",
 "RecommendedSPSessionDuration": "AssertionValidity",
 "LegacyArtifactProtectionEnabled": false,
 "EnableAuthenticationRequestRedirect": true,
 "ArtifactEncoding": "URL",
 "EnableUserConsent": false,
 "PartnershipArtifactProtectionEnabled": false,
 "EnableNegativeAuthenticationResponse": false,
 "GUIDCookieValidityDuration": 180,
 "EnablePost": true,
 "AcceptIncomingAssertionConsumerServiceURL": false,
 "CustomTimeout": 60,
 "RemoteAssertionConsumerServices": [
   {
     "id": "CA.FED::Endpoint@000dd95a-d2c8-1ecb-b068-0165c0a80000",
     "type": "FedEndpoint",
     "IsDefault": false,
     "LocationURL": "https://mytestsp.testsp.com",
     "Index": 0,
     "Binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   }
 ],
 "OneTimeToUseAssertion": false
      }
    },
    "links": {
      "self": {
 "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000"
      },
      "classinfo": {
 "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000/classinfo"
      },
      "editinfo": {
 "href": "https://ps.training.com:8443/ca/api/sso/services/policy/v1/objects/CA.FED::PartnershipBase@000450e9-d2c9-1ecb-b068-0165c0a80000?op=editinfo"
      }
    }