We're running a Policy Server and we'd like to know how SmWalker works
with it during the Authentication and Authorization phases?
According to the SmWalker documentation, SmWalker is most often
executed during the authorization phase, where it runs as an Active
Expression:
SmWalker for CA Single Sign-On - User Guide - Version R14.3
"SmWalker is most often called by the CA Single Sign-On Policy Server
as an Active Expression. Active Expressions are the term for the CA
Single Sign-On policy object implementing a CA Single Sign-On
authorization API module. Active Expressions can be configured
through the CA Single Sign-On Administration UI to control rules,
responses and policies.
[...]
SmWalker as an Active Expression
The Advanced Tab format for an Active Expression is:
<@ lib="smwalker" func="<function>" param="<args>" @>
[...]
Active Expressions can be used in a number of places within CA
Single Sign-On. Mostly, they are used to provide a value for a
Response (an Active Response)."
p.6
"SmWalker as an Authentication Scheme
SmWalker can also be invoked during the authentication process
itself (not just during an OnAuth event). Full details of the
configuration and use of SmWalker as an authentication scheme is in
the chapter named "Authentication Scheme Wedge""
p.9
You can get debug tracing from the SmWalker module by configuring the
SmWalker.dat file:
"The SmWalker.dat file can be divided into sections. Sections are
identified in the file using a line containing (only) the section name
(case-insensitive), surrounded by square brackets, such as:
[SmWalker]
Everything below the section name will be considered part of that
section, until a new section name is specified. To configure SmWalker,
for example, to enable debug and trace information you would use the
following lines in SmWalker.dat:
[SmWalker]
Debug=false
Trace=true
To reference a name within a section from another expression (or a
call to Evaluate), you use #<section>.<name>, as in "#SmWalker.Debug"."
p.11
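The section/name format quoted above is small enough to parse by hand, which is useful when checking a SmWalker.dat before deploying it (a section name typo silently puts names in the wrong section). The following is an added example written for this page, not code from the SmWalker package: it implements only what the documentation states (bracketed section headers, case-insensitive section names, name=value lines, and "#<section>.<name>" references). The sample file, the ";" comment convention, the rule for names outside any section and the cycle limit on nested references are assumptions, and the [MySection] section is hypothetical.

```python
"""Parser for the SmWalker.dat section/name format.

Added example, not part of the SmWalker package. It implements only what
the documentation states (bracketed section headers, case-insensitive
section names, name=value lines, "#<section>.<name>" references); comment
syntax, unknown-reference handling and cycle detection are assumptions.
"""
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
REF_RE = re.compile(r"#(?P<section>[A-Za-z0-9_]+)\.(?P<name>[A-Za-z0-9_]+)")

# Constructed sample: the Debug/Trace lines from the documentation plus a
# hypothetical section that references them.
SAMPLE_DAT = """\
[SmWalker]
Debug=false
Trace=true

[MySection]
; hypothetical section; the ';' comment syntax is an assumption
LogLevel=#SmWalker.Trace
Owner=#smwalker.Debug
"""


def parse_smwalker_dat(text):
    """Return {section_lower: {name: value}} for an SmWalker.dat body.

    Section names are compared case-insensitively (as documented), so the
    result is keyed by the lower-cased section name. Lines before the first
    section header are rejected because every name must belong to a section
    (assumption: the documentation says names live inside sections).
    """
    sections = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):   # blank or comment (assumed syntax)
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: name outside any [section]")
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected name=value, got {raw!r}")
        sections[current][name.strip()] = value.strip()
    return sections


def resolve(sections, ref):
    """Resolve one '#<section>.<name>' reference (section case-insensitive)."""
    m = REF_RE.fullmatch(ref)
    if not m:
        raise ValueError(f"not a #<section>.<name> reference: {ref!r}")
    section = sections.get(m.group("section").lower())
    if section is None or m.group("name") not in section:
        raise KeyError(ref)
    return section[m.group("name")]


def expand(sections, value, depth=0):
    """Replace every #<section>.<name> inside value with the referenced value.

    The depth bound makes a self-referencing definition fail loudly instead
    of looping; this cycle handling is an assumption, not documented.
    """
    if depth > 10:
        raise RecursionError("reference chain too deep (cycle?)")
    return REF_RE.sub(
        lambda m: expand(sections, resolve(sections, m.group(0)), depth + 1), value)


def trace_enabled(sections):
    """True when #SmWalker.Trace is 'true' (value compared case-insensitively)."""
    return resolve(sections, "#SmWalker.Trace").lower() == "true"


if __name__ == "__main__":
    cfg = parse_smwalker_dat(SAMPLE_DAT)
    print("Trace enabled:", trace_enabled(cfg))
    print("LogLevel ->", expand(cfg, cfg["mysection"]["LogLevel"]))
```

Run it against your own SmWalker.dat and check that each name lands in the section you expect; a misspelled "[SmWalker]" header creates a separate section, so Debug and Trace would not be found under #SmWalker.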
The same documentation explains how SmWalker is used when it is defined
in an Authentication Scheme. SmWalker is not a standalone Authentication
Scheme; it is a "shim", meaning it is added to the processing of another
Authentication Scheme, as described here:
"SmWalker does not provide a stand-alone authentication
scheme. Instead, it provides an authentication scheme wedge. A
wedge (sometimes called a shim) transparently fits between two
pieces of code and modifies the behavior of one or the other. In
this case, SmWalker can perform additional processing on top of
that performed by the "real" authentication scheme."
p.13-14
SmWalker is therefore used to modify the processing of an existing
Authentication Scheme. In practice it helps retrieve the User Context
that the Authentication Scheme needs.
"The SmWalker Authentication Scheme Wedge makes calls to Evaluate
functions at predefined points in standard authentication scheme
processing. This allows sites to easily modify the behavior of
existing authenticating schemes."
p.15
SmWalker can be used as an Authentication Scheme Wedge and as an Active
Expression in a Policy at the same time; it can be configured in any of
your Policies and Authentication Schemes.
The SmWalker module accesses the LDAP Store each time it executes, and
how often it executes depends on how the Response is configured: whether
the Response attribute is cached or recalculated determines how often
SmWalker contacts the LDAP Store.
"When testing responses, please be careful about CA Single
Sign-On's caches. Often, responses will be sent from a CA Single
Sign-On cache (usually on the Agent) if available, rather than
re-evaluating the responses. Often, this causes confusion when
testing responses."
p.6
SmWalker takes the value of the variable passed as its parameter; see
the screenshot on p.7. In the Attribute Fields you'll find:
"Library Name : smwalker
Function Name : WalkUser
Parameters : ;mail"
To use the definitions from the SmWalker.dat file, set #KEYREF as the
parameter instead of the configuration above.
As an Authentication Scheme Wedge, the configuration is defined in the
SmWalker.dat file, as per the documentation:
"7. Now at the beginning of the "Parameter" field, insert the name
of a section within your SmWalker.dat file that contains the
code that SmWalker should call during the Authentication
process. This section name must not start with a pound sign
("#"). There should be a semi-colon between the section name and
the original library name.
For example, if the name of the SmWalker section is "MySection"
then after inserting the SmWalker wedge, the parameter might
look like:
MySection;smauthhtml;http://www.example.com/siteminderagent/forms/login.fcc;ACS=0"
p.21
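Step 7 above is the one place where the wedge configuration is easy to get wrong: the section name goes in front of the real scheme's library name, must not start with "#" (that prefix is the reference syntax), and is separated by a semicolon. The following is an added example written for this page, not code from SmWalker or the Policy Server: it builds and checks a wedged Parameter value from the documentation's HTML Forms example. Rejecting empty section names and names containing ";" is an added sanity check, not a documented rule.

```python
"""Build and check the Parameter field of an SmWalker Authentication Scheme Wedge.

Added example, not part of the SmWalker package. The documented rule is:
section name first, not starting with '#', then a semicolon, then the
original library name and its parameters. The empty-name and ';' checks
are added assumptions.
"""

# Constructed sample: the original HTML Forms scheme Parameter from the
# documentation's example, before the wedge is inserted.
ORIGINAL_PARAM = "smauthhtml;http://www.example.com/siteminderagent/forms/login.fcc;ACS=0"


def check_section_name(section):
    """Validate the SmWalker.dat section name that will be placed first."""
    if not section:
        raise ValueError("section name must not be empty")
    if section.startswith("#"):
        raise ValueError("section name must not start with '#' "
                         "(that is the #section.name reference syntax)")
    if ";" in section:
        raise ValueError("section name must not contain ';' (the field separator)")
    return section


def wedge_parameter(section, original_param):
    """Return '<section>;<original parameter>' after validating the section name."""
    check_section_name(section)
    if not original_param:
        raise ValueError("original parameter must name the real scheme library")
    return f"{section};{original_param}"


def split_wedged_parameter(param):
    """Split a wedged Parameter into (section, library, remaining parameter).

    The second field is the library SmWalker will actually call, which is
    what you want to confirm when reviewing a scheme that has been wedged.
    """
    parts = param.split(";", 2)
    if len(parts) < 2:
        raise ValueError("not a wedged parameter: expected '<section>;<library>...'")
    section, library = parts[0], parts[1]
    check_section_name(section)
    rest = parts[2] if len(parts) == 3 else ""
    return section, library, rest


def unwedge_parameter(param):
    """Strip the leading section so the original Parameter can be compared."""
    _, library, rest = split_wedged_parameter(param)
    return library if not rest else f"{library};{rest}"


if __name__ == "__main__":
    wedged = wedge_parameter("MySection", ORIGINAL_PARAM)
    print(wedged)
    print(split_wedged_parameter(wedged))
    print("round-trip ok:", unwedge_parameter(wedged) == ORIGINAL_PARAM)
```

When the real scheme's library is changed (the documentation's steps also rename the Library field to smwalker), compare `unwedge_parameter()` of the new Parameter with the Parameter you had before wedging; they should be identical.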
As quoted above (p.13-14), the SmWalker Authentication Wedge adds
processing on top of an existing Authentication Scheme rather than
replacing it.
Page 19 gives a sample configuration showing how the SmWalker
Authentication Wedge is configured to work with an HTML Form
Authentication Scheme:
"As previously discussed SmWalker is not a full authentication
scheme. Instead, SmWalker runs as a wedge between CA Single Sign-On
and a "real" authentication scheme. CA Single Sign-On is configured
to call SmWalker instead of the "real" authentication scheme; and
SmWalker calls the "real" authentication scheme to perform the
actual authentication functions. However, SmWalker will perform
additional processing.
To configure SmWalker as an authentication scheme, start with the
original authentication scheme and perform the following steps:
[...]"
Use cases and examples start on page 30.
The latest SmWalker version is available by downloading the package
here:
CA Global Delivery Packaged Work Product Download Index
https://support.broadcom.com/external/content/release-announcements/CA-Global-Delivery-Packaged-Work-Product-Download-Index/4800
The documentation is included in that package.