Is there a way to query or view all domains that are using a specific authentication scheme
Article ID: 380127

Products

SITEMINDER

Issue/Introduction

Is there a way to identify which authentication scheme (AuthScheme) is linked to which domain in SiteMinder?

Environment

All supported SiteMinder releases

Resolution

There are two options:

*** Option 1 --> Use the REST API

Documentation on how to use the REST API --> https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/policy-object-rest-apis.html

Write a script that uses the REST API as follows:

1) Get an access token as described in the guide.
2) Call the following REST API to get the list of all the domains you have.

Example 

https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/SmDomains


{
    "responseType": "links",
    "path": "children",
    "xpsclass": "SmDomains",
    "data": [
        {
            "id": "CA.SM::Domain@03-7745137c-xxxxxxxxxxxxxxxxxx",
            "path": "/SmDomains/samlidp%3Aspidppartnership",
            "href": "https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-7745137c-xxxxxxxxxxxxxxxxxx",
            "desc": "Backing Domain for IdPPartnership"
        },
        {
            "id": "CA.SM::Domain@03-000b6963-40d0-115b-xxxxxxxxxxxxxxxxxx",
            "path": "/SmDomains/%40MetlifeDomain",
            "href": "https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-000b6963-xxxxxxxxxxxxxxxxxx"
        },
        {
            "id": "CA.SM::Domain@03-00042a32-ba14-1148-xxxxxxxxxxxxxxxxxx",
            "path": "/SmDomains/%40LDAPDomain",
            "href": "https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-00042a32-ba14-xxxxxxxxxxxxxxxxxx"
        },
        {
......
    ],
    "links": {}
}

3) Take each domain from the list above, append "?op=expanded" to its URL as shown below, and perform a GET. The response will look like the following:


https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-00063415-042b-xxxxxxxxxxxxxxxxxx?op=expanded


The response contains the expanded realms and the auth scheme associated with each. In this example the Auth Scheme is --> CA.SM::AuthScheme@0d-000a500c-04a8-xxxxxxxxxxxxxxxxxx

Response:
------------

{
    "responseType": "tree",
    "data": {
        "id": "CA.SM::Domain@03-00063415-042b-xxxxxxxxxxxxxxxxxx",
        "type": "SmDomain",
        "Name": "testFedappRedirectDomain",
        "IsDLP": false,
        "IsAffiliate": false,
        "Mode": [
            "GlobalPoliciesApply"
        ],
        "UserDirectoriesLink": [
            {
                "id": "CA.SM::UserDirectory@0e-9cf6d529-be12-xxxxxxxxxxxxxxxxxx"
            }
        ]
    },
    "children": [
        {
            "data": {
                "id": "CA.SM::Realm@06-0009b33d-0452-16f3-xxxxxxxxxxxxxxxxxx",
                "type": "SmRealm",
                "Name": "testFedappRedirectRealm",
                "HidingMask": [],
                "IdleTimeout": 3600,
                "ProcessAzEvents": true,
                "ProcessAuthEvents": true,
                "SessionDrift": -1,
                "ProtectAll": true,
                "SessionType": "Non-peristent",
                "SyncAudit": false,
                "ResourceFilter": "/affwebservices/testapp/dump_headers.jsp",
                "MinUserConfidenceLevel": 0,
                "MaxTimeout": 7200,
                "AuthSchemeLink": {
                    "id": "CA.SM::AuthScheme@0d-000a500c-04a8-16f3-xxxxxxxxxxxxxxxxxx"
                },
                "AgentLink": {
                    "id": "CA.SM::Agent@01-fe0e2c96-3e2a-40b6-xxxxxxxxxxxxxxxxxx"
                }
            },
            "children": [
                {
                    "data": {
                        "id": "CA.SM::Rule@0b-000b7744-0463-16f3-xxxxxxxxxxxxxxxxxx",
                        "type": "SmRule",
                        "Name": "testFedappRedirectRule",
                        "HidingMask": [],
                        "RegularExpression": false,
                        "IsEnabled": true,
                        "Resource": "*",
                        "AllowAccess": true,
                        "Actions": [
                            "Get",
                            "Post"
                        ],
                        "TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f"
                    }
                }
            ]
        },
        {
            "data": {
                "id": "CA.SM::Policy@04-0008ae77-0480-16f3-xxxxxxxxxxxxxxxxxx",
                "type": "SmPolicy",
                "Name": "testFedappRedirectPolicy",
                "HidingMask": [],
                "IsEnabled": true,
                "AllowAccess": true,
                "ValidateIdentity": false,
                "TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
                "ValidateIdTimeDelay": 0,
                "ValidateIdDifferentUser": false,
                "SmPolicyLinks": [
                    {
                        "id": "CA.SM::PolicyLink@05-000413b0-0498-16f3-xxxxxxxxxxxxxxxxxx",
                        "type": "SmPolicyLink",
                        "HidingMask": [],
                        "RuleLink": {
                            "id": "CA.SM::Rule@0b-000b7744-0463-16f3-xxxxxxxxxxxxxxxxxx"
                        }
                    }
                ],
                "SmUserPolicies": [
                    {
                        "id": "CA.SM::UserPolicy@0f-000ebb98-0495-16f3-xxxxxxxxxxxxxxxxxx",
                        "type": "SmUserPolicy",
                        "PolicyFlags": [],
                        "FilterPath": "All",
                        "PolicyResolution": "All",
                        "FilterClass": "All",
                        "UserDirectory": {
                            "id": "CA.SM::UserDirectory@0e-9cf6d529-be12-43a0xxxxxxxxxxxxxxxxxx"
                        }
                    }
                ]
            }
        }
    ]
}
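A script that implements steps 2 and 3 above and inverts the result, so that each auth scheme is listed with the domains and realms that reference it. This is an added example, not code from the article or from Broadcom; the host, domain ids and scheme ids are constructed, and the `fetch` callable stands in for the authenticated GET that uses the access token from step 1.

```python
import json
from collections import defaultdict

def realms_with_schemes(node, out):
    """Recursively collect (realm name, auth scheme id) from an expanded domain tree."""
    data = node.get("data", {})
    if data.get("type") == "SmRealm" and "AuthSchemeLink" in data:
        out.append((data["Name"], data["AuthSchemeLink"]["id"]))
    for child in node.get("children", []):
        realms_with_schemes(child, out)
    return out

def domains_by_auth_scheme(fetch, base):
    """Return {auth scheme id: [(domain name, realm name), ...]} across all domains.

    `fetch(url)` must return the decoded JSON of a GET on that URL; in production
    it would send the access token obtained in step 1 as the guide describes.
    """
    result = defaultdict(list)
    for entry in fetch(f"{base}/SmDomains")["data"]:          # step 2: list domains
        tree = fetch(f"{entry['href']}?op=expanded")          # step 3: expand each one
        for realm_name, scheme in realms_with_schemes(tree, []):
            result[scheme].append((tree["data"]["Name"], realm_name))
    return dict(result)

# Constructed sample responses in the shape shown above (not real ids or hosts).
BASE = "https://adminui.example:8443/ca/api/sso/services/policy/v1"
SCHEME_A, SCHEME_B = "CA.SM::AuthScheme@0d-aaaa", "CA.SM::AuthScheme@0d-bbbb"

def realm(name, scheme):
    return {"data": {"type": "SmRealm", "Name": name,
                     "AuthSchemeLink": {"id": scheme}}, "children": []}

SAMPLE = {
    f"{BASE}/SmDomains": {"responseType": "links", "data": [
        {"id": "CA.SM::Domain@03-1111", "href": f"{BASE}/objects/CA.SM::Domain@03-1111"},
        {"id": "CA.SM::Domain@03-2222", "href": f"{BASE}/objects/CA.SM::Domain@03-2222"}]},
    f"{BASE}/objects/CA.SM::Domain@03-1111?op=expanded": {
        "responseType": "tree", "data": {"type": "SmDomain", "Name": "AppDomain"},
        "children": [realm("LoginRealm", SCHEME_A), realm("AdminRealm", SCHEME_B),
                     {"data": {"type": "SmPolicy", "Name": "AppPolicy"}}]},
    f"{BASE}/objects/CA.SM::Domain@03-2222?op=expanded": {
        "responseType": "tree", "data": {"type": "SmDomain", "Name": "PortalDomain"},
        "children": [realm("PortalRealm", SCHEME_A)]},
}

def sample_fetch(url):
    return SAMPLE[url]

if __name__ == "__main__":
    print(json.dumps(domains_by_auth_scheme(sample_fetch, BASE), indent=2))
```

Policies and other non-realm children are skipped, since only realms carry an AuthSchemeLink.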


*** Option 2 --> Run a full XPSExport (XPSExport ful_dump.xml -xb)

Look for the Auth Scheme OID in the XML and note the domains it is listed under.