Is there a way to identify which AuthScheme is linked to which Domain in SiteMinder?
All Siteminder Supported releases
Couple of options:
*** Option 1 --> Use the REST API
Link on how to use the REST API --> https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/programming/policy-object-rest-apis.html
Write a script that uses the REST API as follows:
1) Get an access token as indicated in the guide.
2) Call the following REST API to get the list of all the domains you have.
Example
https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/SmDomains
{
"responseType": "links",
"path": "children",
"xpsclass": "SmDomains",
"data": [
{
"id": "CA.SM::Domain@03-7745137c-xxxxxxxxxxxxxxxxxx",
"path": "/SmDomains/samlidp%3Aspidppartnership",
"href": "https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-7745137c-xxxxxxxxxxxxxxxxxx",
"desc": "Backing Domain for IdPPartnership"
},
{
"id": "CA.SM::Domain@03-000b6963-40d0-115b-xxxxxxxxxxxxxxxxxx",
"path": "/SmDomains/%40MetlifeDomain",
"href": "https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-000b6963-xxxxxxxxxxxxxxxxxx"
},
{
"id": "CA.SM::Domain@03-00042a32-ba14-1148-xxxxxxxxxxxxxxxxxx",
"path": "/SmDomains/%40LDAPDomain",
"href": "https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-00042a32-ba14-xxxxxxxxxxxxxxxxxx"
},
{
......
],
"links": {}
}
3) Take each Domain href from the list above, append "?op=expanded" to it as shown below, and perform a GET.
https://<adminuiHost>:8443/ca/api/sso/services/policy/v1/objects/CA.SM::Domain@03-00063415-042b-xxxxxxxxxxxxxxxxxx?op=expanded
The response is the expanded Domain tree: every Realm in it carries an "AuthSchemeLink" whose "id" is the OID of the Auth Scheme protecting that Realm. In this example the Auth Scheme is --> CA.SM::AuthScheme@0d-000a500c-04a8-xxxxxxxxxxxxxxxxxx
Response:
------------
{
"responseType": "tree",
"data": {
"id": "CA.SM::Domain@03-00063415-042b-xxxxxxxxxxxxxxxxxx",
"type": "SmDomain",
"Name": "testFedappRedirectDomain",
"IsDLP": false,
"IsAffiliate": false,
"Mode": [
"GlobalPoliciesApply"
],
"UserDirectoriesLink": [
{
"id": "CA.SM::UserDirectory@0e-9cf6d529-be12-xxxxxxxxxxxxxxxxxx"
}
]
},
"children": [
{
"data": {
"id": "CA.SM::Realm@06-0009b33d-0452-16f3-xxxxxxxxxxxxxxxxxx",
"type": "SmRealm",
"Name": "testFedappRedirectRealm",
"HidingMask": [],
"IdleTimeout": 3600,
"ProcessAzEvents": true,
"ProcessAuthEvents": true,
"SessionDrift": -1,
"ProtectAll": true,
"SessionType": "Non-peristent",
"SyncAudit": false,
"ResourceFilter": "/affwebservices/testapp/dump_headers.jsp",
"MinUserConfidenceLevel": 0,
"MaxTimeout": 7200,
"AuthSchemeLink": {
"id": "CA.SM::AuthScheme@0d-000a500c-04a8-16f3-xxxxxxxxxxxxxxxxxx"
},
"AgentLink": {
"id": "CA.SM::Agent@01-fe0e2c96-3e2a-40b6-xxxxxxxxxxxxxxxxxx"
}
},
"children": [
{
"data": {
"id": "CA.SM::Rule@0b-000b7744-0463-16f3-xxxxxxxxxxxxxxxxxx",
"type": "SmRule",
"Name": "testFedappRedirectRule",
"HidingMask": [],
"RegularExpression": false,
"IsEnabled": true,
"Resource": "*",
"AllowAccess": true,
"Actions": [
"Get",
"Post"
],
"TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f"
}
}
]
},
{
"data": {
"id": "CA.SM::Policy@04-0008ae77-0480-16f3-xxxxxxxxxxxxxxxxxx",
"type": "SmPolicy",
"Name": "testFedappRedirectPolicy",
"HidingMask": [],
"IsEnabled": true,
"AllowAccess": true,
"ValidateIdentity": false,
"TimeRestriction": "00000000-00000000-7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f7f",
"ValidateIdTimeDelay": 0,
"ValidateIdDifferentUser": false,
"SmPolicyLinks": [
{
"id": "CA.SM::PolicyLink@05-000413b0-0498-16f3-xxxxxxxxxxxxxxxxxx",
"type": "SmPolicyLink",
"HidingMask": [],
"RuleLink": {
"id": "CA.SM::Rule@0b-000b7744-0463-16f3-xxxxxxxxxxxxxxxxxx"
}
}
],
"SmUserPolicies": [
{
"id": "CA.SM::UserPolicy@0f-000ebb98-0495-16f3-xxxxxxxxxxxxxxxxxx",
"type": "SmUserPolicy",
"PolicyFlags": [],
"FilterPath": "All",
"PolicyResolution": "All",
"FilterClass": "All",
"UserDirectory": {
"id": "CA.SM::UserDirectory@0e-9cf6d529-be12-43a0xxxxxxxxxxxxxxxxxx"
}
}
]
}
}
]
}
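The three steps above, put together as a script. This is an added example and not code from the article or from Broadcom. It assumes the token has already been obtained as the linked guide describes and is supplied in the SM_TOKEN environment variable (sending it as an "Authorization: Bearer" header is this script's assumption), that the Admin UI host is in SM_ADMINUI_HOST, and it is exercised offline on SAMPLE_DOMAIN_TREE, a trimmed copy of the expanded-domain response shown above plus one constructed sub-realm to show that nested realms are collected as well. The inversion at the end answers the original question directly: for each Auth Scheme OID, which Domains and Realms reference it.

```python
"""Map SiteMinder domains and realms to the auth scheme each realm uses.

Added example, not code from the KB article or from Broadcom. Assumptions:
  * SM_ADMINUI_HOST and SM_TOKEN are set (token obtained as the linked guide
    describes; sending it as a Bearer header is an assumption of this script);
  * SAMPLE_DOMAIN_TREE is a trimmed copy of the article's "op=expanded" response
    plus one constructed sub-realm, so the walk can be tested offline.
"""
import json
import os
import ssl
import urllib.request
from collections import defaultdict

DOMAINS_PATH = "/ca/api/sso/services/policy/v1/SmDomains"

# Constructed sample data, based on the article's expanded-domain response.
SAMPLE_DOMAIN_TREE = {
    "responseType": "tree",
    "data": {"id": "CA.SM::Domain@03-00063415-042b-xxxxxxxxxxxxxxxxxx",
             "type": "SmDomain", "Name": "testFedappRedirectDomain"},
    "children": [
        {"data": {"id": "CA.SM::Realm@06-0009b33d-0452-16f3-xxxxxxxxxxxxxxxxxx",
                  "type": "SmRealm", "Name": "testFedappRedirectRealm",
                  "ResourceFilter": "/affwebservices/testapp/dump_headers.jsp",
                  "AuthSchemeLink": {"id": "CA.SM::AuthScheme@0d-000a500c-04a8-16f3-xxxxxxxxxxxxxxxxxx"}},
         "children": [
             {"data": {"id": "CA.SM::Rule@0b-000b7744-0463-16f3-xxxxxxxxxxxxxxxxxx",
                       "type": "SmRule", "Name": "testFedappRedirectRule"}},
             # Hypothetical sub-realm (constructed, not from the article) nested under the realm.
             {"data": {"id": "CA.SM::Realm@06-constructed-subrealm",
                       "type": "SmRealm", "Name": "testFedappSubRealm",
                       "AuthSchemeLink": {"id": "CA.SM::AuthScheme@0d-constructed-basic"}}},
         ]},
        {"data": {"id": "CA.SM::Policy@04-0008ae77-0480-16f3-xxxxxxxxxxxxxxxxxx",
                  "type": "SmPolicy", "Name": "testFedappRedirectPolicy"}},
    ],
}


def realm_auth_schemes(tree):
    """Return [(domain, realm, auth_scheme_id)] for every realm in one expanded domain tree.

    Depth-first, because realms may contain sub-realms: non-realm nodes (rules,
    policies) are skipped, but their children are still visited.
    """
    domain = tree["data"]["Name"]
    found = []

    def walk(node):
        data = node.get("data", {})
        if data.get("type") == "SmRealm":
            link = data.get("AuthSchemeLink") or {}
            found.append((domain, data.get("Name"), link.get("id")))
        for child in node.get("children", []):
            walk(child)

    for child in tree.get("children", []):
        walk(child)
    return found


def index_by_auth_scheme(trees):
    """Invert the per-realm list: auth scheme OID -> sorted list of (domain, realm)."""
    index = defaultdict(list)
    for tree in trees:
        for domain, realm, scheme in realm_auth_schemes(tree):
            index[scheme].append((domain, realm))
    return {scheme: sorted(pairs) for scheme, pairs in index.items()}


def api_get(url, token):
    """GET a policy REST API URL. TLS verification is left on deliberately."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, context=ssl.create_default_context(), timeout=30) as resp:
        return json.load(resp)


def fetch_all_domain_trees(host, token):
    """Steps 2 and 3 of the article: list domains, then GET each href with ?op=expanded."""
    listing = api_get(f"https://{host}:8443{DOMAINS_PATH}", token)
    return [api_get(d["href"] + "?op=expanded", token) for d in listing["data"]]


if __name__ == "__main__":
    host, token = os.environ.get("SM_ADMINUI_HOST"), os.environ.get("SM_TOKEN")
    trees = fetch_all_domain_trees(host, token) if host and token else [SAMPLE_DOMAIN_TREE]
    for scheme, pairs in index_by_auth_scheme(trees).items():
        print(scheme)
        for domain, realm in pairs:
            print(f"    {domain} / {realm}")
```

Run it with no environment variables to see the mapping for the sample tree; with SM_ADMINUI_HOST and SM_TOKEN set it walks the live policy store. The token is read from the environment rather than a command-line argument so it does not land in shell history or process listings, and certificate verification is not disabled; if the Admin UI uses a private CA, add that CA to the trust store instead. Use an administrator account that only has read access to the policy store for this kind of inventory.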
*** Option 2 --> Run a full XPSExport, for example: XPSExport full_dump.xml -xb
Search the resulting XML for the Auth Scheme OID (for example CA.SM::AuthScheme@0d-...) and note the Domains and Realms it is listed under.