How to write the Agent API to enable SSO from Standard Agent (Legacy_Onyx KB Id: 210193)
search cancel

How to write the Agent API to enable SSO from Standard Agent (Legacy_Onyx KB Id: 210193)


Article ID: 54844


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On



Refer to case 210060, the client creates their own custom agent for SSO. Now, the custom agent works. Based on the SDK, custom agent should handle two scenario for Enabling Single Sign-On:

1. Login Through a Custom Agent - the client has already done it.

2. Login Through a Standard Agent - the standard agent created SMCookie and the user pass to custom agent. Now, we need writing to get SMCookie and pass this information to Siteminder from the following intruction:
1. User logs in through the standard agent.
2. Standard agent authenticates the user by challenging the user for credentials through the login call.
3. SiteMinder creates the SMSESSION cookie in the user?s browser and
inserts the encrypted token containing session information.
4. User requests a resource protected by a custom agent.
5. The custom agent obtains the SMSESSION cookie from the users request and extracts the token.
6. The custom agent passes the token to the method decodeSSOToken().
The method decodes the token and returns a subset of the token's
attributes to the custom agent.
7. The custom agent obtains the session specification from the token and passes the session specification to login(). The logincall validates the user without challenging the user for credentials.
8. User requests a resource protected by a standard SiteMinder agent.
9. The standard agent performs a login operation, which validates the user based on the contents of the SMSESSION cookie. The user is not challenged for credentials.

However, in the point 7, the client doesn't understand how to get the information.

How can my client obtain the session specification from the token by function "decodeSSOToken"? we can't find out any output parameter is session spec.

How can my client pass the information to function "login"? From the sdk, the login requires UserCredentials and SessionDef, but we don't have if the custom agent retrieve the existing SMCookie?

login(java.lang.String clientIpAddress, ResourceContextDef rcd, RealmDef rd, UserCredentials uc, SessionDef sd, AttributeList al)

Performs session login or validates an existing session.

Please advise how we can do to validate an existing session and what parameter we should pass to login function.


I did a quick test. You will need to pass only the SessionDef into the login method. You need to look for the SessionDef in the Attribute list from the decodeSSOToken method.
Look for the attribute id 209 (int) inside the attirbute list.


Component: SMSDK