Allow Protection Override Java method in Custom Authentication Scheme
Article ID: 11393

Products

CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On SITEMINDER, CA Single Sign On Agents (SiteMinder), CA Single Sign On Federation (SiteMinder)

Issue/Introduction

 

Allow Protection Override check box in Custom Authentication Scheme Setup.

There is an "Allow Protection Override" check box on the authentication scheme. The docs say:

"7. (Optional) Select the Allow Protection Override check box in Scheme Common Setup. This option specifies that the protection level in the library takes precedence over the protection level specified in the Administrative UI." (1)

How can this override be achieved at the custom authentication library level, given that there is no detail about it in the SDK docs?

 

Environment

 

SMPS & SDK 12.5 and above

 

Cause


This is part of the com.netegrity.policyserver.smapi SmAuthScheme interface (2):

public SmAuthenticationResult authenticate(String parameter, String secret, int challengeReason, SmAuthenticationContext context)

Performs the custom authentication and returns the authentication result.

SiteMinder calls this method at least twice -- during user disambiguation and during user authentication. For information about these two phases of the authentication process, see the Programming Guide for Java.
Parameters:

parameter - The optional parameter string specified in the Policy Server User Interface, to be used in any way that the authentication scheme requires.
secret - The shared secret specified for the authentication scheme in the Policy Server User Interface. The shared secret is used for any purpose that the authentication scheme requires, such as encryption or credentials operations. Your authentication scheme may or may not require a shared secret.
challengeReason - The reason code from a previous authentication that failed or was challenged, or 0 if unknown. The reason code that SiteMinder passes is the REASON_ constant that the authentication scheme returned in SmAuthenticationResult (2) after the failed or challenged authentication.
context - Contains request context objects, and also methods for passing error and user messages directly to SiteMinder.
Returns: An SmAuthenticationResult (2) object containing status and reason codes. How the returned status code is interpreted depends upon the phase during which SiteMinder called the authentication scheme.

%SM_AUTHENTICATIONLEVEL is one of the generated user attributes (3).

When a user is authenticated for a resource, this attribute holds an integer (from 0 to 1000) that represents the protection level of the authentication scheme under which the user was authenticated. Because the scheme's library is what sets this value when the override is allowed, the value it writes is what policies comparing protection levels will see.

Here is an example of how this might be set in custom code:

public SmAuthenticationResult authenticate(String parameter, String secret, int challengeReason, SmAuthenticationContext context) {

    ...
    // Context of the user being authenticated (valid once SiteMinder has resolved the user)
    UserContext theUserContext = context.getUserContext();
    ...

    // setProp() returns 0 on success; a non-zero return means the protection level
    // was not applied, so report the failure back to SiteMinder.
    if (0 != theUserContext.setProp("SM_AUTHENTICATIONLEVEL", "20")) {
        context.setUserText("Failed to set the SM_AUTHENTICATIONLEVEL");
    }
    ...
}

According to the bookshelf documentation, other properties can be set at run time in the same way (2).
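To show the pattern above in a fuller form, here is an added example (not code from this article or from the SiteMinder SDK) of a scheme that derives SM_AUTHENTICATIONLEVEL from the factors it actually verified, clamps it to the documented 0 to 1000 range, and only writes it in the authentication phase. Everything beyond what the article quotes is an assumption and is marked as such in the code: the class, package and level values are hypothetical; SmAuthStatus.SMAUTH_SUCCESS, SmAuthStatus.SMAUTH_REJECT, SmAuthenticationResult.REASON_NONE, the SmAuthenticationResult(int, int) constructor and UserContext.isUserContext() are assumed SDK names; the credential checks are abstract hooks a real scheme must implement.

```java
// Added example, not from the KB article or the SiteMinder SDK docs.
// Names marked "assumed" or "hypothetical" are not confirmed by the article.
package example.scheme;                                  // hypothetical package

import com.netegrity.policyserver.smapi.SmAuthStatus;   // assumed: status constants
import com.netegrity.policyserver.smapi.SmAuthenticationContext;
import com.netegrity.policyserver.smapi.SmAuthenticationResult;
import com.netegrity.policyserver.smapi.UserContext;

// Hypothetical class. A deployable scheme also implements the remaining
// SmAuthScheme interface methods, which are out of scope here.
public abstract class FactorLevelScheme {

    // Range SiteMinder defines for SM_AUTHENTICATIONLEVEL.
    static final int LEVEL_MIN = 0;
    static final int LEVEL_MAX = 1000;

    // Levels this scheme reports; constructed values chosen by the deployment.
    static final int LEVEL_PASSWORD_ONLY = 10;
    static final int LEVEL_PASSWORD_AND_OTP = 20;

    // Never let an out-of-range number reach the user context.
    static int clampLevel(int level) {
        return Math.max(LEVEL_MIN, Math.min(LEVEL_MAX, level));
    }

    // Map the factors verified in *this* request to a level. The inputs are the
    // results of the scheme's own checks, never values taken from the request.
    static int levelForFactors(boolean passwordVerified, boolean otpVerified) {
        if (!passwordVerified) {
            return LEVEL_MIN;
        }
        return otpVerified ? LEVEL_PASSWORD_AND_OTP : LEVEL_PASSWORD_ONLY;
    }

    // Write the level into the user context. As in the article's sample,
    // setProp() returns 0 on success.
    static boolean applyProtectionLevel(SmAuthenticationContext context, int level) {
        UserContext user = context.getUserContext();
        int rc = user.setProp("SM_AUTHENTICATIONLEVEL", Integer.toString(clampLevel(level)));
        if (rc != 0) {
            context.setUserText("Failed to set the SM_AUTHENTICATIONLEVEL");
            return false;
        }
        return true;
    }

    // Hypothetical credential hooks; a real scheme checks against its
    // directory and OTP service and returns the outcome.
    protected abstract boolean verifyPassword(UserContext user, SmAuthenticationContext context);
    protected abstract boolean verifyOtp(UserContext user, SmAuthenticationContext context);

    public SmAuthenticationResult authenticate(String parameter, String secret,
                                               int challengeReason, SmAuthenticationContext context) {
        UserContext user = context.getUserContext();

        // Assumed: isUserContext() is false on the disambiguation call and true once
        // SiteMinder has resolved the user. Nothing has been verified yet on the
        // first call, so no level is written there.
        if (!user.isUserContext()) {
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_SUCCESS,        // assumed
                                              SmAuthenticationResult.REASON_NONE); // assumed
        }

        boolean passwordVerified = verifyPassword(user, context);
        boolean otpVerified = passwordVerified && verifyOtp(user, context);

        if (!passwordVerified) {
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT,         // assumed
                                              SmAuthenticationResult.REASON_NONE);
        }

        // Design choice: do not report success if the level could not be recorded,
        // otherwise policies comparing protection levels act on a value this
        // scheme never set.
        if (!applyProtectionLevel(context, levelForFactors(passwordVerified, otpVerified))) {
            return new SmAuthenticationResult(SmAuthStatus.SMAUTH_REJECT,
                                              SmAuthenticationResult.REASON_NONE);
        }
        return new SmAuthenticationResult(SmAuthStatus.SMAUTH_SUCCESS,
                                          SmAuthenticationResult.REASON_NONE);
    }
}
```

The point of the split into clampLevel(), levelForFactors() and applyProtectionLevel() is that the number written to SM_AUTHENTICATIONLEVEL is computed from the scheme's own verification results and bounded before it is stored; the authenticate() method only decides when that write is meaningful (after disambiguation) and what to do when it fails.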

 

Resolution

 

The code sample is provided as is; no additional support is available for it. This is custom code development, which is generally out of support scope.

Any further custom coding questions should be directed to the HCL service group, a Broadcom partner.

 

Additional Information

 

(1) Custom Authentication Schemes

(2) Implement the Java Authentication API Interface

(3) Generated User Attributes