Siteminder Java Dev Enu
Siteminder Java Dev Enu
This Documentation may not be copied, transferred, reproduced, disclosed, modified or duplicated, in whole or in part,
without the prior written consent of CA. This Documentation is confidential and proprietary information of CA and may
not be used or disclosed by you except as may be permitted in a separate confidentiality agreement between you and
CA.
Notwithstanding the foregoing, if you are a licensed user of the software product(s) addressed in the Documentation,
you may print a reasonable number of copies of the Documentation for internal use by you and your employees in
connection with that software, provided that all CA copyright notices and legends are affixed to each reproduced copy.
The right to print copies of the Documentation is limited to the period during which the applicable license for such
software remains in full force and effect. Should the license terminate for any reason, it is your responsibility to certify
in writing to CA that all copies and partial copies of the Documentation have been returned to CA or destroyed.
TO THE EXTENT PERMITTED BY APPLICABLE LAW, CA PROVIDES THIS DOCUMENTATION "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT WILL CA BE LIABLE TO THE END USER
OR ANY THIRD PARTY FOR ANY LOSS OR DAMAGE, DIRECT OR INDIRECT, FROM THE USE OF THIS DOCUMENTATION,
INCLUDING WITHOUT LIMITATION, LOST PROFITS, LOST INVESTMENT, BUSINESS INTERRUPTION, GOODWILL, OR
LOST DATA, EVEN IF CA IS EXPRESSLY ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.
The use of any software product referenced in the Documentation is governed by the applicable license agreement and
is not modified in any way by the terms of this notice.
Provided with "Restricted Rights." Use, duplication or disclosure by the United States Government is subject to the
restrictions set forth in FAR Sections 12.212, 52.227-14, and 52.227-19(c)(1) - (2) and DFARS Section
252.227-7014(b)(3), as applicable, or their successors.
Copyright 2009 CA. All rights reserved. All trademarks, trade names, service marks, and logos referenced herein
belong to their respective companies.
CA Product References
This document references the following CA products:
CA SiteMinder
Contact CA
Contact Technical Support
For your convenience, CA provides one site where you can access the
information you need for your Home Office, Small Business, and Enterprise CA
products. At http://ca.com/support, you can access the following:
Online and telephone contact information for technical assistance and
customer services
Information about user communities and forums
Product and documentation downloads
CA Support policies and guidelines
Other helpful resources appropriate for your product
Provide Feedback
Contents 5
Implement the JNI Java Agent API............................................................... 32
Implement the Pure Java Agent API ............................................................. 34
Connection to a Policy Server ................................................................... 35
User Access to Resources ....................................................................... 36
How Web Agents Use the Agent API ............................................................. 38
Java Agent API Services......................................................................... 39
Session Services ................................................................................ 39
Session Creation and the Session Specification ............................................... 39
Session Validation .......................................................................... 40
Session Delegation .......................................................................... 40
Session Termination ........................................................................ 41
Authorization Services .......................................................................... 41
Auditing Services and Transaction Tracking ...................................................... 41
Management Services ........................................................................... 42
Cache Commands ........................................................................... 42
Encryption Commands ...................................................................... 42
Tunnel Services ................................................................................. 43
Response Attributes............................................................................. 43
Single Sign-on .................................................................................. 43
Log on through a Custom Agent ............................................................. 44
Log on through a Standard Agent ............................................................ 45
Standard Agent Support..................................................................... 45
How Information Is Bound to a Session ...................................................... 46
Advantages of Session Variables ............................................................. 47
Requirements for Using Session Variables .................................................... 47
End of Session Cleanup ..................................................................... 47
Server Clusters ................................................................................. 47
Clustered and Non-Clustered Servers ........................................................ 48
Cluster Configuration ........................................................................ 48
Cluster Failover ............................................................................. 49
Timeouts ....................................................................................... 50
Agent Type ..................................................................................... 51
Contents 7
SAML Artifact Template ..................................................................... 89
SecurID HTML Form Template ............................................................... 91
SecurID Template ........................................................................... 93
smauthetsso Authentication Scheme ......................................................... 94
TeleID Template ............................................................................ 96
Windows Authentication Template ........................................................... 97
X.509 Client Cert and Basic Template ........................................................ 99
X.509 Client Cert and Form Template ....................................................... 101
X.509 Client Cert or Basic Template ........................................................ 102
X.509 Client Cert or Form Template ........................................................ 104
X.509 Client Cert Template ................................................................. 105
Performance Consideration ..................................................................... 107
Index 159
Contents 9
Chapter 1: Java API Overview
This section contains the following topics:
Installation Path
The Java APIs, documentation, and samples are installed to the following
location:
UNIX platforms: <install_path>/sdk
Windows platforms: <install_path>\sdk
<install_path> refers to the installation path where you installed the SDK
software.
Code Samples
The SiteMinder SDK includes tested samples of SiteMinder client applications.
The source files for these samples are located as follows:
UNIX platforms:
<install_path>/sdk/samples/<api-name>
Windows platforms:
<install_path>\sdk\samples\<api-name>
The samples smjavaagentapi and javadmsapi use the policy store created by
the sample javapolicyapi. Run smjavapolicyapi before running
smjavaagentapi or javadmsapi.
All the samples use the same logging options and output format.
When executing the Java samples on a 64-bit UNIX platform, note the
following:
Use a 64-bit JVM. Running the 64-bit samples using a 32-bit JVM is not
supported.
However, the Policy Server is required for running the applications. The
application runtime files can either be local or remote to the Policy Server.
When using the Java Agent API, you code your agent in Java and let the Agent
API perform the connection to the Policy Server.
You can choose to use either implementation. Because there are no native-mode
components, the pure Java Agent API is highly portable to new platforms. It
requires certification only against the Java Virtual Machine hosting the
implementation, rather than against individual operating systems and hardware
platforms.
Important! To use the pure Java API, your Java JCE must be unlimited strength
jurisdiction. You can download the files from Sun at the following URL:
http://java.sun.com/products/jce/javase.html#UnlimitedDownload.
You can manage policies by creating, deleting, associating, and modifying policy
objects such as policy domains, realms, and policies.
Authentication API
Use the Authentication API to create a custom authentication scheme.
Authorization API
Use the Authorization API to implement custom functionality for controlling
access to protected resources. The functionality is provided through custom Java
classes that are referenced in Policy Server active expressions. An active
expression is a string of variable definitions that appears in the following Policy
Server objects:
Active policy
Active response
Active rule
Utilities Package
Use the methods in the Utilities package to implement the APIs in the Policy
Management API and the DMS API.
Client Application
Agent API
Authentication Authorization
API API
Policy Server
Network Architecture
You can use the Java APIs to write client applications that connect to a remote
SiteMinder Policy Server. These applications have access to the following built-in
functionality of the Java Agent API:
Security
Load balancing
Failover
The network architecture of the Java APIs is shown in the following figure:
The Policy Management API and the DMS API use the Java Agent API to access
the Policy Server. A single API client instance makes a single, secure, Agent API
connection to the SiteMinder Policy Server. As long as they share the same
process space, multiple API clients can re-use a single Agent API connection. For
example, you can use the Java Agent API to establish a connection, then use that
connection to make DMS API calls.
2. Obtain a Session
Allows connections to the Agent API object from both Policy Management
and DMS clients.
You can establish multiple connections to the Policy Server through the
single Agent API object instance.
A user-defined connection handle. You can create multiple user-defined
connection objects; each one can support multiple connections to the Policy
Server.
If you have not already established a connection to the Policy Server, you can
request an automatic connection. If SiteMinder establishes a connection for you
automatically, it creates a default Java Agent API object and handle. However, if
a valid user-defined handle already exists, SiteMinder does not create a default
object and handle. A user-defined handle takes precedence over a default
handle.
SmApiConnection m_defaultConnection =
new SmApiConnection(true,false);
You may already have a connection to the Policy Server. For example, you may
have written a custom agent and established a connection using the Java Agent
API. To make subsequent Policy Management API or DMS API calls, you can use
the existing connection.
SmApiConnection (netegrity.siteminder.javaagent.AgentAPI
agentApiConnection)
SmApiConnection myConnection =
new SmApiConnection (myAgentApiConnection);
If you do not already have a default connection but you want a user-defined
connection object, you can use the Agent API to create the agent object and then
create the new connection, as follows:
You can create an agent object based on connection parameters from either
of the following sources:
Note: With SiteMinder v6.0 and later, the authorization, authentication, and
accounting servers are combined into a single server process. Consequently,
authorizationPort, authenticationPort, and accountingPort can all be set to
the same value.
After creating the agent object, you create the new connection in either of
these ways:
Pass the agent object you just created into the constructor of the new
SmApiConnection objectfor example:
If you establish the connection in this way, the Java Agent API handle will be
a user-defined handle.
Obtain a Session
After obtaining a connection to the Policy Server, you need to obtain a user or
administrator session. (To use the Policy Management API, you must connect as
a SiteMinder Administrator. The SiteMinder Policy Server validates a users rights
to perform an operation.)
When you obtain a session object, you pass it to the Policy Management API or
the DMS API through the constructor for the SmPolicyApiImpl class or the
SmDmsApiImpl class.
You dont have an You want to connect as a Use the Java Agent API to
existing session. non-Administrator. obtain a session
specification for the user.
Note: To use the Policy Management API, you must connect as a SiteMinder
Administrator.
You might already have a session specification for a user that has been
authenticated. For example, you have written a custom agent and obtained a
session specification using the Java Agent API. To make DMS API calls as a user,
you can use that session specification. You need not obtain a new session
specification.
result=mySession.login (username,
password,
IPaddress,
challengeReason);
To obtain a new session specification for a user, use the Java Agent API to obtain
a session specification. Then, create an SmApiSession object and associate the
session specification with that object.
After establishing a session, you can call the methods in your client application.
A result is a response from the Policy Server to a Java API request. Results are
returned in an SmApiResult object.
You can check whether a request was successful by calling the method
isSuccess() on the result object. The method returns true if the request was
successful, or false if it was not successful.
You can compare the current result object to a specified result object by calling
the equals() method.
You can use the equals() method to compare the current result object with
SmApiResult constants that represent different kinds of results. For example, in
the following code, the result represented by the unique constant
SERVER_INVALID_PASSWORD is compared against the current result object:
For example, if your Java Development Kit is on Windows and you want to trace
the Policy Management API sample application, the command line would be:
Javadoc Reference
Throughout this Guide you can follow the links to the appropriate sections of the
Javadoc reference to see details about a particular class or method. These details
include syntax, parameters, return values, and exception information. Use the
back arrow in the menu bar of the browser to return to topic where you left the
Guide.
The description of each package, class, and interface in the Javadoc reference
includes a Since heading that indicates the SiteMinder or SDK version when the
component was introduced. Individual methods and fields will only include a
Since heading if they were added in a later version of the class or interface.
SmApiPropertySets
SmApiExportFileHandler
SmApiImportFileHandler
SmFlag
These classes are used internally to define methods in the Policy Management
API and the DMS API.
Connection Class
You use the SmApiConnection class to create an API connection object and
establish a connection between the Agent API and Policy Server. Depending
upon the constructor you use, you can establish either a default connection or a
user-defined connection.
Method Description
Note: Do not call the execute() method from your client application. This
method is for internal use only.
Session Class
The Session class, SmApiSession, lets you create a session object by passing in
a valid API connection and, depending upon the constructor you use, a session
specification. (A session specification is also known as a session ticket).
Method Description
Method Description
Note: For login and logout of end users, DMS organization administrators, and
DMS super administrators, use the AgentAPI.login() and AgentAPI.logout()
methods in the Agent API package.
Result Class
The Result class, SmApiResult, stores the result of a SiteMinder Java API
request. A SiteMinder result contains the following elements:
Facility. Origin of the result. For example, the result might originate on the
client or server.
Severity. Significance of the result, such as informational or warning.
Status. Status code of the result. Status codes are unique within each
facility. You can use a facilitys unique status code to distinguish a particular
result from other results that might have originated from the facility.
Message. Additional information about the result, such as descriptive text or
numeric details.
A result might also include a reason code. For example, a password policy result
might include a reason code of 1001, meaning that the password does not
contain the required minimum number of characters. To find a reason code for a
result, call getReason().
All server-side errors are returned as results, not as exceptions. However, when
a client-side exception is thrown, an SmApiResult object is embedded in the
exception.
Status: 4
Message: Unable to get server configuration
You can output a result object as a stringfor example, you can generate a
result string by calling toString() on the SmApiResult object.
For example, suppose you call toString() for an SmApiResult object that occurs
because a user attempted to create a password with fewer than the minimum
number of alphabetic characters. The method might return a result string that
looks like this:
Method Description
Exception Class
The Exception class, SmApiException, contains the result class SmApiResult.
The following packages use SmApiException:
com.netegrity.sdk.policyapi
com.netegrity.sdk.dmsapi
com.netegrity.sdk.apiutil
Method Description
Property Class
The Property class, SmProperty, holds the following information about a
property:
Name
Value
Type (encrypted / plain)
Method Description
SiteMinder Agents
A SiteMinder Agent is a client of the Agent API. The agent enforces access control
policies served by the Policy Server. The Policy Server is a general-purpose
policy engine with no specific knowledge of resources. The specific knowledge of
resources is provided by SiteMinder agents. Agents establish resource semantics
and act as gate keepers to protect resources from unauthorized users.
Different agent types protect different kinds of resources. Some agent types are
pre-defined, standard agents that are shipped as part of the SiteMinder
productfor example, the Web Agent, which provides HTTP access control for
Web Servers. However, you can also use the Agent API to implement custom
agents.
The Agent API lets you create a custom agent that can authenticate and
authorize users in a variety of context-specific ways. For example, you could
create an agent for FTP transfers that does the following:
Implements certificate-based authentication instead of basic name and
password credentials.
Allows uploads and downloads based on an individual users authorization
level.
BinaryBuffer
InitDef
ManagementContextDef
RealmDef
ResourceContextDef
ServerDef
SessionDef
TokenDescriptor
TunnelServiceRequest
UserCredentials
Additional benefits provided by the Java Agent API include full session
management support, automatic encryption key rollover, and real-time policy
updates.
4. Ensure that your system can find the JNI support library when the Java
Virtual Machine (JVM) is invoked, as follows:
<install_path>\sdk\bin
<install_path>/sdk/bin
<install_path>/sdk/bin
<install_path>/sdk/bin
<install_path>/sdk/bin
5. Ensure that SiteMinder can find the JNI Java AgentAPI JAR file when you
compile or run an agent that uses the Java Agent API. The JAR file,
smjavaagentapi.jar, is stored in the following locations:
Windows platforms:
<install_path>\sdk\java
UNIX platforms:
<install_path>/sdk/java
7. Configure the Policy Server to use the Java Agent API application.
Additional benefits provided by the Java Agent API include full session
management support, automatic encryption key rollover, and real-time policy
updates.
4. Ensure that SiteMinder can find the pure Java Agent API .jar file when you
compile or run an agent that uses the Java Agent API. The JAR file,
smagentapi.jar, is stored in the following locations:
Windows platforms:
<install_path>\sdk\java
UNIX platforms:
<install_path>/sdk/java
6. Configure the Policy Server to use the Java Agent API application.
Backward compatibility
The pure Java Agent API maintains binary and source compatibility with the JNI
Java Agent API. The pure Java Agent API supports all of the other SiteMinder
Java SDK interfaces that rely on the Agent API for connectivity to the SiteMinder
Policy Server, including the SiteMinder Policy Management API and the
SiteMinder DMS API, in addition to extending the portability of those interfaces.
Configuration limitations
The pure Java Agent API does not change the configuration of either the
SiteMinder Application Server Agents or any agents developed with the
SiteMinder SDK. The configuration of the pure Java Agent API is identical to the
configuration of the JNI Java Agent API with the following exceptions:
Migration of UNIX agents from the JNI Java Agent API to the pure Java Agent
API requires re-registration of the trusted host entity with the SiteMinder
Policy Server because the shared secret in the JNI Java API is computed
differently from the pure Java implementation.
On both Unix and Windows systems (due to file-locking incompatibilities with
the native code Agent API), the SmHost.conf file cannot be shared between
agents using the C/C++ or JNI Java Agent API and agents using the pure
Java Agent API. Therefore, a separate copy of the bootstrap configuration
file must be kept for pure Java Agent API agents.
Upgrades from the JNI Java Agent API on Unix systems requires users of
custom 4.x-based agents that use shared secrets encrypted with the 4.x
encryptkey tool to update their shared secret on the agent side for upgraded
agents.
The pure Java Agent API does not obtain Agent configuration information
from the Windows Registry.
After the Agent API is initialized, all API calls are fully thread-safe with respect to
the initialized API instance.
It is possible to initialize more than one API instance (for example, when working
with Policy Servers that use separate policy stores).
After the Agent API has been initialized, the agent can perform useful work. At
this point it can start accepting requests from its users, such as receiving GET
requests for URLs.
Call login() to collect the required credentials from the user and to
authenticate the user.
The agent can now perform session management by caching user session
information and keeping track of session expiration.
Call authorize() to validate that the user has access to the requested
resource.
Both the authentication and authorization steps log the relevant information
about the user, the protected resource, and the agent. However, if the agent
performs authorizations out of its cache, the transaction can still be logged
through the audit() method.
Now that the users identity is known, authorization has been verified, and
the required entitlements obtained, give the authorized user access to
the resource.
This is an optional step that is used to poll the Policy Server for update
commands. In response to a command, agents update encryption keys or
flush caches or both.
When the agent is no longer needed, issue the unInit() method for each API
instance. This closes TCP connections to all policy servers.
Note: The Agent API does not provide a facility for caching in a manner that
enforces session validity. By choosing to cache user sessions and/or
resource-specific privileges, the agent becomes obligated to perform its own
session management during each user request. This is required, since caching on
the agent removes the need to contact the SiteMinder Policy Server to perform
session validation and/or resource authorizations.
Session Services
Sessioning is used to maintain consistent user sessions across multi-tiered
application environments.
Agents that perform session management use the sessioning services of the
Java Agent API to create, delegate, validate, and terminate user sessions.
Note: For login and logout of SiteMinder administrators for Policy Server or DMS
sessions, use the methods SmApiSession.login() and SmApiSession.logout() in
the Utility package.
A session is created after a successful user login. Once created, a user session
persists until it is terminated.
The SiteMinder environment where the user session was created is responsible
for the creation, maintenance, and persistent storage of the session
specification. For example, the Web Agent (HTTP environment) stores the
session specification in an HTTP cookie.
Agents create sessions using login(). This method authenticates the user
credentials and gets the information for session specification (including the
unique session id). Once created, the session specification is updated on
subsequent Java Agent API calls that also return updated expiration times.
Agents can use this information to perform custom session management and
keep track of session timeouts.
Session Validation
Session Delegation
Session Termination
To terminate a session, the agent must discard the session specification. Once a
session is terminated, the user must log in again to establish a new session.
Authorization Services
Agents that perform access control functions use the authorization services of
the AgentAPI class. These services enable clients to verify a users rights to
access a resource, retrieve a users privileges with respect to specific resources,
and determine the specific access control, if any, that is imposed upon a
resource.
Once the users identity is validated, the agent calls the authorize() method to
determine if the requesting user has access to the requested resource. Agents
can perform fine-grained access control by leveraging the collection of response
attributes that this method retrieves.
Management Services
A management protocol exists between agents and the SiteMinder Policy Server.
This protocol helps an agent manage its caches and encryption keys in a manner
consistent with both SiteMinder policies and administrative changes on the Policy
Server.
Cache Commands
Cache commands inform the agent of any changes to its caches that may need to
be made as a result of administrative updates to the Policy Server.
Encryption Commands
Encryption commands inform the agent of new encryption keys that are
generated administratively or automatically by the Policy Server. Agents save
secure state can use this protocol to keep track of the latest encryption keys.
Tunnel Services
Tunnel services enable agents to establish secure communications with a
callable service located on the Policy Server. This allows agents to perform
custom actions over a secure, VPN-like channel without having to address issues
such as encryption key management.
Response Attributes
Response attributes enable the Policy Server to deliver information to agents.
Response attributes are managed through methods in the AgentAPI class.
The well-known attributes are always returned by the Policy Server after certain
calls such as login(). These attributes represent static, fixed data such as the
user DN and Universal ID.
The policy-based attributes are returned by the login() and authorize() methods.
These attributes are based on policies and are the vehicle for delivering static
and dynamic data from the Policy Server to agents, which can distinguish
between authentication and authorization attributes. The actual source of the
data is defined on the Policy Server using the responses feature that can be
configured to deliver data from a variety of sources. Data may include static
information, information from a directory profile, or a custom Policy Server
plug-in. Once the responses are properly configured, agents are capable of
performing fine-grained access control as well as profile-driven personalization.
Based on a policy definition, response attributes can time out or be cached for
the duration of the user session. The Policy Server delivers an attribute along
with the TTL (Time-To-Live) value, calculated in seconds. If the agent is caching
user sessions and/or authorizations, it is responsible for keeping the relevant
attributes up to date. Agents issue the updateAttributes() method to update
stale attributes.
Single Sign-on
In a single sign-on environment, a user who successfully authenticates through
a given agent does not have to re-authenticate when accessing a realm
protected by a different agent. When a custom agent is involved in a single
sign-on environment, the two agents must be in the same cookie domainfor
example, xxx.domainname.com.
Class AgentAPI contains two methods that allow custom agents to participate in
a single sign-on environment with standard SiteMinder Web Agents:
decodeSSOToken()
The custom agent extracts the cookies contents, called a token, from an
existing SMSESSION cookie and passes the token to this method. The
method decrypts the token and extracts the specified information. This
method can also be used to update the last-access timestamp in the token.
createSSOToken()
After the user successfully logs in through the custom agent, the custom
agent passes information about the user to this method. The method creates
an encrypted token from this user information and from session information
returned from the login call. The custom agent writes the token to the
SMSESSION cookie.
See the sample custom agent code for an example of setting up the
parameters for the single sign-on methods and parsing the results. The
sample custom agent code is located in the smjavaagentapi directory of
<install_path>\sdk\samples.
Here is the typical sequence of events in a single sign-on environment when the
initial login is through the custom agent:
2. Custom agent calls login() to authenticate the user. The user is challenged
for credentials.
4. Custom agent creates the SMSESSION cookie in the users browser and
writes the token to the cookie.
6. The standard agent performs a login operation, which validates the user
based on the information in the single sign-on cookie. The user is not
challenged for credentials.
3. SiteMinder creates the SMSESSION cookie in the users browser and inserts
the encrypted token containing session information.
5. The custom agent obtains the SMSESSION cookie from the users request
and extracts the token.
6. The custom agent passes the token to the method decodeSSOToken(). The
method decodes the token and returns a subset of the tokens attributes to
the custom agent.
7. The custom agent obtains the session specification from the token and
passes the session specification to login(). The login call validates the user
without challenging the user for credentials.
9. The standard agent performs a login operation, which validates the user
based on the contents of the SMSESSION cookie. The user is not challenged
for credentials.
Custom agents created with the SiteMinder SDK v6.x can accept SMSESSION
cookies created by a standard SiteMinder v4.x, v5.x, or v6.x Web Agent.
However, standard SiteMinder v4.x or v5.x Web Agents can only accept cookies
created by a custom agent if the standard agent has been upgraded with the
appropriate Siteminder Agent Quarterly Maintenance Release (QMR). For
information about the QMR version required for each standard agent version, see
the accompanying SDK release notes.
To enable a SiteMinder v4.x or v5.x agent with the appropriate QMR upgrade to
accept SMSESSION cookies created by a custom agent, the standard agents
Agent configuration file (LocalConfig.conf with IIS servers or WebAgent.conf
with other servers) or central configuration object (for v5.x or higher) must
contain the following entry:
AcceptTPCookie="yes"
Session information can consist of more than the session specification. Session
information can include any information that the client application wants to
associate with the users session.
The class AgentAPI provides the following methods for setting, retrieving, and
deleting session variables:
setSessionVariables()
getSessionVariables()
delSessionVariables()
Session variables are stored in a server-side database called the session store.
The session store is managed by the Policy Server.
When the user logs out and the agent discards the session specification, the
session ends. In the case of a persistent session, SiteMinder removes all session
information, including any session variables, from the session store.
Server Clusters
To help prevent service interruptions, SiteMinder includes a failover feature. If
the primary Policy Server fails and failover is enabled, a backup Policy Server
takes over policy operations. Beginning with SiteMinder v6.0, failover can occur
not only between Policy Servers, but between groups, or clusters, of Policy
Servers.
An agent running against Agent API v6.x can be associated with one or more
Policy Servers, or with one or more clusters of Policy Servers, as follows:
Clustered servers
In the ServerDef object for each clustered server, set clusterSeq() to the
sequence number for the cluster. All servers in a cluster have the same
cluster sequence number.
Non-clustered servers
In the ServerDef object for each non-clustered server, set the method
clusterSeq() to 0.
Note: The same agent cannot be associated with both clustered and
non-clustered servers.
Cluster Configuration
You can configure a cluster through the Agent API or through a host
configuration object using the Policy Server User Interface. If you configure a
cluster through the Agent API, be sure that the configuration does not conflict
with any cluster configuration information that may be defined in the host
configuration object.
You configure the individual servers or clusters of servers that the agent is
associated with through the InitDef and ServerDef classes.
The failover threshold percentage applies to all clusters associated with the
agent.
Cluster Failover
If your site uses clusters, you typically will have a primary cluster and one or
more backup clusters.
The primary cluster is the cluster to which SiteMinder sends requests as long as
the number of available servers in the cluster does not fall below the failover
threshold. If there are not enough available servers in the primary cluster,
failover to the next cluster in the cluster sequence occurs. If that cluster also
fails, failover to the third cluster occurs, and so on.
If the number of available servers falls below the failover threshold in all clusters
associated with the agent, policy operations do not stop. Requests are sent to
the first cluster in the cluster sequence that has at least one available server.
The following table shows the minimum number of servers that must be
available within each cluster:
C1 3 60 1
C2 5 60 3
If the number of available servers falls below the threshold in each cluster, so
that C1 has no available servers and C2 has just two, the next incoming request
will be dispatched to a C2 server with the best response time. After at least two
of the three C1 servers are repaired, subsequent requests are load-balanced
among the available C1 servers.
Timeouts
Agents can enforce session timeouts or rely on the Policy Server to validate each
request. Typically, caching of user sessions or privileges by the agent requires
some form of timeout enforcement on the agent side. In this case, the agent is
responsible for keeping track of last access time and knowing when the session
is going to expire.
Agents that do not cache can leverage the Policy Servers enforcement of
timeouts. The following Java Agent API methods return the updated timeout
information after every call:
login()
authorize()
audit()
Agent Type
The Agent Type defines the behavior of an agent. After you have developed a
custom agent, you must configure a new Agent Type for the agent in the Policy
Server User Interface. For example, if you developed a custom FTP Agent, you
would then need to configure an Agent Type for the FTP Agent in the Policy
Server User Interface.
Note: For information on configuring an Agent Type for your custom agent, see
the SiteMinder Programming Guide for C.
Creating an administrator
Creating a realm
Creating a rule
Creating a response
Creating a policy
Note: If an application built with the Policy Management API runs on the
same machine as the Policy Server, the application must run as the same user
who installed the Policy Server (for example, smuser on UNIX platforms).
<install_path>\sdk\java
UNIX platforms:
<install_path>/sdk/java
Trusted Hosts
Authentication schemes
Authentication/authorization maps
Certificate maps
Domains
Password policies
Registration schemes
User directories
Response attributes
When you are working in the Policy Server user interface, you will see most of the
above objects listed in the System and Domain tabs of the SiteMinder
Administration window.
The SiteMinder SDK contains a sample of how to use the classes and methods in
the Java Policy Management API.
Allows connections to the Agent API object from both Policy Management
and DMS clients.
You can establish multiple connections to the Policy Server through the
single Agent API object instance.
A user-defined connection handle. You can create multiple user-defined
connection objects; each one can support multiple connections to the Policy
Server.
Once login is successful, the session object will hold a valid administrator session
specification.
In the example, policyApi is the new Policy Management API object and
apiSession is the session obtained when the administrator successfully logged in.
After you obtain a session object and create a Policy Management API object,
you are ready to make Policy Management requests. Most of the methods in the
Policy Management API are categorized according to the SiteMinder object that a
given method acts uponfor example, agents, policies, and rules.
There is also a Utilities category for methods that perform services, such as
cache and encryption key management. Use these categories to help you find a
particular Policy Management API method to use in your custom policy
management applications.
Note: The methods in the policyapi package can only be called from a
Siteminder administrator session.
When you are finished making Policy Management API requests, log out the
administrator by calling the logout() method in the SmApiSession class of the
Utilities package.
Administrator Methods
Unless otherwise specified, the following methods are in the class
SmPolicyApiImpl. The following methods act on administrator objects. You
create an administrator object by instantiating SmAdmin.
Method Description
Agent Methods
Unless otherwise specified, the methods listed in this table are in the class
SmPolicyApiImpl. The following methods act on agent objects. You create an
agent object by instantiating SmAgent.
Method Description
Method Description
Method Description
Method Description
Method Description
Domain Methods
Unless otherwise specified, the methods listed in this table are in the class
SmPolicyApiImpl. The following methods act on domain objects. You create
domain objects by instantiating SmDomain.
Method Description
Method Description
Method Description
Group Methods
Unless otherwise specified, the methods listed in this table are in the class
SmPolicyApiImpl. The following methods act on group objects. Group objects are
created with SmAgentGroup (for agent groups), SmResponseGroup (for
response groups), or SmRuleGroup (for rule groups).
Method Description
Method Description
Method Description
Method Description
Policy Methods
The following methods act on policy and policy link objects. A policy link is an
association of a policy, a rule, and optionally, a response. Unless otherwise
specified, these methods are in the class SmPolicyApiImpl.
Policy objects are created with SmPolicy. Policy link objects are created with
SmPolicyLink.
Method Description
Functionally, the remote policy data export and import methods behave in the
same manner as the smobjexport and smobjimport utilities.
Policy export attributes are set with SmExportAttr. Policy import parameters are
set with SmImportAttr.
Method Description
Method Description
Realm Methods
The following methods act on realm objects. Realm objects are created with
SmRealm.
Method Description
Response Methods
The following methods act on response and response attribute objects. Unless
otherwise specified, these methods are in the class SmPolicyApiImpl. Response
objects are created with SmResponse. Response attribute objects are created
with SmResponseAttr.
Method Description
Method Description
Method Description
Rule Methods
The following methods act on rule objects. Unless otherwise specified, the
methods listed in this table are in the class SmPolicyApiImpl. You create rule
objects by instantiating SmRule.
Method Description
Self-Registration Methods
The following methods act on self-registration objects. Unless otherwise
specified, the methods listed in this table are in the class SmPolicyApiImpl. You
create self-registration objects by instantiating SmSelfReg.
Method Description
Method Description
For example:
To specify which user attribute holds the disabled state of the user, call
setDisabledAttr() in SmUserDirectory.
To disable and enable users, use the DMS API.
The following methods act on user directory objects. Unless otherwise specified,
the methods listed in this section are in the class SmPolicyApiImpl. You create
user directory objects by instantiating SmUserDirectory.
Method Description
Method Description
Method Description
Utility Methods
The following methods provide a variety of services, including cache and
encryption key management. Unless otherwise specified, the methods listed in
this table are in the class SmPolicyApiImpl.
Method Description
Object Associations
Some objects can be associated with or disassociated from one anotherfor
example, AddAdminToDomain() adds an administrator object to a domain, and
RemoveAdminFromDomain() removes an administrator object from a domain.
An add-to operation requires that both objects exist prior to the call. After a
remove-from operation, both objects still exist, but they are no longer
associated with one other.
When you are looking for a method that associates or disassociates two objects,
look in the category of the method that you are adding or removing. For
example, AddAdminToDomain() and RemoveAdminFromDomain() are both
found in Administrator Methods.
agent.setName ("myAgent");
agent.setSecret ("siteminder");
agent.setDescription ("Sample agent");
agent.setAgentType (SmAgentType.DefaultAgentType);
Call the add... method for the object you just createdfor example,
addAgent() for an agent object, or addDomain() for a domain
objectand pass in the object you want to add to the policy store.
For example:
result = policyApi.addAgent(agent);
1. Create an object of the relevant class to store the returned properties. For
example, the following code creates an agent object:
2. Call the appropriate get... function for the object you just createdfor
example, getAgent() for an agent object, or getDomain() for a domain
objectand pass in the object you just created. For example, if youre
retrieving an agent named myAgent:
If the method succeeds, it populates myAgent with the properties of the specified
agent object. (If a get... method retrieves a list, the list is written to a vector.) If
no matching objects are found, the properties of the receiving object retain their
initial values.
To delete an object, use the object-deletion method for the object youre
deletingfor example, deleteAgent() for an agent object, or deleteDomain() for
a domain object
When you configure an authentication scheme, you use the get... and set...
methods in the SmScheme class to provide the following information:
Scheme type
Protection level
Protection level values can range from 1 through 1000. The higher the
number, the greater the degree of protection provided by the scheme.
Library
Parameter
Shared Secret
Information that is known to both the authentication scheme and the Policy
Server. Different authentication schemes use different kinds of secrets. Most
schemes use no secret.
Is template?
Is used by administrator?
Save Credentials?
Is RADIUS?
A flag that specifies whether the scheme can be used with RADIUS agents.
Ignore password check?
A flag that specifies whether password policies for the scheme are enabled.
If True (1), password policies will be disabled.
Anonymous Template
Use this table when configuring an authentication scheme based on the scheme
type Anonymous. The Java methods referenced in the table are in the class
SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthanon")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the guest DN. Policies associated with
the guest DN must apply to anonymous users.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Basic Template
Use this table when configuring an authentication scheme based on the scheme
type Basic. The Java methods referenced in the table are in the class SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthdir")
The default library for this scheme type.
Parameter setParameter("")
Set to an empty string. Not applicable to this scheme.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(1)
administrator? Set to true (1)scheme can be used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthcert")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the domain or IP address of the SSL
server and the name of the SSL Credentials Collector
(SCC). Format:
https://server/SCC?basic
The following example uses the default SCC:
https://my.server.com/siteminderagent/
nocert/smgetcred.scc?basic
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0) for this scheme.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthcryptocard")
The default library for this scheme type.
Parameter setParameter("")
Set to an empty string. Not applicable to this scheme.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(1)
administrator? Set to true (1)scheme can be used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents.
Custom Template
Use this table when configuring an authentication scheme based on the scheme
type Custom. You create custom schemes using the C Authentication API. For
more information, see the Developers Guide for C. The Java methods referenced
in the table are in the class SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary(customLibName)
The name of the custom shared library you created using
the C Authentication API.
Parameter setParameter(param)
Any string of one or more parameters required by your
custom authentication scheme.
For a custom authentication scheme that uses SSL, you
must supply a URL that points to a SiteMinder Web Agent
library required for the SSL-based authentication.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(flag)
administrator? Set to true (1) to specify that the scheme can be used to
authenticate administrators, or to false (0) to specify
that the scheme cannot be used to authenticate
administrators. Default is 0.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthhtml")
The default library for this scheme type.
Parameter setParameter(param)
A string containing a user attribute list plus the location
of the forms credential collector (FCC). The attribute list
must begin with AL= and use commas as the list
delimiter character, and it must end with a
semicolonfor example:
AL=Password,SSN,age,zipcode;
The complete parameter format is:
attr-list;https:/server/fcc
The following example uses the default FCC:
AL=PASSWORD,SSN,age,zipcode;
http://my.server.com/siteminderagent/
forms/login.fcc
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Impersonation Template
Use this table when configuring an authentication scheme based on scheme type
Impersonation. The Java methods referenced in the table are in the class
SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthimpersonate")
The default library for this scheme type.
Parameter setParameter(param)
A string containing a user attribute list plus the location
of the forms credential collector (FCC). The attribute list
must begin with AL= and use commas as the list
delimiter character, and it must end with a
semicolonfor example:
AL=Password,SSN,age,zipcode;
The complete parameter format is:
attr-list;https:/server/fcc
The following example uses the default FCC:
AL=PASSWORD,SSN,age,zipcode;
http://my.server.com/siteminderagent/
forms/imp.fcc
Is template? setIsTemplate(templateFlag)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
MS Passport Template
Use this table when configuring an authentication scheme based on scheme type
MS Passport. The Java methods referenced in the table are in the class
SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthmspp")
The default library for this scheme type.
Parameter setParameter(param)
The following information, separated by semicolons:
Is template? setIsTemplate(templateFlag)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthchap")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the name of a user directory
attribute. This attribute is used as the clear text
password for authentication.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthradius")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the IP address and port of the
RADIUS serverfor example:
123.123.12.12:1645
The default UDP port is 1645.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(1)
administrator? Set to true (1)scheme can be used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents..
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthenigmahtml")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the name and location of the forms
credentials collector. This example shows the default
credentials collector:
http://my.server.com/
siteminderagent/forms/safeword.fcc
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(1)
administrator? Set to true (1)scheme can be used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents..
SafeWord Template
Use this table when configuring an authentication scheme based on the scheme
type SafeWord. The Java methods referenced in the table are in the class
SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthenigma")
The default library for this scheme type.
Parameter setParameter("")
Set to an empty string. Not applicable to this scheme.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(1)
administrator? Set to true (1)scheme can be used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents..
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthsaml")
The default library for this scheme type.
Parameter setParameter(param)
The following required parameters:
Is template? setIsTemplate(templateFlag)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthacehtml")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the name of the attribute that
contains the ACE IDs, the Web server where the forms
credential collector (FCC) is installed, and the target
executable file required for processing SecurID
authentication with forms support. It also specifies
whether an SSL connection is required. Format:
attr;https://server/target
Note: The "s" in "https" is optional, depending on
whether you want an SSL connection.
The following example uses the default for processing
SecurID authentication with forms support:
ace_id;https://my.server.com/
siteminderagent/pwcgi/smpwservicescgi.exe
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
SecurID Template
Use this table when configuring an authentication scheme based on the scheme
type SecurID. The Java methods referenced in the table are in the class
SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthace")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the attribute in the authentication
user directory that contains the ACE Server user ID.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(1)
administrator? Set to true (1)scheme can be used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents.
When the eSSO cookie is the only credential, the authentication scheme uses the
ETWAS API to connect to the configured eSSO Policy Server to validate the
cookie and extract the user Distinguished Name (DN) from it.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthetsso")
The name of the library for this authentication scheme.
Parameter setParameter(param)
An ordered set of tokens, separated by semi-colons:
<Mode>[; <Target>]; <Admin>; <eTPS_Host>
You can add spaces to make the string easier to read.
<Mode> specifies the type of credentials that the
authenticaion scheme will accept. The following values
are possible:
cookie -- Only SSO Cookies are acceptable.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(flag)
administrator? Set to true (1) to specify that the scheme can be used to
authenticate administrators, or to false (0) to specify that
the scheme cannot be used to authenticate
administrators. Default is 0.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS agents.
TeleID Template
Use this table when configuring an authentication scheme based on the scheme
type TeleID. The Java methods referenced in the table are in the class
SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthencotone")
The default library for this scheme type.
Parameter setParameter("")
Set to an empty string. Not applicable to this scheme.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(1)
administrator? Set to true (1)scheme can be used to authenticate
administrators.
Is RADIUS? setIsRadius(1)
Set to true (1)scheme can be used with RADIUS
agents..
The Java methods referenced in the table are in the class SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthntlm")
The default library for this scheme type.
Parameter setParameter(param)
The value of param determines the style of
authentication to perform for this scheme:
NTLM authentication (for WinNT or Active Directory
running in mixed mode)
Format:
iis-web-server-url/path-to-ntc-file
In the format, iis-web-server-url is the name of the IIS
web server that is the target of the redirection, and
path-to-ntc-file is the location of the .ntc file that collects
the WinNT credentials.
For example:
http://myiiswebserver.mycompany.com/
siteminderagent/ntlm/creds.ntc
A SiteMinder Web Agent must be installed on the
specified server. By default, the Web Agent installation
creates a virtual directory for NTLM credential collection.
Windows Authentication (for Active Directory
running in native mode)
With this authentication style, param has an LDAP filter
added to the beginning of the redirection URL. The filter
and URL are separated by a semi-colon (;). For example:
cn=%{UID},ou=Users,ou=USA,dc=%{DOMAIN},
dc=mycompany,dc=com;http://
myiiswebserver.mycompany.com/
siteminderagent/ntlm/creds.ntc
SiteMinder uses the LDAP filter to map credentials
received from the browser/Web Agent to an LDAP DN or
search filter.
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthcert")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the domain or IP address of the SSL
server and the name and path of the SSL Credentials
Collector (SCC). The server redirects a users X.509
certificate over an SSL connection. Format:
https://server:port/SCC?cert+basic
The following example uses the default SCC:
https://my.server.com:80/siteminderagent/
cert/smgetcred.scc?cert+basic
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthcert")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the domain or IP address of the SSL
server and the name and path of the forms credentials
collector (FCC). The server redirects a users X.509
certificate over an SSL connection. Format:
https://server:port/FCC?cert+forms
The following example uses the default FCC:
https://my.server.com:80/siteminderagent/
certoptional/forms/login.fcc?cert+forms
Is template? setIsTemplate(0)
Set to 0 to indicate that the scheme is not a template, or
1 if the scheme is a template. Default is 0.
Is used by setIsUsedByAdmin(0)
administrator? Set to 0scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to 0scheme is not used with RADIUS agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthcert")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the following information:
Server for establishing an SSL connection. This server
redirects a users X.509 certificate over an SSL
connection.
Name and path of the SSL Credentials Collector (SSC).
If you are using basic authentication over SSL, also
provide the following two pieces of information:
The fully qualified name of the SSL server used for
establishing an SSL connection for basic authentication.
Name and path of the SSL Credentials Collector (SSC).
https://SSLserver:port/SCC?certorbasic;
[https://BasicServer/SCC]
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthcertorform")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the following information:
Is template? setIsTemplate(0)
Set to 0 to indicate that the scheme is not a template, or
1 if the scheme is a template. Default is 0.
Is used by setIsUsedByAdmin(0)
administrator? Set to 0scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to 0scheme is not used with RADIUS agents.
Use this table when configuring an authentication scheme based on the scheme
type X.509 Client Certificate. The Java methods referenced in the table are in the
class SmScheme.
Description setDescription(description)
The description of the authentication scheme.
Library setLibrary("smauthcert")
The default library for this scheme type.
Parameter setParameter(param)
A string containing the domain or IP address of the
server responsible for establishing the SSL connection
and the name and path of the SSL Credentials Collector
(SCC). The server redirects a users X.509 certificate
over an SSL connection. Format:
https://server/SCC?cert
The following example uses the default SCC value:
https://my.server.com/siteminderagent/
cert/smgetcred.scc?cert
Is template? setIsTemplate(0)
Set to false (0) to indicate that the scheme is not a
template.
Is used by setIsUsedByAdmin(0)
administrator? Set to false (0)scheme is not used to authenticate
administrators.
Is RADIUS? setIsRadius(0)
Set to false (0)scheme is not used with RADIUS
agents.
Performance Consideration
The following properties of the SmRealm object are set to true by default:
PropProcessAuthEvents. When true, authentication event processing
occurs.
PropProcessAzEvents. When true, authorization event processing occurs.
com.myorg.sdk.myclass
With active policies, active rules, and active responses, specify the name
of the class you implemented from the base interface ActiveExpression.
If any parameters are specified in the parameter field after the class name,
the class name is separated from the parameters list by a space character.
2. Deploy the custom class or jar file on the Policy Server machine, and specify
its location in the classpath directive of the JVMOptions.txt file. This file is
located in Netegrity/siteminder/config within the SiteMinder installation
path.
Shared Information
Custom authentication and authorization objects may sometimes need to
communicate request-specific information between themselves, such as to
preserve state between object instances. These objects can share information
through AppSpecificContext, which is retrieved through ApiContext. ApiContext
is one of the common classes that is passed to both authentication and
authorization objects.
Common Classes
The following classes are used by both the Authentication API and the
Authorization API. The services that these classes provide include:
Sending logging, tracing, and error messages to the Policy Server
Providing a mechanism for custom authentication and authorization objects
to share information
Making user context information available to authentication and
authorization objects
Class Description
If the standard authentication schemes included with the Policy Server do not
provide the kind of authentication functionality required at your site, you can use
the Java Authentication API to create a custom authentication scheme.
The base interface in the Java Authentication API is SmAuthScheme. All custom
authentication schemes created with the Java Authentication API must
implement this interface.
SmAuthScheme Methods
SiteMinder calls the following methods in the base interface SmAuthScheme:
Method Description
Method Description
Class Description
Class Description
Immediately after the scheme is loaded, SiteMinder calls the following methods
in the custom class implemented from SmAuthScheme:
query(). SiteMinder passes SMAUTH_QUERY_DESCRIPTION in the request
parameter, requesting that the authentication scheme pass back the version
number and description of the Java Authentication API.
The following figure shows the key activities that occur during authentication:
Supported Credentials
You specify the authentication credentials that are required through the
setResponseBuffer() method in the object SmAuthQueryResponse. This object
contains a number of constants that indicate the specific credentials that are
required or whether no credentials are required.
1. User login. The user supplies a login ID (such as jsmith) for authentication
purposes.
2. Disambiguation phase. Before the user lookup in the data store can begin,
a complete DN or a search expression must be constructed based upon the
supplied login ID. For example, if the login ID is jsmith, the DN used to
search the user store might be constructed as follows:
uid=jsmith,ou=marketing,o=myorg.org
(&(objectclass=inetOrgPerson)(uid=jsmith))
Multiple results are possible, given that the LDAP DN or the ID stored in the
ODBC database might apply to different users who have different passwords.
User Disambiguation
The status codes are set in the SmAuthStatus object. This object is passed in the
status parameter of the SmAuthenticationResult constructor.
SmAuthenticationResult is returned from authenticate():
SMAUTH_NO_USER_CONTEXT
When returning this status code, the authentication scheme should also
return an empty string through the setUserText() method. SiteMinder gets
the login ID from the Agent, constructs the DN or search expression based
on the login ID and the information defined in the SiteMinder User Directory
Properties dialog box, and disambiguates the user by looking up the user in
the user store.
SMAUTH_SUCCESS
SMAUTH_SUCCESS_USER_DN
User Authentication
Redirection
Your authentication scheme can have the Policy Server instruct the agent to
perform a redirect. To build redirection capabilities into your authentication
scheme:
Specify the redirection URL in:
SmAuthenticationContext.setErrorText()
Authentication Events
The SiteMinder SAML (1.x and 2.0) and WS-Federation authentication schemes
process response messages. For business reasons, for example, you might want
to add additional steps to further process a response. The Message Consumer
Extension API defines an interface that enables you to elaborate on the SAML or
WS-Federation response in two ways during the authentication process:
To report detailed failure reasons during user disambiguation
To customize user credential validation
Method Description
1. The Federation Web Services (FWS) application forwards a request for user
authentication to the Policy Server.
d. When the authentication scheme does not provide the user store
SearchSpec, the Policy Server core searches for the user with the search
string defined with the User Directory object. The
MessageConsumerPlugin is not called.
5. When the user has been successfully disambiguated by the Policy Server, the
authentication scheme, or the plug-in, the Policy Server returns the user DN
to the Policy Server and proceeds to credential validation (Step 8 and
following).
6. If the user has not been successfuly disambiguated for this user directory by
either the Policy Server, the authentication scheme, or
MessageConsumerPlugin, the FWS application checks the next user directory
and repeats Steps 2 - 6 before proceeding with credential validation.
7. When a user has been disambiguated, the Policy Server again calls the
authentication scheme to determine whether the user has the proper
credentials for the authentication request. The authentication scheme
determines whether the response message is acceptable.
10. The final result is passed back to the Policy Server by the authenticaiton
scheme.
11. If necessary, the FWS application can process any failure and redirect the
user to an appropriate URL.
The functionality is provided through custom Java classes that are referenced in
Policy Server active expressions. An active expression is a string of variable
definitions that appears in the following Policy Server objects:
Active policyA policy that provides dynamic authorization based on
external business logic.
For example, you might implement a custom Java class that returns true if
the user belongs to a particular organizational unit (ou) in an LDAP directory.
The ou is passed to the custom Java class in the parameter (param) field of
the active expression.
Active responseA response returned from a custom Java class. Using an
active response is one way you can define user-specific privilege
information.
For example, you might define an active response that returns a users
common name (cn) if the user belongs to the ou passed in the param field of
the active expression.
Active ruleA rule that provides dynamic authorization based on external
business logic.
For example, you might define a custom Java class that returns true if a user
is a member of a group, such as Directory Administrator, that has permission
to view a realm. The group name is passed to the Java class in the param
field of the active expression.
Active Expressions
Active expressions are constructed in the Policy Server User Interface using the
following syntax:
An active expression based on the Java Authorization API has the following
required fields:
lib contains the shared library name smjavaapi. This library is used with all
active expressions that reference a custom Java class in param.
func contains the function name JavaActiveExpression. This function is the
entry point for the smjavaapi library. It is used with all active expressions
that reference a custom Java class in param.
param contains the following information.
You define an active expression when you configure the active policy, rule, or
response in the Policy Server User Interface.
Passes to the instance of the custom Java class the optional parameter string
plus the following context objects:
APIContext
RequestContext
UserContext
The instance of the Java class performs the custom functionality and returns
a result to SiteMinder. Results are returned from the custom Java classs
invoke() method.
SiteMinder interprets the result returned by the instance of the custom Java class
according to the type of active expression that references the Java class, as
follows:
Active PolicyIf the result returned is an empty string or if an exception is
thrown, authorization is denied.
The policy does not fire if the result returned matches any of the following
strings (not case-sensitive): FALSE, F, or 0.
(The URL that is passed back might vary according to information passed
into the custom Java class. For example, a group name could be passed
in the param field of the active expression. The custom Java class could
then test for the group name to determine the URL to pass back.)
You specify the cookie name in the SiteMinder Response Attribute Editor.
If the method fails (that is, the method returns -1 or 0), the response
attribute is ignored.
ActiveExpression Methods
The base interface in the Java Authorization API is ActiveExpression. All Java
classes that provide custom authorization functionality must implement this
interface.
The name of the class that you implement from the base interface must appear
in the param field of any associated active expression.
Method Description
Class Description
RequestContext
UserContext
RequestContext Provides information about the users
access requestfor example, the server or
resource portion of the request.
For SAML 1.x support, on the Advanced tab of the SiteMinder Affiliate
Properties dialog.
For SAML 2.0 support, on the Advanced tab of the SiteMinder Service
Provider Properties dialog.
The following steps outline the interaction between SiteMinder and a custom
assertion generator plug-in. The activities begin when an authorized user makes
a request, through a SiteMinder Policy Server, for a resource at a site that
consumes assertions:
3. If an assertion generator plug-in is defined for the site that consumes the
assertion, the SiteMinder Assertion Generator Framework requests an
instance of the plug-in object from the plug-in cache.
Note: The site consuming assertions can have no more than one assertion
generator plug-in defined for it.
b. SiteMinder calls the plug-ins init() method. This method performs any
initialization procedures that you have implemented for the plug-in.
8. Steps through are repeated whenever a user requires an assertion for the
service provider.
When SiteMinder is about to shut down, SiteMinder calls the plug-ins release()
method to allow the plug-in to perform any rundown activities it might require.
When developing and deploying a custom assertion generator plug-in, keep the
following points in mind:
The implemented plug-in class must provide a public default constructor
method with no parameters.
The implementation must be statelessthat is, the single plug-in instance
can be concurrently used for multiple threads.
The syntax requirements and use of the parameter string that is passed into
the customizeAssertion() method is the responsibility of the custom object.
The custom object must parse the default assertion that is passed to
customizeAssertion()for example, through a Document Object Module
(DOM) parser or a Simple API for XML (SAX) parser. The sample plug-in class
AssertionSample.java uses a DOM parser.
The Delegated Management Services (DMS) API lets you perform directory
management operations on LDAP and ODBC directories.
With LDAP directories, you can use the DMS API to write a client application that
allows a user with the specified privileges to perform tasks such as (but not
limited to):
Creating an organization
Creating a group
With ODBC directories, you can perform many but not all DMS API operations.
Note: The DMS API (available in Java only) has different functionality than the
DMS Workflow API (available in C/C++ only). The DMS API lets you develop
directory management applications that perform similar operations as the
SiteMinder DMS product. The DMS Workflow API works in conjunction with DMS
and fires when certain pre-process and post-process DMS events occur, allowing
you to develop applications that perform additional functionality before and/or
after these events.
<install_path>\sdk\java
UNIX platforms:
<install_path>/sdk/java
SiteMinder user directories can exist within other SiteMinder user directories. In
the preceding illustration, the Engineering organizational unit has three
SiteMinder user directories within it. These have the attribute and organization
names ou=dev, ou=qa, and ou=doc. The Human Resources organizational unit
has two SiteMinder user directories within itou=benefits and ou=recruit.
Sub DNs are managed by the class SmDmsConfig. When you create an
SmDmsConfig object, you can keep the default sub DN names or assign
new ones.
Attribute-based Delegation
In addition to hierarchical organization, DMS also provides an administration
model for sites that have implemented a flat directory structure. In this model,
delegation is based on attributes in user profiles instead of hierarchical levels.
In a flat directory, DMS adds attribute/value pairs to user profiles to group users
together. Once users are grouped together, another attribute/value pair
determines which users can manage the groups.
OrgAdminSubDn="(title=OrgAdmin)";
The organization(s) that an organization administrator can manage. By
default, DMS uses the departmentnumber attribute to store managed
organizations.
OrgAdminOrgs="departmentnumber";
The organization to which a user belongs. By default, DMS uses the ou
attribute.
DnOrgs="ou";
DMS Users
DMS users are assigned one of the following categories of directory management
privileges. The categories are listed below from lowest to highest:
End userCan manage certain information about the end users own
account, such as changing the users password and viewing (but not adding)
the roles that the user is a member of.
Organization administratorCan manage an entire organization and any
organizations below it.
You use different login() methods to log in different categories of DMS users.
Implementation Class
Interface SmDmsApi is implemented by the class SmDmsApiImpl. Use this class
as the starting point for the DMS API.
This class lets you determine how you want to access the information in the
SmDmsDirectory object. You can do so by providing either of two kinds of
information:
The name or OID of the target user directory. To provide this information,
call getDirectoryContext().
The OID of the protected realm that the user is attempting to access. To
provide this information, call getDmsContext().
These methods fill the context object that is passed into them.
Context Class
The getDirectoryContext() and getDmsContext() methods in class
SmDmsApiImpl create a context objecteither SmDmsDirectoryContext
or SmDmsContext. The context object contains information such as user
directory, session, and connection information. The context object is so-named
because its information is derived within the context of the provided realm OID
or the user directory name or OID. When you have a context object, you call its
getDmsDirectory() method to retrieve an SmDmsDirectory object. This object
represents an LDAP or other namespace and gives you access to organizations
and other elements in the namespace.
Object Class
The Object class, SmDmsObject, and its subclasses provide methods for creating
and managing directory objects. SmDmsObject and its subclasses are shown
below:
Object Model
Search Class
The Search class, SmDmsSearch, represents a configuration object for the
search operation. It holds the search base and the filter. The filter expects a
string-based search expression for the object class.
The search class returns a list of distinguished names paired with the
corresponding class identifier, and optionally, selected attribute information for
the items retrieved in the search.
Cursor Class
The SmDmsCursor class lets you define sorting and paging behavior for result
set operationsfor example:
Set the sort parameter of the SmDmsCursor constructor to specify the
columns to use for sorting rows.
Call setBlockSize() to define the maximum number of rows that can be
returned from a result set at one timethat is, the maximum number of
rows in a page.
Call setOffset() to specify the starting offset (row number) of the block
returned from the result set.
If you specify true, a result set will be retrieved only if it can be sorted.
search()
searchForward()
searchBack()
searchRefresh()
SmDmsObject.getGroups()
SmDmsOrganization.getGroups()
SmDmsGroups.getMembers()
Sorting and paging operations are not supported for Active Directories through
the AD namespace. Sorting and paging operations are supported for Active
Directories through the LDAP namespace.
You specify whether sorting and paging operations are critical in the
SmDmsCursor constructor.
If the login is successful, the session specification is put into the spec
field of the SessionDef object. Set the spec value in the SmApiSession
object.
After obtaining a valid session, create a DMS API object by passing the
session to the constructor of the SmDmsApiImpl classfor example:
In the example, dmsApi is the new DMS API object, and apiSession is the
session obtained when the administrator successfully logged in.
Note: Whenever you create a DMS API object, you pass the session and
connection information to the object.
To use the DMS API to access a user directory, you need to know either:
The OID of a realm that has a self-registration scheme configured for it.
DMS context and directory context provide two different avenues for
reaching the same destinationan SmDmsDirectory object where you can
access and manipulate directory information.
The following figure illustrates the process flow of the DMS API through a
context object:
Once you choose the context information you want to provide, you create the
context.
After creating a context, you can create and manipulate directory objects
using the DMS Object Model. When working with directory objects, you need
to know:
Top-level organization
Organizational unit
Group
User
Role
DMS Context
DMS context lets you access an SmDmsDirectory object within the context of a
realm OID that you provide. The DMS context class is SmDmsContext.
You can retrieve a DMS context object, use the method getDmsContext() in the
class SmDmsApiImpl.
Before retrieving the DMS context object information, you need to create a realm
object to pass into the getDmsContext() call. The realm object must:
Have a valid object identifier (OID) obtained from an agent call to
AgentAPI.isProtected().
Be configured with a registration scheme.
Then, set the realm OID by calling setOid(). You can call this method through an
object that extends the SmObjectImpl class of the Policy Management API.
After setting the OID for the realm object, call getDmsContext() and pass in the
realm object.
Example:
To get just the directory OID, call dmsContext.getSelfReg(), and then call
SmSelfReg.getUserDir().
Directory Context
Directory context lets you access an SmDmsDirectory object within the context
of a user directory name or OID that you provide. The directory context class is
SmDmsDirectoryContext. To get a directory context, use the method
getDirectoryContext() in the class SmDmsApiImpl.
After getDmsContext() is called and DMS context is established for the session,
its possible to change the user type for subsequent operations in the session.
For example, after a SiteMinder administrator opens a session in DMS context,
you might want an end user to modify his user profile later in the same session.
To make the profile request on the end users behalf rather than the SiteMinder
administrators, you need to change the user type.
1. Create the object that will be the target of requests by the new user type.
For example, to make requests against the new user object dmsUser in
organization dmsOrg on behalf of an end user with the distinguished name
USER_DN:
2. Get a session specification for the new user in either of these ways:
With custom agents, use the Agent API to log in the new user.
3. Pass in the session specification for the new user and DMS object. For
example, if sessionSpec is the session specification:
dmsUser.getApiSession().setSessionSpec(sessionSpec);
More Information:
Create an Object
SmDmsOrganization org=dmsDir.newOrganization("o=swdev.com");
3. Use the organization object to create other objects, such as group objects or
organizational unit objects. The following example creates a group object
named grp with the distinguished name ou=UI,ou=eng, o=swdev.com.
SmDmsGroup grp=org.newGroup("ou=UI,ou=eng,o=swdev.com");
Note: This code does not add the group to the directory.
The following figure illustrates the DMS API flow for creating directory objects:
result = grp.addObject();
When adding an object, you can set multiple values for the objectclass attribute,
but not for other attributes. When modifying an object with the modifyObject()
method, you can set multiple values for any attribute.
For example, to pass in a string containing the values top and organizationalunit,
you could use the following code:
group.setAttribute("objectclass","top^organizationalunit");
To pass in a vector for the same values, you could use the following code:
Note: For existing objects, object class can be modified through the
modifyObjectClass() method. This method also allows you to set multiple values
for object class.
To add a user to a role, call the addToRole() method (class SmDmsUser). In the
following example, the user user1 is added to the role role:
For example, to get the attributes of the organization org whose DN is referenced
by ORG_ROOT in the directory namespace dmsDir:
ORG_ROOT="o=swdev.com";
SmDmsDirectory dmsDir = dmsContext.getDmsDirectory();
SmDmsOrganization org = dmsDir.newOrganization(ORG_ROOT);
SmApiResult result = org.getObject();
To modify an objects attributes, you first fetch the existing attributes with
getObject(). Then, you set the new attribute(s) by calling setAttribute() (in class
SmDmsObject), just as you do when adding an object.). For example, to modify
the user USER_DN1 in the organization org above by setting attribute l to the
value Boston:
You can modify multiple values for all attributes, not just the objectclass
attribute.
Searches
You can search LDAP directories and ODBC directories. You search an
organization using one of the search... methods in the class
SmDmsOrganization.
You can specify the search parameters to use when searching the directory.
There are two times when you can specify search parameters:
When you create the search object
After you create the search object
You can use either option or both options. They are not mutually exclusive.
To specify a search parameter when you create a search object, pass one or
more search parameter names to the constructor of the SmDmsSearch class.
There are some search parameters that you cannot specify during creation of the
search objectfor example, scope. The constructor for the SmDmsSearch class
accepts only the following search parameters:
filter
root
propertyNames
maxItems
You can create an SmDmsSearch object without passing any search parameters
to the constructor.
After a search object is created, you can use the set... methods in the
SmDmsSearch class to:
Set additional search parameters.
Reset search parameters that you set when the search object was created.
By using the set... methods, you can set or reset any of the parameters shown in
the following table:
The search filter defines the items you want to retrieve in the search. You can set
the search filter through an SmDmsSearch constructor or through the
SmDmsSearch method setFilter().
The search filter is described differently for LDAP directories and ODBC
directories.
With LDAP directories, you provide a complete LDAP search filter in the filter
parameter of an SmDmsSearch constructor or setFilter() method. For example,
if you pass filter and root to the SmDmsSearch constructor to search the
organization swdev.com for groups, you could specify the following:
A search of an ODBC directory is performed through a SQL query. The DMS API
supports the SQL SELECT statement.
The information you provide in the search filter depends on whether your search
uses an SmDmsCursor object to provide sorting and paging operations:
With ODBC searches that do not pass an SmDmsCursor object to the search
method, use a fully defined SQL SELECT statement in the search filter.
With ODBC searches that do pass an SmDmsCursor object to the search
method, use a partial SQL SELECT statement in the search filter, consisting
only of FROM and WHERE clauses.
With ODBC database searches that pass an SmDmsCursor object to the search
method, the DMS API constructs the complete SQL SELECT statement from
various sources, as follows:
The FROM and WHERE clauses are taken from the filter parameter of an
SmDmsSearch constructor or setFilter() method.
The SELECT columns portion of the query is taken from attributes specified in
either of the following parameters:
The DMS API uses the information in the previous example to build the following
SQL statement:
Search an Organization
To search an organization:
1. Create a search object. This search object holds the search parameters.
Note: The root is the top level of the SiteMinder user directory to search. It
is not necessarily the top level of the entire directory structure.
Use the set... methods in the SmDmsSearch class to set any other search
parametersfor example:
mySearch.setScope(2);
Reset 0
Forward 1
Back 2
Refresh 3
4. To get the items returned from the search, call getResults() on the search
objectfor example:
The first element of the results vector contains the search parameters in a
SmDmsSearchResultParams object. The remaining elements are
SmDmsObject objects. To distinguish object types, the classId attribute of
each object is set through the setClassId() method. For example, if the
classId is DMSOBJECT_CLASS_USER, the object is a user. If the classId is
DMSOBJECT_CLASS_GROUP, the object is a group.
Examples of a Search
The following example searches an organization using the search parameters set
through the search.set... methods below. The results of the forward search are
assigned to the vector vsearch and are printed along with the search
parameters.
// Search
SmDmsOrganization test = org.newOrganization("");
SmDmsSearch search = new SmDmsSearch (
"(&(objectclass=organizationalUnit) (ou=groups))",
"o=swdev.com");
// Define search parameters
search.setScope(2); // Number of levels to search.
search.setNextItem(0); // Initialize forward search start
search.setMaxItems(20); // Max number of items to display
search.setPreviousItem(0); // Initialize back search start
search.setMaxResults(500); // Max items in the result set
result = test.search(search, 1);
Vector vsearch = search.getResults();
System.out.println("Search object vector size " + vsearch.size());
SmDmsSearchResultParams searchParams =
(SmDmsSearchResultParams)vsearch.firstElement();
System.out.println("***Search Parameters***");
System.out.println(searchParams.toString());
System.out.println("removed element at 0");
vsearch.removeElementAt(0);
System.out.println("Search object vector size " + vsearch.size());
for (int i=0; i<vsearch.size(); i++)
{
SmDmsObject dmsObj = (SmDmsObject)vsearch.elementAt(i);
System.out.println("***Search**** " + dmsObj);
printObject (dmsObj, result);
}
The following code fragment configures sorting and paging features through
an SmDmsCursor object and performs a search. The parameters for the
SmDmsSearch object search would be defined in the same way as in the
previous example:
The following table lists the password state attributes you can access for a given
user, and the method used to set or retrieve an attribute value. All methods are
in the class SmDmsUserPWState, unless otherwise noted.
If you change a password state attribute, the change applies to the current
password state object only. To apply the change to a password state object that
may be subsequently retrieved, pass the current password state object in a call
to SmDmsUser.setUserPWState(). This method sets a new password state
object containing the attribute values passed into the method.
ODBC Support
When operating against ODBC-based user directories, you can use the following
DMS API methods:
SmDmsApiImpl.getDirectoryContext(SmUserDirectory,
SmDmsConfig, SmDmsDirectoryContext)
SmDmsDirectory.getCapabilities(Vector)
SmDmsDirectory.getUserChallengeText(String)
SmDmsDirectory.getUserTempPassword(String, String)
SmDmsObject.getGroups(Vector, boolean)
SmDmsObject.getObject()
SmDmsObject.getObject(Vector)
SmDmsUser.authenticate(String)
SmDmsUser.changePassword(String, String, boolean)
DMS roles are not supported. Also not supported are operations such as adding
and deleting users and groups, adding users to a group, and removing users
from a group.
Restricted Methods
Some of the methods in the DMS API can only be called within a session
established at a minimum level of the user privilege hierarchy or higher. For
example, adding an end user to a role requires an organization administrator
session, Siteminder administrator session, or super administrator session.
The following table shows the DMS methods (plus the login() and logout()
methods in the apiutil package) that have security restrictions, the minimum
privilege level required to call the methods, and the classes that the methods are
called from:
login() No session
SmApiSession class
Index 159
authorizing 36, 122 Context Class 134
automatic connections 18 cookies, SMSESSION 43
Core Methods in the Result Class 29
B Create a Custom Authentication Scheme 112
backup Policy Server 47 Create an Object 144
balancing Policy Server load 47 create token 43
base interface 112 createSSOToken() 43
Basic Over SSL Template 76 creating 18, 19, 35, 144
Basic Template 75 creating objects 144
block offset 136 credentials, custom authentication 112, 113,
block size 136 115, 116
building and running applications 12 CRYPTOCard RB-1 Template 77
Cursor Class 136
C custom authentication 112, 115
custom authorization 122
CA Product References iii
Custom Classes for Authentication and
Cache Commands 42
Authorization 110
cached authorization 36, 41
Custom Template 78
calling sequence 114
customizeAssertion() 126
Certificate Map Methods 61
challenging a user 119 D
Change the User Type in DMS Context 142
changeDynamicKey() 70 decodeSSOToken() 43
changePassword() 156 decrypt token 43
changePersistentKey() 70 default object handle 17
changeSessionKey() 70 Delegated Management Services API 15, 129
changing user type 142 Delete Objects from the Policy Store 72
class identifiers 135 deleteAdmin() 59
classes 113, 125 deleteAgent() 59
Classes and Interfaces in the Authentication API deleteAgentConfig() 60
112 deleteAuthAzMap() 60
Classes for Internal Use 25 deleteCertMap() 61
Cluster Configuration 48 deleteDomain() 61
Cluster Failover 49 deleteGroup() 63
Clustered and Non-Clustered Servers 48 deleteHostConfig() 63
Code Samples 12 deleteObject() 146, 156
Common Classes 111 deleteODBCQuery() 64
components 13, 16 deletePasswordPolicy() 64
configuration 109 deletePolicy() 65
configuration file 18, 19, 45 deletePolicyLink() 65
Configuration of All Custom Classes 109 deleteRealm() 66
Configure Attribute-based Delegation 133 deleteResponse() 66
configuring 72, 109 deleteResponseAttribute() 66
Connection Class 26 deleteRootConfig() 67
connection handles 17 deleteRule() 67
connection parameters 35 deleteScheme() 61
Connection to a Policy Server 35 deleteSelfReg() 68
connection types 17 deleteTrustedHost 68
Contact CA iii deleteUserDirectory() 68
containers in directories 131 deleteUserPolicy() 69
Index 161
getLastPWChangeTime() 154 How Web Agents Use the Agent API 38
getLoginFailures 154 HP-UX 11 agent 32
getMembers() 156 HTML Form Template 80
getMessage() 29
getName() 30 I
getObject() 62, 146, 156 identity ticket 39
getODBCQuery() 64 identity tracking 39
getOid() 62 Impersonation Template 81
getOrganizations() 156 Implement the JNI Java Agent API 32
getPasswordPolicy() 64 Implement the Pure Java Agent API 34
getPolicy() 65 Implementation Class 134
getPolicyLinks() 65 initializing a connection 35
getPrevLoginTime() 154 initializing an Agent API instance 35
getRealm() 66 Installation Path 11
getRealmRules() 66 installation path of Java APIs 11
getRealmUserPolicies() 66 Interaction between SiteMinder and an
getReason() 27, 29 Assertion Generator 126
getResponse() 66 Interpret a Result Object 28
getResponseAttrs() 66 Interpret an Active Expression Result 124
getResults() 152 interpreting as an object 28
getRoles() 156 invoke() 125
getRootConfig() 67 isDomainObject() 61
getRule() 67 isEnabled() 64
getScheme() 61 isEntireDir() 64
getSelfReg() 68 isProtected() 36, 41
getSessionSpec() 26 isSuccess() 23, 29, 71
getSessionVariables() 46 isValidApiConnection() 26
getSeverity() 29 isWriteable() 62
getStatus() 29
getType() 30 J
getUserChallengeText() 156
JAR file 32, 55, 130
getUserDirectory() 68
jar file deployment 110
getUserDirSearchOrder() 68
Java Agent API 13, 32
getUserPolicies() 69
Java Agent API Services 39
getUserPWState() 154, 156
Java API Flow 17
getUserTempPassword() 156
Java API Overview 11
getValue() 30
Java Authentication API 112
global objects 55
Java Authorization API 122
Group Methods 63
Java components 13
H Java components of SDK 13
Java Components of the SiteMinder SDK 13
hierarchical directories 130 Java DMS API 129
Host Configuration Object Methods 63 Java Policy Management API 54
How Information Is Bound to a Session 46 Javadoc 24
How Java Components Fit Together 16 Javadoc Reference 24
How SiteMinder Initializes Authentication JVMOptions.txt 109, 110, 127
Processing 114
How SiteMinder Loads a Custom Authentication L
Scheme 114
LDAP directories 150
Index 163
Performance Consideration 107 required, attribute-based delegation 133
performance issue with realms 107 requirements 32
persistent sessions 47 Requirements for Using Session Variables 47
plug-in. See SAML assertions 126 resource access 36, 41
policies, active 122, 124 resources, check if protected 36, 41
Policy Management API 14, 53, 55, 57, 58 response attributes 36, 41, 43, 124
Policy Management Setup 55 Response Attributes 43
Policy Methods 65 Response Methods 66
Policy Migration Methods 65 responses, active 122, 124
Policy Server 17, 35 Restricted Methods 156
Policy Server Prerequisite 12 Result class 27
Policy Store Objects 55 Result Class 27
policy-based response attributes 43 result objects 23
portals 89 results 124
ports 19 Retrieve Objects from the Policy Store 72
prerequisites for Policy Management setup 55 retrieving an attribute value 144
primary cluster 49 retrieving attributes 146
privilege hierarchy 133 retrieving for object 146
privilege hierarchy in DMS 133 retrieving results 152
process flow 38 Root Configuration Methods 67
properties 30 root of SiteMinder user directory 130, 152
Property class 30 round-robin Policy Servers 48
Property Class 30 Rule Methods 67
PropProcessAuthEvents 107 rules, active 122, 124
PropProcessAzEvents 107 running applications 55
protected resources 36, 41, 122
Purpose of the Java APIs 11 S
Purpose of the Utilities Package 25 SafeWord HTML Form Template 86
SafeWord Template 88
Q
SAML Artifact Template 89
query() 112 samples 12
SAX parser 127
R scheme. See authentication scheme 72
RADIUS CHAP/PAP Template 84 SDK installation path 11
RADIUS Server Template 85 SDK samples 12
Realm Methods 66 Search an Organization 152
reason code for a result 27 Search Class 135
redirection 119 search filter 150
Redirection 119 search() 70, 156
reference documentation 24 search... methods 137
removeAdminFromDomain() 59 searchBack() 156
removeFromGroup() 63, 156 Searches 147
removeUserDirFromDomain() 68 Searches of Microsoft LDAP Directories 137
renameObject() 62 Searches that Support Cursor Operations 137
RequestContext class 125 searchForward() 156
requests, storing results of 27 searching 152
required attributes 133 searching directory 68
Required JAR File 55 searchRefresh() 156
Required Library File 110 SecurID HTML Form Template 91
Index 165
SmExportAttr() 65 ticket. See identity ticket, session specification
SmHostConfig() 63 26
SmImportAttr() 65 timeout information 50
smjavaagentapi.dll 32 Timeouts 50
smjavaagentapi.jar 32 tokens 43
smjavaapi 109, 110 toString() 29
SmJavaApiException class 111 trace information, logging 23
SmODBCQuery() 64 tracking, identity 39
SmPasswordPolicy() 64 transaction ID 41
SmPolicyApiImpl() 59, 60, 61, 62, 63, 64, 65, Trusted Host Object Methods 68
66, 67, 68, 69, 70 Tunnel Services 43
SmProperty class 30 types, and realms 47
SmRealm() 66
SmResponseAttr() 66 U
SmResponseGroup() 63 unInit() 36
SmRootConfig() 67 uninitializing an Agent API instance 36
SmRule() 67 unique constants 28
SmRuleGroup() 63 universal ID 39
SmScheme() 61 updateAttributes() 43
SmSelfReg() 68 updating encryption keys 36, 70
SMSESSION cookie 43 usage flow 17
SmTrustedHost() 68 Use the Authorization API 122
SmUserDirectory() 68 User Access to Resources 36
SmUserPolicy() 69 User Authentication 119
Solaris agent 32 User Directory Methods 68
sorting 136 user disambiguation 116, 117
sorting and paginating results 137 User Disambiguation 117
sorting and paging operations 137 User Disambiguation and Authentication 116
sorting preferences 136 User Password State 154
SQL 150 User Policy Methods 69
SSO. See single sign-on 43 user privilege hierarchy 133
Standard Agent Support 45 UserContext class 111
starting class 134 UserCredentialsContext class 113
Status portion of result 27 user-defined Agent object handle 17
stored as session variables 46 using Authentication 112
sub DNs 131 using Authorization 122
super administrators 39 using Policy Management 57
Support for Custom Code 24 using the DMS API 129
Supported Credentials 116 Utilities Package 15, 25
system objects. See global objects 55 Utility Methods 70
T V
TeleID Template 96 variables, session 46
Terminate the Administrator Session 58 Version Compatibility and Failover Behavior 50
termination 41, 47 version of custom authentication scheme 112
The Required JAR File 130
The Role of the MessageConsumerPlugin 121 W
threshold percentage 49
Web Agent 38
WebAgent.conf 19, 45
X
X.509 Client Cert and Basic Template 99
X.509 Client Cert and Form Template 101
X.509 Client Cert or Basic Template 102
X.509 Client Cert or Form Template 104
X.509 Client Cert Template 105
Index 167