How to access CA SSO generated user attributes in ActiveResponse?

Document ID:  TEC1680699
Last Modified Date:  08/07/2017

Products

  • CA Single Sign-On

Components

  • SITEMINDER -POLICY SERVER:SMPLC
Summary:

Custom active responses and rules often need to read the default CA SSO generated response attributes in order to evaluate custom logic.

Some sample CA SSO generated attributes are:

  • SM_USERSESSIONIP
  • SM_USERDN
  • SM_USERPASSWORD

The full list of default CA SSO generated attributes can be found by searching for the keyword "CA SiteMinder®-Generated User Attributes" in the CA SSO documentation:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes

Environment:
PS : r12.5 and above
Instructions:

The default CA SSO generated user attributes can be accessed using the SmUserContext.getProp(java.lang.String propName) API call, as shown below.

    public String invoke(ActiveExpressionContext context, String param)
        throws Exception
    {
        if (context == null)
        {
            // should never happen
            throw new IllegalArgumentException("ActiveResponseSample invoked without context");
        }

        // the User Context is required to use methods such as getProp and setProp
        UserContext theUserContext = context.getUserContext();
        if (theUserContext == null)
        {
            context.setErrorText("No User Context.");
            return null;
        }

        // write the value to the Policy Server trace log, then return it as the response value
        context.getAPIContext().trace(getClass().getSimpleName(), "ActiveResponseSample:: returning ClientIP= ['" + theUserContext.getProp("SM_USERIPADDRESS") + "']");

        return theUserContext.getProp("SM_USERIPADDRESS");
    }


Step 1: Create an active response as shown below:

[Screenshot: activeresponse.png]

Step 2: Configure the Active Response with either an OnAuthAccept or an OnAccessAccept rule.

[Screenshot: Policy.png]

Step 3: Compile the attached sample ActiveResponseSample.java class by running java-build.bat (Windows) or java-build.sh (UNIX).

Download: ActiveResponseSetClientIPCookie.zip

Note: Before running the script, update the path to the JDK install directory in the JAVA_HOME variable by editing java-build.bat (Windows) or java-build.sh (UNIX).

[Screenshot: compile.png]

 

Step 4: Once compiled, copy ActiveResponseSample.class to the <Policy server>/config/properties directory.

Note: This "properties" directory is in the Policy Server classpath by default, so you don't need to modify JVMOptions.txt.

If you choose to deploy the class in any other directory, you will need to add the path to that directory to the classpath in the JVMOptions.txt file.

[Screenshot: properts_dir.png]

 

Test:

[Screenshot: fiddler.png]

Policy Server trace log:

 

[08/07/2017][01:30:07][2908][1564][][SmAuthUser.cpp:700][ServerTrace][][][][][][][][][][][][][][ActiveResponseSample: ActiveResponseSample:: returning ClientIP= ['10.129.160.255']][01:30:07.792][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][ActiveResponseSample:: returning ClientIP= ['10.129.160.255']][][][][][][][][][][][][][]
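
One way to check this trace output after deployment, as an added example that is not part of the original article or of CA's sample: it pulls out the value the active response logged and flags entries where the attribute was not available for the event. It assumes getProp returns null for an unavailable attribute (which the sample's string concatenation would log as 'null'); the SAMPLE lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# Prefix of a trace line: [date][time]; the remaining columns are not needed here.
STAMP = re.compile(r"^\[(\d{2}/\d{2}/\d{4})\]\[(\d{2}:\d{2}:\d{2})\]")
# Message written by the sample's trace() call. The value sits in its own
# ['...'] pair, so splitting the line on "][" would cut the message apart.
RETURNED = re.compile(r"ActiveResponseSample:: returning ClientIP= \['([^']*)'\]")


def classify(value):
    """Return 'ip', 'missing' or 'invalid' for a traced attribute value."""
    # Assumption: getProp returns null when the attribute is unavailable;
    # Java renders a null reference as "null" in string concatenation.
    if value in ("", "null"):
        return "missing"
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return "invalid"
    return "ip"


def scan_trace(lines):
    """Yield (date, time, value, status) for each ActiveResponseSample trace line."""
    for line in lines:
        stamp = STAMP.match(line)
        hit = RETURNED.search(line)  # the message is repeated; the first copy suffices
        if stamp and hit:
            value = hit.group(1)
            yield stamp.group(1), stamp.group(2), value, classify(value)


# Constructed sample: the first line is the trace line from this page with the
# runs of empty [] columns shortened; the other two are made up for illustration.
SAMPLE = [
    "[08/07/2017][01:30:07][2908][1564][][SmAuthUser.cpp:700][ServerTrace][][]"
    "[ActiveResponseSample: ActiveResponseSample:: returning ClientIP= ['10.129.160.255']]"
    "[01:30:07.792][][][ActiveResponseSample:: returning ClientIP= ['10.129.160.255']][]",
    "[08/07/2017][01:31:12][2908][1564][][SmAuthUser.cpp:700][ServerTrace][][]"
    "[ActiveResponseSample: ActiveResponseSample:: returning ClientIP= ['null']][01:31:12.101][]",
    "[08/07/2017][01:31:13][2908][1601][][SmAuthUser.cpp:700][ServerTrace][][][unrelated message][]",
]

if __name__ == "__main__":
    for date, time, value, status in scan_trace(SAMPLE):
        print(date, time, value, status)
```

A "missing" status on lines for a given rule type points to the attribute not being populated for that event, which is the case described under Additional Information below.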

 

 

 

Additional Information:

1) Not all response attributes are available at all events (OnAuthAccept, OnAuthReject, OnAccessAccept, etc.).

Before implementation, verify that the response attribute you are interested in is available for the event in which you require it:

https://docops.ca.com/ca-single-sign-on/12-52-sp1/en/configuring/policy-server-configuration/responses-and-response-groups/ca-siteminder-generated-user-attributes

2) Active responses are cached by default. If you need the active response to be evaluated every time on the Policy Server, disable attribute caching for this active response (in the active response creation screen in the Administrative UI).

 
