CA Single Sign-On Context Variables

This topic describes all the context variables related to CA Single Sign-On.
Common Context Variables
The "smcontext" context variable is common to all the CA Single Sign-On assertions. All three assertions can set and reference the variable, which has this syntax:

${<prefix>.smcontext}

where "<prefix>" is the prefix specified in the assertion. This variable contains a CA Single Sign-On context object that can be queried for information using the variables in the following table:
 
Context Variable
    Description

${<prefix>.smcontext.authschemes}
    Returns an array of the authentication schemes supported by the Policy Server. The Gateway supports the following authentication schemes:
    BASIC
    SSL
    X509CERT
    X509CERTISSUEDN
    X509CERTUSERDN

${<prefix>.smcontext.authschemes.length}
    Returns the size of the authentication schemes array.

${<prefix>.smcontext.attributes}
    Returns the CA Single Sign-On attributes, which contain information from the Policy Server resulting from authentication/authorization attempts.
    Attributes that are known to the agent have names such as "ATTR_USERDN".
    Attributes that are not known to the agent have names that begin with "ATTR_" followed by a number returned from the Policy Server, for example "ATTR_161".
    For a list of the attributes, see CA Single Sign-On Attributes below.

${<prefix>.smcontext.attributes.length}
    Returns the size of the attribute list.

${<prefix>.smcontext.attributes.<index>.name}
    Returns the name of the attribute at position <index>.
    Example: ${siteminder.smcontext.attributes.0.name}

${<prefix>.smcontext.attributes.<index>.value}
    Returns the value of the attribute at position <index>.
    Example: ${siteminder.smcontext.attributes.0.value}

${<prefix>.smcontext.attributes.<attribute_name>}
    Returns the value of the named attribute, or null if the attribute is not found.
    For example, ${siteminder.smcontext.attributes.SESS_DEF_REASON} returns the reason value of a failed authentication/authorization session.

${<prefix>.smcontext.sourceIpAddress}
    Returns the originating source IP address from the CA Single Sign-On context. The source IP is determined as follows:
    If a source IP address was specified in the Check Protected Resource Against CA Single Sign-On assertion, it is returned.
    If none was specified, the remote IP of the request or response message is returned instead.
    If the remote IP is null, the Address value from the CA Single Sign-On Configuration Properties is returned instead, provided the "Check IP" check box in the properties has been selected; if it has not been selected, this variable returns NULL.

${<prefix>.smcontext.ssotoken}
    Returns the third-party SSO token generated by the Policy Server. This token is used to authenticate a user and can either be returned in an HTTP response or stored in a context variable for subsequent SSO session validation.
    The token is set only when authentication/authorization is successful.

${<prefix>.smcontext.transactionid}
    Returns the transaction ID used by the agent to associate application activity with security activity. This ID is generated by the Check Protected Resource Against CA SSO assertion and is used by the other CA SSO assertions.
Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken
The Check Protected Resource Against CA Single Sign-On assertion accepts an agent configuration object (ACO) name. It fetches the ACO details from the CA SSO Policy Server and makes them available to the Gateway policy. The policy author can then use these details to construct a proper cookie.
After successful execution of the Check Protected Resource Against CA Single Sign-On assertion, explicitly defined ACO parameters are added to the SMCONTEXT attributes list. ACO parameters are added with the common prefix ATTR_ACO_<propertyname>, where <propertyname> is the CA SSO agent configuration parameter.
For example, if the CookieDomain property is defined, it is added to the SMCONTEXT attributes list as ATTR_ACO_CookieDomain.
For a complete list of ACO parameters, search for "List of Agent Configuration Parameters" in the CA SSO documentation.
After successful authentication by the CA SSO assertion, the SMSESSION cookie string, ATTR_SESSION_COOKIE_STRING, is composed from the ACO parameters and made available to the Gateway policy if the cluster-wide property siteminder.session.generateCookieString is set to 'true'.
The following ACO parameters compose the SMSESSION cookie string:
  •  ATTR_ACO_SSOZoneName constitutes the SSOZoneName property
  •  ATTR_ACO_CookiePath and ATTR_ACO_CookiePathScope constitute the Path property
  •  ATTR_ACO_CookieDomain and ATTR_ACO_CookieDomainScope constitute the Domain property
  •  ATTR_ACO_PersistentCookies and ATTR_ACO_CookieValidationPeriod constitute the Expires property
  •  ATTR_ACO_UseSecureCookies indicates the Secure flag
  •  ATTR_ACO_UseHttpOnlyCookies indicates the HttpOnly flag

Note: The Gateway does not use any ACO parameters other than those listed above.
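The following is an added example, not Gateway or CA code, that composes a session cookie string from the ACO attributes listed above and checks it for the Secure and HttpOnly flags. It assumes (not stated on this page) that the SSOZoneName value prefixes the cookie name, that PersistentCookies=yes sets Expires to now plus CookieValidationPeriod seconds, and it leaves the *Scope parameters out; the attribute list is constructed sample data.

```python
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime

# Constructed sample of the SMCONTEXT attribute list (name, value pairs), as
# ${<prefix>.smcontext.attributes} would expose it. Values are made up here.
SAMPLE_ATTRIBUTES = [
    ("ATTR_ACO_SSOZoneName", "SM"),
    ("ATTR_ACO_CookiePath", "/"),
    ("ATTR_ACO_CookieDomain", ".example.com"),
    ("ATTR_ACO_PersistentCookies", "no"),
    ("ATTR_ACO_CookieValidationPeriod", "3600"),
    ("ATTR_ACO_UseSecureCookies", "yes"),
    ("ATTR_ACO_UseHttpOnlyCookies", "yes"),
]
EXAMPLE_NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for repeatable output

def aco(attributes, name, default=None):
    """Look up ATTR_ACO_<name>, as ${<prefix>.smcontext.attributes.ATTR_ACO_<name>} would."""
    return dict(attributes).get("ATTR_ACO_" + name, default)

def is_yes(value):
    return str(value).strip().lower() in ("yes", "true", "1")

def compose_session_cookie(attributes, ssotoken, now=None):
    """Build the <zone>SESSION cookie string from the ACO parameters the page lists.
    Assumed: zone name prefixes the cookie name (SMSESSION for zone "SM"), and
    PersistentCookies=yes sets Expires = now + CookieValidationPeriod seconds."""
    zone = aco(attributes, "SSOZoneName", "SM")
    parts = [zone + "SESSION=" + ssotoken]
    if aco(attributes, "CookiePath"):
        parts.append("Path=" + aco(attributes, "CookiePath"))
    if aco(attributes, "CookieDomain"):
        parts.append("Domain=" + aco(attributes, "CookieDomain"))
    if is_yes(aco(attributes, "PersistentCookies", "no")):
        lifetime = timedelta(seconds=int(aco(attributes, "CookieValidationPeriod", "0")))
        expires = (now or datetime.now(timezone.utc)) + lifetime
        parts.append("Expires=" + format_datetime(expires, usegmt=True))
    if is_yes(aco(attributes, "UseSecureCookies", "no")):
        parts.append("Secure")
    if is_yes(aco(attributes, "UseHttpOnlyCookies", "no")):
        parts.append("HttpOnly")
    return "; ".join(parts)

def missing_cookie_flags(cookie_string):
    """Defender's check: report which of Secure/HttpOnly a session cookie string lacks."""
    present = {p.strip().lower() for p in cookie_string.split(";")}
    return [flag for flag in ("Secure", "HttpOnly") if flag.lower() not in present]
```

An empty list from missing_cookie_flags means both UseSecureCookies and UseHttpOnlyCookies were honoured in the ACO that produced the string.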
CA Single Sign-On Attributes
The following is a list of the CA Single Sign-On attributes that can be returned by the ${<prefix>.smcontext.attributes.<attribute_name>} variable.

Attribute
    Description

ATTR_USERDN
    The user's distinguished name as recognized by CA Single Sign-On.

ATTR_USERNAME
    The user's display name.

ATTR_USERMSG
    Text presented to the user as a result of authentication. Some authentication schemes supply challenge text or a reason why an authentication has failed.

ATTR_USERUNIVERSALID
    The user's universal ID. It could be the name from LDAP.

ATTR_CLIENTIP
    The IP address of the machine where the user initiated a request for a protected resource.
    This attribute returns a value only when the "Check IP" option is selected in the CA Single Sign-On Configuration Properties.

ATTR_DEVICENAME
    The name of the agent device. When an existing CA Single Sign-On token is decoded, this attribute represents the Layer7 API Gateway.

ATTR_IDENTITYSPEC
    ID for the user identity ticket. This attribute is returned if the Web server's user-tracking feature is enabled and the Gateway receives the CA Single Sign-On token from another agent.

ATTR_SESSIONID
    The CA Single Sign-On session identifier. The session identifier is returned together with ATTR_SESSIONSPEC as a result of authentication.

ATTR_SESSIONSPEC
    The CA Single Sign-On session specification returned from the login call.

ATTR_LASTSESSIONTIME
    The time that the Policy Server was last accessed within the session.

ATTR_STARTSESSIONTIME
    The time the session started after a successful login.

ATTR_IDLESESSIONTIMEOUT
    Maximum idle time for a session. This attribute is currently available as ATTR_225.

ATTR_MAXSESSIONTIMEOUT
    Maximum time a session can be active.

ATTR_STATUS_MESSAGE
    Status of the authentication/authorization failure.

ATTR_AUTH_DIR_NAME
    The name specification of the directory where the user has been authenticated.

ATTR_AUTH_DIR_NAMESPACE
    The namespace specification of the directory where the user has been authenticated.

ATTR_AUTH_DIR_OID
    The object ID of the directory where the user has been authenticated.

ATTR_AUTH_DIR_SERVER
    The server specification of the directory where the user has been authenticated.

<WebAgent-HTTP-Header-Variable-Name>
    The value returned for a configured WebAgent-HTTP-Header-Variable (defined under the "Rules" section in the Policy Server).

ATTR_ACO_*
    The ACO parameters that are added to the SMCONTEXT attributes list after successful execution of the Check Protected Resource Against CA Single Sign-On assertion.

ATTR_SESSION_COOKIE_STRING
    The SMSESSION cookie string that is composed from the ACO details and made available to the Gateway policy.
Authenticate with CA Single Sign-On R12 Assertion
The following context variables can be set when the Authenticate Against CA Single Sign-On assertion is used.
The "siteminder.ATTR_*" variables in the following table are valid variables that may or may not return data, depending on the configuration of the CA Single Sign-On server. Consult your CA Single Sign-On administrator to verify which attributes are available.

Context Variable
    Description

siteminder.smsession
    Returns the CA Single Sign-On token for the authorization. This variable is set after the assertion authenticates and authorizes the credentials provided.

siteminder.ATTR_USERDN
    Returns the distinguished name for the user, decoded from the CA Single Sign-On token.

siteminder.ATTR_SESSIONSPEC
    Returns the session specification returned from the login call, decoded from the CA Single Sign-On token.

siteminder.ATTR_SESSIONID
    Returns the session ID returned from the login call, decoded from the CA Single Sign-On token.

siteminder.ATTR_USERNAME
    Returns the user's name, decoded from the CA Single Sign-On token.

siteminder.ATTR_CLIENTIP
    Returns the IP address of the machine where the user initiated a request for a protected resource, decoded from the CA Single Sign-On token.

siteminder.ATTR_DEVICENAME
    Returns the name of the agent that is decoding the token, decoded from the CA Single Sign-On token.

siteminder.ATTR_IDLESESSIONTIMEOUT
    Returns the maximum idle time for a session, decoded from the CA Single Sign-On token.

siteminder.ATTR_MAXSESSIONTIMEOUT
    Returns the maximum time a session can be active, decoded from the CA Single Sign-On token.

siteminder.ATTR_STARTSESSIONTIME
    Returns the time the session started after a successful login, decoded from the CA Single Sign-On token.

siteminder.ATTR_LASTSESSIONTIME
    Returns the time that the Policy Server was last accessed within the session, decoded from the CA Single Sign-On token.

siteminder.response.attribute.headerVar.<variable_name>
    Returns the HTTP header attributes from the authorization response, converted to context variables.

siteminder.response.attribute.headerVar.siteminder.SESS_DEF_REASON
    Returns the reason for an authentication or authorization failure (if a failure occurred).