Configure a Response

You can create a response by specifying an agent type and an attribute list. A response contains the specified attributes and is sent to the specified agent.
Follow these steps:
  1. Click Policies, Domain, Responses.
  2. Click Create Response.
  3. Select a domain and click Next.
  4. Type the name and a description of the response.
  5. Select Radius or CA Single Sign-On and an Agent Type.
  6. (Optional) Click Create Response Attribute to create a response attribute and add it to the attribute list.
  7. Click Finish.
    The Response is created.
Configure Response Attributes
Each CA Single Sign-On response may contain one or more response attributes. Response attributes identify the pieces of information that the Policy Server passes to a CA Single Sign-On Agent. Each CA Single Sign-On Agent type can accept different response attributes.
More information on configuring an smetssocookie Web Agent active response attribute, which is needed for enabling single sign-on from CA Single Sign-On to CA Single Sign-On, exists in Configure an smetssocookie Web Agent Active Response Attribute.
Response Attribute Types
CA Single Sign-On supports different types of response attributes. The type of response attribute determines how CA Single Sign-On provides appropriate content for the attribute.
You can specify the following types of response attributes when you add response attributes to a CA Single Sign-On response:
  • Static
    Returns data that remains constant.
    Use a static attribute to return a string as part of a CA Single Sign-On response. This type of response can be used to provide information to a Web application. For example, if a group of users has specific customized content on a Web site, the static response attribute, show_button = yes could be passed to the application.
  • User Attribute
    Returns profile information from a user entry in a user directory.
    A user attribute can be retrieved from an LDAP, WinNT, Microsoft SQL Server, or Oracle user directory.
    In order for the Policy Server to return values from user directory attributes as response attributes, configure the user directories on the CA Single Sign-On User Directory pane.
  • DN Attribute
    Returns profile information from a directory object in an LDAP, Microsoft SQL Server, or Oracle user directory.
    User groups and Organizational Units (OUs) that are part of a user DN are examples of directory object attributes that can be treated as DN attributes.
    For example, you can use a DN attribute to return a company division for a user that is based on the user membership in a division.
    In order for the Policy Server to return values from DN attributes as response attributes, configure the user directories on the CA Single Sign-On User Directory pane.
  • Active Response
    Returns values from a customer-supplied library that is based on the CA Single Sign-On Authorization API.
    An Active Response is used to return information from an external source. An Active Response is generated by having the Policy Server invoke a function in a customer-supplied shared library. This shared library conforms to the Authorization API (available separately with the Software Development Kit).
    Make sure that the returned value is valid. When you configure a response attribute, the correct Value Type for the response attribute is displayed on the Response Attribute pane.
  • Variable Definition
    Returns the value of the specified variable at runtime.
    Select Variable Definition when you want to select and use a variable from a list of already-defined variables.
  • Session Variable
    Returns the value of a session variable.
    CA Single Sign-On retrieves the value from the session store, or from memory when the response is part of the authentication request.
  • Expression
    Allows the administrator to provide an expression.
    For example, the administrator can configure a Response Attribute to extract a certain string from the Certificate issuerDN attribute and store it as a new session variable.
Configure a Web Agent Response Attribute
You can create a response attribute for a CA Single Sign-On Web Agent by selecting CA Single Sign-On and Web Agent on the Attributes group box on the Response pane. Web Agent response attributes support HTTP header variables, cookie variables, redirections to other resources, text, and timeout values.
If you have purchased and installed SOA Security Manager, you can create a WebAgent-SAML-Session-Ticket-Variable response attribute.
Follow these steps:
  1. Click Create Response Attribute.
  2. Select a response attribute.
  3. Select an attribute type.
    The details in the Attribute Fields are updated to match the specified attribute type.
  4. Complete the details in the Attribute Fields.
    A list of automatically generated CA Single Sign-On user attributes that you can use in responses exists in Generated User Attributes.
  5. (Optional) Edit the attribute in the Script field.
    Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.
  6. Specify Cache Value or Recalculate value every ... seconds.
    The maximum time limit that can be entered is 3600 seconds.
  7. Click Submit.
    The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.
Configure a RADIUS Response Attribute
You can create a response attribute for a RADIUS Agent by selecting RADIUS and a RADIUS vendor on the Attributes group box on the Response pane. RADIUS response attributes support any of the attributes supported by the RADIUS protocol.
Follow these steps:
  1. Click Create Response Attribute.
  2. Select a response attribute.
  3. Select an attribute type.
    The details in the Attribute Fields are updated to match the specified attribute type.
  4. Complete the details in the Attribute Fields.
    A list of automatically generated CA Single Sign-On user attributes that you can use in responses exists in Generated User Attributes.
  5. (Optional) Edit the attribute in the Script field.
    Note: The Attribute Setup section closes when you edit the attribute on the Advanced section.
  6. Specify Cache Value or Recalculate value every ... seconds.
    The maximum time limit that can be entered is 3600 seconds.
  7. Click Submit.
    The Create Response Attribute Task is submitted for processing, and the response attribute is added to the Attribute List on the Response page.
Use Variable Objects in Responses
You can create responses that include variable objects by incorporating them in response attributes. Variable objects can be used in response attributes to include dynamic information evaluated during the authorization of a request.
Note: Variable objects included in responses are only evaluated during the authorization of a request and not during the authentication process. Responses that include variables are limited to authorization events.
Responses can contain any number of response attributes. Each response attribute contains one variable object. Like HTTP header and cookie variables, a CA Single Sign-On variable object is a name-value pair. CA Single Sign-On variable objects are different from HTTP header and cookie variables, however, in that the variable object name is used to look up the variable object value at runtime. Then, in the case of response attributes, the resulting name-value pair can be returned in an HTTP header or cookie variable.
Configure a Response Attribute that Contains a Variable
A response can contain one or more response attributes whose values are determined by variable objects. Each response attribute contains one variable object. Each variable object is a name-value pair. The name of the variable object is used to look up the value of the variable object at runtime. CA Single Sign-On passes the resulting name-value pair to the Web Agent.
Follow these steps:
  1. Follow the instructions in Configure a Response to create a response.
  2. Select CA Single Sign-On and Web Agent as the Agent Type on the Attributes section.
  3. Click Create Response Attribute on the Attribute List section.
  4. Select a response attribute from the drop-down list on the Attribute Type section.
  5. Select the type of response attribute on the Attribute Kind section.
  6. Type the name of the variable object in the Variable Name field on the Attribute Fields section.
    Note: When this field is required, CA Single Sign-On passes this name to the Web Agent in the form of a name-value pair.
  7. For the selected response attribute type, complete the following fields on the Attribute Fields group section:
    • Static
      Specify the value of the static variable in the Variable Value field.
    • User Attribute
      Specify the name of the user attribute in the Attribute Name field.
    • DN Attribute
      Specify the DN of the user or user group in the DN Spec field and the name of the user attribute in the Attribute Name field.
      (Optional) Click Lookup to search for and select one set of users or user group in a specified user directory.
      (Optional) Select the Allow Nested Groups check box.
    • Active Response
      Specify the name of your library, the name of a library function, and, optionally, the names of parameters in the Library Name, Function Name, and Parameters fields.
      Note: Your library must be based on the CA Single Sign-On Authorization API.
    • Variable Definition
      Click Lookup to select an existing variable object for the Variable field.
    • Session Variable
      Specify the name of a session variable for which an administrator can retrieve the value.
    • Expression
      Specify an expression that extracts a value from an attribute and stores it as a new session variable.
    Note: CA Single Sign-On uses the information that you provide in the fields on the Attribute Fields section to determine the value that it passes to the Web Agent in the form of a name-value pair.
  8. Click OK.
    The response attribute is saved.
Select Users for Inclusion in a Response Attribute
The User Lookup pane allows you to select one user directory and search a list of users and user groups in that directory, selecting one set of users or user group for inclusion in a response attribute.
Follow these steps:
  1. Select DN Attribute as the Attribute Kind on the Attribute Setup group box.
    The Attribute Fields group box expands to include the DN Spec field.
  2. Click Lookup on the Attribute Fields group box.
  3. Select the name of one user directory from the list, and click Search.
  4. (Optional) Select a Search type, and click GO:
    • Attribute-value
      Specify an attribute name and value in the fields on the Users/Groups dialog.
    • Expression
      Specify a search expression in the Expression field on the Users/Groups dialog.
    Note:
    You can click Reset to clear the search results.
  5. Select one set of users or user group from the list, and click OK.
  6. Click OK.
    The Response Attribute pane reopens, and the set of users or user group is added to the DN Spec field in the Attribute Fields group box.
Select a Variable Using Variable Lookup
The Select Variable pane allows you to select one variable object from a list of existing variable objects.
Follow these steps:
  1. Select Variable Definition as the Attribute Kind on the Attribute Setup group box.
  2. Click Lookup on the Attribute Fields group box.
  3. Select one variable object from the list, and click OK.
    The Create Response Attribute pane reopens, and the name of the variable object is displayed in the Variable field on the Attribute Fields group box.
Configure Response Attribute Caching
Responses return values to a requesting Agent. The data returned to the Agent can be a fixed value, or it may change over time. When you use a CA Single Sign-On Agent to protect a resource, Agents can cache a value for fixed data, so that the value does not need to be recalculated each time the associated policy fires.
For example, a customer’s account number is a fixed value, while the customer’s account balance changes after each transaction. It would be more efficient to retrieve the account number once and then cache it. However, you probably want the balance to be recalculated at a regular interval to make sure the information is current.
CA Single Sign-On does not cache RADIUS response attributes.
Follow these steps:
  1. Open the response.
    The associated response attributes are listed in the Attribute List group box.
  2. Click the edit icon to the left of the response attribute you want.
  3. Specify the cache settings in the Attribute Caching group box.
  4. Click Submit.
    The cache settings are saved.
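The two cache settings described above, shown as an illustrative model. This is an added example, not CA code: the class, its parameters, and the sample values are hypothetical, and it assumes that Cache Value keeps the first value while Recalculate refreshes it once the interval has elapsed.

```python
import time

MAX_RECALC_SECONDS = 3600  # maximum interval stated in the procedure above


class CachedAttribute:
    """Illustrative model of one response attribute as an Agent sees it."""

    def __init__(self, name, resolver, recalc_seconds=None, agent_type="web"):
        # recalc_seconds=None models "Cache Value"; a number models
        # "Recalculate value every ... seconds".
        if recalc_seconds is not None and not 0 <= recalc_seconds <= MAX_RECALC_SECONDS:
            raise ValueError("recalculation interval must not exceed 3600 seconds")
        self.name = name
        self.resolver = resolver  # stands in for the Policy Server lookup
        self.recalc_seconds = recalc_seconds
        self.cacheable = agent_type != "radius"  # RADIUS attributes are not cached
        self._value = None
        self._fetched_at = None

    def get(self, now=None):
        now = time.monotonic() if now is None else now
        expired = (self.recalc_seconds is not None and self._fetched_at is not None
                   and now - self._fetched_at >= self.recalc_seconds)
        if not self.cacheable or self._fetched_at is None or expired:
            self._value = self.resolver()
            self._fetched_at = now
        return self.name, self._value


def demo():
    """Account number is fixed (cached); balance is recalculated every 60 s."""
    calls = {"account": 0, "balance": 0}
    balances = iter([100, 80, 55])  # constructed sample values

    def account_number():
        calls["account"] += 1
        return "ACCT-0001"  # constructed sample value

    def balance():
        calls["balance"] += 1
        return next(balances)

    acct = CachedAttribute("account_number", account_number)
    bal = CachedAttribute("balance", balance, recalc_seconds=60)
    seen = [(acct.get(now=t)[1], bal.get(now=t)[1]) for t in (0, 30, 60, 90, 120)]
    return seen, calls


if __name__ == "__main__":
    print(demo())
```

Between refreshes the Agent keeps returning the older balance, so the interval bounds how stale a value the protected application can receive.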
Edit a Response
You can edit all of the properties of a response, except the Agent Type. If you want to change the Agent Type, you must delete the response and create a new one.
Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.
Delete a Response
Deleting a response removes the response from any policies with which it is associated.
It may take a short amount of time for all deleted objects to be removed from caches.
Note: More information about modifying and deleting Policy Server objects exists in Manage Policy Server Objects.