Responses and Response Groups

sm1252sp1
Responses
A response passes static text, user attributes, DN attributes, customized active responses, or the run time values of defined variables from the Policy Server to an Agent. Responses can be used by servlets, Web applications, or other custom applications to display customized content, change server settings, or redirect users to different resources. When working with Web applications, responses can be used as privileges or entitlements for fine-grained access control.
A policy contains rules and responses which are bound to users and user groups. In a policy, responses are bound to specific rules or rule groups. When a rule fires, the associated response returns information to an Agent.
Responses take the form of name/value pairs. When a rule is triggered, the Policy Server returns the paired response to the Agent. For example, if a user attempts to access a protected Web page, but is not authorized to view the contents of the page, a response can redirect the user to an HTML page that indicates the user does not have access, and provide details for contacting a system administrator.
For Web Agents, the web server adds response attributes to HTTP header variables or HTTP cookie variables so that the responses are available to the Web resource or application named in the rule. In a RADIUS environment, the response is returned to the RADIUS client.
Response Types
A response is a container for one or more response attributes. The response attributes are what an Agent receives after the Policy Server processes a response. The available response attributes differ based on the type of response.
The following types of responses are available:
  • Web Agent responses
    Web Agent responses are name/value pairs usable by the Web Agent. These responses can contain attributes for HTTP header variables, cookie variables, and URLs for redirections.
  • RADIUS responses
    RADIUS responses are values usable by a RADIUS Agent. These responses can contain attributes for all supported RADIUS attributes.
You can create responses for custom Agents and response attributes using the APIs, which are available separately with the Software Development Kit.
Response Attributes
Each response contains one or more response attributes. These attributes differ based on the type of response. The following sections discuss the response attributes that are available for each type of response.
Web Agent Response Attributes
Web Agent response attributes are response attributes that Web Agents can interpret and pass on to other applications. The following list describes the generally available Web Agent response attributes:
  • WebAgent-HTTP-Authorization-Variable
    Reserved for future use. No behavior is defined for this attribute.
  • WebAgent-HTTP-Cookie-Variable
    Generates a Set-Cookie header, which sets a nonpersistent (session) cookie in the web browser. The cookie exists only in the cookie domain for which the agent is configured. Use in accept or reject responses. Multiple instances of this attribute are allowed per response.
  • WebAgent-HTTP-Header-Variable
    Specifies an arbitrary dynamic name/value pair for use by a web application. The agent does not send header variables back to the web browser. Instead, it adds them to the request headers that the web server passes to the application. Consequently, the header variables are not visible in the debug logs that you can enable from the Policy Server Management Console. Use in accept or reject responses. Multiple instances of this attribute are allowed per response.
  • WebAgent-OnAccept-Redirect
    Defines one of the following URLs, depending on the type of response in which it is used:
    • In an authorization response, a URL to direct the user to if the user is allowed access to a resource.
    • In an authentication response, a URL to direct the user to if the user was authenticated for a security realm.
    Whether the response acts as an authorization or an authentication response depends on the rule it is paired with: include it in a policy with a rule whose event action is OnAccessAccept (authorization) or OnAuthAccept (authentication). Use in accept responses. Only one instance of this attribute is allowed per response.
  • WebAgent-OnAccept-Text
    Specifies text that the Web Agent puts in the HTTP_ONACCEPT_TEXT environment variable when it redirects the user after a successful authorization or authentication attempt. Use in accept responses. Only one instance of this attribute is allowed per response.
    When configuring a WebAgent-OnAccept-Text response, set the FCC Compatibility Mode parameter (fcccompatmode) of the corresponding Web Agent to yes. This setting ensures that user authentication takes place at the Web Agent and that the text in the response is available for display in the browser. If the FCC Compatibility Mode parameter is set to no, user authentication takes place at the Forms Credential Collector (FCC); the response is still triggered, but the text in the response is lost.
  • WebAgent-OnAuthAccept-Session-Idle-Timeout
    Overrides the number of seconds a user session can be idle. When this limit is reached, the user is forced to authenticate again. Associate this response with a rule configured with an OnAuthAccept authentication event. Use in accept responses. Only one instance of this attribute is allowed per response.
  • WebAgent-OnAuthAccept-Session-Max-Timeout
    Overrides the total number of seconds a user session can be active. When this limit is reached, the user session is terminated and the user is forced to authenticate again. Associate this response with a rule configured with an OnAuthAccept authentication event. Use in accept responses. Only one instance of this attribute is allowed per response.
  • WebAgent-OnAuthAccept-Session-AuthContext
    Specifies an AuthContext response attribute for an authentication scheme. The value of this response attribute is added to the session ticket as the value of the SM_AUTHENTICATIONCONTEXT user attribute. The value is not returned to the client as a user response. Use in accept responses. Only one instance of this attribute is allowed per response.
    The response attribute value is truncated to 80 bytes in length.
  • WebAgent-OnAuthAccept-Session-Variable
    Stores a particular Session Variable in the session store when an administrator has decided against persisting all authentication data. Use in accept responses. Requires persistent sessions to be enabled.
  • WebAgent-OnReject-Redirect
    • In an authorization response, this response specifies a URL to direct the user to if the user is denied access to a resource.
    • In an authentication response, this response specifies a URL to direct the user to if the user has failed to authenticate for a security realm.
    Whether the response acts as an authorization or an authentication response depends on the rule it is paired with: include it in a policy with a rule whose event action is OnAccessReject (authorization) or OnAuthReject (authentication). Use in reject responses. Only one instance of this attribute is allowed per response.
  • WebAgent-OnReject-Text
    Specifies text that the Web Agent puts in the HTTP_ONREJECT_TEXT environment variable when it redirects the user after a failed authorization or authentication attempt. Use in reject responses. Only one instance of this attribute is allowed per response.
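The following model, written for this page as an added illustration (it is not CA Single Sign-On code), shows what an agent has to do with the attributes listed above: enforce the per-response rules (single-instance attributes, accept-only and reject-only attributes), turn header and cookie variables into request headers and Set-Cookie headers, honor the redirect and text attributes, apply the session timeout overrides, and truncate the AuthContext value to 80 bytes before it goes into the session ticket. Each attribute is represented as a (type, name, value) triple; the header name X-Role, the cookie name APPCTX, the AuthContext string and the URLs are constructed sample values.

```python
"""Model of how a Web Agent acts on response attributes.

Added illustration, not CA Single Sign-On code.  Attributes are (type, name,
value) triples; X-Role, APPCTX and the URLs are constructed sample values.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Attr = Tuple[str, str, str]  # (attribute type, variable name or "", value)

# Attributes the page allows only once per response.
SINGLE_INSTANCE = {
    "WebAgent-OnAccept-Redirect", "WebAgent-OnAccept-Text",
    "WebAgent-OnAuthAccept-Session-Idle-Timeout",
    "WebAgent-OnAuthAccept-Session-Max-Timeout",
    "WebAgent-OnAuthAccept-Session-AuthContext",
    "WebAgent-OnReject-Redirect", "WebAgent-OnReject-Text",
}
REJECT_ONLY = {"WebAgent-OnReject-Redirect", "WebAgent-OnReject-Text"}
ACCEPT_ONLY = (SINGLE_INSTANCE - REJECT_ONLY) | {"WebAgent-OnAuthAccept-Session-Variable"}
AUTHCONTEXT_MAX_BYTES = 80


@dataclass
class AgentEffects:
    request_headers: dict = field(default_factory=dict)  # seen by the web app, never by the browser
    set_cookie: List[str] = field(default_factory=list)  # Set-Cookie headers returned to the browser
    redirect: Optional[str] = None
    env: dict = field(default_factory=dict)              # HTTP_ONACCEPT_TEXT / HTTP_ONREJECT_TEXT
    session: dict = field(default_factory=dict)          # ticket data: timeouts, SM_AUTHENTICATIONCONTEXT


def validate(attrs: List[Attr], accept: bool) -> None:
    """Enforce the per-response rules: cardinality and accept/reject usage."""
    seen = set()
    for kind, _, _ in attrs:
        if kind in SINGLE_INSTANCE and kind in seen:
            raise ValueError(f"{kind}: only one instance allowed per response")
        seen.add(kind)
        if kind in ACCEPT_ONLY and not accept:
            raise ValueError(f"{kind}: valid only in an accept response")
        if kind in REJECT_ONLY and accept:
            raise ValueError(f"{kind}: valid only in a reject response")


def apply_response(attrs: List[Attr], accept: bool = True) -> AgentEffects:
    """Translate a validated response into the effects the agent produces."""
    validate(attrs, accept)
    fx = AgentEffects()
    for kind, name, value in attrs:
        if kind == "WebAgent-HTTP-Header-Variable":
            fx.request_headers[name] = value
        elif kind == "WebAgent-HTTP-Cookie-Variable":
            # No Expires/Max-Age: a nonpersistent cookie the browser drops on exit.
            fx.set_cookie.append(f"{name}={value}; Path=/")
        elif kind in ("WebAgent-OnAccept-Redirect", "WebAgent-OnReject-Redirect"):
            fx.redirect = value
        elif kind == "WebAgent-OnAccept-Text":
            fx.env["HTTP_ONACCEPT_TEXT"] = value
        elif kind == "WebAgent-OnReject-Text":
            fx.env["HTTP_ONREJECT_TEXT"] = value
        elif kind == "WebAgent-OnAuthAccept-Session-Idle-Timeout":
            fx.session["idle_timeout"] = int(value)
        elif kind == "WebAgent-OnAuthAccept-Session-Max-Timeout":
            fx.session["max_timeout"] = int(value)
        elif kind == "WebAgent-OnAuthAccept-Session-Variable":
            fx.session.setdefault("variables", {})[name] = value
        elif kind == "WebAgent-OnAuthAccept-Session-AuthContext":
            # Kept in the session ticket, truncated to 80 bytes, not returned to the client.
            raw = value.encode("utf-8")[:AUTHCONTEXT_MAX_BYTES]
            fx.session["SM_AUTHENTICATIONCONTEXT"] = raw.decode("utf-8", "ignore")
        elif kind == "WebAgent-HTTP-Authorization-Variable":
            pass  # reserved for future use; no behavior defined
        else:
            raise ValueError(f"unknown Web Agent response attribute {kind}")
    return fx


def session_active(now: int, created: int, last_seen: int, idle: int, maximum: int) -> bool:
    """A session survives only while both the idle and the max limit are unexpired."""
    return (now - last_seen) < idle and (now - created) < maximum


# Constructed accept response for an OnAuthAccept rule.
SAMPLE_ACCEPT: List[Attr] = [
    ("WebAgent-HTTP-Header-Variable", "X-Role", "finance"),
    ("WebAgent-HTTP-Cookie-Variable", "APPCTX", "ledger"),
    ("WebAgent-OnAccept-Redirect", "", "https://app.example.test/home"),
    ("WebAgent-OnAuthAccept-Session-Idle-Timeout", "", "900"),
    ("WebAgent-OnAuthAccept-Session-Max-Timeout", "", "7200"),
    ("WebAgent-OnAuthAccept-Session-AuthContext", "", "mfa-hardware-token;" * 10),
]

if __name__ == "__main__":
    print(apply_response(SAMPLE_ACCEPT))
    # Idle limit (900 s) is exhausted even though the max limit (7200 s) is not.
    print(session_active(now=1500, created=100, last_seen=500, idle=900, maximum=7200))
```

Two points worth keeping in mind when consuming these effects: the idle and max limits are independent, so a session ends as soon as either one is reached; and because header variables arrive in the web server's request headers rather than in anything the browser sees, an application that trusts them must be reachable only through the agent, otherwise a client could send headers of the same name itself.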
In addition to the Web Agent response attributes, Web Services Security provides the following Web Agent response attributes that are for use only with WSS Agents:
  • WebAgent-SAML-Session-Ticket-Variable
    Provides Policy Server data that the WSS Agent uses to generate a SAML assertion. The data is inserted into the HTTP header or SOAP envelope header of an XML message, or into a cookie, as specified by associated response attributes.
    When you configure a SAML Session Ticket response, the Policy Server generates the response data. This data instructs the WSS Agent how to build the assertion. The WSS Agent encrypts a session ticket (and optionally, the public key from a web service consumer) and the response data. The agent then generates the assertion. The agent delivers the assertion to the web service. The token can only be encrypted and decrypted by the WSS Agent using its Agent key.
  • WebAgent-WS-Security-Token
    Provides Policy Server data that the WSS Agent uses to generate WS-Security Username, X509v3, or SAML tokens (as specified by associated response attributes). These tokens are added to a SOAP message header.
    When you configure a WS-Security response, the Policy Server generates the response data. This data instructs the WSS Agent how to build the token. The agent then generates and adds the token to the SOAP request and delivers it to the web service.
RADIUS Agent Response Attributes
RADIUS Agent response attributes are response attributes that RADIUS Agents can interpret. All of the response attributes supported by CA Single Sign-On correspond to the attributes described in Request for Comments (RFC) 2138, which describes the attributes supported by the RADIUS protocol (RFC 2138 has since been superseded by RFC 2865, which carries the same attribute definitions forward).
Responses and Directory Mappings
Directory mappings let you specify a separate authorization user directory in an application object component or a realm. When you define a separate authorization directory, a user is authenticated against the information in one directory but authorized against the information in another.
Which directory a response reads from follows the event it is bound to. When you create a response and associate it with an authentication (OnAuth) event, any information retrieved from a user directory comes from the authentication directory. When you associate it with an authorization (OnAccess) event, the information comes from the authorization directory.
Response Groups
A response group is a collection of responses that are logically grouped so they can be applied to a single rule within a policy. All relevant responses in a response group will fire when a rule paired with the response group fires.
Response groups allow you to combine multiple responses in a single object. When you create policies, you can more easily associate multiple responses with a single rule within those policies.
Configure a Response Group
You can create a response group that applies a set of responses to one rule in a policy.
Follow these steps:
  1. Click Policies, Domain, Response Groups.
  2. Click Create Response Group.
  3. Click OK.
  4. Select a domain and click Next.
  5. Type the name and a description of the response group.
  6. Select Radius or CA Single Sign-On and an Agent Type.
    The specified Agent type must correspond to the Agent type of the responses in the group. Only responses with the specified Agent type are available for inclusion in the group.
  7. In Group Members, click Add/Remove.
    The Available Members column lists all responses that are defined in the specified domain for the specified Agent type. When the Agent type is Generic Radius, the Available Members column lists all responses that the Radius agents support.
  8. Select one or more responses from the list of Available Members, and click the right-facing arrows.
    The responses are removed from the list of Available Members and added to the list of Selected Members.
    To select more than one member at a time, hold down the Ctrl key while you click the additional members. To select a block of members, click the first member and then hold down the Shift key while you click the last member in the block.
  9. Click OK.
    The selected responses are added to the response group.
  10. Click Finish.
    The Response Group is created.
Add Responses to a Response Group
You can add responses of the same Agent type to a response group. All of the responses must exist in the same domain.
Follow these steps:
  1. Open the response group.
  2. Click Add/Remove in the Group Members group box.
    The Choose responses group box opens. The Available Members column contains responses available from the selected domain and with the specified Agent type or RADIUS vendor type.
    The Available Members column lists all of the responses supported by RADIUS agents if you specified Generic RADIUS.
  3. Move responses to the Selected Members column to include them in the group, and click OK.
    The Response Group pane opens. The selected responses appear in the Group Members group box.
  4. Click Submit.
    The response group is saved.
Modify a Response Group
You can modify all of the properties of a response group, except Agent type.
To change the Agent type, delete the response group and create a new one.
Note: More information about modifying and deleting Policy Server objects is in Manage Policy Server Objects.
Delete a Response Group
Deleting a response group only deletes the grouping, not the individual responses contained in the group.
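The rules stated in the response-group sections above (members must belong to the group's domain and Agent type, the Agent type cannot change once the group exists, every member fires when the rule bound to the group fires, and deleting the group leaves the responses in place) can be captured in a small model. This is an added illustration written for this page, not product code; the domain, group and response names are constructed sample values, and response attributes are written as (type, value) pairs with header variables as "name=value" strings for brevity. Reply-Message is a RADIUS attribute from RFC 2138 used only as a sample.

```python
"""Model of response-group rules.  Added illustration, not product code;
all names are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Response:
    name: str
    domain: str
    agent_type: str                           # e.g. "Web Agent" or "Generic Radius"
    attributes: Tuple[Tuple[str, str], ...]   # (attribute type, value) pairs


class ResponseGroup:
    def __init__(self, name: str, domain: str, agent_type: str):
        self.name, self.domain = name, domain
        self._agent_type = agent_type         # fixed at creation: change it by recreating the group
        self.members: List[Response] = []

    @property
    def agent_type(self) -> str:
        return self._agent_type

    def add(self, response: Response) -> None:
        """Mirror the Add/Remove dialog: only same-domain, same-Agent-type responses are offered."""
        if response.domain != self.domain:
            raise ValueError(f"{response.name}: not defined in domain {self.domain!r}")
        if response.agent_type != self._agent_type:
            raise ValueError(f"{response.name}: Agent type {response.agent_type!r} "
                             f"does not match the group's {self._agent_type!r}")
        if response not in self.members:
            self.members.append(response)

    def fire(self) -> List[Tuple[str, str]]:
        """All member responses fire together when the rule bound to the group fires."""
        return [attr for member in self.members for attr in member.attributes]


class PolicyStore:
    """Just enough of the object store to show what deleting a group removes."""

    def __init__(self):
        self.responses: Dict[str, Response] = {}
        self.groups: Dict[str, ResponseGroup] = {}

    def create_group(self, name: str, domain: str, agent_type: str,
                     member_names: List[str]) -> ResponseGroup:
        group = ResponseGroup(name, domain, agent_type)
        for n in member_names:
            group.add(self.responses[n])
        self.groups[name] = group
        return group

    def delete_group(self, name: str) -> List[str]:
        """Remove only the grouping; return the responses that still exist."""
        self.groups.pop(name)
        return sorted(self.responses)


def build_demo_store() -> PolicyStore:
    """Constructed sample data: three Web Agent responses (two domains) and one RADIUS response."""
    store = PolicyStore()
    for r in (
        Response("set-role", "corp", "Web Agent",
                 (("WebAgent-HTTP-Header-Variable", "X-Role=finance"),)),
        Response("home-redirect", "corp", "Web Agent",
                 (("WebAgent-OnAccept-Redirect", "https://app.example.test/home"),)),
        Response("vpn-banner", "corp", "Generic Radius",
                 (("Reply-Message", "Welcome"),)),
        Response("lab-role", "lab", "Web Agent",
                 (("WebAgent-HTTP-Header-Variable", "X-Role=tester"),)),
    ):
        store.responses[r.name] = r
    store.create_group("finance-web", "corp", "Web Agent", ["set-role", "home-redirect"])
    return store


def rejected_reason(store: PolicyStore, group: str, response: str) -> str:
    """Return the validation error for an invalid add, or '' if the add succeeds."""
    try:
        store.groups[group].add(store.responses[response])
    except ValueError as e:
        return str(e)
    return ""


if __name__ == "__main__":
    store = build_demo_store()
    print(store.groups["finance-web"].fire())                     # both members' attributes
    print(rejected_reason(store, "finance-web", "vpn-banner"))    # wrong Agent type
    print(rejected_reason(store, "finance-web", "lab-role"))      # wrong domain
    print(store.delete_group("finance-web"))                      # all four responses survive
```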