CA API Gateway - 9.3

CA Single Sign-On Context Variables

Last update February 8, 2018

This topic describes all the context variables related to CA Single Sign-On.

Common Context Variables

The "smcontext" context variable is common to all the CA Single Sign-On assertions. All three assertions can set and reference the variable, which has this syntax:

${<prefix>.smcontext}

where the "<prefix>" is specified in the assertions. This variable contains a CA Single Sign-On context object that can be queried for information using the variables in the following table:

Context Variable

Description

${<prefix>.smcontext.authschemes}

Returns an array of the authentication schemes supported by the Policy Server. The Gateway supports the following authentication schemes:
BASIC
SSL
X509CERT
X509CERTISSUEDN
X509CERTUSERDN

${<prefix>.smcontext.authschemes.length}

Returns the size of the authentication schemes array.

${<prefix>.smcontext.attributes}

Returns the CA Single Sign-On attributes that contain information from the Policy Server as a result of authentication/authorization attempts.

Attributes that are known to the agent have names similar to "ATTR_USERDN".

Attributes that are not known to the agent have names that begin with "ATTR" followed by a number returned from the Policy Server, for example: "ATTR_161".

For a list of the attributes, see CA Single Sign-On Attributes below.

${<prefix>.smcontext.attributes.length}

Returns the size of the attribute list.

${<prefix>.smcontext.attributes.<index>.name}

Returns the name of the <index> attribute.

Example: ${siteminder.smcontext.attributes.0.name}

${<prefix>.smcontext.attributes.<index>.value}

Returns the value of the <index> attribute.

Example: ${siteminder.smcontext.attributes.0.value}

${<prefix>.smcontext.attributes.<attribute_name>}

Returns the value of the specified attribute, or null if the attribute is not found.

For example, ${siteminder.smcontext.attributes.SESS_DEF_REASON} returns a reason value of the failed authentication/authorization session.

${<prefix>.smcontext.sourceIpAddress}

Returns the originating source IP address from the CA Single Sign-On context. This source IP is determined as follows:

If a source IP address was specified in the Check Protected Resource Against CA Single Sign-On Assertion, it is returned here.

If not specified, the remote IP of the request or response message is returned instead.

If the remote IP is null, then the Address value from the CA Single Sign-On Configuration Properties is returned instead (assuming the "Check IP" check box in the properties has been selected; if it has not been selected, then this variable will return NULL).

${<prefix>.smcontext.ssotoken}

Returns the third-party SSO token generated by the Policy Server. This token is used to authenticate a user and can be either returned in an HTTP response or stored in a context variable for subsequent SSO session validation.

The token is set only when authentication/authorization is successful.

${<prefix>.smcontext.transactionid}

Returns the transaction ID used by the agent to associate application activity with security activity. This ID is generated by the Check Protected Resource Against CA SSO assertion and is used by the other CA SSO assertions.

Fetch ACO Properties to the Gateway Policy for Composing SMSESSION Cookie with SSOToken

The Check Protected Resource Against CA Single Sign-On Assertion accepts an agent configuration object name. It then fetches the details from the CA SSO policy server to make it available to the Gateway policy. The policy author can then use these details to construct a proper cookie.

After successful execution of the Check Protected Resource Against CA Single Sign-on assertion, explicitly defined ACO parameters are added to the SMCONTEXT attributes list. ACO parameters are added with a common prefix ATTR_ACO_<propertyname>.

<propertyname> is the CA SSO agent configuration parameter. 

For example: If the CookieDomain property is defined, it is added to the SMCONTEXT attributes list as ATTR_ACO_CookieDomain.

For a complete list of ACO parameters, see CA SSO documentation.

After successful authentication by CA SSO assertion, the SMSESSION cookie string, ATTR_SESSION_COOKIE_STRING, is composed based on ACO parameters and made available to the Gateway policy if the cluster wide property, siteminder.session.generateCookieString, is set to 'true'.
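As an added illustration (not code from the CA documentation), the Python below resolves the ${<prefix>.smcontext...} expressions from the table above against a constructed attribute list that contains a known attribute, an agent-unknown ATTR_<number> attribute and an ATTR_ACO_<propertyname> entry, and applies the three-step rule for sourceIpAddress. The functions resolve and source_ip_address and every sample value are assumptions made for the example.

```python
import re

# Constructed sample attribute list, in the order the Policy Server returned it
# (names follow the page's conventions; values are illustrative, not real SSO data).
SAMPLE_ATTRIBUTES = [
    ("ATTR_USERDN", "uid=jdoe,ou=people,dc=example,dc=com"),
    ("ATTR_USERNAME", "jdoe"),
    ("ATTR_161", "opaque"),                     # not known to the agent: ATTR_<number>
    ("ATTR_ACO_CookieDomain", ".example.com"),  # ACO property as ATTR_ACO_<propertyname>
]
SAMPLE_AUTHSCHEMES = ["BASIC", "SSL", "X509CERT"]

_VAR = re.compile(r"^\$\{(?P<prefix>[^.}]+)\.smcontext(?:\.(?P<path>[^}]+))?\}$")


def resolve(expr, prefix="siteminder", attributes=SAMPLE_ATTRIBUTES,
            authschemes=SAMPLE_AUTHSCHEMES):
    """Resolve one ${<prefix>.smcontext...} expression against the sample context."""
    m = _VAR.match(expr)
    if not m or m.group("prefix") != prefix:
        raise ValueError(f"not a {prefix}.smcontext variable: {expr}")
    parts = m.group("path").split(".") if m.group("path") else []
    if not parts:  # bare ${<prefix>.smcontext}: the whole context object
        return {"authschemes": list(authschemes), "attributes": list(attributes)}
    if parts == ["authschemes"]:
        return list(authschemes)
    if parts == ["authschemes", "length"]:
        return len(authschemes)
    if parts == ["attributes"]:
        return list(attributes)
    if parts == ["attributes", "length"]:
        return len(attributes)
    if len(parts) == 3 and parts[0] == "attributes" and parts[1].isdigit():
        # Positional access: attributes.<index>.name / attributes.<index>.value.
        idx, field = int(parts[1]), parts[2]
        if idx >= len(attributes) or field not in ("name", "value"):
            return None  # assumption: out-of-range index or unknown field yields null
        return attributes[idx][0] if field == "name" else attributes[idx][1]
    if len(parts) == 2 and parts[0] == "attributes":
        # Access by name: the attribute's value, or null when it is not found.
        return dict(attributes).get(parts[1])
    raise ValueError(f"unsupported smcontext path: {expr}")


def source_ip_address(specified_ip, remote_ip, config_address, check_ip):
    """Apply the page's ordered rule for ${<prefix>.smcontext.sourceIpAddress}."""
    if specified_ip:   # 1. IP given in the Check Protected Resource assertion
        return specified_ip
    if remote_ip:      # 2. remote IP of the request or response message
        return remote_ip
    return config_address if check_ip else None  # 3. config Address only with "Check IP"
```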

CA Single Sign-On Attributes

The following is a list of the CA Single Sign-On attributes that can be returned by the ${<prefix>.smcontext.attributes.<attribute_name>} variable.

Attribute

Description

ATTR_USERDN

The user’s distinguished name as recognized by CA Single Sign-On.

ATTR_USERNAME

The user's display name.

ATTR_USERMSG

This is text presented to the user as a result of authentication. Some authentication schemes supply challenge text or a reason why an authentication has failed.

ATTR_USERUNIVERSALID

This is the user's universal ID. It could be the name from LDAP.

ATTR_CLIENTIP

The IP address of the machine where the user initiated a request for a protected resource.

This attribute returns a value only when the "Check IP" option is selected in the CA Single Sign-On Configuration Properties.

ATTR_DEVICENAME

The name of the agent device. When an existing CA Single Sign-On token is decoded, this attribute represents the CA API Gateway.

ATTR_IDENTITYSPEC

ID for the user identity ticket. This attribute is returned if the Web server's user-tracking feature is enabled and the Gateway receives the CA Single Sign-On token from another agent.

ATTR_SESSIONID

The CA Single Sign-On session identifier. The session identifier is returned together with ATTR_SESSIONSPEC as a result of authentication.

ATTR_SESSIONSPEC

The CA Single Sign-On session specification returned from the login call.

ATTR_LASTSESSIONTIME

The time that the Policy Server was last accessed within the session.

ATTR_STARTSESSIONTIME

The time the session started after a successful login.

ATTR_IDLESESSIONTIMEOUT

Maximum idle time for a session. This attribute is currently available as ATTR_225.

ATTR_MAXSESSIONTIMEOUT

Maximum time a session can be active.

ATTR_STATUS_MESSAGE

Status of the authentication/authorization failure.

ATTR_AUTH_DIR_NAME

The name specification of the directory where the user has been authenticated.

ATTR_AUTH_DIR_NAMESPACE

The namespace specification of the directory where the user has been authenticated.

ATTR_AUTH_DIR_OID

The object ID of the directory where the user has been authenticated.

ATTR_AUTH_DIR_SERVER

The server specification of the directory where the user has been authenticated.

<WebAgent-HTTP-Header-Variable-Name>

The value returned for a configured WebAgent-HTTP-Header-Variable (defined under the "Rules" section in the Policy Server).

ATTR_ACO_*

The ACO parameters that are added to the SMCONTEXT attributes list after successful execution of the Check Protected Resource Against CA Single Sign-on assertion.

ATTR_SESSION_COOKIE_STRING

The SMSESSION cookie string, composed of ACO details and made available to the Gateway policy.

Authenticate with CA Single Sign-On R12 Assertion

The following context variables can be set when the Authenticate Against CA Single Sign-On Assertion is used.

Note: The "siteminder.ATTR.*" variables in the following table are valid variables that may or may not return data, depending on the configuration of the CA Single Sign-On server. Please consult with your CA Single Sign-On administrator to verify which attributes are available.

Context Variable

Description

siteminder.smsession

Returns the CA Single Sign-On Token for the authorization. This variable is set after the assertion authenticates and authorizes the credentials provided.

siteminder.ATTR_USERDN

Returns the distinguished name for the user, decoded from the CA Single Sign-On Token.

siteminder.ATTR_SESSIONSPEC

Returns the session specification returned from the login call, decoded from the CA Single Sign-On Token.

siteminder.ATTR_SESSIONID

Returns the session ID returned from the login call, decoded from the CA Single Sign-On Token.

siteminder.ATTR_USERNAME

Returns the user's name, decoded from the CA Single Sign-On Token.

siteminder.ATTR_CLIENTIP

Returns the IP address of the machine where the user initiated a request for a protected resource, decoded from the CA Single Sign-On Token.

siteminder.ATTR_DEVICENAME

Returns the name of the agent that is decoding the token, decoded from the CA Single Sign-On Token.

siteminder.ATTR_IDLESESSIONTIMEOUT

Returns the maximum idle time for a session, decoded from the CA Single Sign-On Token.

siteminder.ATTR_MAXSESSIONTIMEOUT

Returns the maximum time a session can be active, decoded from the CA Single Sign-On Token.

siteminder.ATTR_STARTSESSIONTIME

Returns the time the session started after a successful login, decoded from the CA Single Sign-On Token.

siteminder.ATTR_LASTSESSIONTIME

Returns the time that the Policy Server was last accessed within the session, decoded from the CA Single Sign-On Token.

siteminder.response.attribute.headerVar.<variable_name>

Returns the HTTP header attributes from the authorization response, converted to context variables.

siteminder.response.attribute.headerVar.siteminder.SESS_DEF_REASON

Returns the reason for an authentication or authorization failure (if failure occurred).
