Symantec Access Management


capture active response result in a CA SSO domain variable

  • 1.  capture active response result in a CA SSO domain variable

    Posted May 14, 2018 07:47 AM

    Hi Experts,

     

    I have an active expression that does some business logic and returns "yes" or "no".

     

    Now, in order to meet my requirement, I need to store the above active response result in a CA SSO domain variable, then use the variable in the Expressions tab of the policy to allow or deny users.

     

    In order to achieve that, I would like to know whether we can capture the active response result in a CA SSO domain variable?

     

    Any other suggestions to achieve this?

     

    Thanks,

    Shivam



  • 2.  Re: capture active response result in a CA SSO domain variable

    Posted May 14, 2018 09:52 PM

    Hi Shivam,

     

    It doesn't look like you can save the output of an active response directly into a variable.

     

    But you should be able to do this:

     

    1. Save the output of an active response into the session store during the OnAuthAccept event (your realm needs to be persistent):

    Tech Tip – How to save custom data into session store during authentication and access later during authorization 

    2. Set the variable by reading the data from the session store.

     

     

    Regards,

    Ujwol



  • 3.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 06:32 AM

    Thanks Ujwol for your response.

    I tried to implement the solution you suggested, but MySessionVar is not being set by the OnAuthAccept rule. In your blog, it's mentioned that "Data couldn't be saved into a session store during the authentication process (say inside a custom authentication class) because at this stage even if the Session ID is created for the user session an entry is not created in the session store."

     

    This could be the reason that MySessionVar is not being set at OnAuthAccept, as the session entry is not created in the session store at that point.

     

    I am trying to figure out why we should create a custom authentication class to achieve this. Could you please help us set the variable in the session store at the time of authentication?

     

    Thanks,

    Shivam



  • 4.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:01 AM

    Hi Shivam,

     

    "OnAuthAccept" is triggered after successful authentication, so if your realm is persistent, the entry should already be created in the session store by this time.

     

    For your use case, you do NOT need a custom authentication class; you can skip that.

     

    All you have to do is this:

     

    1. Change the realm to persistent.

    2. Protect the realm with any auth scheme (OOTB form or basic will do).

    3. Create an OnAuthAccept rule, and link a response of type "WebAgent-OnAuthAccept-Session-Variable" which would set the result returned by your Active Response (refer to my KB).

    4. Create a variable and configure it to read the session variable (as per the screenshot above).

    5. Use the variable in the Policy --> Expression.

     

    The variables are not evaluated until they are used (during AZ), so there should be no problem accessing the session variable.

     

    Let me know if you have any questions.

     

    Regards,

    Ujwol Shrestha



  • 5.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:06 AM

    Hi Ujwol,

     

    I tried exactly the steps you mentioned above, but I am unable to fetch the value when I try to read it in a variable as per your KB.

     

    I am getting the below error in the logs.

     

    er function CSmAuthUser::GetPropIndex]
    [05/15/2018][04:05:04.600][04:05:04][6932][10396][SmAuthUser.cpp:2280][GetPropIndex][][][][][][][][][][][][][][][][][][][][][Processing Attribute [Property = SM_SESSIONCTXVAR:MySessionVar] [Trim Property = SM_SESSIONCTXVAR:MySessionVar] [Separator = ^]]
    [05/15/2018][04:05:04.600][04:05:04][6932][10396][LdapStore.cpp:376][Lock_LdapHandle][][][][][][][][][][][][][][][][][][][][][Lock LDAP handle. slot=0 ld=0x<NAN>]
    [05/15/2018][04:05:04.600][04:05:04][6932][10396][LdapStore.cpp:1511][SearchObject][][][][][][][][][][][][][][][][][][][][][Searching for objects in container smSessionId=4eBejjkS83fSzlgQPPpkhx/tp5s\=,ou=Sessionstore_Dev,o=one.or.gov, (filter:"(&(objectClass=smSessionVariable)(smVariableName=MySessionVar))")]
    [05/15/2018][04:05:04.600][04:05:04][6932][10396][IsAuthorized.cpp:65][g_ServerTrace][][][][][][][][][][][][][][][][][][][][Provider::GetVariable() failed. Error code : 2][CSmSessionServer::GetVariable(): Provider::GetVariable() failed. Error code : 2]
    [05/15/2018][04:05:04.600][04:05:04][6932][10396][IsAuthorized.cpp:65][g_ServerTrace][][][][][][][][][][][][][][][][][][][][SmSessionVariableProvider::GetSessionVariable() - GetVariable Failed for : MySessionVar
    ][GetSessionVariable: SmSessionVariableProvider::GetSessionVariable() - GetVariable Failed for : MySessionVar
    ]

     

    Is it due to the challenge that is mentioned in your KB?

     

    Thanks,

    Shivam



  • 6.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:08 AM

    Can you check in your session store if "MySessionVar" is set?



  • 7.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:27 AM

    I do not see MySessionVar being set in the session store. 

     

    I am setting the variable as in the snapshot below on OnAuthAccept.



  • 8.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:28 AM



  • 9.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:30 AM
    Have you checked if that ActiveResponse is returning a result?

    Also, did you link the OnAuthAccept rule with this response?




  • 10.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:39 AM

    Yes, it's returning yes as a response.

     

    Sent from my iPhone



  • 11.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:51 AM

    Also, we have linked the OnAuthAccept rule to the response.

     

    The persistent session is also enabled. I am not sure what I am missing.



  • 12.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 02:56 PM

    Hi Ujwol,

    Am I missing something here?

     

    Thank you.

    Shivam



  • 13.  Re: capture active response result in a CA SSO domain variable

    Posted May 15, 2018 07:27 PM

    Hi Shivam,

     

    This now needs a review of the logs. Please open a support ticket and upload the PS trace logs and all the screenshots.

     

    Let me also test this at my end, I will get back to you later today.

     

    Regards,

    Ujwol



  • 14.  Re: capture active response result in a CA SSO domain variable
    Best Answer

    Posted May 15, 2018 09:54 PM

    I just tested and it's working fine for me. A few screenshots of my config and log:

     

     

    [05/16/2018][11:46:19.362][11:46:19][4132][3068][SmJavaAPI.cpp:1244][JavaActiveExpression][][][][][][][][][][][][][true][][][][][][][][Active Expression evaluated for SmJavaAPI: JavaActiveExpression successfully invoked.  Parameter and result follow:][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][][com.netegrity.scriptevaluation.scriptactiveexpression.ActiveScript (MyVar=="YES")][][][][][][][]
    ...
    ..
    [05/16/2018][11:46:19.373][11:46:19][4132][3068][Sm_Az_Message.cpp:828][CSm_Az_Message::FormatAttribute][s3/r15][agent-iis01][][shruj01][][setsessionvar][IIS01][][][][][][][][][][][][][<RVARS><Var name="MyVar" rtype="3"><![CDATA[YES]]></Var></RVARS>][Send response attribute 147, data size is 64][][][][][][][][][][][][N0+CMnJobuZTmF22/lHe5mJjSbV4NAJZh4RxrkAadMw8Qvp6jFzRomlHpKiDxqNJ6CPAjqG5Xe9AOXA2BWhszLQBdoSnkkSTh5B+pjF7eLCB6dyXw4ImQcoKM6C5S9Oam6fXCZ8ZACshFoNaED2/AsDxxiKcpH1IIgcqF7+RJ2Baa8DRuU0L4I6LWUOmTQfH1pcHZcpt4vvk0BaJ9QmzfAe6ZS19haj+sdeje0HPxBMdbPQjaXg9KzwIUwiRvEAUivD1fSPolX/IxBr5lo2jCD6nMHDO5qrzbQ4cGg8tPnrzdACJ3tLok6ZadqJM70Lp8VhTxCEu9tmY0jbmBfLDPMSiJRHaTDgxq7y/R246bg4EUyIsx/DlTHF+BWzUxZNKAqAClpylZJefwjTl1RgQB1NHlAntPFAjaAaDMr6ZbiyyWTRLLwNuaQ==][][][CN=Ujwol Shrestha,CN=Users,DC=sso,DC=lab][][][][][][][][][][][][][AuthorizeEx][3c 52 56 41 52 53 3e 3c 56 61 72 20 6e 61 6d 65 3d 22 4d 79 56 61 72 22 20 72 74 79 70 65 3d 22 33 22 3e 3c 21 5b 43 44 41 54 41 5b 59 45 53 5d 5d 3e 3c 2f 56 61 72 3e 3c 2f 52 56 41 52 53 3e ][][][][][][][][][]
    [05/16/2018][11:46:19.374][11:46:19][4132][3068][Sm_Az_Message.cpp:598][CSm_Az_Message::SendReply][s3/r15][agent-iis01][][shruj01][][setsessionvar][IIS01][][][][][][][][][][][][][][** Status: Authorized. ][][][][][][][][][][][][N0+CMnJobuZTmF22/lHe5mJjSbV4NAJZh4RxrkAadMw8Qvp6jFzRomlHpKiDxqNJ6CPAjqG5Xe9AOXA2BWhszLQBdoSnkkSTh5B+pjF7eLCB6dyXw4ImQcoKM6C5S9Oam6fXCZ8ZACshFoNaED2/AsDxxiKcpH1IIgcqF7+RJ2Baa8DRuU0L4I6LWUOmTQfH1pcHZcpt4vvk0BaJ9QmzfAe6ZS19haj+sdeje0HPxBMdbPQjaXg9KzwIUwiRvEAUivD1fSPolX/IxBr5lo2jCD6nMHDO5qrzbQ4cGg8tPnrzdACJ3tLok6ZadqJM70Lp8VhTxCEu9tmY0jbmBfLDPMSiJRHaTDgxq7y/R246bg4EUyIsx/DlTHF+BWzUxZNKAqAClpylZJefwjTl1RgQB1NHlAntPFAjaAaDMr6ZbiyyWTRLLwNuaQ==][][][CN=Ujwol Shrestha,CN=Users,DC=sso,DC=lab][][][][][][][][][][][][][][][][][][][][][][][]

     

     

     

     

    Session Store:

     

     

    My Active Response: in this I am just returning "YES"

     

    // Imports and the class wrapper are added here so the sample compiles as a
    // SiteMinder Java SDK active expression; the original post showed only invoke().
    import com.netegrity.policyserver.smapi.APIContext;
    import com.netegrity.policyserver.smapi.ActiveExpression;
    import com.netegrity.policyserver.smapi.ActiveExpressionContext;
    import com.netegrity.policyserver.smapi.UserContext;

    public class ActiveResponseSample implements ActiveExpression {

        // Nothing to set up or tear down for this sample.
        public void init(APIContext context) throws Exception { }

        public void release(APIContext context) throws Exception { }

        public String invoke(ActiveExpressionContext context, String param)
                throws Exception {
            if (context == null) {
                // should never happen
                throw new IllegalArgumentException("ActiveResponseSample invoked without context");
            }
            // the User Context is required to use methods like getProp, setProp, ...
            UserContext theUserContext = context.getUserContext();
            if (theUserContext == null) {
                context.setErrorText("No User Context.");
                return null;
            }
            // This sample always answers "YES"; real business logic would go here.
            return "YES";
        }
    }

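As an added example (not code from this thread or from CA/Broadcom), here is a small Python script that reads policy-server trace lines like the ones quoted in posts 5 and 14 and reports two things a reader debugging this setup wants to know: session-store lookups that failed (the "GetVariable Failed for" lines, with the preceding error code) and FormatAttribute lines that actually carried an <RVARS> session-variable payload, cross-checking the hex dump and the declared data size against the XML. The sample trace lines are constructed from the excerpts above with most bracket fields shortened; the regular expressions assume only the trace format visible in those excerpts.

```python
"""Check CA SSO policy-server trace lines for session-variable handling.

Two facts from the thread can be read straight out of the PS trace:
  1. A FormatAttribute line carries the response payload (an <RVARS> XML
     document), a hex dump of the same bytes and a declared data size, so
     we can confirm the session variable really left the policy server.
  2. A "GetVariable Failed for" line shows the variable was not found in
     the session store at authorization time.
"""
import re
import xml.etree.ElementTree as ET

RVARS_RE = re.compile(r"<RVARS>.*?</RVARS>")
SIZE_RE = re.compile(r"data size is (\d+)")
# A bracket field holding at least four space-separated lowercase hex bytes.
HEX_RE = re.compile(r"\[((?:[0-9a-f]{2} ){3,}[0-9a-f]{2}) ?\]")
GETVAR_FAIL_RE = re.compile(r"GetVariable Failed for : (\w+)")
ERRCODE_RE = re.compile(r"Provider::GetVariable\(\) failed\. Error code : (\d+)")

# Constructed sample modelled on the trace excerpts in posts 5 and 14.
# Session specs and most bracket fields are shortened or dropped; the message
# text, the <RVARS> payload and the hex dump are as quoted on the page.
_RVARS_XML = '<RVARS><Var name="MyVar" rtype="3"><![CDATA[YES]]></Var></RVARS>'
_PAGE_HEX = (
    "3c 52 56 41 52 53 3e 3c 56 61 72 20 6e 61 6d 65 3d 22 4d 79 56 61 72 22 20 "
    "72 74 79 70 65 3d 22 33 22 3e 3c 21 5b 43 44 41 54 41 5b 59 45 53 5d 5d 3e "
    "3c 2f 56 61 72 3e 3c 2f 52 56 41 52 53 3e "
)
SAMPLE_TRACE = [
    "[05/15/2018][04:05:04.600][04:05:04][6932][10396][IsAuthorized.cpp:65][g_ServerTrace]"
    "[][][Provider::GetVariable() failed. Error code : 2]"
    "[CSmSessionServer::GetVariable(): Provider::GetVariable() failed. Error code : 2]",
    "[05/15/2018][04:05:04.600][04:05:04][6932][10396][IsAuthorized.cpp:65][g_ServerTrace]"
    "[][][SmSessionVariableProvider::GetSessionVariable() - GetVariable Failed for : MySessionVar]",
    "[05/16/2018][11:46:19.373][11:46:19][4132][3068][Sm_Az_Message.cpp:828]"
    "[CSm_Az_Message::FormatAttribute][s3/r15][agent-iis01][][shruj01][][setsessionvar][IIS01]"
    f"[{_RVARS_XML}][Send response attribute 147, data size is 64]"
    "[CN=Ujwol Shrestha,CN=Users,DC=sso,DC=lab][AuthorizeEx]"
    f"[{_PAGE_HEX}]",
]


def parse_response_attribute(line):
    """Extract the session variable carried by a FormatAttribute trace line.

    Returns None when the line has no <RVARS> payload. Otherwise returns the
    variable name, rtype and value, the declared size, and two consistency
    flags: whether the hex dump decodes to the XML and whether the declared
    size equals the XML length.
    """
    m = RVARS_RE.search(line)
    if m is None:
        return None
    xml_text = m.group(0)
    var = ET.fromstring(xml_text).find("Var")   # CDATA content becomes .text
    declared = SIZE_RE.search(line)
    hexdump = HEX_RE.search(line)
    decoded = bytes.fromhex(hexdump.group(1)).decode("ascii") if hexdump else None
    declared_size = int(declared.group(1)) if declared else None
    return {
        "name": var.get("name"),
        "rtype": var.get("rtype"),
        "value": var.text,
        "declared_size": declared_size,
        "hex_matches_xml": decoded == xml_text,
        "size_matches": declared_size == len(xml_text),
    }


def find_session_variable_failures(lines):
    """Return (variable, error_code) for every failed session-store lookup.

    The error-code line precedes the "GetVariable Failed for" line in the
    trace, so the most recent code is attached to the next failure seen.
    """
    failures, pending_code = [], None
    for line in lines:
        code = ERRCODE_RE.search(line)
        if code:
            pending_code = int(code.group(1))
        fail = GETVAR_FAIL_RE.search(line)
        if fail:
            failures.append((fail.group(1), pending_code))
            pending_code = None
    return failures


def analyze_trace(lines):
    """Summarise what the trace says about session-variable handling."""
    sent = [r for r in (parse_response_attribute(l) for l in lines) if r]
    return {"session_variables_sent": sent,
            "lookup_failures": find_session_variable_failures(lines)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze_trace(SAMPLE_TRACE), indent=2))
```

Run against a real trace, an empty "session_variables_sent" list alongside a "lookup_failures" entry is the signature of the situation in posts 5 to 12: the variable is being read at authorization but was never written by the OnAuthAccept response, so the next place to look is whether the rule is linked and the active expression returned a value.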



  • 15.  Re: capture active response result in a CA SSO domain variable

    Posted May 16, 2018 07:15 AM

    Hi Ujwol,

     

    I have a question on the solution you suggested.

     

    As per the solution, we are triggering a response that calls an active expression and sets the session variable with the active expression result.

     

    Now, if I access a resource - /xyz >> active expression is triggered >> session variable is set to, let's say, "yes"

     

    At this point, the user is authenticated and authorized.

     

    Now, in a new tab, I access /pqr >> Will OnAuthAccept trigger again (as the user is already authenticated)? If OnAuthAccept doesn't trigger, we will get stuck in implementing the solution.

     

    Thanks,

    Shivam



  • 16.  Re: capture active response result in a CA SSO domain variable

    Posted May 16, 2018 07:35 AM

    No. OnAuthAccept triggers only during authentication.

     

    Sent from my iPhone



  • 17.  Re: capture active response result in a CA SSO domain variable

    Posted May 16, 2018 07:38 AM

    OnAuthAccept won't be triggered again and again, and neither will the response attached to it, if the user is already authenticated and is accessing different resources directly in the same session.

     

    Am I right?



  • 18.  Re: capture active response result in a CA SSO domain variable

    Posted May 16, 2018 07:43 AM

    Correct.



  • 19.  Re: capture active response result in a CA SSO domain variable

    Posted May 17, 2018 05:42 AM

    Thanks Ujwol.

    Do you have any other solution in mind?

     

    I see an active policy expression in the CA SSO policy advanced section. When is that active expression triggered? I am unable to find in the CA documentation how it works. All I can see is how we can configure it and low-level details.

     

    Thanks again,

    Shivam