Symantec Access Management

  • 1.  Using java to check a password?

    Posted May 19, 2015 03:37 PM

    Hi,

     

    Currently my user store is in an MS SQL database.  Siteminder uses ODBC to connect to it.  A custom stored procedure is called to authenticate the user (i.e., check the password).

     

    We are having to change how we store passwords in MS SQL.  We are switching to pbkdf2 for our hashing.  The pbkdf2 hashed password will be stored in MS SQL.  There is no built-in way in TSQL to use pbkdf2, so our current method of using an SP to validate the password will no longer work.

     

    Is it possible to write a Java extension to be used in Siteminder that will hash the user password and check it against the hashed password in MS SQL?  Nothing in the documentation is jumping out at me.

     

    thanks

    chad



  • 2.  Re: Using java to check a password?

    Posted May 20, 2015 07:51 PM

    Can be easily done using a custom authentication scheme.

    Sample code below:

     

    public SmAuthenticationResult
        authenticate(String parameter,
                    String secret,
                    int challengeReason,
                    SmAuthenticationContext context)
        {
    ..
    ...
            // Read the password the user submitted.
            UserCredentialsContext theUserCredentialsContext = context.getUserCredentialsContext();
            String thePassword = theUserCredentialsContext.getPassword();
            String theHashPassword = pbkdf2Hash(thePassword); // custom implementation of pbkdf2 hashing

            // Hand the hash to the user directory to check against the stored value.
            authUserText = context.getUserContext().authenticateUser(theHashPassword);
        }



  • 3.  Re: Using java to check a password?

    Posted May 21, 2015 06:26 PM

    I couldn't get the stored procedure to work for MS SQL. I was able to with Oracle, however.  What I did for our MS SQL user directory was use a stored scalar function. This made it transparent to Siteminder for the most part because it can be called in a standard select statement, similar to the way it's done with plain text.  It took a little bit of work to get all the kinks worked out, and our scalar functions are for encryption and decryption because they wanted it that way instead of a hash.  A function to return a hash to Siteminder should be a simple task to write.