Symantec Access Management

Hello All,

Can anyone help me to understand how to achieve SSO using Web Services Authentication. 

I have following queries. 

1. How to achieve SSO using pure WebServices Authentication? i.e. SPS Java Agent. 

For an example, as part of successful REST login event, Siteminder returns Login Response which contains SessionToken. Having this, how do we achieve SSO between multiple applications which uses only REST authentication.

2. How to achieve SSO between standard web agent and web services sps java agent? 

For an example, I have a normal web agent based application and I wanted to achieve SSO with an application uses REST authentication. Applicable reverse vise scenario like SSO between Rest auth with standard web agent. 

Thanks,

Veera

Hi Veera,

Just like any normal agent, the Auth/AZ web service authentication call also returns SMSESSION cookie.

To be able to SSO with other SPS Java agent or normal agent, you will need to just send this SMSESSION cookie in the request header.

Regards,

Ujwol 

Thanks Ujwal. From the below login Success response, <sessionToken> part contains session info. I believe it represent SMSESSION.. Is this correct? 

Just to be clear: On the SSO part, for an example, application 1 uses REST authentication and SMSESSION send in xml response as part of login success. If an application app1 wants to SSO with another application app2, it can use the SMSESSION in request header. Here, how will application maintain the logged in user session? for an example normal web agent sets the cookie in browser, in web services authentication it is all about xml response and application has to capture the cookie and store it somewhere. Can you help me to understand this better? like where the cookie can be stored and how is it re-used to achieve SSO calls? 

Similarly, app3 which is normal webagent and it need SSO with REST web services based application app1 & app2. In this scenario, if user has a valid smsession generated by the normal web agent, it needs to be passed in header request to achieve the SSO with web services application. 

Is this correct?

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<loginResponse>
  <message>Authentication Successful</message>
  <resultCode>LOGIN_SUCCESS</resultCode>
  <sessionToken>jz/8Lvg6ifFZ3DLVD+dLUfy4XoAbS6ds8V/IqtZgccLOn3jHYVbCDcgj3jqiIvwxu7MgeJax7z5/zFlxekXgJC2Ax6zVI3WGapKtbRDaYyptoN4L7N6TqQ7CVJj0d2ofxwdUSox/u/PHNoFpQ2+hYbS8RlkDJ3ffGdYcEWs4CiFFl7Re0HpIIRSgScaaOs/GDdShHvYJ9LYW9StG5HRrgNVixcWo0fIabaYxTS/4RoUF/JLwtDovZVBkbqWGLIxPRHZLZGpY94PyTx70qeQ5N7YeoloIiB6qolASFcQs89ntiv8/e8fULLZQBeRyUZOUH7XN9gls9eIlmOFN/JynleJQLrV0JEqtdCJSkaDk2R84K7tLtOIS+fJwQmqDJrMw9ibTOdGY++mWsfaiOT3ieAL16NA1Ob4uBogEyt3cwDYhXa4oWI0KvyNkLCpbwH3bMC4YB5GAQi70brUVaaJ2rJQ/KMmY0T0ReXWc+SXWzn+rWwZm5vkkAFHK3xHtGcrd+0sIBFV46E7b8m0fV9sIidS09qTe8Dy5Z/IfcjHznegqtctZtScjzXjT1HUiuKIvfYyoXydn76qxoSINkipfhBI4bEENJ5Z29UabYGxHHhXTqqA3soSh+SfeGQ3gMQQ+ZHnKPH4CidrHEDOCkDbbguZEYHt7hKw7N4CEsebrscIWy5K+9MpWDMbreyDOM9MzsnTQc2/E2HaPC73WWN/jfSxlamRksy6FNscyidEUePQrQdfqXp9/PBrP3uTZJONLFi+FwoU55xCS89dp96UrNtScuaOCUExsCQ31QOyU3r4Nkk4patj7UgSl8OwINzX+LQav1jf8OLXnh/gYb5pcoyihL52ZXyWY8SFVwqyTkRsAoSE6z6JgUPrQals6k40EctW7i1YPxr2voe5RHGvqEDRBRSA81dl2USOMYpDZjFNLclh4Od5+8T4fHb1QwBnJ2eOLhpIiKroBNLCXe9CZpzWoUtBgLUYs+GQRlZrq+TMN310Aw2geXMbGu47PqAZDG+yET/y590/NDzFnqwgE7IAtrU63es7f8dm6mFJAskGYx+PkvvRmMXht5d6158YjpFIkQ0hRL+Yh+BtaDkjTF2+enEyUVGI6xdGCTIHvEOKr19UcPQUp74yyTHEfyvAOzzxHo1zswovgdXwS1SP8DYKL/6JNnr7w</sessionToken>
  <authenticationResponses>
    <response>
      <name>SM_UNIVERSALID</name>
      <value>abc123</value>
    </response>
    <response>
      <name>SMSSOZONE</name>
      <value>SM</value>
    </response>
    <response>
      <name>SM_AUTHTYPE</name>
      <value>Basic</value>
    </response>
    <response>
      <name>SM_REALM</name>
      <value>AuthTest</value>
    </response>
    <response>
      <name>SM_REALMOID</name>
      <value>06-52c04608-884e-10f2-a24a-843bdb4e0000</value>
    </response>
    <response>
      <name>SM_AUTHREASON</name>
      <value>0</value>
    </response>
    <response>
      <name>SM_TRANSACTIONID</name>
      <value>0000000000000000000000000a235b0e-5f29-58770139-0fb0-088063a9</value>
    </response>
  </authenticationResponses>
</loginResponse>

Hi Veera,

Your understanding is correct.

The "sessionToken" returned from Auth/AZ web service call is nothing but SMSESSION cookie.

So, if you are going to do SSO with another SPS Auth/AZ java agent, you will basically need to send this token instead of username and password.

Similarly, if you are going to do SSO with another normal web agent, you will need to create an SMSESSION cookie with this sessionToken value and send this along with your request.

Here is how I tested this to verify :

1. First using SPS Auth/AZ web service and using username and password create the sessionToken

2. Next, for any consequent request, you can send this token and perform SSO instead of sending username and password again :

3. Next, to test the SSO with the normal web agent, in chrome browser using "EditThisCookie" plugin I manually created SMSESSION cookie using the sessionToken value returned from SPS Auth/AZ authentication call :

4. Then, in the same browser session , I was able to access the protected resource without any challenge. This confirms I was able to perform SSO to the normal web agent protected resource using the sessionToken generated by SPS Auth/AZ web service :

Hope this clarifies your question.

Cheers,

Ujwol Shrestha

Ujwol's Single Sign-On Blog 

Thanks Ujwol .. It helps a lot...