Symantec Access Management

  • 1.  How is an authorization decision made by a CA SSO policy?

    Posted Jun 28, 2018 03:10 AM

    Hi all,

    I am looking for a deeper understanding of how authorization decisions are made in a CA SSO policy.

    1. I have a policy in CA SSO that has been configured to provide access to a page (/test.html) when the user has Role X or Role Y.

    2. The user has both Role X and Role Y.

    Query 1: Which role will SiteMinder take into account to authorize the user? Is it based on order? How can I consistently maintain the order, as the order changes on its own if we modify any role?

    Query 2: How can we figure out which role has been taken into account to authorize the user? (Any custom logic or Java code to figure out this part?)

    Thanks,

    Shivam



  • 2.  Re: How is an authorization decision made by a CA SSO policy?

    Posted Jun 28, 2018 10:50 AM

    Hi Shivam,

    Refer:

    How to Configure Access Roles - CA Identity Manager - 12.6.5 - CA Technologies Documentation

    When CA SSO® authorizes a role member for a protected resource, the following events take place:

    1. The rule of a policy executes in CA SSO®, triggering the paired response.
    2. The Policy Server obtains entitlement information from CA Identity Manager to include in a response.
    3. The Policy Server passes the response attribute to the Web Agent.
    4. The Web Agent makes the entitlement information available to the application as an HTTP header variable or a cookie.

    Regards,

    Leo Joseph.



  • 3.  Re: How is an authorization decision made by a CA SSO policy?

    Posted Oct 16, 2018 07:18 AM

    Hi Shivam,

    PFB my response (based on my understanding).

    Query 1: Which role will SiteMinder take into account to authorize the user? Is it based on order? How can I consistently maintain the order, as the order changes on its own if we modify any role?

    As per my understanding, it depends on the order in which the Roles (in this case, Role X and Role Y) have been added.

    Note: Here, order does not represent the sequence displayed on the WAMUI (as we can sort it either ascending or descending). It denotes which Role was added first.

    From my tests, I found that the most recently added Role/Group is checked first. So, per my understanding, it follows a stack approach (Last In, First Out).

    Query 2: How can we figure out which role has been taken into account to authorize the user? (Any custom logic or Java code to figure out this part?)

    I am not sure if there is any custom logic (or) Java code, but you can easily find which role has been used from the Policy Server profiler logs.

    For instance:

    Consider the following simple example.

    Az groups are added in the following order: Group1, Group2 and Group3
    User1 is a member of Group1 and Group2

    Policy Server Profiler Logs:
    [10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group3,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
    [10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group2,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 1 entries][][Ldap SearchCount callout succeeds.]

     

    Result:
    Group3 is checked first as it is the last added group.

    User1 is authorized using Group2.

    Thanks.

    Regards,

    Dhilip
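One way to read the evaluation order and the authorizing group out of such profiler lines, as an added example that is not part of Dhilip's reply or of CA's own tooling; it assumes the SearchCount entries keep the format quoted above and that the first lookup returning at least one entry is the group the Policy Server authorized on, as the post describes:

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, modelled on the two profiler entries quoted in the post above
# (same field layout and DNs); it was not captured from a live Policy Server.
SAMPLE_LOG = """\
[10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group3,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group2,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 1 entries][][Ldap SearchCount callout succeeds.]
"""

# Matches the payload field of a CSmDsLdapProvider::SearchCount entry.
SEARCHCOUNT_RE = re.compile(
    r"\(SearchCount\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>[^']*)'\. "
    r"Status: (?P<count>\d+) entries"
)

def _first_rdn_value(dn: str) -> str:
    """'cn=Group3,ou=Groups,...' -> 'Group3'; falls back to the whole DN."""
    m = re.match(r"[^=,]+=([^,]+)", dn)
    return m.group(1) if m else dn

def parse_search_counts(log_text: str) -> List[Tuple[str, str, int]]:
    """One (group, member, entries) tuple per SearchCount line, in log order.

    The order is the order in which the Policy Server tested group membership."""
    results = []
    for line in log_text.splitlines():
        m = SEARCHCOUNT_RE.search(line)
        if not m:
            continue  # other callouts, blank lines, etc.
        group = _first_rdn_value(m.group("base"))
        # The filter looks like member=cn=User1,... ; keep the DN after the first '='.
        member_dn = m.group("filter").split("=", 1)[-1]
        results.append((group, _first_rdn_value(member_dn), int(m.group("count"))))
    return results

def evaluation_order(log_text: str) -> List[str]:
    """Groups in the order the profiler shows them being checked."""
    return [group for group, _, _ in parse_search_counts(log_text)]

def authorizing_group(log_text: str) -> Optional[str]:
    """First group whose membership lookup returned at least one entry,
    i.e. the one the user was authorized with; None if no lookup matched."""
    for group, _, count in parse_search_counts(log_text):
        if count > 0:
            return group
    return None

if __name__ == "__main__":
    print("checked in order:", evaluation_order(SAMPLE_LOG))
    print("authorized via:", authorizing_group(SAMPLE_LOG))
```

Run it against a real profiler file by passing its contents instead of SAMPLE_LOG; a None result means no group lookup matched, which is worth checking before assuming a rule or response misfired.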