Using SiteMinder SDK for User Authentication Attempts

Discussion created by masvi10 Employee on Jul 31, 2012
Latest reply on Jul 31, 2012 by Chris_Hackett

Tuesday Tip by Vijay Masurkar, Principal Support Engineer, for 7-31-12

Here are a couple of example questions that have come up on this topic: How can I access the number of invalid user authentication attempts? Is that accessible through the SiteMinder API?

The CA SiteMinder Software Development Kit (SDK) includes a set of documented application programming interfaces (APIs) that let you integrate and extend the capabilities of SiteMinder within your specific environment. The SiteMinder Event API (C API) lets you create custom event handlers. Through the Event API, SiteMinder can log events using outside sources, providers, or applications. You can then access the logged information through these other sources, providers, or applications.

Each event handler is an instance of a shared library that supports the Event API provider interface. To support custom event handlers, you must build a shared library.

Install the shared library in one of the following locations:

■ On UNIX platforms, in the SiteMinder lib directory
■ On Windows platforms, in the SiteMinder bin directory

The shared library must export the following entry points:

■ SmEventInit(): Called by the Policy Server so that an event handler can perform its own initialization procedure.

■ SmEventRecord(): Called by the Policy Server when an event has been signalled.

■ SmEventRelease(): Called by the Policy Server so that an event handler can perform its own rundown procedure.

To build an event handler, include the SmEventApi.h header file:
#include "SmEventApi.h"

You can use the Event API and the SmLogObjEvent_FailedLoginAttemptsCount event to access the number of invalid user authentication attempts.

This event is called when a user login fails and there is a password policy that applies. The associated SmLog_Obj_t fields are listed below as Field: Description.

nVersion: Version number of the SiteMinder server.
nCurrentTime: Time when the event occurred.
szUserName: The user whose login attempt failed.
szSessionId: The session ID of the user.
szObjName: Name of directory where the user was found.
szFieldDesc: User’s DN.
szStatusMsg: Number of times that the login was attempted. This number cannot be higher than the number of attempts that results in a disabled account.

You can then access the logged information, such as the above data structure SmLogObjEvent_FailedLoginAttemptsCount and, specifically, the content of the szStatusMsg field, through the custom-designed sources and providers set up for your application's needs.

Refer to the CA SiteMinder Programming Guide for C for further details.

(Note that the C API cannot make JNI calls. There is no synchronization in the Policy Server to support such calls. It is possible, however, to spawn off a separate process that invokes Java and communicates back to the main process by using sockets.)

When using the Java API, to retrieve an existing SmDmsUserPWState object for a user, call the getUserPWState() method in the class SmDmsUserPWState.

public int getLoginFailures()

Login failures: getLoginFailures() retrieves the number of times the user failed to log in since the user’s last successful login.

Refer to the CA SiteMinder Programming Guide for Java r12.0 SP3 and Javadoc for further details.
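
For the Event API route above, a handler has to turn szStatusMsg into a number before it can act on it, and the user name and DN it logs come from the directory. The following is an added example, not code from the SDK or from the original post: it assumes szStatusMsg delivers the count as a C string (as its sz prefix suggests), failed_login_rec is a stand-in that only borrows the page's field names, and parse_attempts, format_failed_login and the warn threshold are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the SmLog_Obj_t fields listed on this page (assumption: the
   real layout comes from SmEventApi.h; only the field names are the page's). */
typedef struct {
    const char *szUserName;
    const char *szFieldDesc;  /* user's DN */
    const char *szStatusMsg;  /* attempt count, assumed to arrive as text */
} failed_login_rec;

/* -1 for NULL, empty, non-numeric, negative or out-of-range text (never 0). */
int parse_attempts(const char *msg)
{
    char *end;
    if (msg == NULL) return -1;
    errno = 0;
    long v = strtol(msg, &end, 10);
    if (end == msg || *end != '\0' || errno != 0 || v < 0 || v > INT_MAX)
        return -1;
    return (int)v;
}

/* Neutralise control chars and quotes so a crafted name cannot forge lines. */
static void sanitize(const char *in, char *out, size_t n)
{
    size_t i = 0;
    if (in == NULL) in = "";
    for (; in[i] != '\0' && i + 1 < n; i++)
        out[i] = ((unsigned char)in[i] < 0x20 || in[i] == 0x7f ||
                  in[i] == '"') ? '?' : in[i];
    out[i] = '\0';
}

/* Hypothetical helper for a handler's record callback; returns the count. */
int format_failed_login(const failed_login_rec *r, int warn, char *out, size_t n)
{
    char user[128], dn[256];
    if (r == NULL || out == NULL || n == 0) return -1;
    int count = parse_attempts(r->szStatusMsg);
    sanitize(r->szUserName, user, sizeof user);
    sanitize(r->szFieldDesc, dn, sizeof dn);
    snprintf(out, n, "failed-login user=\"%s\" dn=\"%s\" attempts=%d%s",
             user, dn, count, (count >= warn) ? " WARN" : "");
    return count;
}
```

A record whose count cannot be parsed is logged with attempts=-1 rather than 0, so malformed events stay visible to whoever reviews the log.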