• 1 reply
  • Latest Post - 2010-01-28T15:08:23Z by nlaigle
4 Posts

Pinned topic AAA: WS-Security UsernameToken, Authentication via Siteminder

2010-01-12T17:28:37Z

I'd like to authenticate an extracted username and password via DataPower to Siteminder. Is this possible? Alas, I don't have Siteminder up and running so I can't just run the scenario myself.

I have an inbound message containing a WS-Security UsernameToken.
In my AAA, I extract the identity via "Password-carrying UsernameToken Element from WS-Security Header".
In my Authenticate phase, I "Contact Netegrity Siteminder".
Now, from the documentation, it looks like this should be a connection to an agent server? The "Netegrity base URI" hints that I'm hitting a web container and not the actual Netegrity server.
I also assume that this step contains logic along the lines of "If a cookie value was returned by Siteminder, then the user is authenticated. Else the user is not"? As you can tell, I'm not a Siteminder guru.

My colleague doesn't think that siteminder can be used like this (to authenticate a User/password combo from datapower). I say that it can. We have a bet. Who won?

Dan Zrobok
Technical Architect
Perficient -
"Experts in delivering business-driven technology solutions."
Updated on 2010-01-28T15:08:23Z by nlaigle
  • nlaigle
    12 Posts

    Re: AAA: WS-Security UsernameToken, Authentication via Siteminder

    Hi, I'm afraid you win the bet!

    In the authentication phase, you just have to provide the URI of a SiteMinder-protected resource, so SiteMinder will use the login/password provided in the request to authenticate the user against the SiteMinder policy protecting this URI.
    This URI corresponds, for example, to a sort of echo CGI that returns all SiteMinder-specific headers and cookies:

    example: datapower.cgi

    #!/usr/bin/perl -w
    # Echo CGI deployed behind the SiteMinder-protected URI: it returns every
    # HTTP_* request header (including those injected by the SiteMinder agent)
    # and every cookie as XML so the DataPower AAA policy can inspect them.
    use strict;

    my $header     = undef;
    my $cookiename = undef;
    my @cookies    = ();
    my $cookie     = undef;
    my $eq         = undef;

    print "Content-Type: text/xml\n\n";
    print "<DPAgentResponses>";

    foreach $header (keys %ENV) {
        # The Cookie header also matches /^HTTP_/, so it must be tested first.
        if ($header =~ /^HTTP_COOKIE$/i) {
            # One <Set-Cookie_NAME> element per cookie in the Cookie header
            @cookies = split /;/, $ENV{$header};
            foreach $cookie (@cookies) {
                $eq = index($cookie, "=");
                next if $eq < 0;
                $cookiename = substr($cookie, 0, $eq);
                $cookiename =~ s/^\s*(\w*)/$1/;
                print "<Set-Cookie_$cookiename>" . substr($cookie, $eq + 1) . "</Set-Cookie_$cookiename>";
            }
        }
        elsif ($header =~ /^HTTP_/i) {
            # Any other request header, e.g. HTTP_SM_AUTHORIZED or HTTP_SM_USER
            print "<$header>$ENV{$header}</$header>";
        }
    }

    print "</DPAgentResponses>\n";
    The SiteMinder authentication is successful when a specific header such as "SM_AUTHORIZED=YES" is returned by the CGI.

    Upon successful authentication Siteminder will set the SMSESSION cookie that you can trap and forward up to the client user agent.

    Hint: We have replaced the CGI interface with a simple J2EE webapp running on Tomcat for better performance under heavy authentication request load.
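The DataPower-side evaluation that the reply describes (success decided by the SM_AUTHORIZED=YES header, SMSESSION trapped for forwarding), as an added Python example that is not part of nlaigle's post; in a real AAA policy this logic would live in XSLT. The three <DPAgentResponses> documents and every value in them are constructed, and the element naming (HTTP_<HEADER>, Set-Cookie_<NAME>) is assumed to follow the CGI above.

```python
import xml.etree.ElementTree as ET

# Constructed samples of the <DPAgentResponses> document the echo CGI emits
# (element names follow its HTTP_<HEADER> / Set-Cookie_<NAME> scheme;
# all values below are made up for this example).
AUTH_OK = """<DPAgentResponses>
<HTTP_HOST>sm-agent.example.test</HTTP_HOST>
<HTTP_SM_AUTHORIZED>YES</HTTP_SM_AUTHORIZED>
<HTTP_SM_USER>dzrobok</HTTP_SM_USER>
<Set-Cookie_SMSESSION>c29tZS1zZXNzaW9uLWJsb2I=</Set-Cookie_SMSESSION>
<Set-Cookie_JSESSIONID>9F2A</Set-Cookie_JSESSIONID>
</DPAgentResponses>"""

AUTH_FAIL = """<DPAgentResponses>
<HTTP_HOST>sm-agent.example.test</HTTP_HOST>
<HTTP_SM_AUTHORIZED>NO</HTTP_SM_AUTHORIZED>
</DPAgentResponses>"""

# A stale SMSESSION cookie echoed back without the marker header must not count.
COOKIE_ONLY = """<DPAgentResponses>
<HTTP_HOST>sm-agent.example.test</HTTP_HOST>
<Set-Cookie_SMSESSION>c3RhbGU=</Set-Cookie_SMSESSION>
</DPAgentResponses>"""

def evaluate_agent_response(xml_text):
    """Return (authenticated, smsession, headers) for one echo-CGI response.
    Success is decided by the SM_AUTHORIZED=YES header alone; the SMSESSION
    cookie is returned only then, ready to be forwarded to the client."""
    root = ET.fromstring(xml_text)
    if root.tag != "DPAgentResponses":
        raise ValueError("unexpected root element: %s" % root.tag)
    headers, cookies = {}, {}
    for child in root:
        value = (child.text or "").strip()
        if child.tag.startswith("Set-Cookie_"):
            cookies[child.tag[len("Set-Cookie_"):]] = value
        else:
            # CGI exposes request headers as HTTP_<NAME>; drop the prefix
            name = child.tag.upper()
            if name.startswith("HTTP_"):
                name = name[len("HTTP_"):]
            headers[name] = value
    authenticated = headers.get("SM_AUTHORIZED", "").upper() == "YES"
    smsession = cookies.get("SMSESSION") if authenticated else None
    return authenticated, smsession, headers

if __name__ == "__main__":
    for label, doc in (("ok", AUTH_OK), ("fail", AUTH_FAIL), ("cookie-only", COOKIE_ONLY)):
        ok, sm, hdrs = evaluate_agent_response(doc)
        print(label, "authenticated" if ok else "rejected", "SMSESSION=" + (sm or "-"))
```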