Authentication, Authorization Events and Rules in Siteminder
Authentication events occur when a user accesses a resource protected by a rule that includes an On-Auth event. Unlike Web Agent actions or authorization events, authentication events always apply to the entire realm: we cannot create an On-Auth rule that applies to only a portion of a realm.
Authentication events include the following:
- On-Auth-Accept: Occurs if authentication was successful. This event may be used to redirect a user after a successful authentication.
- On-Auth-Reject: Occurs if authentication failed for a user that is bound to a policy containing an On-Auth-Reject rule. This event may be used to redirect the user after a failed authentication.
- On-Auth-Attempt: Occurs if the user was rejected because SiteMinder does not know this user (an unregistered user, for example, can be redirected to register first).
- On-Auth-Challenge: Occurs when custom challenge-response authentication schemes are activated (for example, a token code).
Authorization events occur as SiteMinder verifies whether a user is authorized to access a resource. As a rule action, an authorization event causes the Policy Server to fire a rule at a particular point in the authorization process.
Authorization events include the following:
- On-Access-Accept: Occurs when SiteMinder successfully authorizes a user to access the resource.
- On-Access-Reject: Occurs when SiteMinder rejects a user because the user is not authorized to access the resource.
The four rules we configure are:
- Allow Access Rule: Get Post Action
- Auth Attempt Rule: On Auth Attempt Action
- Auth Reject Rule: On Auth Reject Action
- Access Reject Rule: On Access Reject Action
| Event | Username | Password | Use |
|---|---|---|---|
| On-Auth-Accept | Correct | Correct | Used to redirect a user after a successful authentication. |
| On-Auth-Reject | Correct | Wrong | Used to redirect the user after a failed authentication. |
| On-Auth-Attempt | Wrong | Wrong | Occurs if the user was rejected because SiteMinder does not know this user (an unregistered user, for example, can be redirected to register first). |

| Event | Condition | Use |
|---|---|---|
| On-Access-Accept | The credentials provided exist in the user group attached to the requested resource. | Used to redirect users who are authorized to access a resource. |
| On-Access-Reject | The credentials provided do not exist in the user group attached to the requested resource. | Used to redirect users who are not authorized to access a resource. |
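The following is an added illustration, not SiteMinder code: a small model of the order in which the Policy Server fires the events above (one realm-wide On-Auth event, then, only after On-Auth-Accept, one On-Access event whose rule may be limited to a resource filter). The user store, resource groups, usernames and redirect targets are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class Realm:
    """Constructed stand-in for a SiteMinder realm and the rules bound to it."""
    users: dict                 # sample user store: username -> password
    groups: dict                # resource prefix -> set of usernames allowed there
    # On-Auth rules: one redirect per event, realm-wide (no resource filter possible)
    on_auth: dict = field(default_factory=dict)
    # On-Access rules: keyed by (event, resource filter) so a rule can cover part of a realm
    on_access: dict = field(default_factory=dict)

def evaluate(realm, resource, username, password):
    """Return (events fired in order, redirect target or None, access granted)."""
    events = []
    # 1. Authentication: exactly one On-Auth event fires, regardless of the resource.
    if username not in realm.users:
        events.append("On-Auth-Attempt")        # user unknown to the directory
    elif realm.users[username] != password:
        events.append("On-Auth-Reject")         # known user, credentials failed
    else:
        events.append("On-Auth-Accept")
    if events[-1] != "On-Auth-Accept":
        return events, realm.on_auth.get(events[-1]), False
    redirect = realm.on_auth.get("On-Auth-Accept")
    # 2. Authorization: the user is checked against the group attached to the resource.
    allowed = any(resource.startswith(p) and username in m for p, m in realm.groups.items())
    event = "On-Access-Accept" if allowed else "On-Access-Reject"
    events.append(event)
    # An access rule only fires when its resource filter matches the request.
    for (ev, prefix), target in realm.on_access.items():
        if ev == event and resource.startswith(prefix):
            redirect = target
    return events, redirect, allowed

# Constructed sample realm (names and targets are placeholders, not real policy data)
SAMPLE = Realm(
    users={"alice": "s3cret", "bob": "hunter2"},
    groups={"/admin/": {"alice"}, "/app/": {"alice", "bob"}},
    on_auth={"On-Auth-Attempt": "/register", "On-Auth-Reject": "/login?failed=1",
             "On-Auth-Accept": "/app/home"},
    on_access={("On-Access-Reject", "/admin/"): "/forbidden"},
)

if __name__ == "__main__":
    for args in [("/admin/users", "alice", "s3cret"), ("/admin/users", "bob", "hunter2"),
                 ("/app/home", "bob", "wrong"), ("/app/home", "mallory", "x")]:
        print(args, evaluate(SAMPLE, *args))
```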