Tuesday, October 29, 2013

Analyze Siteminder Logs

Here is my understanding of how SiteMinder event (access) logs are structured, as a basis for analyzing them.

If the event category is authentication or authorization, the format of a log line is:
lpszEvent lpszHostName lpszTimeString "szClientIp szUserName" "szAgentName szAction szResource" [szTransactionId] [nReason] szStatusMsg

The fields in the above format are as follows:
  • lpszEvent. The name (type) of the access event:
    SmLogAccessEvent_AuthAccept : lpszEvent = "AuthAccept"
    SmLogAccessEvent_AuthReject : lpszEvent = "AuthReject"
    SmLogAccessEvent_AuthAttempt : lpszEvent = "AuthAttempt"
    SmLogAccessEvent_AuthChallenge : lpszEvent = "AuthChallenge"
    SmLogAccessEvent_AzAccept : lpszEvent = "AzAccept"
    SmLogAccessEvent_AzReject : lpszEvent = "AzReject"
    SmLogAccessEvent_AdminLogin : lpszEvent = "AdminLogin"
    SmLogAccessEvent_AdminLogout : lpszEvent = "AdminLogout"
    SmLogAccessEvent_AdminReject : lpszEvent = "AdminReject"
    SmLogAccessEvent_AuthLogout : lpszEvent = "AuthLogout"
    SmLogAccessEvent_ValidateAccept : lpszEvent = "ValidateAccept"
    SmLogAccessEvent_ValidateReject : lpszEvent = "ValidateReject"
    
  • lpszHostName. The name of the host.
  • lpszTimeString. The timestamp of the occurrence of the event, in the format [day/month/year:hour:minute:second timezone-offset]. For example: [27/Jun/2000:11:27:29 -0500]
  • szClientIp. The IP address of the client machine.
  • szUserName. The name of the user.
  • szAgentName. The name of the agent.
  • szAction. The action associated with the resource.
  • szResource. The accessed resource.
  • [szTransactionId]. A bracketed string of semicolon-separated key=value pairs such as idletime=...;maxtime=...;authlevel=...; (see the example below).
  • [nReason]. The reason code associated with the event. Reasons are enumerated in Sm_Api_Reason_t, which is in SmApi.h.
  • szStatusMsg. The message associated with the event. The message depends on the event type (the per-event message table is not reproduced in this post).
For example:
AuthAccept testbox [27/Jun/2000:11:27:29 -0500] "190.158.4.90 uid=scarter,ou=people,o=airius.com" "testagent GET /test/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [0]
In this example,
  • lpszEvent is AuthAccept
  • lpszHostName is testbox
  • lpszTimeString is [27/Jun/2000:11:27:29 -0500]
  • szClientIp is 190.158.4.90
  • szUserName is uid=scarter,ou=people,o=airius.com
  • szAgentName is testagent
  • szAction is GET
  • szResource is /test/index.html
  • [szTransactionId] is [idletime=3600;maxtime=7200;authlevel=5;]
  • [nReason] is [0]
  • szStatusMsg is not specified.
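As an added example (not code from the original post or from CA/SiteMinder), here is a small Python parser for the authentication/authorization access-event format above. It pulls the named fields out of a line, turns the transaction string into a dict and the timestamp into a datetime, and then counts AuthReject/AzReject events per client IP, which is the first thing a defender usually wants from these logs. The first sample line is the post's own example; the remaining lines are constructed for illustration, and their reason codes are placeholders rather than real Sm_Api_Reason_t values.

```python
import re
from collections import Counter
from datetime import datetime

# Regex for the format described above:
#   lpszEvent lpszHostName lpszTimeString "szClientIp szUserName"
#   "szAgentName szAction szResource" [szTransactionId] [nReason] szStatusMsg
# The last three fields are optional. The transaction id is told apart from
# the numeric reason code by the '=' it always contains (idletime=...).
ACCESS_EVENT_RE = re.compile(
    r'^(?P<event>\S+) (?P<host>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<client_ip>\S+) (?P<user>[^"]*)" '
    r'"(?P<agent>\S+) (?P<action>\S+) (?P<resource>[^"]*)"'
    r'(?: \[(?P<txn>[^\]]*=[^\]]*)\])?'
    r'(?: \[(?P<reason>-?\d+)\])?'
    r'(?: (?P<status>.*))?$'
)

# Event names listed in the post, used to flag lines of an unknown type.
KNOWN_EVENTS = {
    "AuthAccept", "AuthReject", "AuthAttempt", "AuthChallenge",
    "AzAccept", "AzReject", "AdminLogin", "AdminLogout", "AdminReject",
    "AuthLogout", "ValidateAccept", "ValidateReject",
}


def parse_transaction_id(txn):
    """Split 'idletime=3600;maxtime=7200;authlevel=5;' into a dict (ints where possible)."""
    fields = {}
    for part in txn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip()] = int(value) if value.isdigit() else value
    return fields


def parse_access_event(line):
    """Return a dict of fields for one access-event line, or None if it does not match."""
    m = ACCESS_EVENT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["txn"] = parse_transaction_id(rec["txn"]) if rec["txn"] is not None else {}
    rec["reason"] = int(rec["reason"]) if rec["reason"] is not None else None
    rec["known_event"] = rec["event"] in KNOWN_EVENTS
    return rec


def reject_counts_by_client(lines):
    """Count authentication and authorization rejects per client IP."""
    counts = Counter()
    for line in lines:
        rec = parse_access_event(line)
        if rec and rec["event"] in ("AuthReject", "AzReject"):
            counts[rec["client_ip"]] += 1
    return counts


def clients_over_threshold(lines, threshold=3):
    """Client IPs with at least `threshold` rejects, sorted by count (highest first)."""
    counts = reject_counts_by_client(lines)
    return [ip for ip, n in counts.most_common() if n >= threshold]


SAMPLE_LINES = [
    # The example line from the post (AuthAccept, no status message).
    'AuthAccept testbox [27/Jun/2000:11:27:29 -0500] "190.158.4.90 uid=scarter,ou=people,o=airius.com" "testagent GET /test/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [0]',
    # Constructed lines (not from a real server). Reason code 1 and the status text
    # are placeholders; the real mapping is in Sm_Api_Reason_t (SmApi.h).
    'AuthReject testbox [27/Jun/2000:11:30:01 -0500] "203.0.113.7 uid=jdoe,ou=people,o=airius.com" "testagent GET /test/index.html" [1] rejected (constructed status text)',
    'AuthReject testbox [27/Jun/2000:11:30:04 -0500] "203.0.113.7 uid=jdoe,ou=people,o=airius.com" "testagent GET /test/index.html" [1] rejected (constructed status text)',
    'AuthReject testbox [27/Jun/2000:11:30:09 -0500] "203.0.113.7 uid=asmith,ou=people,o=airius.com" "testagent GET /test/index.html" [1] rejected (constructed status text)',
    'AzReject testbox [27/Jun/2000:11:31:40 -0500] "190.158.4.90 uid=scarter,ou=people,o=airius.com" "testagent GET /admin/index.html" [idletime=3600;maxtime=7200;authlevel=5;] [1]',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_access_event(line))
    print("rejects per client:", dict(reject_counts_by_client(SAMPLE_LINES)))
    print("clients at/over threshold:", clients_over_threshold(SAMPLE_LINES))
```

The regex deliberately requires an '=' inside the transaction-id brackets so that a line carrying only a reason code (as in the constructed reject lines) is not mis-parsed as a transaction id with no reason. Lines that do not match, or whose event name is not one of the twelve listed above, should be reported rather than silently dropped when this is run over real logs.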

Monday, October 7, 2013

Siteminder Impersonation

Definition: Impersonation is a method where a privileged user assumes the identity of another user without losing the privileged user's own session.
Example:
Admin URL : www.xyz.com  
EndUser Application : www.xyz.com/application
Impersonator : Privileged user who can assume the identity of another user
Impersonatee : A user whose identity is assumed by the Impersonator

Request Flow:
1) Impersonator logs into the Admin URL www.xyz.com, which is protected by SiteMinder.
SiteMinder creates an SMSESSION for the Impersonator.
2) Impersonator clicks on the Target URL www.xyz.com/imperso/targetURL, which initiates the Impersonation journey, since the Target URL is protected by the Impersonation Authentication Scheme.
The Impersonation Authentication Scheme prompts for the Impersonatee's user name.
3) Impersonator lands on the Target URL as the Impersonatee.
SiteMinder creates an SMSESSION for the Impersonatee and saves the Impersonator's session as SMSAVEDSESSION.
4) Now the Impersonator assumes the identity of the Impersonatee and accesses the End User Application.
5) Impersonator clicks logout to end the Impersonation journey, which does the following:
The SMSAVEDSESSION cookie of the Impersonator is restored to SMSESSION, and SMSAVEDSESSION returns a NULL value.

Siteminder Configurations:
In the above example, consider that Imperso.fcc, Impersologout.fcc and TargetURL are placed under www.xyz.com/imperso/
Realm 1: Create a realm for /imperso/
Authentication Scheme : Impersonation Auth Scheme [www.xyz.com/imperso/Imperso.fcc]
Rules : Get/Post, ImpersoStart, ImpersoStartUser

Realm 2 for Admin URL [It will be an existing realm, which creates an SMSESSION for the Impersonator]
Authentication Scheme: HTML Forms Authentication Scheme
Rules: Get/Post [existing Rules]

Realm 3 for EndUser Application: [Existing Realm]
Rules: Create ImpersoStart and ImpersoStartUser actions for each of the existing Rules.

Policies:
Impersonator Policy:
Add all the ImpersoStart Rules under this policy.
User Group: Only Impersonator

Impersonatee Policy:
Add all the ImpersoStartUser Rules under this policy.
User Group: Only Impersonatee

Access policy:
Add Get/Post Rule from Realm 1

As part of Impersonation, the Imperso.fcc file has to be protected. Since FCC files are ignored via the IgnoreExt parameter in the ACO, create the following override:
OverrideIgnoreExt = /Imperso.fcc

Hope this documentation helps!!! Any queries, please comment.