CA SOA Security Manager Authorization

Overview

CA SOA Security Manager can authenticate end-users and authorize them to access protected Web resources. The Enterprise Gateway can interact directly with CA SOA Security Manager by asking it to make authorization decisions on behalf of end-users that have successfully authenticated to the Enterprise Gateway. CA SOA Security Manager decides whether to authorize the user, and relays the decision back to the Enterprise Gateway where the decision is enforced. The Enterprise Gateway, therefore, acts as a Policy Enforcement Point (PEP) in this situation, enforcing the authorization decisions made by the CA SOA Security Manager, which acts as a Policy Decision Point (PDP).

Important Note:
A CA SOA Security Manager authentication filter must be invoked before a CA SOA Security Manager authorization filter in a given policy. In other words, the end-user must authenticate to CA SOA Security Manager before they can be authorized for a protected resource.

Prerequisites

CA SOA Security Manager integration requires CA TransactionMinder SDK version 6.0 or later.

Enterprise Gateway
When adding third-party binaries to the Enterprise Gateway, you must perform the following steps:

  1. Add the binary files as follows:
    • Add .jar files to the InstallDir/ext/lib directory.
    • Add .dll files to the InstallDir\win32\lib directory.
    • Add .so files to the InstallDir/platform/lib directory.
  2. Restart the Enterprise Gateway.

Policy Studio
When adding third-party binaries to the Policy Studio, you must perform the following steps:

  1. Add .jar files to the InstallDir/plugins/thirdparty.runtime.dependencies_6.0.3 directory.
  2. Restart the Policy Studio.

Configuration

Configure the following fields on the CA SOA Security Manager Authorization filter:

Name:
Enter an appropriate name for the filter.

Attributes:
If the end-user is successfully authorized, the attributes listed here are looked up in CA SOA Security Manager, and returned to the Enterprise Gateway. These attributes are stored in the attributes.lookup.list message attribute. They can be retrieved at a later stage to generate a SAML attribute assertion.

Select the Set attributes for SAML Attribute token checkbox, and click the Add button to specify an attribute to fetch from CA SOA Security Manager.