August 15, 2006

Information Technology CenterNatural Resources Conservation Service

Fort Collins, Colorado

Coding Best Practices

III. eAuthentication

I. Confidentiality

A) Information provided at logon

B) Information provided after logon for application flow

C) Application behavior upon Siteminder failure

III. eAuthentication – Confidentiality – Information Provided at Logon Confidentiality of the data supplied through

the Siteminder webagent is the responsibility of the application itself.

The attributes of the authorized user are passed to a protected resource (as http header variables) within the application. This is performed over an encrypted (https) connection.

It is then the application’s responsibility to digest these attributes and handle them securely.

III. eAuthentication – Confidentiality – Information Provided After Logon for Application Flow

With very few exceptions, there are no direct reads from the Active Directory itself. These reads are supplied through the Siteminder webagent in most cases, and in others through the TEWS suite of web services that Siteminder provides.

Again it is the application’s responsibility to digest these attributes and handle them securely.

III. eAuthentication – Confidentiality – Application Behavior Upon Siteminder Failure

It is very important NOT to assume that Siteminder is operational.

For example, your default behavior if Siteminder is disabled should NOT be to allow the incoming user to access sensitive information.

When in doubt of successful Siteminder authorization, you should deny access.

III. eAuthentication

II. Integrity

A) Location of eAuthentication data

B) Who’s responsible for the eAuthentication data integrity?

C) Active directory replication

III. eAuthentication – Integrity – Location of eAuthentication Data

The user’s data is stored in the active directory.

In most cases, the user’s data cannot be modified by the application digesting this information.

III. eAuthentication – Integrity – Who’s Responsible For the eAuthentication Data?

Data integrity does not pertain to the applications themselves.

The user’s data integrity is the responsibility of the eAuthentication data stewards.

Issues with a user’s data integrity should be reported to the eAuthentication Integration Team at eAuthIntegration@usda.gov.

III. eAuthentication – Integrity – Active Directory Replication There are some known issues with the active

directory replication within the eAuthentication environment which may cause data to be out of date or stale.

In this case, the necessary changes have been made, but they haven’t been copied to the domain controller which is servicing your requests yet.

If this occurs, please contact the eAuthentication Integration Team at eAuthIntegration@usda.gov.

III. eAuthentication

III. Availability

A) Siteminder Webagent communication with the policy server

B) Troubleshooting communication problems

C) Siteminder Policies (Active Directory replication)

III. eAuthentication – Availability – Siteminder Webagent Communication With the Policy Server

The Siteminder webagent relies on its ability to talk to the Siteminder policy server in order to process requests.

The webagent will try to talk to several policy servers before it fails.

When the webagent cannot talk to the policy server, it will not allow any requests through, returning a 500 http error code.

If this happens, please contact the eAuthentication Integration Team at eAuthIntegration@usda.gov.

III. eAuthentication – Availability – Troubleshooting Communication Problems

The webagent communicates with the policy server on ports 44441 – 44444.

Telnet from the application host machine to the target policy server on ports 44441 – 44444 to test connectivity.

You may find out which policy servers your webagent is trying to talk to (and in which order it tries to talk to them) configured in the SmHost.config file.

This can be located anywhere really, but normally it is deployed to “c:\program files\netegrity \webagent\config\SmHost.config”.

III. eAuthentication – Availability – Siteminder Policies (Active Directory Replication)

The data within the active directory is replicated between each domain controller in the forest.

Sometimes this data can take a while to replicate, so if a Siteminder policy change is made, or a user’s attributes are modified, these changes may take a while to propagate into a place where they take effect.

Each policy server points to a different primary user store and policy store, and this may not necessarily be the place where the changes were initially made.

If this occurs, please contact the eAuthentication Integration Team at eAuthIntegration@usda.gov.