

Introduction to the CA SiteMinder® Agent for SharePoint

This section contains the following topics:

Purpose and Audience

New Architecture to Support SharePoint 2010

Release Differences

CA SiteMinder® and Microsoft SharePoint

Example SharePoint Farm Deployment with Single Web Front End

Example SharePoint Farm Deployment with Multiple Web Front Ends and Load Balancing

Load Balancers and Session Affinity

Purpose and Audience

The CA SiteMinder® Agent for SharePoint is a gateway or a proxy server-based solution that lets you protect resources in your Microsoft SharePoint environment with CA SiteMinder®.

This guide describes how to install and configure the CA SiteMinder® Agent for SharePoint so you can protect resources stored on SharePoint. This guide is intended for the following CA SiteMinder® and SharePoint personnel:

This guide assumes that SharePoint administrators can perform the following tasks:

This guide assumes that CA SiteMinder® administrators can perform the following tasks:

New Architecture to Support SharePoint 2010

The CA SiteMinder® Agent for SharePoint 2010 features a new architecture designed to protect your SharePoint 2010 resources. This new architecture is based on industry standards and uses a proxy model to streamline enterprise deployments of the CA SiteMinder® Agent for SharePoint, while supporting future growth.

This agent also includes a new SharePoint connection wizard which simplifies the process of creating connections between your SiteMinder objects and SharePoint resources. This wizard creates the CA SiteMinder® objects you need on the Policy Server and generates a PowerShell script that properly configures your SharePoint central administration server.

Release Differences

The following table describes the major differences between the CA SiteMinder® Agent for SharePoint releases. For each area, the entry for the CA SiteMinder® Agent for SharePoint 2007 is listed first and the entry for the CA SiteMinder® Agent for SharePoint 2010 second:

Deployment

  • CA SiteMinder® Agent for SharePoint 2007: Required installation of the following on each SharePoint 2007 server:
      • A CA SiteMinder® Web Agent
      • A CA SiteMinder® Agent for SharePoint
  • CA SiteMinder® Agent for SharePoint 2010: Deployed as a proxy-server based solution in front of SharePoint 2010 for more centralized configuration and management.

Authentication

  • CA SiteMinder® Agent for SharePoint 2007: Used one of two SharePoint 2007 authentication methods:
      • Windows Impersonation
      • ASP.NET Forms-based authentication (FBA)
  • CA SiteMinder® Agent for SharePoint 2010: Uses the new SharePoint 2010 claims-based authentication option, which is based on industry-standard protocols (WS-Federation / SAML 1.1).

Configuration and administration

  • CA SiteMinder® Agent for SharePoint 2007: Used a CA SiteMinder® Management UI, installed into SharePoint, to configure protection of SharePoint resources. Included a Role and Membership Provider to facilitate People Picker access to SiteMinder user directories.
  • CA SiteMinder® Agent for SharePoint 2010: Configuration and administration enhancements include:
      • New Connection Wizard to automate the configuration of required SiteMinder objects and simplify the creation of a Trusted Identity Provider inside SharePoint 2010.
      • Farm-wide configuration of various aspects of the SiteMinder integration using the new SharePoint 2010 PowerShell interface.
      • Improved People Picker usability through a new Claims Provider component.

CA SiteMinder® and Microsoft SharePoint

The CA SiteMinder® Agent for SharePoint integrates Microsoft SharePoint 2010 into the SiteMinder web access management environment.

An access control solution uses policy decision points and policy enforcement points. The CA SiteMinder® Agent for SharePoint uses a gateway or proxy server as the policy enforcement point to protect resources in a Microsoft SharePoint environment. In the network topology, this enforcement point is physically placed between the user and the resource on the SharePoint server.

CA SiteMinder® Agent for SharePoint Components and Microsoft SharePoint

The following illustration shows the relationship between the CA SiteMinder® components and the SharePoint server.

Flowchart showing how the authentication for SharePoint 2010 is handled by the CA SiteMinder Agent for SharePoint and how Authorization is handled by the SiteMinder SharePoint Claims Provider

In the previous illustration, customers, partners, and employees request resources from SharePoint. The requests must pass through the CA SiteMinder® Agent for SharePoint. The agent provides authentication, policy enforcement, and federated single sign-on capabilities. The CA SiteMinder® Policy Server acts as the policy decision point for authentication. The CA SiteMinder® Policy Store, which is connected to the Policy Server, stores policies and other configuration objects. This solution enables external users to access protected SharePoint resources and internal users to access SharePoint resources.

CA SiteMinder® Components used with SharePoint

The CA SiteMinder® Agent for SharePoint solution contains the following SiteMinder components in a specific configuration designed to protect SharePoint resources.

Policy Server

The Policy Server acts as the Policy Decision Point (PDP). The Policy Server evaluates and enforces access control policies for requests made to resources protected by agents, such as the CA SiteMinder® Agent for SharePoint.

CA SiteMinder® Agent for SharePoint

The CA SiteMinder® Agent for SharePoint is a stand-alone server that provides a proxy-based solution for access control. The agent acts as the policy enforcement point (PEP), standing in the network topology physically between the user and the resource on the SharePoint server.

Claims Provider

The CA SiteMinder® Claims Provider is used for configuring particular claim values to grant permissions to SharePoint resources. The Claims Provider is packaged as a SharePoint solution (WSP file) with its feature receiver.

Note: Upgrade any SiteMinder components in your environment that do not meet the minimum versions.

Example SharePoint Farm Deployment with Single Web Front End

If the servers in your SharePoint farm are associated with a single web front end (WFE) server, the following illustration provides one possible deployment scenario:

Diagram showing how to configure Agent for SharePoint to Single Web Front End on a SharePoint Farm

In the previous example, your setting in the proxyrules.xml file is <nete:forward>http://sharepoint.example.com$0</nete:forward>

Example SharePoint Farm Deployment with Multiple Web Front Ends and Load Balancing

If your SharePoint farm has servers associated with multiple web front end (WFE) servers, the following illustration provides one possible deployment scenario:

Diagram showing how to deploy the Agent for SharePoint in front of a load balancer and multiple web front ends

In the previous example, your setting in the proxyrules.xml file is <nete:forward>http://sharepoint.example.com$0</nete:forward>
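The following is an added example, not a file from this guide or from the agent's own installation, showing where the forward setting from the two deployment examples above sits in a complete proxy rules file. The surrounding nete:proxyrules, nete:cond, nete:case and nete:default elements follow the proxy rules file format of the agent's proxy engine and are not shown on this page; the DOCTYPE line that the installed proxyrules.xml carries is omitted here, and the fallback host intranet.example.com is a constructed value.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the guide): a minimal proxyrules.xml for the
     single-WFE and multiple-WFE deployments described above. The DOCTYPE
     line from the proxyrules.xml installed with the agent belongs above
     this element and is omitted here. Host names other than
     sharepoint.example.com are constructed for illustration. -->
<nete:proxyrules xmlns:nete="http://www.ca.com/">
  <!-- Route on the host name the user requested from the agent. -->
  <nete:cond type="host">
    <!-- Requests for the SharePoint host are forwarded to the farm.
         In the multiple-WFE deployment this is the load balancer's
         virtual host name rather than an individual WFE, so the load
         balancer's session affinity can keep a session on one WFE.
         "$0" appends the originally requested URI, so the path and
         query string reach SharePoint unchanged. -->
    <nete:case value="sharepoint.example.com">
      <nete:forward>http://sharepoint.example.com$0</nete:forward>
    </nete:case>
    <!-- Any other host name the agent receives is sent to a constructed
         fallback host, so only the intended host name is proxied to the
         SharePoint farm. -->
    <nete:default>
      <nete:forward>http://intranet.example.com$0</nete:forward>
    </nete:default>
  </nete:cond>
</nete:proxyrules>
```

When checking a deployment, confirm that the forward target is the host the SharePoint web application is configured to answer for (the single WFE, or the load balancer's virtual host in front of multiple WFEs), since a forward to an individual WFE bypasses the load balancer and its session affinity.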

Load Balancers and Session Affinity

Load balancers that use session affinity dynamically select the best-performing server when establishing a session. The load balancers send subsequent requests for the same session back to the same server.

Configuring session affinity helps your load balancers operate more efficiently because the CA SiteMinder® caches are used to their full potential. For example, sessions are stored in the Web Agent cache when they are created. Since the session is cached, subsequent requests for resources during the same session are validated using the information from the Web Agent cache. The Policy Server is not contacted, and efficiency is increased.