

Protecting the Administrative UI with SiteMinder

Protecting the CSP console with CA SiteMinder® requires that you configure an agent to function with a reverse proxy server and configure an external administrator store. Rather than accessing the CSP console directly on the application server, you access the CSP console through the reverse proxy server.

Consider the following:

How to Protect the Administrative UI with SiteMinder

You can protect the CSP console with CA SiteMinder®.

Follow these steps:

  1. Configure an agent to operate with a reverse proxy server.

    Certain types of web servers, such as Apache, that support CA SiteMinder® Web agents can also function as reverse proxy servers. See the support matrix for the supported servers.

    Note: Update the configuration file of the Apache web server so that it functions as a reverse proxy server. For more information about configuring a reverse proxy server and updating the configuration file, see the Web Agent configuration material.

    Important! The URL used in the rules that are set for the proxy server must be the same URL used to register the CSP console initially.

    Example:

    If the CSP console was initially registered with the following URL, specify the same URL in the proxy server rules.

    http://host_name:8080/iam/siteminder/adminui

  2. In your agent configuration object (ACO), set the value of the LogOffUri parameter as shown in the following example:
    /iam/siteminder/logout.jsp
    
  3. Configure an external administrator store.

    Note: The application server restarts automatically after you configure the external administrator store. The CSP console is protected with CA SiteMinder® only after the restart.
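
A check for the Important! requirement in step 1, as an added example that is not part of the original documentation or the product's tooling: it reads Apache mod_proxy ProxyPass and ProxyPassReverse rules and confirms that the backend they produce for the console path is the URL the console was registered with. The httpd.conf excerpt is constructed, and treating "the same URL" as same scheme, host, port and path is an assumption.

```python
import re
from urllib.parse import urlsplit

# Registration URL from the page; the httpd.conf excerpt is constructed.
REGISTERED_URL = "http://host_name:8080/iam/siteminder/adminui"
SAMPLE_CONF = """\
ProxyPass        /iam/siteminder/ http://host_name:8080/iam/siteminder/
ProxyPassReverse /iam/siteminder/ http://host_name:8080/iam/siteminder/
ProxyPass        /other/ http://10.0.0.5:8080/other/
"""

# mod_proxy directive names are case-insensitive; commented lines do not match.
RULE = re.compile(
    r"^[ \t]*(ProxyPass|ProxyPassReverse)[ \t]+(\S+)[ \t]+(\S+)", re.I | re.M)


def origin(url):
    """Return (scheme, host, port), filling in the scheme's default port."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower(), \
        p.port or {"http": 80, "https": 443}.get(p.scheme.lower())


def check_proxy_rules(conf_text, registered_url):
    """Return (matches, problems) for the rules that serve the console path."""
    reg_path = urlsplit(registered_url).path
    matches, problems = [], []
    for directive, front, backend in RULE.findall(conf_text):
        if not reg_path.startswith(front):
            continue  # rule does not cover the console path
        if backend == "!":
            problems.append(f"{directive} {front}: path is excluded from proxying")
            continue
        # Backend URL path this rule produces for the registered path.
        effective = urlsplit(backend).path + reg_path[len(front):]
        if origin(backend) != origin(registered_url):
            problems.append(f"{directive} {front}: backend origin differs")
        elif effective != reg_path:
            problems.append(f"{directive} {front}: backend path is {effective}")
        else:
            matches.append((directive, front, backend))
    if not any(d.lower() == "proxypass" for d, _, _ in matches):
        problems.append("no ProxyPass rule maps to the registered URL")
    return matches, problems


if __name__ == "__main__":
    ok, bad = check_proxy_rules(SAMPLE_CONF, REGISTERED_URL)
    print(f"{len(ok)} matching rule(s); problems: {bad or 'none'}")
```

A rule that points at an alias such as localhost, or at a different port or scheme, is reported as an origin mismatch even when it reaches the same server.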

More information:

How to Configure an External Administrator Store

Change the Authentication Scheme

The default CA SiteMinder® authentication scheme used to protect the CSP console is basic user name and password. You can change the default authentication scheme to any CA SiteMinder® supported authentication scheme, except SAML and WS-Fed authentication.

Follow these steps:

  1. Click Policies, Domain.
  2. Click Realms.
  3. Search for the following realm and click the name to open it:

    SiteMinder_ims_realm

    Note: This realm is associated with a domain named SiteMinderDomain.

  4. Click Modify to enable the settings.
  5. Select the authentication scheme you want from the Authentication Scheme list.
  6. Enter additional settings, if required.
  7. Click Submit.

    The CSP console is protected using the selected authentication scheme.

More information:

Authentication Schemes

Disable SiteMinder Authentication for the Administrative UI

If you do not want to protect the CSP console with CA SiteMinder®, you can disable CA SiteMinder® authentication. Even after you remove CA SiteMinder® protection for the CSP console, you can access the CSP console only through the reverse proxy server.

To access the CSP console directly on an application server, delete the data directory and reregister the CSP console with the Policy Server.

Follow these steps:

  1. Log in to the CSP console.
  2. Run the Administrative Authentication wizard to specify that you no longer want to protect the CSP console using CA SiteMinder® authentication.

    Note: Leave the existing directory server or database connection information to continue using the external administrator store.

  3. Log in to the CSP console host system.
  4. Delete the CSP console data directory. The type of application server to which you deployed the CSP console determines where the data directory is located:
  5. Log in to the Policy Server host system and reset the CSP console registration window using the XPSRegClient utility.
  6. Register the CSP console with the Policy Server.