
Deployment with the SiteMinder Connector at the Asserting Party

At the asserting party, Federation Manager configured with the SiteMinder Connector can use SiteMinder for user authentication. After a successful authentication, the user must be redirected back to Federation Manager, which issues an assertion.

At the asserting party, SiteMinder authenticates a user and then issues an SMSESSION cookie. When the user is sent back to Federation Manager, the presence of the SMSESSION cookie triggers the creation of the FEDSESSION cookie. The deployment mode (proxy or standalone) is not relevant in this case.

Note: If Federation Manager is operating in standalone mode, Federation Manager and the SiteMinder Web Agent need to share the same cookie domain.

In a deployment with SiteMinder, the user has to visit SiteMinder first to authenticate. After authentication is successful, the web resource protected by SiteMinder must send the user back to Federation Manager. A deployment with the SiteMinder Connector is not the same as the Federation Manager feature called delegated authentication, which also allows a web access management system like SiteMinder to handle user authentication. The difference is that with delegated authentication, the user does not have to initiate authentication at SiteMinder; in a SiteMinder Connector deployment without delegated authentication, the user must.

Delegated authentication lets Federation Manager initiate an authentication request and then redirect the user to SiteMinder, so the redirect occurs automatically, assuming the feature is properly configured. To send the user back to Federation Manager after successfully authenticating the user, the resource that SiteMinder protects must be configured with a mechanism to redirect the user back to Federation Manager. The redirect must include all data that the protected resource received. For example, if the SiteMinder-protected resource received several query parameters from the initial authentication request, it must redirect the user back to Federation Manager with these same query parameters.
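The following is an added example, not code from the Federation Manager documentation or product, of what the SiteMinder-protected resource's post-authentication redirect has to do: confirm that the SMSESSION cookie is present, then send the user back to Federation Manager with every query parameter the protected resource received. It also models the standalone-mode note above by checking whether the cookie domain that the Web Agent sets on SMSESSION covers the Federation Manager host (RFC 6265 domain matching). The Federation Manager return URL, host names, cookie values and query parameter names are all constructed placeholders.

```python
"""Post-authentication redirect back to Federation Manager (constructed example).

The resource that SiteMinder protects must redirect the authenticated user to
Federation Manager with all query parameters it received, and in standalone
mode the SMSESSION cookie must be scoped to a domain that also covers the
Federation Manager host. Uses only the standard library; no web framework.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Hypothetical Federation Manager return endpoint; not a documented product URL.
FM_RETURN_URL = "https://fm.example.com/fedmgr/return"


def parse_cookie_header(cookie_header: str) -> dict:
    """Split a Cookie request header ("a=1; b=2") into a name -> value dict."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def cookie_domain_matches(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain matching: does a cookie scoped to cookie_domain reach host?

    A leading dot on the Domain attribute is ignored; the host must either equal
    the domain or end with "." + domain. Standalone mode requires this to be true
    for the SMSESSION cookie domain and the Federation Manager host.
    """
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def build_return_redirect(received_url: str, cookie_header: str,
                          fm_return_url: str = FM_RETURN_URL) -> str:
    """Return the Location header value that sends the user back to Federation Manager.

    received_url  : the full URL the protected resource was requested with
    cookie_header : the Cookie request header the protected resource received
    Raises ValueError if SMSESSION is absent, i.e. SiteMinder has not yet
    authenticated the user and a redirect would bounce without a session.
    """
    cookies = parse_cookie_header(cookie_header)
    if "SMSESSION" not in cookies:
        raise ValueError("no SMSESSION cookie: SiteMinder has not authenticated this user")

    incoming = urlsplit(received_url)
    target = urlsplit(fm_return_url)
    # Keep the return endpoint's own parameters (if any) and append every
    # parameter received, including blank ones, exactly as they arrived.
    merged = (parse_qsl(target.query, keep_blank_values=True)
              + parse_qsl(incoming.query, keep_blank_values=True))
    return urlunsplit((target.scheme, target.netloc, target.path,
                       urlencode(merged), ""))


def standalone_cookie_domain_ok(smsession_domain: str,
                                fm_url: str = FM_RETURN_URL) -> bool:
    """Deployment check for standalone mode: will FM see the Web Agent's SMSESSION?"""
    return cookie_domain_matches(smsession_domain, urlsplit(fm_url).hostname or "")


if __name__ == "__main__":
    # Constructed request as the protected resource would see it after SiteMinder auth.
    request_url = "https://app.example.com/protected/entry?partner=sp-a&state=x%2Fy&empty="
    cookie_hdr = "JSESSIONID=zz; SMSESSION=constructed-ticket-value"
    print("Location:", build_return_redirect(request_url, cookie_hdr))
    print("SMSESSION domain .example.com reaches FM:", standalone_cookie_domain_ok(".example.com"))
    print("SMSESSION domain app.example.com reaches FM:", standalone_cookie_domain_ok("app.example.com"))
```

The redirect keeps parameter order and blank values so that whatever Federation Manager put into the initial request arrives unchanged; the cookie-domain check is the one to run when standalone mode is planned and the Web Agent and Federation Manager sit on different hosts.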

The following figure shows an architecture using the SiteMinder Connector at the asserting party.

[Figure: SiteMinder Connector at the asserting party]

The previous figure shows the following communication flow at the asserting party:

  1. A user requests a federated resource, which triggers an authentication request to the SiteMinder Web Agent at the asserting party.
  2. The authentication request is forwarded to the SiteMinder Policy Server.
  3. The Policy Server authenticates the user and generates a SiteMinder session ticket. The ticket is returned to the SiteMinder Web Agent, which creates an SMSESSION cookie that contains this ticket.
  4. The Web Agent passes the SMSESSION cookie to the user's browser along with a redirect response to Federation Manager.
  5. The user's browser with the SMSESSION cookie is redirected to Federation Manager.
  6. Federation Manager contacts the SiteMinder Policy Server to validate the SMSESSION cookie.
  7. After successful validation of the SMSESSION cookie, the Federation Manager session gets created. Federation Manager then handles the rest of the federated communication to the relying party where the target resource resides.


Copyright © 2010 CA. All rights reserved.