

How to Implement Single Sign-on (SSO) with CA SiteMinder

When you implement SSO, a CA SiteMinder Web Agent intercepts user requests submitted to the CA GovernanceMinder server, and queries a CA SiteMinder Policy Server to authenticate the user. The Policy Server returns user credentials that let the CA GovernanceMinder server identify the user in its local file of portal users.

Note: For more information about CA SiteMinder implementation and configuration steps, see the CA SiteMinder Policy Server Configuration Guide, the CA SiteMinder Web Agent Configuration Guide, and other relevant portions of CA SiteMinder documentation.

To implement SSO for the CA GovernanceMinder Portal:

  1. Configure an HTTP server or cluster to function in reverse proxy mode.

    Note: On an Apache HTTP server, configure the mod_proxy module. For more information, see the documentation for your HTTP server.

    The HTTP server or cluster relays user communication to and from the CA GovernanceMinder portal.

  2. Configure firewalls, IP masks, and other security settings required in your network environment.

    The HTTP server/cluster communicates with the CA GovernanceMinder server and the CA SiteMinder Policy Server.

  3. Install and configure a CA SiteMinder Web Agent on the HTTP server or cluster.

    The Web Agent intercepts end-user communication with the CA GovernanceMinder portal.

  4. On the CA SiteMinder Policy Server, define a domain, realm, and policy for the new Web Agent. Define a response that returns some user information as HTTP header variables.

    The values that CA SiteMinder returns identify the user in the CA GovernanceMinder configuration file of portal users.

  5. Enable SSO on the CA GovernanceMinder server by setting the following system property to True:
    sage.security.siteminder.enabled

    Specifies whether single sign-on using CA SiteMinder is implemented.

    Valid values: True, False

  6. Define the following system parameter:
    logout.landingPageUrl

    Defines the web page to which users are sent when they log out from the CA GovernanceMinder portal. For a page external to the CA GovernanceMinder portal, specify the full URL of the page. For a page in the CA GovernanceMinder portal, specify only the page name, and omit the host, port, and pathname of the portal.

    Default value: loginForm

  7. (Optional) To tune the system performance, configure CA GovernanceMinder system properties that control SSO operation.

    Important! We recommend that you become familiar with these settings before you consider changing them.

    sage.security.GUID.expiration.delta.seconds

    CA GovernanceMinder creates temporary proxy user IDs to support user authentication by CA SiteMinder. This property defines a cutoff time before the proxy ID expires, beyond which no new requests are sent using the ID.

    Default: 60 seconds.

    sage.security.GUID.expiration.minutes

    CA GovernanceMinder creates temporary proxy user IDs to support user authentication by CA SiteMinder. This property defines the lifetime of a proxy ID, in minutes.

    Default: 360 minutes (6 hours).
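
For step 1 on an Apache HTTP server, a reverse proxy configuration with mod_proxy could look like the following. This is an added example, not taken from the CA documentation; the host names, port, path, and certificate locations are placeholders to replace with your own values.

```apache
# Added example for step 1 (Apache httpd 2.4). All names below are placeholders.
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module        modules/mod_ssl.so

# Reverse proxy only: with ProxyRequests Off the server never acts as a
# forward proxy for arbitrary destinations.
ProxyRequests Off

<VirtualHost *:443>
    # Public name that end users browse to (placeholder).
    ServerName portal.example.com

    # Terminate TLS on the proxy (placeholder certificate paths).
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder-cert.pem
    SSLCertificateKeyFile /path/to/placeholder-key.pem

    # Forward portal requests to the CA GovernanceMinder server.
    # Backend host, port, and path are assumptions for illustration.
    ProxyPass        /portal/ http://gm-backend.example.internal:8080/portal/
    # Rewrite Location headers in backend redirects so that users stay
    # on the proxy host, where the Web Agent can intercept their requests.
    ProxyPassReverse /portal/ http://gm-backend.example.internal:8080/portal/
</VirtualHost>
```

Because the CA GovernanceMinder server identifies users from the header values that arrive through this proxy, use the firewall rules from step 2 to make sure the server accepts portal connections only from the HTTP server or cluster, so that no request can reach it without passing the Web Agent.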