How to Configure the HTTP Response Header for Single Sign-on

Configuration Guide › Authentication Options › Single Sign-On (SSO) with CA SiteMinder › How to Configure the HTTP Response Header for Single Sign-on

How to Configure the HTTP Response Header for Single Sign-on

A CA SiteMinder Web Agent intercepts requests from users to the CA GovernanceMinder portal. CA SiteMinder authenticates the user, and a CA SiteMinder response policy returns an HTTP header that identifies the user account in CA GovernanceMinder.

The CA GovernanceMinder server maintains a configuration file of portal user accounts. Configure the CA SiteMinder response policy to return the user information that corresponds to the UserID field in this configuration file:

The UserID field can contain simply the user name, for example:
```
Javier.Torres
```
In this case the CA SiteMinder response policy returns the user name as an HTTP header variable. You can use the standard, predefined sm_user CA SiteMinder WebAgent-HTTP header variable attribute.
The UserID field can contain the domain and username, for example:
```
RCMusersDb\Javier.Torres
```
In this case the CA SiteMinder response policy returns both the domain and the username as HTTP header variables. Define a custom attribute, in one of the following ways:
- Use the standard sm_user attribute for the username, and define a custom attribute for the domain.
- Define a custom attribute that contains the entire domain\username value.

CA GovernanceMinder uses the following system properties to parse the returned HTTP header for returned attributes. These values must match the attribute labels that CA SiteMinder inserts in the HTTP header.

sage.security.siteminder.username.attribute

Defines the label of the attribute in the returned HTTP header that contains the username or the value of the UserID field. The field defined in this property must be present in the HTTP header.

Default: sm_user

Note: This attribute is case-sensitive and requires a reboot of the system if you change the default.

sage.security.siteminder.domain.attribute

Defines the label of the attribute in the returned HTTP header that contains the user domain.

Default: rcm_domain.

Example: Domain and User Name in Separate Attributes

Consider the following UserID field in the CA GovernanceMinder user configuration file:

RCMusersDb\Javier.Torres

The returned HTTP header can specify this user using two attributes, with the following values:

sm_user="Javier.Torres" rcm_domain="RCMusersDb"

sm_user is a standard CA SiteMinder attribute, but you define the rcm_domain attribute for the return policy.

To parse this header, both of the following CA GovernanceMinder system properties must have their default values:

sage.security.CA SiteMinder.username.attribute: sm_user
sage.security.CA SiteMinder.domain.attribute: rcm_domain

Example: Domain and Username in One Attribute

Consider the following UserID field in the CA GovernanceMinder user configuration file:

RCMusersDb\Javier.Torres

The returned HTTP header can specify this user using one attribute, with the following value:

rcm_userIDstring="RCMusersDb"

This attribute is not standard, and you define it for the return policy.

To parse this header, you only set the following CA GovernanceMinder system property:

sage.security.CA SiteMinder.username.attribute: rcm_userIDstring

Note: Not all environments include the domain name in the UserID field, but the username is always present. For this reason, CA GovernanceMinder always uses the .username. system property to parse the HTTP header, but the .domain. system property is optional.