

How to Implement Single Sign-on (SSO) with CA SiteMinder®

When you implement SSO, a CA SiteMinder® Web Agent installed on a reverse proxy in front of the CA Identity Governance server intercepts user requests submitted to the portal and queries a CA SiteMinder® Policy Server to authenticate the user. The Policy Server returns user attributes, which the Web Agent passes to the CA Identity Governance server as HTTP headers; these values let the CA Identity Governance server identify the user in its local file of portal users.

Note: For more information about CA SiteMinder® implementation and configuration steps, see the CA SiteMinder Policy Server Configuration Guide, the CA SiteMinder Web Agent Configuration Guide, and other relevant portions of CA SiteMinder® documentation.

To implement SSO for the CA Identity Governance Portal:

  1. Configure an HTTP server or cluster to function in reverse proxy mode.

    Note: On an Apache HTTP server, configure the mod_proxy module. For more information, see the documentation for your HTTP server.

    The HTTP server/cluster relays all end-user traffic to and from the CA Identity Governance portal.

  2. Configure firewalls, IP masks, and other security settings required in your network environment.

    The HTTP server/cluster communicates with the CA Identity Governance server and the CA SiteMinder® Policy Server. Because the CA Identity Governance server trusts the user-identity headers it receives (see step 4), make sure it accepts portal traffic only from the HTTP server/cluster. A client that can reach the CA Identity Governance server directly, bypassing the Web Agent, could supply those headers itself.

  3. Install and configure a CA SiteMinder® Web Agent on the HTTP server or cluster.

    The Web Agent intercepts end-user communication with the CA Identity Governance portal.

  4. On the CA SiteMinder® Policy Server, define a domain, realm, and policy for the new Web Agent. Define a response that returns some user information as HTTP header variables.

    The values that CA SiteMinder® returns identify the user in the CA Identity Governance configuration file of portal users.

  5. Enable SSO on the CA Identity Governance server by setting the following system property to True.
    sage.security.siteminder.enabled

    Specifies whether single sign-on using CA SiteMinder® is implemented.

    Valid values: True, False

  6. Set the following system property:
    logout.landingPageUrl

    Defines the web page to which users are sent when they log out from the CA Identity Governance portal. For a page external to the CA Identity Governance portal, specify the full URL of the page. For a page in the CA Identity Governance portal, specify only the page name, and omit the host, port, and pathname of the portal.

    Default value: loginForm

  7. (Optional) To tune the system performance, configure CA Identity Governance system properties that control SSO operation.

    Important! We recommend that you are familiar with these settings before you consider changing them.

    sage.security.GUID.expiration.delta.seconds

    CA Identity Governance creates temporary proxy user IDs to support user authentication by CA SiteMinder®. This property defines a safety margin before the proxy ID expires: once fewer than this many seconds remain in the ID's lifetime, no new requests are sent using that ID.

    Default: 60 seconds.

    sage.security.GUID.expiration.minutes

    CA Identity Governance creates temporary proxy user IDs to support user authentication by CA SiteMinder®. This property defines the lifetime of a proxy ID, in minutes.

    Default: 360 minutes (6 hours).
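The following Apache httpd 2.4 virtual host is an added example of the reverse proxy built in steps 1 through 3; it is not configuration from the CA documentation. The backend host and port (ig-server.internal:8080), the portal context path (/ig), the TLS file paths, and the header name SM_USER (assumed to be the header your step-4 response returns) are all assumptions to replace with your own values.

```apache
# Added example: Apache httpd 2.4 reverse proxy in front of CA Identity Governance.
# Backend host/port, context path, TLS paths and the SM_USER header name are assumptions.

Listen 443
<VirtualHost *:443>
    ServerName portal.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/portal.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/portal.example.com.key

    # Step 1: reverse proxy only. ProxyRequests must stay Off; setting it On
    # would turn this host into an open forward proxy.
    ProxyRequests     Off
    ProxyPreserveHost On

    # Step 3: the CA SiteMinder Web Agent installer adds its own module-loading
    # and initialization-file directives to httpd.conf; they are not shown here.

    # Header hygiene: the CA Identity Governance server trusts the identity
    # headers the Web Agent adds (step 4). Strip any copy of those headers that
    # arrives from the client before the Web Agent runs, so a client cannot
    # pre-fill them. "early" runs in the post-read-request phase, ahead of the
    # Web Agent's authentication hook. Add one line per header your response returns.
    RequestHeader unset SM_USER early

    # Deny everything by default, then allow only the SSO-protected portal path.
    # Later <Location> sections override earlier ones, so the specific path comes last.
    <Location />
        Require all denied
    </Location>
    <Location /ig>
        Require all granted
    </Location>

    ProxyPass        /ig http://ig-server.internal:8080/ig
    ProxyPassReverse /ig http://ig-server.internal:8080/ig
</VirtualHost>
```

After enabling SSO (step 5), verify the setup with two requests: one sent through the proxy with a forged SM_USER header and no CA SiteMinder® session should be redirected to the CA SiteMinder® login rather than being accepted, and one sent directly to ig-server.internal:8080 from a host other than the proxy should be blocked by the firewall rules from step 2.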