How to Implement Single Sign-on (SSO) with CA SiteMinder

When you implement SSO, a CA SiteMinder Web Agent intercepts user requests submitted to the CA RCM server, and queries a CA SiteMinder Policy Server to authenticate the user. The Policy Server returns user credentials that let the CA RCM server identify the user in its local file of portal users.

Note: For more information about CA SiteMinder implementation and configuration steps, see the Policy Server Configuration Guide, the Web Agent Configuration Guide, and other relevant portions of CA SiteMinder documentation.

To implement SSO for the CA RCM portal, do the following:

  1. Configure an HTTP server or cluster to function in reverse proxy mode.

    Note: On an Apache HTTP server, configure the mod_proxy module. For more information, see the documentation for your HTTP server.

    The HTTP server or cluster relays user traffic to and from the CA RCM portal.

  2. Configure firewalls, IP masks, and other security settings required in your network environment.

    After this step, the HTTP server or cluster can communicate with both the CA RCM server and the CA SiteMinder Policy Server.

  3. Install and configure a CA SiteMinder Web Agent on the HTTP server or cluster.

    The Web Agent intercepts end-user communication with the CA RCM portal.

  4. On the CA SiteMinder Policy Server, define a domain, realm, and policy for the new Web Agent. Define a response that returns user information as HTTP header variables.

    The values that CA SiteMinder returns identify the user in the CA RCM configuration file of portal users.

  5. Enable SSO on the CA RCM server by setting the following system property to True:
    sage.security.SiteMinder.enabled

    Specifies whether single sign-on using CA SiteMinder is implemented.

    Valid values: True, False

  6. Define the following system parameter:
    logout.landingPageUrl

    Defines the web page to which users are sent when they log out of the CA RCM portal. For a page external to the CA RCM portal, specify the full URL of the page. For a page in the CA RCM portal, specify only the page name, and omit the host, port, and pathname of the portal.

    Default value: loginForm

  7. (Optional) To tune system performance, configure CA RCM system properties that control SSO operation.

    Important! Do not modify these settings yourself. For assistance, contact CA Support at http://ca.com/support.

    sage.security.GUID.expiration.delta.seconds

    CA RCM creates temporary proxy user IDs to support user authentication by CA SiteMinder. This property defines a cutoff period, in seconds, before the proxy ID expires. Once the ID is within this period of expiring, no new requests are sent using it.

    Default: 60 seconds.

    sage.security.GUID.expiration.minutes

    CA RCM creates temporary proxy user IDs to support user authentication by CA SiteMinder. This property defines the lifetime of a proxy ID, in minutes.

    Default: 360 minutes (6 hours).
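
The reverse proxy from step 1, sketched for Apache HTTP Server with mod_proxy. This is an added example, not taken from CA documentation; the host name, port, and the /rcm-portal/ path are placeholders to replace with your own values.

```apache
# Added example. rcm-backend.example.internal, port 8080 and /rcm-portal/
# are placeholders, not values defined by CA RCM.

# Load the proxy modules (module paths vary by distribution).
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxy only: do not act as a forward proxy for arbitrary destinations.
ProxyRequests Off

# Relay portal requests to the CA RCM server.
ProxyPass        /rcm-portal/ http://rcm-backend.example.internal:8080/rcm-portal/

# Rewrite Location headers in redirects from the CA RCM server so that
# browsers keep talking to this host instead of the backend.
ProxyPassReverse /rcm-portal/ http://rcm-backend.example.internal:8080/rcm-portal/
```

Because the portal identifies users from the header variables that the Web Agent adds on this path (step 4), the firewall rules from step 2 should allow only the HTTP server or cluster to connect to the CA RCM server.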