Authentication Scheme Considerations

SiteMinder enforces authentication schemes to protect resources. When users attempt to access protected resources through a SiteMinder Web Agent or the SPS, SiteMinder asks for credentials based on the authentication scheme protecting the resource.

SiteMinder also assigns a protection level to each authentication scheme. Protection levels are enforced during single sign-on, when a user tries to access resources protected by different authentication schemes. In such scenarios, the user can access resources protected by a different authentication scheme without reauthentication if the protection level of that scheme is equal to or lower than that of the scheme the user already authenticated with. When moving from a lower protection level to a higher protection level, the user is challenged for authentication. When moving from a higher protection level to a lower protection level, the user is not challenged for reauthentication.

When the SPS is integrated with SiteMinder, the SPS behaves similarly to a SiteMinder Web Agent. However, an SPS using basic authentication behaves like a Web Agent only if the SPS is configured to use the default session scheme, SessionCookieScheme, to track user sessions. If the SPS is configured to use any of the other advanced or cookieless session schemes, the user has to reauthenticate, and single sign-on does not work.

For example, a basic authentication scheme with a protection level of 5 protects two resources, resource1 and resource2. The SPS is configured to use a mini-cookie session scheme (or any other cookieless session scheme) to track user sessions. When a user tries to access resource1, the SPS forwards the request to SiteMinder. SiteMinder verifies the authentication scheme for resource1 and challenges the user for credentials.

The SPS collects the credentials from the user and, after successful authentication by SiteMinder, allows the user to access resource1. If the user then tries to access resource2, the SPS forwards the request to SiteMinder. SiteMinder verifies the authentication scheme for resource2 and challenges the user for credentials. Because the SPS is configured to use a mini-cookie session scheme, the SPS requests the user to reauthenticate. If the SPS is configured to use the default SiteMinder cookie session scheme, then the user need not reauthenticate to access resource2.
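The challenge rules described above can be modeled as a small Python function for predicting where users will be prompted across a sequence of resources. This is an added illustration, not SiteMinder or SPS code; the scheme labels "html-forms" and "x509", the resource names other than resource1 and resource2, and the rule that a session keeps the highest level authenticated so far are assumptions.

```python
from dataclasses import dataclass

DEFAULT_SESSION_SCHEME = "SessionCookieScheme"  # default SPS session scheme named above


@dataclass(frozen=True)
class Resource:
    name: str
    auth_scheme: str        # label of the protecting scheme, e.g. "basic"
    protection_level: int   # protection level assigned to that scheme


def challenged_at(visits, sps_session_scheme=DEFAULT_SESSION_SCHEME):
    """Return the names of the visited resources where the user is asked for credentials."""
    prompts = []
    session_level = None  # None until the first successful authentication
    for res in visits:
        # Basic authentication only gets single sign-on with the default session scheme.
        no_sso = res.auth_scheme == "basic" and sps_session_scheme != DEFAULT_SESSION_SCHEME
        # First access, or a move from a lower to a higher protection level.
        step_up = session_level is None or res.protection_level > session_level
        if no_sso or step_up:
            prompts.append(res.name)
            # Assumption: the session keeps the highest level authenticated so far.
            session_level = max(session_level or 0, res.protection_level)
    return prompts


# Constructed sample data: the page's own example, then a mixed-level sequence.
BASIC_PAIR = [Resource("resource1", "basic", 5), Resource("resource2", "basic", 5)]
MIXED = [
    Resource("portal", "html-forms", 5),
    Resource("payroll", "x509", 10),
    Resource("news", "html-forms", 5),
]

if __name__ == "__main__":
    print("mini-cookie:", challenged_at(BASIC_PAIR, "mini-cookie"))
    print("default:    ", challenged_at(BASIC_PAIR))
    print("mixed:      ", challenged_at(MIXED))
```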

Note: For more information about authentication schemes and their protection levels, see the CA SiteMinder Policy Configuration Guide.