Configure SPS Security Zones

SSO security zones are intended for situations where SiteMinder administrators want to segment the single sign-on environments within the same cookie domain. For example, consider the CA.COM domain. Under standard SiteMinder SSO functionality, all SiteMinder protected applications in CA.COM would use the cookie SMSESSION to manage single sign-on.

Consider the following scenario in which security zones do not exist:

  1. The user accesses an application (APP1). SiteMinder challenges the user for credentials. The user logs into SiteMinder, and creates an SMSESSION cookie.
  2. The user accesses a second application (APP2), and SiteMinder challenges the user again. (Rules prevent SSO from occurring because the user does not have access to APP2 using the APP1 user credentials.) The user logs in and creates an SMSESSION cookie overwriting the old one with the new logged in session for APP2.
  3. The user returns to APP1 and is challenged again, because the user lost the original APP1 session, and the APP2 session possibly has not been accepted for APP1. Therefore, SSO does not occur between APP1 and APP2.

With SSO security zones, APP1 can be placed in zone Z1 and APP2 can be placed in zone Z2. Now logging into APP1 creates a Z1SESSION cookie and access to APP2 results in a Z2SESSION cookie. With different names, the cookies no longer overwrite each other so there is only one login per application now, not one for each time the user moves between applications.

To configure SPS Security Zones

  1. Install a Secure Proxy Server and configure it with the Policy Server. Consider all resources protected by this SPS as belonging to the same security zone. By default, users are not challenged when accessing multiple resources in this zone in the same session.
  2. In the local agent configuration file for this SPS, add a value to the SSOZoneName parameter.
  3. On another Web Agent within the same cookie domain, configure the following two parameters: SSOZoneName and SSOTrustedZone.

Example

Configure SSOZoneName=A in Zone1.

Configure SSOZoneName=B and SSOTrustedZone=A in Zone2.

Users who are authenticated in Zone B and have previously been authenticated in Zone A can continue to access resources in Zone A in the same session without being rechallenged.
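The following simulation is an added example, not SiteMinder or SPS code: it models the cookie-name behaviour described on this page (a session cookie named <zone>SESSION, SMSESSION for the default zone) and the trusted-zone lookup, and replays the three-step scenario above with and without zones. The apps, zone names and the per-app acceptance policy (`accepts_from`, standing in for the rules that decide whether another app's session is valid) are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Agent:
    """One Web Agent or SPS. Its session cookie is named <zone>SESSION (SMSESSION by default)."""
    app: str
    zone: str = "SM"                                   # SSOZoneName
    trusted_zones: list = field(default_factory=list)  # SSOTrustedZone, checked in order after own zone
    accepts_from: set = field(default_factory=set)     # constructed policy: apps whose session this app accepts


def access(agent, jar, log):
    """Simulate one request against `agent` with a shared cookie jar. Returns True if the user was challenged."""
    for zone in [agent.zone, *agent.trusted_zones]:
        session_app = jar.get(f"{zone}SESSION")
        if session_app and (session_app == agent.app or session_app in agent.accepts_from):
            log.append(f"{agent.app}: SSO via {zone}SESSION")
            return False
    # Challenge: the new login writes the agent's own zone cookie, overwriting any cookie of that name.
    jar[f"{agent.zone}SESSION"] = agent.app
    log.append(f"{agent.app}: challenged, wrote {agent.zone}SESSION")
    return True


def run(agents, sequence):
    """Visit the apps in `sequence` with one cookie jar; return (number of challenges, log)."""
    jar, log = {}, []
    by_app = {a.app: a for a in agents}
    challenges = sum(access(by_app[name], jar, log) for name in sequence)
    return challenges, log


# Scenario 1 (the page's first scenario): no zones, so both apps share SMSESSION and reject each other's session.
NO_ZONES = [Agent("APP1"), Agent("APP2")]
# Scenario 2: the same apps placed in zones Z1 and Z2, so Z1SESSION and Z2SESSION coexist in the jar.
ZONED = [Agent("APP1", zone="Z1"), Agent("APP2", zone="Z2")]
# Scenario 3 (the configuration example): zone A, and zone B with SSOTrustedZone=A accepting zone A's session.
TRUSTED = [Agent("APPA", zone="A"),
           Agent("APPB", zone="B", trusted_zones=["A"], accepts_from={"APPA"})]

if __name__ == "__main__":
    for name, agents, seq in [("no zones", NO_ZONES, ["APP1", "APP2", "APP1"]),
                              ("zones Z1/Z2", ZONED, ["APP1", "APP2", "APP1"]),
                              ("trusted zone", TRUSTED, ["APPA", "APPB", "APPA"])]:
        n, log = run(agents, seq)
        print(f"{name}: {n} challenge(s)\n  " + "\n  ".join(log))
```

Without zones the user is challenged on every switch between APP1 and APP2 (three logins for three visits); with zones the second visit to APP1 is served from the surviving Z1SESSION cookie, and with a trusted zone the zone A login also satisfies zone B.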

Note: For information about configuring security zones beyond this basic use case, see the Web Agent Configuration Guide.