This section contains the following topics:
SiteMinder WSS Agent Functions
The SiteMinder WSS Agent and the Policy Server
SiteMinder WSS Agent Support for Web Servers
The SiteMinder Web Services Security (WSS) Agent for Web Servers is an XML-enabled version of the CA SiteMinder Web Agent that operates with a web server to handle XML messages sent to web service implementations.
When a web consumer (client) application sends an XML message to a URL that is bound to a web service, the SiteMinder WSS Agent intercepts these messages and communicates with the Policy Server to process authentication and authorization requests before the XML message is passed on to the web service. In addition, the Policy Server can provide information that the SiteMinder WSS Agent adds to the XML message, such as a SAML assertion based on the originating client application’s identity.
Note: If you have purchased CA SiteMinder®, you can also use the core Web Agent functionality of the SiteMinder WSS Agent to protect other resources on a Web server. For more information about this functionality, see the CA SiteMinder® documentation—the remainder of this chapter deals specifically with use of the SiteMinder WSS Agent to protect web services.
The SiteMinder WSS Agent performs the following tasks:
To enforce web service access control, the SiteMinder WSS Agent interacts with the Policy Server, where all authentication and authorization decisions are made.
The SiteMinder WSS Agent intercepts XML messages posted to a web server and checks with the Policy Server to see if the requested resource is protected. If the resource is unprotected, the access request proceeds directly to the web server. If the resource is protected, the following occurs:
The SiteMinder WSS Agent can also receive message-specific attributes, in the form of responses, to be passed on to the Web service. A response is a personalized message or other message-specific information returned to the SiteMinder WSS Agent from the Policy Server after authorizing the message. A response consists of name-value attribute pairs that instruct the SiteMinder WSS Agent to generate SAML Session Tickets and WS-Security tokens.
To protect Web services hosted on a web server, you deploy a SiteMinder WSS Agent on that web server (as shown in the following illustration). You then configure authentication and authorization policies for the web service resources hosted on that web server.
For a list of Web server platforms on which the SiteMinder WSS Agent is supported, see the CA SiteMinder WSS Platform Support matrix on the Technical Support site at http://ca.com/support.
While the SiteMinder WSS Agent works with the standard features of CA SiteMinder WSS, you can extend Agent functionality by creating a custom SiteMinder WSS Agent. You create a custom SiteMinder WSS Agent using the Agent APIs provided by the CA SiteMinder® SDK and the CA SiteMinder WSS SDK and then configure it by using the Policy Server User Interface.
custom agents work with the CA SiteMinder® Policy Server to control access to a wide range of resources beyond web resources. For example, custom agents could control access to a software architecture method, an application, or a task performed by an application.
Together with the Policy Server, the SiteMinder WSS Agent protects web resources that can be identified by a URL. Because the Policy Server is a general-purpose rules engine, it can protect:
Consequently, a custom agent, working with the Policy Server as the core engine, can extend the types of resources that CA SiteMinder® and CA SiteMinder WSS can protect.
Using the CA SiteMinder® and CA SiteMinder WSS Agent APIs, you can create a custom SiteMinder WSS Agent to implement security for any type of resource. API functionality for creating a custom SiteMinder WSS Agent includes:
For detailed information about creating a custom SiteMinder WSS Agent, see the following guides:
Copyright © 2015 CA Technologies.
All rights reserved.
|
|