Web Services Security Guides › CA SiteMinder® Web Services Security Agent Guide for IIS Web Servers › CA SiteMinder® Web Services Security Agent for Web Servers Introduction

CA SiteMinder® Web Services Security Agent for Web Servers Introduction

This section contains the following topics:

Overview

SiteMinder WSS Agent Functions

The SiteMinder WSS Agent and the Policy Server

SiteMinder WSS Agent Support for Web Servers

Overview

The SiteMinder Web Services Security (WSS) Agent for Web Servers is an XML-enabled version of the CA SiteMinder Web Agent that operates with a web server to handle XML messages sent to web service implementations.

When a web consumer (client) application sends an XML message to a URL that is bound to a web service, the SiteMinder WSS Agent intercepts these messages and communicates with the Policy Server to process authentication and authorization requests before the XML message is passed on to the web service. In addition, the Policy Server can provide information that the SiteMinder WSS Agent adds to the XML message, such as a SAML assertion based on the originating client application’s identity.

Note: If you have purchased CA SiteMinder®, you can also use the core Web Agent functionality of the SiteMinder WSS Agent to protect other resources on a Web server. For more information about this functionality, see the CA SiteMinder® documentation—the remainder of this chapter deals specifically with use of the SiteMinder WSS Agent to protect web services.

SiteMinder WSS Agent Functions

The SiteMinder WSS Agent performs the following tasks:

• Intercept posted XML messages to protected Web services and work with the Policy Server to determine whether or not a client application should have access.
• Ensure a client application’s ability to access Web services quickly and securely. The SiteMinder WSS Agent stores contextual information about client application access privileges in a session cache. You can optimize performance by modifying the cache configuration settings.
• Support multistep and chain authentication service models by generating and consuming SAML Session Tickets and WS-Security tokens.

The SiteMinder WSS Agent and the Policy Server

To enforce web service access control, the SiteMinder WSS Agent interacts with the Policy Server, where all authentication and authorization decisions are made.

The SiteMinder WSS Agent intercepts XML messages posted to a web server and checks with the Policy Server to see if the requested resource is protected. If the resource is unprotected, the access request proceeds directly to the web server. If the resource is protected, the following occurs:

• The SiteMinder WSS Agent checks which authentication method is required for this resource. Typical credentials are a name and password, but other credentials, such as a certificate or SAML assertion, may be required.
• The SiteMinder WSS Agent obtains credentials from the transport, header, or body of the XML message.
• The SiteMinder WSS Agent passes the credentials to the Policy Server, which determines if the credentials are sufficient for the authentication method.
• If the posted XML message passes the authentication phase, the Policy Server determines if the message is authorized to access the resource. If a policy uses policy expressions as part of the authorization process, the SiteMinder WSS Agent may need to resolve the variables used in these expressions if the Policy Server cannot resolve them.
• Once the Policy Server grants access, the SiteMinder WSS Agent allows the access request to proceed to the Web service.

The SiteMinder WSS Agent can also receive message-specific attributes, in the form of responses, to be passed on to the Web service. A response is a personalized message or other message-specific information returned to the SiteMinder WSS Agent from the Policy Server after authorizing the message. A response consists of name-value attribute pairs that instruct the SiteMinder WSS Agent to generate SAML Session Tickets and WS-Security tokens.

SiteMinder WSS Agent Support for Web Servers

To protect Web services hosted on a web server, you deploy a SiteMinder WSS Agent on that web server (as shown in the following illustration). You then configure authentication and authorization policies for the web service resources hosted on that web server.

For a list of Web server platforms on which the SiteMinder WSS Agent is supported, see the CA SiteMinder® Web Services Security Platform Support matrix on the Technical Support site at http://ca.com/support.