This section contains the following topics:
SiteMinder and CA SSO Integration Architectural Examples
CA SiteMinder® and CA SSO Integration Prerequisites
Configure Single Sign-On from SiteMinder to CA SSO
Configure Single Sign-On from CA SSO Client to SiteMinder
Configure Single Sign-On from CA SSO to SiteMinder
Configure an smetssocookie Web Agent Active Response Attribute
Configure an smauthetsso Custom Authentication Scheme
CA SiteMinder® provides single sign-on from CA SiteMinder® to the CA SSO environments. Users log in to a CA SiteMinder® or CA SSO environment, and once authenticated by CA SiteMinder®, are authenticated for both environments. Authenticated users can access protected resources in either environment without having to reenter credentials, as long as they are authorized. User authorization is based on the policies in effect within each environment.
When allowing users to access secure resources, CA SiteMinder® and CA SSO each maintain user credentials in their own session stores. They also have their own proprietary session credentials that cannot be read by the other and, thus, user credentials are maintained separately. Since these credentials reside in different stores, to enable single sign-on, the CA SiteMinder® Policy Server and CA SSO Policy Server must be part of the same cookie domain and must share the same user or authentication store.
In this single sign-on configuration, the CA SiteMinder® and CA SSO Policy Servers can be on the same or on different machines. CA SiteMinder® can contain a Web Agent, CA SiteMinder® SPS, or both. You use a Web Agent or CA SiteMinder® SPS based on your own CA SiteMinder® environment. CA SSO uses the eTrust Web Access Control (WAC) Web Agent, and you do not need to modify your current environment to enable single sign-on with CA SiteMinder®.
Note: You must be intimately familiar with CA SiteMinder® and CA SSO before configuring single sign-on between the products. For a list of supported CA SiteMinder®, CA SiteMinder® SPS, CA SSO, and eTrust WAC versions, refer to the 6.0 CA SiteMinder® and Agents Platform Matrix on the Technical Support site.
The following are three examples of single sign-on between CA SiteMinder® and CA SSO environments:
Note: In these examples, the steps in which the CA SiteMinder® and CA SSO Policy Servers authorize access to protected resources are omitted for clarity.
The following example illustrates a user accessing a CA SiteMinder®-protected resource before a WAC-protected resource:
The following example illustrates an authenticated CA SSO client user accessing a CA SiteMinder® protected resource:
The following example illustrates a user accessing a WAC-protected resource before a CA SiteMinder®-protected resource:
Note: The example assumes the environment is using an IIS6 WAC Agent. An IIS6 WAC Agent is the only platform that the following example supports.
Before configuring a single sign-on integration between CA SiteMinder® and CA SSO:
Note: When installing the CA SSO Policy Server, gather the following:
Important! The integration fails if both environments are not operating in the same FIPS mode of operation.
CA SiteMinder® provides single sign-on from CA SiteMinder® to CA SSO environments.
To enable single sign-on from CA SiteMinder® to CA SSO using a CA SiteMinder® Web Agent or CA SiteMinder® SPS
Enable the CA SiteMinder® SSO Plug-in installed with the Web Agent or CA SiteMinder® SPS:
Note: Restart the Web server after you modify the WebAgent.conf file so the new configuration settings take effect.
#LoadPlugin=<Path to eTSSOPlugin.dll or libetssoplugin.so>
Note: Restart CA SiteMinder® SPS after you modify the WebAgent.conf file so the new configuration settings take effect.
To enable single sign-on using the WAC Web Agent
DomainCookie=<domain>
where <domain> is the same domain (for example, test.com) for the CA SSO and CA SiteMinder® Web Agents.
The file is installed in the following location on the WAC Web Agent machine:
C:\Program Files\CA\WebAccessControl\WebAgent\webagent.ini
Note: For more information about configuring the WAC Web Agent, see the WAC documentation.
CA SSO Policy Manager Verification Steps
Note: For more information about configuring the Policy Manager, see the CA SSO documentation.
For CA SiteMinder® user store configuration instructions, see the User Directories chapter in this guide.
For the CA SSO authentication store, see the CA SSO documentation.
Note: When creating the rules, append the smetssocookie custom active response to them.
Overall Verification Steps
You should gain access to this resource without being prompted for credentials.
CA SiteMinder® provides single sign-on from the CA SSO Client to CA SiteMinder®.
To enable single sign-on from a CA SSO Client to CA SiteMinder®:
CA SiteMinder® Policy Server Configuration Steps
CA SSO Client Verification Steps
Set the following in the CA SSO Client SsoClnt.ini file:
Note: The SsoClnt.ini file is installed in C:\Program Files\CA\CA SSO\Client on the CA SSO Client machine. More information on configuring the CA SSO Client exists in the CA SSO documentation.
DomainNameServer=<eSSO_WA_FQDN> <SM_WA_FQDN>
<eSSO_WA_FQDN>
(Optional) Specifies the fully qualified domain name of the WAC Web Agent.
<SM_WA_FQDN>
Specifies the fully qualified domain name of the CA SiteMinder® Web Agent.
Overall Verification Steps
You should be able to access the resource without being rechallenged by CA SiteMinder®.
CA SiteMinder® provides single sign-on from CA SSO to CA SiteMinder®.
To enable single sign-on from CA SSO to CA SiteMinder®
CA SiteMinder® Policy Server Configuration Steps
For more information, see Domains, Grouping Resources in Realms, or Rules.
WAC Web Agent Verification Steps
Note: The value you specify for the domain must be the same for the CA SSO and CA SiteMinder® Web Agents. The file is installed on the WAC Web Agent machine at C:\Program Files\CA\WebAccessControl\WebAgent\webagent.ini.
Note: For more information about configuring the WAC Web Agent, see the WAC documentation.
CA SiteMinder® Web Agent or CA SiteMinder® SPS Configuration Steps
#LoadPlugin=path_to_eTSSOPlugin.dll | path_to_libetssoplugin.so
Note: The WebAgent.conf file is located as follows:
Web Agent: see the Web Agent Configuration Guide.
CA SiteMinder® SPS: SPS_install_dir\proxy-engine\conf\defaultagent\
SPS_install_dir
Specifies the CA SiteMinder® SPS installation directory.
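The two agent-side settings this page depends on are easy to get half right: the LoadPlugin line in WebAgent.conf is shipped commented out, and the DomainCookie value in the WAC webagent.ini has to match the cookie domain used on the CA SiteMinder® side. The following check, added here as an example and not part of the CA documentation or product, reads both files offline and reports whether the plug-in line is active and whether the domain matches the value you expect. The sample file contents, the plug-in install path inside them and the expected domain are constructed for the example; real WebAgent.conf files may quote values and contain several LoadPlugin lines, which the check tolerates.

```python
"""Offline sanity check for the CA SSO single sign-on agent settings (added example)."""
import re
from typing import Dict, Optional

# Plug-in library names given on the page for Windows and UNIX Web Agents.
SSO_PLUGIN_LIBS = {"etssoplugin.dll", "libetssoplugin.so"}

# Constructed sample files; paths are illustrative, not a real install layout.
SAMPLE_WEBAGENT_CONF_DISABLED = """\
# WebAgent.conf (constructed sample)
AgentConfigObject="sm-agent-aco"
#LoadPlugin="C:\\CONSTRUCTED_PATH\\webagent\\bin\\eTSSOPlugin.dll"
"""
SAMPLE_WEBAGENT_CONF_ENABLED = SAMPLE_WEBAGENT_CONF_DISABLED.replace("#LoadPlugin", "LoadPlugin")
SAMPLE_WEBAGENT_INI = """\
; webagent.ini (constructed sample)
DomainCookie=test.com
"""


def sso_plugin_enabled(webagent_conf: str) -> Optional[str]:
    """Return the path from an active (uncommented) LoadPlugin line that loads the
    CA SSO plug-in, or None if the line is missing or still commented out."""
    for raw in webagent_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out LoadPlugin line loads nothing
        m = re.match(r'^LoadPlugin\s*=\s*"?([^"]+?)"?\s*$', line, re.IGNORECASE)
        if not m:
            continue
        path = m.group(1)
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in SSO_PLUGIN_LIBS:
            return path
    return None


def wac_domain_cookie(webagent_ini: str) -> Optional[str]:
    """Return the DomainCookie value from a WAC webagent.ini body, or None if unset."""
    for raw in webagent_ini.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#", "[")):
            continue  # skip comments and section headers
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "domaincookie":
            return value.strip() or None
    return None


def check_sso_config(webagent_conf: str, webagent_ini: str, expected_domain: str) -> Dict[str, object]:
    """Combine both checks; expected_domain is the cookie domain the CA SiteMinder agents use."""
    plugin_path = sso_plugin_enabled(webagent_conf)
    domain = wac_domain_cookie(webagent_ini)
    same_domain = domain is not None and domain.lower().lstrip(".") == expected_domain.lower().lstrip(".")
    return {
        "plugin_enabled": plugin_path is not None,
        "plugin_path": plugin_path,
        "domain_cookie": domain,
        "domain_matches": same_domain,
    }


if __name__ == "__main__":
    print(check_sso_config(SAMPLE_WEBAGENT_CONF_DISABLED, SAMPLE_WEBAGENT_INI, "test.com"))
    print(check_sso_config(SAMPLE_WEBAGENT_CONF_ENABLED, SAMPLE_WEBAGENT_INI, "test.com"))
```

Run it against the real files by reading them into strings in place of the constructed samples; a False in plugin_enabled after editing WebAgent.conf usually means the leading # was left in place or the Web server (or CA SiteMinder® SPS) has not yet been restarted with the new file.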
Overall Verification Steps
You should be able to access the resource without being rechallenged by CA SiteMinder®.
The smetssocookie Web Agent active response generates and sends an SSO cookie to a Web browser. The SSO cookie lets a CA SiteMinder®-authenticated user access WAC or CA SSO protected content without having to reauthenticate.
To configure an smetssocookie Web Agent response attribute
The Responses page appears.
The Create Response: Select Domain page appears.
The Create Response: Define Response page appears.
The Create Response Attribute page appears.
The Create Response Attribute: Name page appears.
Additional fields appear in Attribute Fields.
Note: The function name is case-sensitive.
<CA_PS_Host_Name>;<SSO_Auth_Host>;<SSO_AuthMethod>;<EncryptionKey>
<CA_PS_Host_Name>
Specifies the host name of the CA SSO Policy Server.
<SSO_Auth_Host>
Specifies the SSO authentication host name in the CA Policy Manager. You can find this host name by going to Web Access Control Resources, Configuration Resources, Authentication Host.
Required value: SSO_Authhost
<SSO_AuthMethod>
Defines the SSO authentication method.
Required value: SSO
<EncryptionKey>
Defines the ticket encryption key for the SSO authentication host in the CA Policy Manager.
The cookie script appears in the Script field.
Note: To improve legibility, you can type a space before and after any token.
The Create Response Attribute task is submitted for processing, and the Create Response: Define Response page re-appears.
The Create Response task is submitted for processing. When the task is complete, the response can be added to an OnAuthAccept rule.
The CA SSO (smauthetsso) custom authentication scheme lets the CA SiteMinder® Policy Server validate CA SSO authentication credentials, so that a user who is already authenticated in a CA SSO/WAC environment does not need to re-authenticate to CA SiteMinder®. The scheme accepts a CA SSO cookie as the login credential, has the cookie validated by a CA SSO Policy Server, extracts the user name from it, and verifies that the name is present in the CA SiteMinder® user store. You can configure the scheme in cookie, cookieorbasic, or cookieorforms mode.
You can configure one CA SSO Policy Server to fail over to another CA SSO Policy Server when it becomes unavailable. To configure failover, specify a comma-separated list of CA SSO Policy Servers in the parameter field in Scheme Setup on the Authentication Scheme page.
Note: The following procedure assumes that you are creating an object. You can also copy the properties of an existing object to create an object. For more information, see Duplicate Policy Server Objects.
Follow these steps:
The Authentication Schemes page appears.
Verify that the Create a new object of type Authentication Scheme is selected.
The Create Authentication Scheme page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Scheme-specific fields and controls open.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Mode [; <Target>] ; AdminID ; CAPS_Host ; FIPS_Mode ; Identity_File
Note: Separate tokens with semicolons. You may enter a space before and after each token for improved legibility.
Example: cookie ; SMPS_sso ; myserver.myco.com ; 0 ; /certificates/def_root.pem
Example: cookieorforms ; /siteminderagent/forms/login.fcc ; SMPS_sso ; myserver.myco.com ; 1 ; /certificates/def_root.pem
Mode
Specifies the type of credentials the authentication scheme accepts. Accepted values are cookie, cookieorbasic, and cookieorforms.
cookie
Specifies that only CA SSO cookies are accepted.
cookieorbasic
Specifies that a basic authentication scheme is used to determine the login name and password if a CA SSO cookie is not provided.
cookieorforms
Specifies that a forms authentication scheme is used to determine the login name and password if a CA SSO cookie is not provided.
Target
Specifies the pathname of the .fcc file used by the HTML Forms authentication scheme.
Note: This value is required only for the cookieorforms mode.
AdminID
Specifies the user name of the CA SSO Policy Server administrator. CA SiteMinder® uses the administrator's user name and password to request validation of CA SSO cookies when authenticating to the CA SSO Policy Server.
CAPS_Host
Specifies the name of the host where the CA SSO Policy Server resides.
FIPS_Mode
Specifies the FIPS mode of operation in which the Policy Server is operating. Zero (0) specifies non-FIPS mode. One (1) specifies FIPS mode.
Identity_File
Specifies the path to the CA SSO identity file. The Policy Server uses this file to communicate with the CA SSO Policy Server.
The authentication scheme is saved and can be assigned to a realm.
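Both the smetssocookie response attribute and the smauthetsso scheme setup take a single semicolon-separated parameter string, and the Administrative UI accepts the string as typed. The following validator, added here as an example and not code from the CA documentation or product, parses both formats and enforces the rules the page states: exactly four tokens with the required values SSO_Authhost and SSO for the response attribute; one of the three modes, a Target that is present for cookieorforms and names an .fcc file, and a FIPS_Mode of 0 or 1 for the scheme. It also checks the scheme's FIPS_Mode against the Policy Server's own mode, since the prerequisites above say the integration fails when the two environments differ. The response-attribute sample string is constructed; the two scheme strings are the examples given on this page.

```python
"""Validators for the smetssocookie and smauthetsso parameter strings (added example)."""
from typing import Callable, Dict, Optional

VALID_MODES = ("cookie", "cookieorbasic", "cookieorforms")


def _split_tokens(params: str) -> list:
    # Tokens are separated by semicolons; a space before and after each token is allowed.
    return [tok.strip() for tok in params.split(";")]


def parse_smetssocookie_params(params: str) -> Dict[str, str]:
    """Parse '<CA_PS_Host_Name>;<SSO_Auth_Host>;<SSO_AuthMethod>;<EncryptionKey>'."""
    tokens = _split_tokens(params)
    if len(tokens) != 4:
        raise ValueError("smetssocookie expects exactly 4 tokens, got %d" % len(tokens))
    ca_ps_host, auth_host, auth_method, enc_key = tokens
    if not ca_ps_host:
        raise ValueError("CA_PS_Host_Name (CA SSO Policy Server host) is empty")
    if auth_host != "SSO_Authhost":
        raise ValueError("SSO_Auth_Host must be the required value 'SSO_Authhost'")
    if auth_method != "SSO":
        raise ValueError("SSO_AuthMethod must be the required value 'SSO'")
    if not enc_key:
        raise ValueError("EncryptionKey (ticket encryption key) is empty")
    return {"ca_ps_host": ca_ps_host, "sso_auth_host": auth_host,
            "sso_auth_method": auth_method, "encryption_key": enc_key}


def parse_smauthetsso_params(params: str) -> Dict[str, Optional[object]]:
    """Parse 'Mode [; <Target>] ; AdminID ; CAPS_Host ; FIPS_Mode ; Identity_File'."""
    tokens = _split_tokens(params)
    if len(tokens) not in (5, 6):
        raise ValueError("smauthetsso expects 5 tokens (6 with Target), got %d" % len(tokens))
    mode = tokens[0]
    if mode not in VALID_MODES:
        raise ValueError("Mode must be one of %s" % ", ".join(VALID_MODES))
    # The optional Target token is present only when there are six tokens.
    target = tokens[1] if len(tokens) == 6 else None
    admin_id, caps_host, fips_mode, identity_file = tokens[-4:]
    if mode == "cookieorforms" and target is None:
        raise ValueError("cookieorforms mode requires the Target (.fcc) token")
    if target is not None and not target.lower().endswith(".fcc"):
        raise ValueError("Target must be the pathname of an .fcc file")
    if fips_mode not in ("0", "1"):
        raise ValueError("FIPS_Mode must be 0 (non-FIPS) or 1 (FIPS)")
    for name, value in (("AdminID", admin_id), ("CAPS_Host", caps_host), ("Identity_File", identity_file)):
        if not value:
            raise ValueError("%s is empty" % name)
    return {"mode": mode, "target": target, "admin_id": admin_id, "caps_host": caps_host,
            "fips_mode": int(fips_mode), "identity_file": identity_file}


def fips_modes_consistent(scheme: Dict[str, Optional[object]], policy_server_fips_mode: int) -> bool:
    """Both environments must run in the same FIPS mode or the integration fails."""
    return scheme["fips_mode"] == policy_server_fips_mode


def rejects(parser: Callable[[str], dict], params: str) -> bool:
    """True if the parser rejects the string; used for negative checks."""
    try:
        parser(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The two scheme examples from the page, plus a constructed response-attribute string.
    for p in ("cookie ; SMPS_sso ; myserver.myco.com ; 0 ; /certificates/def_root.pem",
              "cookieorforms ; /siteminderagent/forms/login.fcc ; SMPS_sso ; myserver.myco.com ; 1 ; /certificates/def_root.pem"):
        print(parse_smauthetsso_params(p))
    print(parse_smetssocookie_params("capshost.example.com ; SSO_Authhost ; SSO ; CONSTRUCTED-KEY"))
```

The parser compares the mode and the two required values exactly as the page spells them; if your Administrative UI accepts other capitalisations, relax those comparisons deliberately rather than by accident.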
CA User Activity Reporting Module (CA UAR) provides CA SiteMinder® connector guides, which detail how to configure a CA UAR integration with CA SiteMinder®. The guide you use depends on whether CA SiteMinder® is configured to store audit information in a text file (smaccess.log) or an ODBC database.
To locate the CA UAR connector guides
The CA SiteMinder® connector guides are based on the type of log sensor that CA UAR is to use.
Each of these guides is also available from the CA UAR Administrative UI when you create the required connector. To access these guides when creating the connector, click Help.
Copyright © 2013 CA.
All rights reserved.