Configure your Policy Server

The Policy Server authenticates and authorizes users who request access to the resources in your SharePoint environment. The Policy Server stores items that you create to define the users in your SharePoint environment and the resources that you want to protect with CA SiteMinder®.

The following illustration describes the configuration process that prepares your Policy Server for use with the CA SiteMinder® Agent for SharePoint:

Flowchart showing the process for configuring your SiteMinder r12.5 Policy Server for use with the SiteMinder Agent for SharePoint

Follow these steps:

  1. Open the CA SiteMinder® Administrative UI.
  2. Create a host configuration object.
  3. (Optional) Configure Policy Server clusters.
  4. Create an Agent Object.
  5. (Optional) Create agent groups for multiple agent objects.
  6. Create a 4.x agent object for the SharePoint Connection wizard.
  7. Create an Agent Configuration Object.
  8. Create a user directory connection.
  9. Create virtual attribute mappings for your user claim.
  10. Create an authentication scheme for the CA SiteMinder® Agent for SharePoint.
  11. Determine your policy model, and then do one of the following steps:
  12. For Active Directory user directories only, enable paging on the system hosting your Policy Server. Use the appropriate procedure for your operating environment:

Change the Policy Server Objects

Change the objects on your Policy Server by opening the Administrative UI.

Follow these steps:

  1. Open the following URL in a browser.
    https://host_name:8443/iam/siteminder/adminui
    
    host_name

    Specifies the fully qualified Administrative UI host system name.

  2. Enter your CA SiteMinder® superuser name in the User Name field.
  3. Enter the CA SiteMinder® superuser account password in the Password field.

    Note: If your superuser account password contains dollar-sign ($) characters, replace each instance of the dollar-sign character with $DOLLAR$. For example, if the CA SiteMinder® superuser account password is $password, enter $DOLLAR$password in the Password field.

  4. Verify that the proper server name or IP address appears in the Server drop-down list.
  5. Select Log In.

Create a Host Configuration Object

You can create (or duplicate) a Host Configuration object.

Follow these steps:

  1. Click Infrastructure, Hosts.
  2. Click Host Configuration Objects.
  3. Click Create Host Configuration.
  4. Do one of the following tasks:
  5. Click OK.
  6. Type the name and a description.
  7. In Configuration Values, specify the Host Configuration settings.
  8. Click Submit.

Configure Clusters

Policy Server clusters are defined as part of a Host Configuration Object. When a CA SiteMinder® agent initializes, it uses the settings from the Host Configuration Object to set up communication with Policy Servers.

Note: For more information about Host Configuration Objects, see the Web Agent Configuration Guide and the Policy Server Configuration Guide.

Follow these steps:

  1. Click Infrastructure, Hosts, Host Configuration Objects.
  2. Click Create Host Configuration.
  3. In the Clusters section, click Add.

    The Cluster Setup section opens.

    Note: You can click Help for a description of fields, controls, and their respective requirements.

  4. Enter the IP address and the port number of the Policy Server in the Host and Port fields respectively.
  5. Click Add to Cluster.

    The Policy Server appears in the servers list in the Current Setup section.

  6. Repeat these steps to add other Policy Servers to the cluster.
  7. Click OK to save your changes.

    You return to the Host Configuration dialog. The Policy Server cluster is listed in a table.

  8. In the Failover Threshold Percent field, enter a percentage of the number of Policy Servers that must be active and click Apply.

    If the percentage of active servers in the cluster falls below the percentage you specify, the cluster fails over to the next available cluster in the list of clusters. This setting applies to all clusters that use the Host Configuration Object.

    Important! The Policy Server specified in the Configuration Values section is overwritten by the Policy Servers specified in a cluster. This Policy Server is no longer used once a cluster is configured. For the value of the Policy Server parameter in the Configuration Values section to apply, do not specify any Policy Servers in a cluster. If clusters are configured and you decide to remove them in favor of a simple failover configuration, delete all Policy Server information from the cluster.

  9. Click Submit to save your changes.

Create an Agent Object

Agents act as policy enforcement points (PEPs) by intercepting user requests for SharePoint resources and communicating with the Policy Server. Agent objects associate the protected resources on your SharePoint servers with the CA SiteMinder® policies that protect those resources.

Follow these steps:

  1. Click Infrastructure, Agent, Agents.
  2. Click Create Agent.

    The Create Agent screen appears.

  3. Click OK.

    The Create Agent: screen appears.

  4. Enter a distinctive name and description.
  5. Verify that the CA SiteMinder® option button is selected and that Web Agent appears in the Agent Type drop-down list.
  6. Click Submit.

    The agent object is created and a confirmation screen appears.

(Optional) Create an Agent Group for Multiple Agent Objects

If you have multiple Agent Objects in your CA SiteMinder® environment, you can place them in agent groups. Agent groups make managing large numbers of agent objects easier.

Follow these steps:

Note: If you are an experienced CA SiteMinder® user, you can add your agent objects to an existing agent group instead of creating a group.

  1. Click Infrastructure, Agent.
  2. Click Agent Groups.

    The Agent Groups page appears.

  3. Click Create an agent group.

    The Create agent group screen appears.

  4. Click Create a new object of type Agent Group, and then click OK.

    The Create Agent Group: screen appears.

  5. Enter a distinctive name and description.
  6. Verify that the CA SiteMinder® option button is selected and that Web Agent appears in the Agent Type drop-down list.
  7. Click Add/Remove.

    The Agent Group members screen appears.

  8. Click the arrows to move the agent objects you want into the selected members column, and then click OK.

    The Create Agent Group screen reappears. The agent objects in the group appear in the Group Members list.

  9. Click Submit.

    The agent group is created and a confirmation screen appears.

Create a 4.x Agent Object for the SharePoint Connection Wizard

The SharePoint connection wizard requires an Agent Object that supports CA SiteMinder® 4.x functionality. Define this agent object on your Policy Servers.

Important: Do not add the 4.x agent object to any agent group, realm, or policy. This agent object exists only to support the internal operations of the Agent for SharePoint.

Follow these steps:

  1. Click Infrastructure, Agent, Agents.
  2. Click Create Agent.

    The Create Agent screen appears.

  3. Click OK.

    The Create Agent: screen appears.

  4. Enter a distinctive name and description.
  5. Verify that the CA SiteMinder® option button is selected and that Web Agent appears in the Agent Type drop-down list.
  6. Click the Supports 4.x agents check box.

    The trust settings fields appear.

  7. Complete the following fields:
    IP Address

    Specifies the IP Address of the Policy Server.

    Shared Secret

    Specifies a password that is associated with the 4.x Agent object. The SharePoint Connection Wizard also requires this password.

    Confirm Secret

    Confirms a password that is associated with the 4.x Agent object. The SharePoint Connection Wizard also requires confirmation of this password.

  8. Click Submit.

    The agent object is created and a confirmation screen appears.

Create an Agent Configuration Object

An embedded Apache web server is part of the CA SiteMinder® Agent for SharePoint. An Agent Configuration Object (ACO) on the Policy Server contains configuration parameters that control the behavior of the agent running on the embedded web server.

Agents need values in certain parameters to start. For example, every agent needs a value in one of the two parameters described in step 5 below, AgentName or DefaultAgentName.

Other parameters control optional functions that you can set anytime. For example, if you decide to store agent logs on your web server, you can set those parameters later. Agents do not need values in logging parameters to start.

Follow these steps:

  1. Click Infrastructure, Agent Configuration, Create Agent Configuration.

    The Create Agent Configuration: Search pane opens.

  2. Click the following buttons:

    Important! Only copy the SharePoint2010DefaultSettings ACO object. Do not copy any other object in the list.

  3. Click OK.
  4. Type the name and a description for the agent configuration object.
  5. If you have multiple virtual hosts and plan to assign a different Agent identity to each virtual host, use the AgentName parameter. If different Agent identities for virtual hosts are not required, use the DefaultAgentName parameter. Remove any # character in front of the parameter name, and then change the value of one of the following parameters (not both):
    AgentName

    Defines the identity of the web agent. This identity links the name and the IP address or FQDN of each web server instance hosting an Agent.

    The value of the DefaultAgentName is used instead of the AgentName parameter if any of the following events occur:

    • The AgentName parameter is disabled.
    • The value of AgentName parameter is empty.
    • The values of the AgentName parameter do not match any existing agent object.

    Note: This parameter can have more than one value. Use the multivalue option when setting this parameter in an Agent Configuration Object. For local configuration files, add each value to a separate line in the file.

    Default: No default

    Limit: Multiple values are allowed.

    Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.

    Example: myagent1,192.168.0.0 (IPV4)

    Example: myagent2, 2001:DB8::/32 (IPV6)

    Example: myagent,www.example.com

    DefaultAgentName

    Defines a name that the agent uses to process requests. The value for DefaultAgentName is used for requests on an IP address or interface when no agent name value exists in the AgentName parameter.

    If you are using virtual servers, you can set up your CA SiteMinder® environment quickly by using a DefaultAgentName. Using DefaultAgentName means that you do not need to define a separate agent for each virtual server.

    Important! If you do not specify a value for the DefaultAgentName parameter, then the AgentName parameter must list every agent identity. Otherwise, the Policy Server cannot tie policies to the agent.

    Default: No default.

    Limit: Multiple values are allowed.

    Limits: Must contain 7-bit ASCII characters in the range of 32-127, and include one or more printable characters. Cannot contain the ampersand (&) and asterisk (*) characters. The value is not case-sensitive. For example, the names MyAgent and myagent are treated the same.

  6. Change the value of the following parameter:
    LogOffUri

    Enables full log-out and displays a confirmation page after users are successfully logged off. Configure this page so that it cannot be stored in a browser cache. If a cached page is used, session hijacking by unauthorized users is possible.

    When the SharePoint users click the Sign out link, the following URI is used:

    • /_layouts/SignOut.aspx

    When the SharePoint users click the Sign in as another user link, the following URI is used:

    • /_layouts/accessdenied.aspx?loginasanotheruser=true

    If you have multiple SharePoint web sites below a top-level SharePoint website, add the URIs of the lower-level sites to the LogOffUri parameter.

    Note: When the CookiePath parameter is set, the value of the LogOffUri parameter must point to the same cookie path. For example, if the value of your CookiePath parameter is set to example.com, then your LogOffUri must point to example.com/logoff.html

    Default: /_layouts/SignOut.aspx, /_layouts/accessdenied.aspx?loginasanotheruser=true

    Limits: Multiple URI values permitted. Do not use a fully qualified URL. Use a relative URI.

    Example: (for a parent site of www.example.com with two lower-level sites named finance and hr respectively) /finance/_layouts/SignOut.aspx, /finance/_layouts/accessdenied.aspx?loginasanotheruser=true, /hr/_layouts/SignOut.aspx, /hr/_layouts/accessdenied.aspx?loginasanotheruser=true

  7. Click OK.

    The new values appear next to the parameters in the list.

  8. Click Submit.

    The Create Agent Configuration Task is submitted for processing and the confirmation message appears.
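As an added illustration that is not part of the CA documentation, the following Python models the AgentName / DefaultAgentName fallback rules from step 5 and the LogOffUri limits from step 6 against constructed sample values. The agent object names, hosts and the per-host matching logic are assumptions made for the example, not CA's implementation.

```python
import re

# Constructed sample ACO values; the agent objects and hosts are hypothetical.
AGENT_NAME = ["myagent1,192.168.0.0", "myagent2, 2001:DB8::/32", "myagent,www.example.com"]
DEFAULT_AGENT_NAME = "spdefaultagent"
KNOWN_AGENT_OBJECTS = {"MyAgent1", "myagent2", "myagent", "spdefaultagent"}

def valid_agent_value(value):
    """Documented limits: 7-bit ASCII in the range 32-127, at least one printable
    character, and no ampersand or asterisk."""
    if not value or not all(32 <= ord(c) <= 127 for c in value):
        return False
    if "&" in value or "*" in value:
        return False
    return any(33 <= ord(c) <= 126 for c in value)

def parse_agent_names(values):
    """Map each host (IP, prefix or FQDN) to its lower-cased agent name; entries that
    break the limits or lack the 'name,host' form are skipped. Names are case-insensitive."""
    mapping = {}
    for entry in values:
        if valid_agent_value(entry) and "," in entry:
            name, host = (part.strip() for part in entry.split(",", 1))
            mapping[host.lower()] = name.lower()
    return mapping

def resolve_agent_identity(agent_name_values, default_agent_name, request_host,
                           known_agents, agent_name_enabled=True):
    """Simplified model (an assumption, not CA's code) of which identity the Policy
    Server ties policies to: AgentName wins when it is enabled, non-empty and its
    entry for the host matches an existing agent object; otherwise DefaultAgentName."""
    known = {k.lower() for k in known_agents}
    if agent_name_enabled and agent_name_values:
        name = parse_agent_names(agent_name_values).get(request_host.lower())
        if name in known:
            return name
    return default_agent_name.lower() if default_agent_name else None

def check_logoff_uris(values):
    """Return LogOffUri values that violate the documented limit: each value must be a
    relative URI (leading slash), never a fully qualified URL."""
    fully_qualified = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")
    return [u for u in values if fully_qualified.match(u) or not u.startswith("/")]

if __name__ == "__main__":
    print(resolve_agent_identity(AGENT_NAME, DEFAULT_AGENT_NAME, "WWW.EXAMPLE.COM", KNOWN_AGENT_OBJECTS))
    print(check_logoff_uris(["/hr/_layouts/SignOut.aspx", "hr/_layouts/SignOut.aspx"]))
```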

Create A User Directory Connection

The Policy Server communicates with a user directory to authenticate users. The user directory needs a connection defined in the CA SiteMinder® Administrative UI. Create a connection for your directory that contains users who require access to SharePoint resources.

Note: Only the directory vendors that CA SiteMinder® supports operate with the CA SiteMinder® Agent for SharePoint. For more information, see the Platform Support Matrix at www.support.ca.com.

Follow these steps:

  1. Click Infrastructure, Directory, User Directory, Create User Directory.

    The Create User Directory pane appears.

  2. Enter the Name and an optional description.
  3. Select the Directory type from the Namespace list and complete the required connection information under the Directory Setup.
  4. If your directory server requires credentials for searches, do the following steps:
    1. Click the Require Credentials check box.
    2. Type the user name and password of an authorized account.

    Note: The Require Credentials setting is required for LDAP directories which support anonymous search. This setting supports queries that the CA SiteMinder® Claims Provider makes to the user directory to support the SharePoint People Picker. For more information about these credentials, see the administrator of your directory server.

  5. (Optional) In the User Attributes fields, specify the user directory profile attributes that are reserved for CA SiteMinder®.
  6. Click Submit.

    The Create User Directory task is submitted for processing, and the confirmation message appears.

More information:

Configure Multiple User Directories