Policy Server Guides › Policy Server Configuration Guide › CA SSO/WAC Integration › Configure Single Sign-On from SiteMinder to CA SSO

Configure Single Sign-On from SiteMinder to CA SSO

SiteMinder provides single sign-on from SiteMinder to CA SSO environments.

To enable single sign-on from SiteMinder to CA SSO using a SiteMinder Web Agent or Secure Proxy Server

Enable the SiteMinder SSO Plug-in installed with the Web Agent or Secure Proxy Server:

• For the r12.0 SP2 IIS 6.0 or Apache 2.0 Web Agent

• Remove the comment (#) character from the following line in the WebAgent.conf file:

  #LoadPlugin=<Path to eTSSOPlugin.dll or libetssoplugin.so>

• To locate the WebAgent.conf for IIS 6.0/Apache 2.0, see the "Modifying the WebAgent.conf File (All Web Agents)" section in the Web Agent Configuration Guide.
• For instructions on enabling/disabling the plug-in, see the "Loading Web Agent Plugins for IIS 6.0 and Apache 2.0" section in the Web Agent Configuration Guide.

Note: Restart the Web server after you modify the WebAgent.conf file so the new configuration settings take effect.

• For the 6.0 Secure Proxy Server

• Remove the comment (#) character from the following line in the WebAgent.conf file, located in <SPS_install_dir>\proxy-engine\conf\defaultagent\WebAgent.conf:

  #LoadPlugin=<Path to eTSSOPlugin.dll or libetssoplugin.so>

Note: Restart the Secure Proxy Server after you modify the WebAgent.conf file so the new configuration settings take effect.

To enable single sign-on using the WAC Web Agent

1. Configure the domain in the WAC Web Agent's webagent.ini file by setting the following parameter:

   DomainCookie=<domain>

   where <domain> is the same domain (for example, test.com) for the CA SSO and SiteMinder Web Agents.

   The file is installed in the following location on the WAC Web Agent machine:

   C:\Program Files\CA\WebAccessControl\WebAgent\webagent.ini

2. Verify the following Web server and the authentication method settings in the webagent.ini file:
   • The "Authentication methods" and "The default authentication method" parameters should be configured as SSO.
   • The WebServerName, PrimaryWebServerName, AgentName, NTLMPath and Secure should point to the machine where CA SSO Web Access Control is installed.
   • The ServerName attribute should point to the IP Address of the machine where the CA SSO Policy Server is installed.

     Note: For more information about configuring the WAC Web Agent, see the WAC documentation.

CA SSO Policy Manager Verification Steps

1. Ensure that the SiteMinder and CA SSO Policy Servers to use the same user or authentication store.
2. Make sure you have the following:
   • An SSO administrator name and password. The SiteMinder Policy Server uses the administrator name and password when authenticating to the CA SSO Policy Server through the smauthetsso authentication scheme.
   • The SSO ticket encryption key, as it is needed by the SiteMinder Policy Server's smetssocookie active response.

     Note: For more information about configuring the Policy Manager, see the CA SSO documentation.

• SiteMinder Policy Server Configuration Steps

1. Create a Web Agent, Agent Configuration Object, and Host Configuration Object using the Administrative UI. For more information, see the Policy Server Installation Guide and the Web Agent Installation Guide.
2. Configure the SiteMinder and CA SSO Policy Servers to use the same user or authentication store.

   For SiteMinder user store configuration instructions, see the User Directories chapter in this guide.

   For the CA SSO authentication store, see the CA SSO documentation.

3. Configure an smetssocookie (certificate) custom active response.
4. Create a domain, realm, and rules using the Administrative UI to protect any resource with the SiteMinder Web Agent.

   Note: When creating the rules, append the smetssocookie custom active response to them.

Overall Verification Steps

1. Configure the user with credentials to access resources protected by the SiteMinder Web Agent and the WAC Web Agent.
2. Restart the SiteMinder Policy Server and Web server hosting the Administrative UI.
3. Access the resource protected by the SiteMinder Web Agent and provide this Web Agent with the appropriate user credentials.
4. After gaining access to this resource, in the same browser session, request a resource protected by the WAC Web Agent.

   You should gain access to this resource without being prompted for credentials.