Policy Server Guides › Policy Server Configuration Guide › CA SSO/WAC Integration

CA SSO/WAC Integration

This section contains the following topics:

Overview

SiteMinder and CA SSO Integration Architectural Examples

SiteMinder and CA SSO Integration Prerequisites

Configure Single Sign-On from SiteMinder to CA SSO

Configure Single Sign-On from CA SSO Client to SiteMinder

Configure Single Sign-On from CA SSO to SiteMinder

Configure an smetssocookie Web Agent Active Response Attribute

Configure an smauthetsso Custom Authentication Scheme

Overview

SiteMinder provides single sign-on from SiteMinder to the CA SSO environments. Users log in to a SiteMinder or CA SSO environment, and once authenticated by SiteMinder, are authenticated for both environments. Authenticated users can access protected resources in either environment without having to reenter credentials, as long as they are authorized. User authorization is based on the policies in effect within each environment.

When allowing users to access secure resources, SiteMinder and CA SSO each maintain user credentials in their own session stores. They also have their own proprietary session credentials that cannot be read by the other and, thus, user credentials are maintained separately. Since these credentials reside in different stores, to enable single sign-on, the SiteMinder Policy Server and CA SSO Policy Server must be part of the same cookie domain and must share the same user or authentication store.

In this single sign-on configuration, the SiteMinder and CA SSO Policy Servers can be on the same or on different machines. SiteMinder can contain a Web Agent, CA SiteMinder SPS, or both. You use a Web Agent or CA SiteMinder SPS based on your own SiteMinder environment. CA SSO uses the eTrust Web Access Control (WAC) Web Agent, and you do not need to modify your current environment to enable single sign-on with SiteMinder.

Note: You must be intimately familiar with SiteMinder and CA SSO before configuring single sign-on between the products. For a list of supported SiteMinder, CA SiteMinder SPS, CA SSO, and eTrust WAC versions, refer to the 6.0 SiteMinder and Agents Platform Matrix on the Technical Support site.

More information:

SiteMinder and CA SSO Integration Architectural Examples

SiteMinder and CA SSO Integration Architectural Examples

The following are three examples of single sign-on between SiteMinder and CA SSO environments:

1. A user authenticates to SiteMinder using a Web browser and then accesses an CA SSO-protected resource (see Example 1: User Accesses SiteMinder-Protected Resource Before CA SSO).
2. A user authenticates to CA SSO through a desktop CA SSO Client and then accesses a SiteMinder-protected resource using a Web browser (see Example 2: Authenticated CA SSO Client User Accesses SiteMinder Resource).
3. A user authenticates to CA SSO using a Web browser and then accesses a SiteMinder-protected resources (see Example 3: User Accesses CA WAC-Protected Resource Before SiteMinder).

Note: In these examples, the SiteMinder and CA SSO Policy Servers authorization access steps to protected resources are omitted for clarity.

More information:

Configure Single Sign-On from CA SSO Client to SiteMinder

User Accesses SiteMinder-Protected Resource Before CA SSO

The following example illustrates a user accessing SiteMinder-protected resource before a WAC-protected resource:

1. The user tries to access a SiteMinder-protected resource and the SiteMinder Web Agent/CA SiteMinder SPS intercepts the request. The user provides the Agent/SPS with authentication credentials.
2. The Web Agent/CA SiteMinder SPS forwards the credentials to the SiteMinder Policy Server for validation.
3. The SiteMinder Policy Server verifies that the user’s credentials are valid in the user store.
4. After successful authentication, the SiteMinder Policy Server requests the CA SSO Policy Server to issue and return an CA SSO cookie for the SiteMinder user.
5. The CA SSO Policy Server validates the user and forwards the user’s CA SSO web authentication credentials to the SiteMinder Policy Server.
6. The SiteMinder Policy Server forwards the CA SSO web authentication credentials to the SiteMinder Web Agent/CA SiteMinder SPS.
7. The SiteMinder Web Agent/CA SiteMinder SPS sets the CA SSO web authentication and SiteMinder cookies in the user’s browser and returns the resource to the user.
8. The user tries to access an CA SSO resource and the eTrust WAC Web Agent intercepts the request.
9. The eTrust WAC Web Agent validates the user’s CA SSO web authentication cookie credentials with the CA SSO Policy Server.
10. The CA SSO Policy Server tells the eTrust WAC Web Agent that the user has valid credentials.
11. The eTrust WAC Web Agent allows the user to access the CA SSO-protected resource.

Authenticated CA SSO Client User Accesses SiteMinder Resource

The following example illustrates an authenticated CA SSO client user accessing a SiteMinder protected resource:

1. An authenticated CA SSO Client user launches a Web browser. While this is happening, the CA SSO Client places an CA SSO Web authentication cookie into the browser.
2. The user tries to access a SiteMinder-protected resource using the Web browser and the request is intercepted by the SiteMinder Web Agent/CA SiteMinder SPS.
3. The SiteMinder Web Agent/CA SiteMinder SPS forwards the CA SSO Web authentication cookie to the SiteMinder Policy Server.
4. The SiteMinder Policy Server forwards the CA SSO Web authentication cookie to the CA SSO Policy Server.
5. The CA SSO Policy Server validates the CA SSO Web authentication cookie and returns the user name to the SiteMinder Policy Server.
6. The SiteMinder Policy Server verifies the returned user name in the SiteMinder user store, then issues a corresponding SiteMinder cookie and returns it to the SiteMinder Web Agent/CA SiteMinder SPS.
7. The SiteMinder Web Agent/CA SiteMinder SPS returns the requested resource to the user, who now has the authentication cookie credentials necessary for SiteMinder and CA SSO environments.

User Accesses eTrust WAC-Protected Resource Before SiteMinder

The following example illustrates a user accessing a WAC-protected resource before SiteMinder.

Note: The example assumes the environment is using a IIS6 WAC Agent. An IIS6 WAC Agent is the only platform that the following example supports.

1. The user tries to access an CA SSO-protected resource and the eTrust WAC Web Agent intercepts the request. The user provides the Agent with authentication credentials.
2. The Web Agent forwards the credentials to the CA SSO Policy Server for validation.
3. The CA SSO Policy Server makes sure that the user’s credentials are valid in the user store.
4. The CA SSO Policy Server forwards the user’s eTrust SSO Web credentials to the eTrust WAC Web Agent.
5. The eTrust WAC Web Agent sets the user’s CA SSO Web authentication cookie in the Web browser.
6. The user tries to access a SiteMinder-protected resource and the SiteMinder Web Agent/CA SiteMinder SPS intercepts the request.
7. The SiteMinder Web Agent/CA SiteMinder SPS forwards the user’s CA SSO Web authentication credentials to the SiteMinder Policy Server.
8. The SiteMinder Policy Server forwards the user’s CA SSO Web authentication credentials to the eTrust SSO Policy Server.
9. The CA SSO Policy Server validates the user’s CA SSO Web authentication credentials and forwards the user name back to the SiteMinder Policy Server.
10. The SiteMinder Policy Server verifies the returned user name in the SiteMinder user store, then issues a corresponding SiteMinder cookie and returns it to the SiteMinder Web Agent/CA SiteMinder SPS.
11. The SiteMinder Web Agent/CA SiteMinder SPS sets the SiteMinder cookies in the user’s browser and allows the user to access the requested resource.

SiteMinder and CA SSO Integration Prerequisites

Before configuring a single sign–on integration between SiteMinder and CA SSO:

1. Install and configure CA SSO.

   Note: When installing the CA SSO Policy Server, gather the following:

   • An SSO administrator name and password. The SiteMinder Policy Server uses the administrator name and password when authenticating to the CA SSO Policy Server through the smauthetsso authentication scheme.
   • The SSO ticket encryption key. The SiteMinder Policy Server smetssocookie active response requires this value.
2. Be sure that the SiteMinder environment and the CA SSO environment are operating in the same FIPS mode (AES encryption) of operation.

   Important! The integration fails if both environments are not operating in the same FIPS mode of operation.

3. Consider the following:
   • If the integration is to operate in FIPS–only mode, SiteMinder Policy Servers must be operating at r12.0 SP1 CR3 or later. If necessary, upgrade the SiteMinder Policy Servers that are to communicate with the CA SSO Policy Server.
   • Be sure that operating systems on which the Policy Servers are installed support the smauthetsso authentication scheme. The integration requires that you configure the smauthetsso authentication scheme. For more information, see the r12.0 SP3 SiteMinder Platform Support Matrix.

Configure Single Sign-On from SiteMinder to CA SSO

SiteMinder provides single sign-on from SiteMinder to CA SSO environments.

To enable single sign-on from SiteMinder to CA SSO using a SiteMinder Web Agent or CA SiteMinder SPS

Enable the SiteMinder SSO Plug-in installed with the Web Agent or CA SiteMinder SPS:

For the r12.0 SP3 IIS 6.0 or Apache 2.0 Web Agent

• Remove the comment (#) character from one of the following lines in the WebAgent.conf file:
  • (Windows operating environments) #LoadPlugin=Path_to_eTSSOPlugin.dll_file
  • (UNIX or Linux operating environments) #LoadPlugin=Path_to_libetssoplugin.so_file

Note: Restart the Web server after you modify the WebAgent.conf file so the new configuration settings take effect.

For the 6.0 CA SiteMinder SPSr

• Remove the comment (#) character from the following line in the WebAgent.conf file, located in <SPS_install_dir>\proxy-engine\conf\defaultagent\WebAgent.conf:

  #LoadPlugin=<Path to eTSSOPlugin.dll or libetssoplugin.so>

Note: Restart CA SiteMinder SPS after you modify the WebAgent.conf file so the new configuration settings take effect.

To enable single sign-on using the WAC Web Agent

1. Configure the domain in the WAC Web Agent’s webagent.ini file by setting the following parameter:

   DomainCookie=<domain>

   where <domain> is the same domain (for example, test.com) for the CA SSO and SiteMinder Web Agents.

   The file is installed in the following location on the WAC Web Agent machine:

   C:\Program Files\CA\WebAccessControl\WebAgent\webagent.ini

2. Verify the following Web server and the authentication method settings in the webagent.ini file:
   • The "Authentication methods" and the "Default authentication method" parameters should be configured as SSO.
   • The WebServerName, PrimaryWebServerName, AgentName, NTLMPath and Secure should point to the machine where CA SSO Web Access Control is installed.
   • The ServerName attribute should point to the IP Address of the machine where the CA SSO Policy Server is installed.

     Note: For more information about configuring the WAC Web Agent, see the WAC documentation.

CA SSO Policy Manager Verification Steps

1. Ensure that the SiteMinder and CA SSO Policy Servers to use the same user or authentication store.
2. Make sure you have the following:
   • An SSO administrator name and password. The SiteMinder Policy Server uses the administrator name and password when authenticating to the CA SSO Policy Server through the smauthetsso authentication scheme.
   • The SSO ticket encryption key, as it is needed by the SiteMinder Policy Server's smetssocookie active response.

     Note: For more information about configuring the Policy Manager, see the CA SSO documentation.

SiteMinder Policy Server Configuration Steps

1. Create a Web Agent, Agent Configuration Object, and Host Configuration Object using the Administrative UI. For more information, see the Policy Server Installation Guide and the Web Agent Installation Guide.
2. Configure the SiteMinder and CA SSO Policy Servers to use the same user or authentication store.

   For SiteMinder user store configuration instructions, see the User Directories chapter in this guide.

   For the CA SSO authentication store, see the CA SSO documentation.

3. Configure an smetssocookie (certificate) custom active response.
4. Create a domain, realm, and rules using the Administrative UI to protect any resource with the SiteMinder Web Agent.

   Note: When creating the rules, append the smetssocookie custom active response to them.

Overall Verification Steps

1. Configure the user with credentials to access resources protected by the SiteMinder Web Agent and the WAC Web Agent.
2. Restart the SiteMinder Policy Server and Web server hosting the Administrative UI.
3. Access the resource protected by the SiteMinder Web Agent and provide this Web Agent with the appropriate user credentials.
4. After gaining access to this resource, in the same browser session, request a resource protected by the WAC Web Agent.

   You should gain access to this resource without being prompted for credentials.

More information:

WebAgent.conf File Locations

Configure an smauthetsso Custom Authentication Scheme

Configure an smetssocookie Web Agent Active Response Attribute

Domains

Realms

Rules

Configure a Rule for Web Agent Actions

Configure Single Sign-On from CA SSO Client to SiteMinder

SiteMinder provides single sign-on from the CA SSO Client to SiteMinder.

To enable single sign-on from an CA SSO Client to SiteMinder:

SiteMinder Policy Server Configuration Steps

1. Configure the smauthetsso custom authentication scheme using the Administrative UI.
2. Create a domain, realm, and rules using the Administrative UI to protect any resource with the SiteMinder Web Agent.
3. Configure the smauthetsso custom authentication scheme to protect a resource.
4. Create a policy that grants access to the protected resource to users who already have access the browser protected by the CA SSO Client.

CA SSO Client Verification Steps

Set the following in the CA SSO Client SsoClnt.ini file:

Note: The SsoClnt.ini file is installed in C:\Program Files\CA\CA SSO\Client on the CA SSO Client machine. More information on configuring the CA SSO Client exists in the CA SSO documentation.

DomainNameServer=<eSSO_WA_FQDN> <SM_WA_FQDN>

eSSO_WA_FQDN

(Optional) Specifies the fully qualified domain name for the WAC Web Agent

SM_WA_FQDN

Specifies the fully qualified name for the SiteMinder Web Agent

Overall Verification Steps

1. Restart the CA SSO Client, SiteMinder Policy Server, and Web server hosting the Administrative UI.
2. Access the protected browser through the SSO Client and enter the URL of the resource protected by the SiteMinder Policy Server.

   You should be able to access the resource without being rechallenged by SiteMinder.

More information:

Configure an smauthetsso Custom Authentication Scheme

Domains

Realms

Rules

Configure Single Sign-On from CA SSO to SiteMinder

SiteMinder provides single sign-on from CA SSO to SiteMinder.

To enable single sign-on from CA SSO to SiteMinder

SiteMinder Policy Server Configuration Steps

1. Configure the smauthetsso custom authentication scheme using the Administrative UI.
2. Create a domain, realm, and rules using the Administrative UI to protect any resource with the SiteMinder Web Agent.

   For more information, see Domains, Grouping Resources in Realms, or Rules.

3. Configure the smauthetsso custom authentication scheme to protect a resource.

WAC Web Agent Verification Steps

1. Configure the domain in the WAC Web Agent’s webagent.ini file by setting DomainCookie=<domain>.

   Note: The value you specify for the domain must be the same for the CA SSO and SiteMinder Web Agents. The file is installed on the WAC Web Agent machine at C:\Program Files\CA\WebAccessControl\WebAgent\webagent.ini

2. Verify the following Web server and the authentication method settings in the webagent.ini file:
   • The "Authentication methods" and "The default authentication method" parameters should be configured as SSO.
   • The WebServerName, PrimaryWebServerName, AgentName, NTLMPath and Secure should point to the machine where SSO Web Access Control is installed.
   • The ServerName attribute should point to the IP Address of the machine where the CA SSO Policy Server is installed.
   • For more information about configuring the WAC Web Agent, see the CA SSO documentation.

   Note: For more information about configuring the WAC Web Agent, see the WAC documentation.

SiteMinder Web Agent or CA SiteMinder SPS Configuration Steps:

1. Enable the SSO plug-in installed with the Web Agent or CA SiteMinder SPS, so that SSO Client cookies can be authenticated, by removing the comment character (#) from the following line in the WebAgent.conf file:

   #LoadPlugin=path_to_eTSSOPlugin.dll | path_to_libetssoplugin.so

   Note: The WebAgent.conf file is located as follows:

   r12.0 SP3 IIS 6.0 or Apache 2.0 Web Agent

   See the Web Agent Configuration Guide.

   6.0 CA SiteMinder SPS

   SPS_install_dir\proxy-engine\conf\defaultagent\

   SPS_install_dir

   CA SiteMinder SPS installation directory

2. Restart the Policy Server.

Overall Verification Steps

1. Restart the WAC Web Agent, SiteMinder Policy Server, and Web server hosting the Administrative UI.
2. Access a resource protected by the WAC Web Agent and provide valid credentials.
3. Access a resource protected by the SiteMinder Web Agent in the same browser.

   You should be able to access the resource without being rechallenged by SiteMinder.

More information:

Configure an smauthetsso Custom Authentication Scheme