

How to Configure the SiteMinder Key Database for ICAS

The Relying Party must use SSL to protect the fcc file. The Relying Party must export the SSL certificate associated with the web site to a pfx file. A SiteMinder administrator can then import the SSL certificate from the pfx file into smkeydatabase using smkeytool.

When the certificate is imported into smkeydatabase, it is associated with an alias, which is stored in the fcc file. The certificate's private key is used to decrypt the security token and verify the digital signature.

Configuring the SiteMinder key database is a two-step process:

  1. To export an SSL certificate from an IIS web server to a pfx file on your local machine, you can use the Web Server Certificate Wizard. For more information, see Microsoft's documentation.
  2. To import an SSL certificate from a pfx file into smkeydatabase using smkeytool, execute smkeytool.bat, specifying the options in the following example:

    smkeytool.bat -addPrivKey -alias example -keycertfile c:\Temp\www-example-com.pfx -password CAdemo123

    Important! Before running a SiteMinder utility or executable on Windows Server 2008, open the command line window with administrator permissions. Open the command line window this way, even if your account has administrator privileges.

    addPrivKey

    Specifies the action that you want smkeytool to take

    alias

    Specifies a name for the SSL certificate in smkeydatabase

    Note: This is the alias that is specified in the properties file.

    keycertfile

    Specifies the location of the pfx file on your local machine

    password

    Specifies the password that you provided when exporting the SSL certificate to the pfx file

Note: The password you provide when exporting the SSL certificate to the pfx file is used later by SiteMinder when importing the SSL certificate from the pfx file.

Note: If smkeydatabase does not exist, you can create it using the Policy Server Configuration Wizard. For more information, see the Policy Server Installation Guide.

Note: For more information about smkeydatabase and smkeytool, see the Federation Security Services Guide.

Configure a User Directory for ICAS

Authentication of the user depends on finding a match between one of the claims presented to ICAS and a user attribute in the user database. During token disassembly, the specified claim value is used as a lookup value in the user directory. Therefore, the user directory must be configured so that the LDAP lookup string or SQL query scheme specifies the user attribute that corresponds to the specified claim. The following examples show how to configure an LDAP lookup string and SQL query scheme for an email address.

LDAP Example

LDAP User DN Lookup group box:

    Start: (mail=
    End: )

SQL Example

SQL Queries group box:

    Get User/Group Info:
    SELECT EmailAddress, 'User' FROM SmUser WHERE EmailAddress = '%s' UNION SELECT Name, 'Group' FROM SmGroup WHERE Name = '%s'

    Authenticate User:
    SELECT EmailAddress FROM SmUser WHERE EmailAddress = '%s' AND Password = '%s'
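As an added example, not code from SiteMinder, this shows how the claim value taken from the token is combined with the Start/End strings and the '%s' query scheme above to form the directory lookup, treating the claim value as data (RFC 4515 escaping for the LDAP filter, bound parameters for the SQL query). It assumes the "(mail=" / ")" strings and the SmUser/SmGroup table names from this page; the in-memory tables and sample rows are constructed for the demonstration, and the page does not state how the Policy Server itself handles special characters in the claim value.

```python
import sqlite3

# Constructed configuration mirroring the page's examples (illustration only,
# not SiteMinder's own code).
LDAP_START = "(mail="
LDAP_END = ")"
SQL_GET_USER = ("SELECT EmailAddress, 'User' FROM SmUser WHERE EmailAddress = '%s' "
                "UNION SELECT Name, 'Group' FROM SmGroup WHERE Name = '%s'")

# RFC 4515 escaping for a value placed inside an LDAP search filter: characters
# that carry filter meaning are replaced by their \xx hex form.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def ldap_escape(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def build_ldap_lookup(claim_value):
    """Assemble the LDAP User DN lookup: Start + escaped claim value + End."""
    return LDAP_START + ldap_escape(claim_value) + LDAP_END

def build_sql_lookup(claim_value):
    """Rewrite the '%s' query scheme as a bound-parameter statement: every
    '%s' becomes a '?' marker and the claim value is bound once per marker."""
    markers = SQL_GET_USER.count("'%s'")
    return SQL_GET_USER.replace("'%s'", "?"), (claim_value,) * markers

def lookup_user(conn, claim_value):
    """Run the Get User/Group Info query for one claim value; returns rows."""
    stmt, params = build_sql_lookup(claim_value)
    return conn.execute(stmt, params).fetchall()

def demo_directory():
    """Constructed in-memory SmUser/SmGroup tables so the lookup can be run."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SmUser (EmailAddress TEXT, Password TEXT)")
    conn.execute("CREATE TABLE SmGroup (Name TEXT)")
    conn.execute("INSERT INTO SmUser VALUES ('alice@example.com', 'secret')")
    conn.execute("INSERT INTO SmUser VALUES ('o''brien@example.com', 'secret')")
    conn.execute("INSERT INTO SmGroup VALUES ('staff')")
    return conn

if __name__ == "__main__":
    conn = demo_directory()
    print(build_ldap_lookup("alice@example.com"))     # (mail=alice@example.com)
    print(lookup_user(conn, "alice@example.com"))     # [('alice@example.com', 'User')]
    print(lookup_user(conn, "o'brien@example.com"))   # apostrophe is bound as data
    print(lookup_user(conn, "staff"))                 # [('staff', 'Group')]
```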