Configure Single Sign-On from SiteMinder to CA SSO

Policy Server Guides › Policy Design Guide › CA SSO/WAC Integration › Configure Single Sign-On from SiteMinder to CA SSO

Configure Single Sign-On from SiteMinder to CA SSO

SiteMinder provides single sign-on from SiteMinder to CA SSO environments.

To enable single sign-on from SiteMinder to CA SSO

Web Agent or Secure Proxy Server Configuration Steps

Enable the SiteMinder SSO Plug-in installed with the Web Agent or Secure Proxy Server:

For the 6.x QMR 4 IIS 6.0 or Apache 2.0 Web Agent

Remove the comment (#) character from the following line in the WebAgent.conf file:
#LoadPlugin=<Path to eTSSOPlugin.dll or libetssoplugin.so>
To locate the WebAgent.conf for IIS 6.0/Apache 2.0, see the SiteMinder Web Agent Guide.
For instructions on enabling/disabling the plug-in, see the SiteMinder Web Agent Guide.

Note: After you modify the WebAgent.conf file, restart the Web server if it is running so that the new configuration settings take effect.

For the 6.0 Secure Proxy Server

Remove the comment (#) character from the following line in the WebAgent.conf file, located in <SPS_install_dir>\proxy-engine\conf\defaultagent\WebAgent.conf:
#LoadPlugin=<Path to eTSSOPlugin.dll or libetssoplugin.so>

Note: After you modify the WebAgent.conf file, restart the Secure Proxy Server if it is running so that the new configuration settings take effect.

CA WAC Web Agent Verification Steps

Configure the domain in the CA WAC Web Agent’s webagent.ini file by setting the following parameter:
DomainCookie=<domain>

where <domain> is the same domain (for example, test.com) for the CA SSO and SiteMinder Web Agents.

The file is installed in the following location on the CA WAC Web Agent machine:

C:\Program Files\CA\WebAccessControl\WebAgent\webagent.ini
Verify the following Web server and the authentication method settings in the webagent.ini file:
- The "Authentication methods" and "The default authentication method" parameters should be configured as SSO.
- The WebServerName, PrimaryWebServerName, AgentName, NTLMPath and Secure should point to the machine where CA SSO Web Access Control is installed.
- The ServerName attribute should point to the IP Address of the machine where the CA SSO Policy Server is installed.
  Note: For more information about configuring the CA WAC Web Agent, see the CA WAC documentation.

CA SSO Policy Manager Verification Steps

Ensure that the SiteMinder and CA SSO Policy Servers use the same user or authentication store.
Make sure you have the following:
- An SSO administrator name and password. The SiteMinder Policy Server uses the administrator name and password when authenticating to the CA SSO Policy Server through the smauthetsso authentication scheme.
- The SSO ticket encryption key, as it is needed by the SiteMinder Policy Server's smetssocookie active response.
  Note: For more information about configuring the Policy Manager, see the CA SSO documentation.

Policy Server Configuration Steps

Create a Web Agent, Agent Configuration Object, and Host Configuration Object using the Policy Server User Interface. For more information, see the Policy Server Installation Guide and Web Agent Installation Guide.
Configure the SiteMinder and CA SSO Policy Servers to use the same user or authentication store.
For SiteMinder user store configuration instructions, see this guide.

For the CA SSO authentication store, see the CA SSO documentation.
Configure an smetssocookie (certificate) custom active response.
Create a domain, realm, and rules using the Policy Server User Interface to protect any resource with the SiteMinder Web Agent.
Note: When creating the rules, append the smetssocookie custom active response to them.

Overall Verification Steps

Configure the user with credentials to access resources protected by the SiteMinder Web Agent and the CA WAC Web Agent.
Restart the SiteMinder Policy Server and Web server hosting the Policy Server User Interface.
Access the resource protected by the SiteMinder Web Agent and provide this Web Agent with the appropriate user credentials.
After gaining access to this resource, in the same browser session, request a resource protected by the CA WAC Web Agent.
You should gain access to this resource without being prompted for credentials.

More information:

Configure an smauthetsso Custom Authentication Scheme

Configure an smetssocookie Web Agent Active Response Attribute

Domains

Grouping Resources in Realms

Rules

Configure a Rule for Web Agent Actions

Email CA Technologies about this topic