Although all the SiteMinder Agent for IBM WebSphere modules are installed by the Agent installation, you do not need to configure all of them. The following table provides an overview of the SiteMinder Agent modules, their functions and interdependencies.

| Agent Component/Function | Upstream Requirements | Downstream Requirements |
|---|---|---|
| SiteMinder TAI (Web container authentication; SiteMinder preauthenticated requests only) | A trusted issuer of SiteMinder session cookies | None for authentication-only solution. To support SiteMinder authorization, SiteMinder JACC Provider required; SiteMinder Login Module may be required to assert WebSphere propagation tokens in Subject recreation situations. |
| SiteMinder TAI (challenge for credentials) (Web container authentication; all requests) | SiteMinder Web Agent for nonbasic authentication schemes | None for authentication-only solution. To support SiteMinder authorization, SiteMinder JACC Provider required; SiteMinder Login Module may be required to assert WebSphere propagation tokens in Subject recreation situations. |
| SiteMinder Login Module (EJB container and system login authentication; assertion of WebSphere propagation tokens) | None | To support SiteMinder authorization, SiteMinder JACC Provider required; otherwise user mapping must be configured to provide WebSphere principal for use by WebSphere security. |
| SiteMinder JACC Provider (Authorization) | Subject populated with SiteMinder Principal. | None |

While the previous table shows that a range of different Agent module configurations is possible, two configurations are most likely to provide the solutions to real-life deployment scenarios:

| Requirement | Suggested Configuration |
|---|---|
| You must establish a trust relationship between the SiteMinder and WebSphere Single Signon (SSO) environments so that HTTP clients authenticated by SiteMinder are not rechallenged by WebSphere when they access web applications hosted by a WebSphere Application Server or the converse. (Or you are upgrading from an existing SiteMinder Application Server Agent for WebSphere solution.) You have existing WebSphere or application-based authorization policies that are sufficient for your needs. | Configure the SiteMinder TAI in a Web Trust Association environment in which:<br>In a WebSphere SSO environment, you may require the SiteMinder Login Module to assert WebSphere propagation tokens in situations when WebSphere must reestablish Subjects created by the SiteMinder TAI. |
| You must establish a trust relationship between the SiteMinder and WebSphere Single Signon (SSO) environments so that HTTP clients authenticated by SiteMinder are not rechallenged by WebSphere when they access web applications hosted by a WebSphere Application Server or the converse. You want to implement SiteMinder authentication and authorization policies for requests for Web client applications, EJB client applications, or both. | Configure the complete SiteMinder Agent solution, comprising: |

Copyright © 2010 CA. All rights reserved.