Sun OpenSSO Enterprise 8.0 Integration Guide

About CA SiteMinder

CA SiteMinder consists of two core components that are used for access control and single sign-on:

The SiteMinder Policy Server provides policy management, authentication, authorization and accounting. The Policy Server core engine was developed in C/C++ and the core components run like process daemons with predefined TCP/IP ports. The policy user interface is a Java applet-based console. A supported web server configured with a SiteMinder NSAPI plug-in provides the front-end HTTP interface. The policy user interface enables the user to create policies, domains, and realms, as well as to configure authentication schemes. The policy user interface also provides centralized agent configuration. SiteMinder also has a local Java applet-based console utility for managing system configuration such as authentication and authorization settings, port numbers, and so forth.

The SiteMinder Web Agent acts as a filter for protecting enterprise applications. SiteMinder provides various policy agents to access Web applications and content according to predefined security policies:

The SAML Affiliated agent is part of CA Federated Security Services. The Security Services provide single sign-on from a producer site, such as a portal, to a SAML consumer acting as an affiliate in a federated network. The communication between the SAML Affiliated policy agent and SiteMinder at the producer site results in the generation of a SAML Assertion. The TransactionMinder XML Agent is an XML-enabled version of the SiteMinder Web Agent that authenticates and authorizes web services-bound URLs.

Authentication and Authorization

SiteMinder supports several authentication schemes as part of its authentication framework. Authentication schemes provide a way to collect credentials and determine the identity of a user. SiteMinder Credential Collector is an application within the web policy agent that gathers specific information about a user's credentials, and then sends the information to the Policy Server. For form-based authentication, credentials are acquired by the Forms Credential Collector (FCC) process. The default extension for FCC files is .fcc. FCC process files are composed in a simple mark-up language that includes HTML and some custom notation. The following describes a simple authentication scheme flow using a form-based authentication scheme:

  1. A user requests a resource that is protected by a policy agent and contained in a realm. The realm is protected by an HTML form-based authentication scheme.

  2. SiteMinder contacts the Policy Server and determines that the user request must be redirected to the credential collector.

  3. The policy agent redirects to the URL of the Credential Collector file.

  4. The Credential Collector displays the form described in the .fcc file of the user's browser.

  5. The user fills out the custom form and submits it. The Credential Collector processes the credentials by submitting the form to the Policy Server.

  6. If the user is authenticated, Credential Collector creates a session cookie and sends it to the browser. The browser redirects the user to the resource that the user originally requested.

  7. The web policy agent handles user authorization by using the user's session.

User Sessions

SiteMinder supports persistent and non-persistent sessions. The standard SiteMinder sessions are non-persistent and contain user session data but no other user-specific data. For example, a session does not contain attributes unless configured to do so. The SiteMinder user session is created by the SiteMinder server upon successful authentication.

The servers send the user session SiteMinder Web Agent to set in the browser. The policy agent is responsible for validating the cookie and enforcing session timeouts. The cookie named SMSESSION contains the following parameters by default: