The following are the principal components in this use case:
OpenSSO Enterprise in the Identity Provider container
SiteMinder Web Agent
SiteMinder custom authentication module
OpenSSO Enterprise in the Service Provider container
The Identity Provider and Service Provider should be installed in different domains. If this is not possible, they should at minimum use different cookie names or cookie domains.
You can defer the installation of OpenSSO Enterprise policy agent for protecting the OpenSSO Enterprise Service Provider until the end of the installation procedures. This gives you the opportunity to verify that the SAML2 setup is working before you proceed.
Before proceeding, be sure to read the general instructions in Installing SiteMinder and in Configuring SiteMinder After Installation. The following steps provide additional installation information specific only to this use case.
Install and configure OpenSSO Enterprise in the same container in which the Identity Provider is installed.
For detailed installation instructions, see the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
Be sure that the Identity Provider container supports SiteMinder Web Agent installation.
Configure OpenSSO Enterprise to use the same user repository as the SiteMinder user repository. This enables both OpenSSO Enterprise and SiteMinder to provide a single session for the same user.
Install and configure the SiteMinder Web Agent on the OpenSSO Enterprise container.
For now, configure the SiteMinder Web Agent to protect an arbitrary URL on the container. In this example, the protected URL is /validation/index.html.
As in the previous section, create a context root /validation, or create a directory named validation under the docroot.
Be sure that the SiteMinder form authentication scheme is working for the protected URL.
Install the SiteMinder custom authentication module in OpenSSO Enterprise.
After you unzip the OpenSSO Enterprise binary, the SiteMinder custom authentication module is located under the directory unzip-directory/integrations/siteminder/. The README.html provides steps for building a custom authentication module. The following parameters must be set to enable the SiteMinder SDK to connect to the SiteMinder Policy Server:
SiteMinder cookie name. The default name is SMSESSION.
Unique policy agent configuration obtained from SiteMinder, and used by OpenSSO Enterprise to point to the SiteMinder SDK.
Indicates where the SiteMinder Policy Server is located.
This attribute should be enabled when the SiteMinder Web Agent is installed on the same host as OpenSSO Enterprise. The SiteMinder Web Agent performs session validation. When this attribute is enabled, the rest of the configuration is not needed.
Host name of the SiteMinder SDK host.
One of 3 TCP ports used by the SiteMinder Server to connect to the SiteMinder SDK.
One of 3 TCP ports used by the SiteMinder Server to connect to the SiteMinder SDK.
One of 3 TCP ports used by the SiteMinder Server to connect to the SiteMinder SDK.
In a connection pool implementation, the maximum number of concurrent connections that can be opened.
In a connection pool implementation, the minimum number of concurrent connections that can be opened.
In a connection pool implementation, the number of concurrent connections that can be opened.
Maximum time that the SiteMinder SDK waits before it connects to the SiteMinder Policy Server.
When configured, the SiteMinder Web Agent sets a header containing the remote user name after successful authentication. This parameter is used only when the checkRemoteHeaderOnly flag is set. The SMAuth module uses this parameter to create an OpenSSO Enterprise session.
The following diagram shows an example of SiteMinder custom authentication module configuration.
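The parameter list above describes two operating modes for the custom authentication module: when checkRemoteHeaderOnly is set, the module relies on the co-located SiteMinder Web Agent and reads the remote user from a header, and the SDK settings are not needed; otherwise the module needs the policy agent configuration, Policy Server location, SDK host, three ports, pool sizes and timeout. The following is an added example, not OpenSSO Enterprise or SiteMinder code, that models those two modes: it checks which settings a configuration still lacks for the mode it selects, and in header-only mode derives the user name the way the text describes, accepting the header only when the SiteMinder cookie is also present. Every name except checkRemoteHeaderOnly and the SMSESSION default (for example remote_user_header, agent_config, policy_server, sdk_host) is a hypothetical name chosen for this example, as are the sample values.

```python
# Added example (not OpenSSO or SiteMinder code): models the two operating modes
# of a SiteMinder-style custom authentication module. Parameter names other than
# checkRemoteHeaderOnly and the SMSESSION default are hypothetical.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SMAuthConfig:
    cookie_name: str = "SMSESSION"          # SiteMinder cookie name (documented default)
    check_remote_header_only: bool = False  # the checkRemoteHeaderOnly flag
    remote_user_header: str = ""            # header the Web Agent sets (hypothetical name)
    # Hypothetical names for the SDK-mode settings described in the parameter list.
    agent_config: str = ""                  # unique policy agent configuration
    policy_server: str = ""                 # where the Policy Server is located
    sdk_host: str = ""                      # SiteMinder SDK host name
    ports: Tuple[int, ...] = ()             # the three TCP ports
    pool_min: int = 0                       # connection pool minimum
    pool_max: int = 0                       # connection pool maximum
    pool_step: int = 0                      # connections opened per pool growth step
    timeout_seconds: int = 0                # maximum wait before connecting


def missing_settings(cfg: SMAuthConfig) -> List[str]:
    """Names of settings still needed for the mode the configuration selects.

    In header-only mode (Web Agent on the same host) the rest of the
    configuration is not needed, so only the cookie and header names count.
    """
    missing: List[str] = []
    if not cfg.cookie_name:
        missing.append("cookie_name")
    if cfg.check_remote_header_only:
        if not cfg.remote_user_header:
            missing.append("remote_user_header")
        return missing
    for name in ("agent_config", "policy_server", "sdk_host"):
        if not getattr(cfg, name):
            missing.append(name)
    if len(cfg.ports) != 3 or any(not (0 < p < 65536) for p in cfg.ports):
        missing.append("ports")
    if not (0 < cfg.pool_min <= cfg.pool_max) or cfg.pool_step <= 0:
        missing.append("pool")
    if cfg.timeout_seconds <= 0:
        missing.append("timeout_seconds")
    return missing


@dataclass
class Request:
    headers: Dict[str, str]   # header names as received, in any letter case
    cookies: Dict[str, str]


def remote_user_from_web_agent(cfg: SMAuthConfig, req: Request) -> Optional[str]:
    """In header-only mode, return the user the Web Agent authenticated, else None.

    Both the SiteMinder cookie and the remote-user header must be present: the
    module is trusting the Web Agent in front of the container to have validated
    the session, and a request without the cookie has not been through it.
    """
    if not cfg.check_remote_header_only:
        raise ValueError("SDK validation mode: validate the session with the Policy Server")
    gaps = missing_settings(cfg)
    if gaps:
        raise ValueError("incomplete configuration: " + ", ".join(gaps))
    if not req.cookies.get(cfg.cookie_name):
        return None
    headers = {k.lower(): v for k, v in req.headers.items()}
    user = headers.get(cfg.remote_user_header.lower(), "").strip()
    return user or None


if __name__ == "__main__":
    # Constructed sample: a request that passed through the Web Agent.
    cfg = SMAuthConfig(check_remote_header_only=True, remote_user_header="X-Remote-User")
    req = Request(headers={"x-remote-user": "alice"}, cookies={"SMSESSION": "opaque-token"})
    print(missing_settings(cfg), remote_user_from_web_agent(cfg, req))
```

Because header-only mode trusts the Web Agent rather than the Policy Server, the header is only meaningful when every path to the container goes through that Web Agent; the cookie check above is the minimal evidence that it did, and the configuration check refuses to run the mode with an empty header name.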
Install and configure OpenSSO Enterprise in the container in which the Service Provider is installed.
For detailed installation instructions, see the OpenSSO Enterprise Installation and Configuration Guide.
Install the SiteMinder Web Agent in the OpenSSO Enterprise container.
See the SiteMinder product documentation.