SiteMinder Session Validation

Overview

CA SiteMinder can authenticate end-users and authorize them to access protected Web resources. When the Enterprise Gateway has authenticated successfully to SiteMinder on behalf of a user using the SiteMinder Certificate Authentication filter, SiteMinder can issue a single sign-on token and return it to the Enterprise Gateway. Typically, the Enterprise Gateway inserts this token into a SAML attribute assertion or an HTTP Header, and returns it to the client.

The client then sends the single sign-on token in subsequent requests to the Enterprise Gateway. The Enterprise Gateway extracts the single sign-on token from the message payload or HTTP headers, and stores it in a message attribute, usually the siteminder.session attribute.

The Enterprise Gateway can then use the SiteMinder Session Validation filter to ensure that the token is still valid, and hence that the user is still authenticated. This means that the Enterprise Gateway does not have to authenticate every request to SiteMinder: validating the token establishes that the user is authenticated, so the unnecessary round-trips to SiteMinder are avoided.

Prerequisites

CA SiteMinder integration requires CA SiteMinder SDK version 12.0-sp1-cr005 or later.

Enterprise Gateway

When adding third-party binaries to the Enterprise Gateway, you must perform the following steps:

  1. Add the binary files as follows:
    • Add .jar files to the InstallDir/ext/lib directory.
    • Add .dll files to the InstallDir\win32\lib directory.
    • Add .so files to the InstallDir/platform/lib directory.
  2. Restart the Enterprise Gateway.

Policy Studio

When adding third-party binaries to the Policy Studio, you must perform the following steps:

  1. Add .jar files to the InstallDir/plugins/thirdparty.runtime.dependencies_6.0.3 directory.
  2. Restart the Policy Studio.

Configuration

Configure the following fields on the SiteMinder Session Validation screen:

Name:
Enter an appropriate name for the filter.

Agent Name:
Select the name of the agent to connect to SiteMinder in the Agent Name field. This name must correspond to the name of an agent previously configured in the SiteMinder Policy Server.

At runtime, the Enterprise Gateway connects as this agent to a running instance of SiteMinder. For details on how to configure a SiteMinder connection, see the SiteMinder/SOA Security Manager Connection topic.

Resource:
Enter the name of the protected resource for which the end-user must be authenticated. You can enter a property representing a message attribute, which is expanded to a value at runtime. Properties have the following format:

${message.attribute}

For example, to specify the original path on which the request is received by the Enterprise Gateway as the resource, enter the following property:

${http.request.uri}

Action:
The end-user must be authenticated for a specific action on the protected resource. By default, this action is taken from the HTTP verb used in the incoming request. You can use the following property to get the HTTP verb:

${http.request.verb}

Alternatively, any user-specified value can be entered here.

Message attribute containing session:
Enter the name of the message attribute that contains the single sign-on token generated by SiteMinder. By default, the token is stored in the siteminder.session message attribute, but can be stored in any attribute.
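The following added Python example models how the filter inputs described above fit together (token extracted from a header into siteminder.session, Resource and Action expanded from ${...} properties, and a fail-closed validation result). It is not code from the Enterprise Gateway or this documentation; the SMSESSION header name and the in-memory session table are constructed assumptions that stand in for the real call to the CA SiteMinder SDK.

```python
import re
import time

# Constructed stand-in for the Policy Server's view of sessions:
# token -> (expiry in epoch seconds, set of (resource, action) pairs granted).
# The real check is performed by the CA SiteMinder SDK, not by a local table.
SESSION_TABLE = {
    "SMSESSION-abc123": (time.time() + 3600, {("/orders", "GET"), ("/orders", "POST")}),
    "SMSESSION-expired": (time.time() - 60, {("/orders", "GET")}),
}

PROPERTY = re.compile(r"\$\{([^}]+)\}")

def expand(template, attrs):
    """Expand ${message.attribute} properties against the message attributes."""
    def lookup(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"message attribute {name!r} is not set")
        return str(attrs[name])
    return PROPERTY.sub(lookup, template)

def extract_session(headers, attrs, header="SMSESSION", attr="siteminder.session"):
    """Copy the SSO token from an HTTP header (assumed name) into a message attribute."""
    token = headers.get(header)
    if token:
        attrs[attr] = token
    return token

def validate_session(attrs, agent, resource="${http.request.uri}",
                     action="${http.request.verb}", session_attr="siteminder.session"):
    """Model of the filter: returns (passed, reason) and fails closed on any gap."""
    token = attrs.get(session_attr)
    if not token:
        return False, f"no token in {session_attr}"
    res, act = expand(resource, attrs), expand(action, attrs)
    entry = SESSION_TABLE.get(token)
    if entry is None:
        return False, "unknown session"
    expiry, grants = entry
    if time.time() >= expiry:
        return False, "session expired"
    if (res, act) not in grants:
        return False, f"agent {agent}: {act} {res} not authorized"
    return True, f"agent {agent}: {act} {res} authorized"
```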