CA SiteMinder can authenticate end-users and authorize them to access protected Web resources. When the API Gateway has authenticated successfully to SiteMinder on behalf of a user using the SiteMinder Certificate Authentication filter, SiteMinder can issue a single sign-on token and return it to the API Gateway. Typically, the API Gateway inserts this token into a SAML attribute assertion or an HTTP Header, and returns it to the client.
The client then sends the single sign-on token in subsequent requests to the API Gateway. The API Gateway extracts the single sign-on token from the message payload or HTTP headers, and stores it in a message attribute, usually the siteminder.session attribute.
The API Gateway can then use the SiteMinder Session Validation filter to ensure that the token is still valid, and hence, that the user is still authenticated. This means that the API Gateway does not have to authenticate every request to SiteMinder. By validating the token, the user can be authenticated, and therefore, unnecessary round-trips to SiteMinder can be avoided.
Integration with CA SiteMinder requires CA SiteMinder SDK version 12.0-sp1-cr005 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.
API Gateway
To add third-party binaries to the API Gateway, you must perform the following steps:
- Add the binary files as follows:
  - Add .jar files to the install-dir/apigateway/ext/lib directory.
  - Add .dll files to the install-dir\apigateway\Win32\lib directory.
  - Add .so files to the install-dir/apigateway/platform/lib directory.
- Restart the API Gateway.
Policy Studio
To add third-party binaries to Policy Studio, you must perform the following steps:
- Select Windows -> Preferences -> Runtime Dependencies in the Policy Studio main menu.
- Click Add to select a JAR file to add to the list of dependencies.
- Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.
- Click OK.
- Restart Policy Studio.
Configure the following fields on the SiteMinder Session Validation screen:
Name:
Enter an appropriate name for the filter.
Agent Name:
Click the button on the right to select a previously configured agent to connect to SiteMinder. This name must correspond with the name of an agent previously configured in the SiteMinder Policy Server. At runtime, the API Gateway connects as this agent to a running instance of SiteMinder.
To add an agent, right-click the SiteMinder/SOA Security Manager Connections tree node, and select Add a SiteMinder Connection. Alternatively, you can add SiteMinder connections under the External Connections node in the Policy Studio tree view. For details on how to configure a SiteMinder connection, see the SiteMinder/SOA Security Manager Connection topic.
Resource:
Enter the name of the protected resource for which the end-user must be authenticated. You can enter a selector representing a message attribute, which is expanded to a value at runtime. Message attribute selectors have the following format:
${message.attribute}
For example, to specify the original path on which the request is received by the API Gateway as the resource, enter the following selector:
${http.request.uri}
Action:
The end-user must be authenticated for a specific action on the protected resource. By default, this action is taken from the HTTP verb used in the incoming request. You can use the following selector to get the HTTP verb:
${http.request.verb}
Alternatively, any user-specified value can be entered here. For more details on selectors, see Selecting Configuration Values at Runtime.
Message attribute containing session:
Enter the name of the message attribute that contains the single sign-on token generated by SiteMinder. By default, the token is stored in the siteminder.session message attribute, but it can be stored in any attribute.
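The Resource, Action and session-attribute fields above are resolved together into one validation call against SiteMinder. The following Python sketch is added here as an illustration and is not code from the API Gateway product or the CA SiteMinder SDK: it implements the ${message.attribute} selector expansion used by the Resource and Action fields, copies the single sign-on token from an HTTP header into the siteminder.session attribute as described at the top of the page, and rejects the request locally when the token or a referenced attribute is missing, so no round-trip to the policy server is made for a request that cannot be validated. The header name X-SSO-Token, the token values and the in-memory session store are constructed stand-ins; the real filter hands the request to the SiteMinder SDK instead.

```python
import re

# Selector syntax used by the filter fields: ${message.attribute}
SELECTOR_RE = re.compile(r"\$\{([A-Za-z0-9_.\-]+)\}")


class SelectorError(ValueError):
    """A selector named a message attribute that is not set on the message."""


def expand_selector(template, attrs):
    """Expand every ${name} in template from the message attribute map.

    A value with no selectors (for example a fixed action such as "GET") is
    returned unchanged. A selector that names an absent attribute raises
    rather than expanding to "", so the policy server is never asked about
    an empty resource or action.
    """
    def lookup(match):
        name = match.group(1)
        if name not in attrs:
            raise SelectorError("message attribute '%s' is not set" % name)
        return str(attrs[name])

    return SELECTOR_RE.sub(lookup, template)


def store_session_token(attrs, headers, header_name, attr_name="siteminder.session"):
    """Copy the SSO token from an HTTP header into a message attribute.

    Header names are matched case-insensitively. Returns the token, or None
    when the header is absent or empty (the attribute is then left unset).
    The header name is an assumption of this example; the page only says
    the token travels in the payload or HTTP headers.
    """
    for name, value in headers.items():
        if name.lower() == header_name.lower() and value.strip():
            attrs[attr_name] = value.strip()
            return attrs[attr_name]
    return None


def build_validation_request(attrs, resource_selector="${http.request.uri}",
                             action_selector="${http.request.verb}",
                             session_attr="siteminder.session"):
    """Resolve the three filter fields into one session-validation request.

    Returns a dict with the expanded resource, action and session token.
    Raises SelectorError when the session attribute is missing; that case is
    rejected locally before any round-trip to SiteMinder.
    """
    if not attrs.get(session_attr):
        raise SelectorError("no SSO token in attribute '%s'" % session_attr)
    return {
        "resource": expand_selector(resource_selector, attrs),
        "action": expand_selector(action_selector, attrs),
        "session": attrs[session_attr],
    }


def validate_session(attrs, is_valid, **field_values):
    """Run the filter logic: build the request, then hand it to the validator.

    is_valid stands in for the SiteMinder SDK call; it receives the request
    dict and returns True when the session is still valid for that resource
    and action. A missing token or unresolvable selector fails the filter
    without contacting the policy server.
    """
    try:
        request = build_validation_request(attrs, **field_values)
    except SelectorError:
        return False
    return bool(is_valid(request))


# Constructed sample: an in-memory session store standing in for SiteMinder.
SAMPLE_SESSIONS = {"tok-abc123": {("/orders", "GET"), ("/orders", "POST")}}


def sample_validator(request):
    """Constructed validator: the token must be known and permit (resource, action)."""
    allowed = SAMPLE_SESSIONS.get(request["session"], set())
    return (request["resource"], request["action"]) in allowed


if __name__ == "__main__":
    # Constructed request: attributes the gateway would already have set.
    attrs = {"http.request.uri": "/orders", "http.request.verb": "GET"}
    store_session_token(attrs, {"X-SSO-Token": "tok-abc123"}, "X-SSO-Token")
    print(validate_session(attrs, sample_validator))   # True
    attrs["http.request.verb"] = "DELETE"
    print(validate_session(attrs, sample_validator))   # False
```

The default selectors match the ones documented for the Resource and Action fields; passing a literal such as action_selector="GET" corresponds to the "user-specified value" option, since a string without ${...} is returned unchanged.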