SiteMinder Authorization

Contents

Overview
Prerequisites
Configuration

Overview

CA SiteMinder can authenticate end-users and authorize them to access protected Web resources. The API Gateway can interact directly with SiteMinder by asking it to make authorization decisions on behalf of end-users that have successfully authenticated to API Gateway. The API Gateway then enforces the decisions made by SiteMinder.

[Important] Important

A SiteMinder authentication filter must be configured before a SiteMinder authorization filter is created. In other words, end-users must authenticate to SiteMinder before they can be authorized.

Prerequisites

Integration with CA SiteMinder requires CA SiteMinder SDK version 12.0-sp1-cr005 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.

API Gateway

To add third-party binaries to the API Gateway, you must perform the following steps:

  1. Add the binary files as follows:

    • Add .jar files to the install-dir/apigateway/ext/lib directory.

    • Add .dll files to the install-dir\apigateway\Win32\lib directory.

    • Add .so files to the install-dir/apigateway/platform/lib directory.

  2. Restart the API Gateway.

Policy Studio

To add third-party binaries to Policy Studio, you must perform the following steps:

  1. Select Windows > Preferences > Runtime Dependencies in the Policy Studio main menu.

  2. Click Add to select a JAR file to add to the list of dependencies.

  3. Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.

  4. Click OK.

  5. Restart Policy Studio.

Configuration

Configure the following fields on the SiteMinder Authorization filter:

Name:

Enter an appropriate name for the filter.

Attributes:

If the end-user is successfully authorized, the attributes listed here are returned to the API Gateway and stored in the attribute.lookup.list message attribute. They can then be used by subsequent filters in a policy to make decisions on their values. Alternatively, they can be inserted into a SAML attribute assertion so that the target service can apply some business logic based on their values (for example, if role is CEO, escalate the request, and so on).

Select the Retrieve attributes from CA SiteMinder checkbox, and click the Add button to specify an attribute to fetch from SiteMinder. If you select the Retrieve attributes from CA SiteMinder checkbox, and do not specify attribute names to be retrieved, all attributes returned by SiteMinder are added to the attribute.lookup.list message attribute.

Prev  Up  Next
  Home