SiteMinder Certificate Authentication

Overview

CA SiteMinder can authenticate end-users and authorize them to access protected Web resources. When the API Gateway retrieves an X.509 certificate from a message or during an SSL handshake, it can authenticate to SiteMinder on behalf of the user using the certificate. SiteMinder decides whether the user should be authenticated, and the API Gateway then enforces this decision.

Prerequisites

Integration with CA SiteMinder requires CA SiteMinder SDK version 12.0-sp1-cr005 or later. You must add the required third-party binaries to your API Gateway and Policy Studio installations.

API Gateway

To add third-party binaries to the API Gateway, you must perform the following steps:

  1. Add the binary files as follows:

    • Add .jar files to the install-dir/apigateway/ext/lib directory.

    • Add .dll files to the install-dir\apigateway\Win32\lib directory.

    • Add .so files to the install-dir/apigateway/platform/lib directory.

  2. Restart the API Gateway.

Policy Studio

To add third-party binaries to Policy Studio, you must perform the following steps:

  1. Select Windows > Preferences > Runtime Dependencies in the Policy Studio main menu.

  2. Click Add to select a JAR file to add to the list of dependencies.

  3. Click Apply when finished. A copy of the JAR file is added to the plugins directory in your Policy Studio installation.

  4. Click OK.

  5. Restart Policy Studio.

Configuration

Configure the following fields:

Name:

Enter an appropriate name for the filter.

Agent Name:

Click the button on the right to select a previously configured agent to connect to SiteMinder. This name must correspond with the name of an agent previously configured in the SiteMinder Policy Server. At runtime, the API Gateway connects as this agent to a running instance of SiteMinder.

To add an agent, right-click the SiteMinder/SOA Security Manager Connections tree node, and select Add a SiteMinder Connection. Alternatively, you can add SiteMinder connections under the External Connections node in the Policy Studio tree view. For details on how to configure a SiteMinder connection, see the SiteMinder/SOA Security Manager Connection topic.

Resource:

Enter the name of the protected resource for which the end-user must be authenticated. You can enter a selector representing a message attribute, which is expanded to a value at runtime. Message attribute selectors have the following format:

${message.attribute}

For example, to specify the original path on which the request was received by the API Gateway as the resource, enter the following selector:

${http.request.uri}

Action:

The end-user must be authenticated for a specific action on the protected resource. By default, this action is taken from the HTTP verb used in the incoming request. You can use the following selector to get the HTTP verb:

${http.request.verb}

Alternatively, any user-specified value can be entered. For more details on selectors, see Selecting configuration values at runtime.

Single Sign-On Token:

When a client has been authenticated for a given resource, SiteMinder can generate a single sign-on token and return it to the client. The client can then pass this token with future requests to the API Gateway. When the API Gateway receives such a request, it can validate the token using the SiteMinder Session Validation filter to authenticate the client. In other words, the client is authenticated for the entire lifetime of the token. As long as the token is still valid, the API Gateway does not need to authenticate the client against SiteMinder for every request, which increases throughput considerably.

In this section, you can instruct SiteMinder to generate a single sign-on token. The API Gateway can then store this token in a user-specified message attribute. By default, the token is stored in the siteminder.session message attribute.

Typically, the token is copied to the attribute.lookup.list message attribute using the Copy / Modify Attributes filter, before being inserted into a SAML attribute statement using the Insert SAML Attribute Assertion filter. The attribute statement is then returned to the client for use in subsequent requests.

Select the Create single sign-on token checkbox to instruct SiteMinder to generate the single sign-on token. Enter the name of the message attribute where the token is stored in the field provided.