Integration with CA SSO (SiteMinder) - IBM

© 2009 IBM Corporation. IBM DataPower Gateway: Integration with CA SSO (SiteMinder). ShiuFun Poon


Post on 08-May-2018


[Diagram: Agent (IIS, Apache); SM Agent; PolicyServer; CA SM Agent PEP. Flow labels: 1; 2: Cookie, SM*** HTTP header; 3; 3': SMSESSION]


Web Service (IDG 7.2.0.x release, CA SSO 12.5)

[Diagram: PolicyServer; CA SM Agent PEP; SM AZ service. Flow labels: 1; 2: Cookie, SM*** HTTP header; 3; 3': SMSESSION]


• Supported Authentication
  • Username/Password
  • Certificate (SMCLIENTCERT)
  • SMSESSION
• Authorization
  • Credentials
    • Username/Password
    • Certificate (SMCLIENTCERT)
    • SMSESSION
  • Resource


• Customized SMSESSION cookie
  • Default: SMSESSION
  • Extract Identity: Cookie Name

Instead of using a cookie named SMSESSION, use MySMCookieInsteadOfSMSESSION. When communicating with CA SSO/SiteMinder, the cookie's name is MySMCookieInsteadOfSMSESSION.


• With cookie, allow it to be
  • Sent back to the caller
    • Set-Cookie
    • Cookie Policy {secure, HttpOnly, domain ..}
  • Forwarded to the backend/resource
    • Cookie


• With HTTP header response from CA SSO/SiteMinder
  • Send back to the caller
  • Forward it to the backend/resource

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product


• SMSESSION cookie for the resource/backend
  • SMSESSION
  • What happens if there are multiple security zones
    • SMSSOZONE
    • CookieName: {$SMSSOZONE}SESSION
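
A response-side check for the cookie handling described in the slides above, written as an added example (not from the deck or from IBM/CA code): it derives the session cookie name from a custom name or the `{$SMSSOZONE}SESSION` pattern and flags a session cookie sent back to the caller without `Secure` or `HttpOnly`. The zone `Z1`, the `example.com` domain, the default zone prefix `SM`, and all function names are assumptions for illustration.

```python
# Added example (not from the slides): audit Set-Cookie headers for the
# SiteMinder session cookie. Zone "Z1" and the header values are constructed.

REQUIRED_FLAGS = ("secure", "httponly")


def session_cookie_name(zone="SM", custom=None):
    """Custom cookie name if configured, else the {zone}SESSION pattern."""
    return custom if custom else f"{zone}SESSION"


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, cookie_value, attrs dict)."""
    first, *rest = [p.strip() for p in value.split(";")]
    name, _, cookie_value = first.partition("=")  # value may contain '='
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), cookie_value, attrs


def audit_session_cookie(set_cookie_values, cookie_name):
    """Return findings for the session cookie among Set-Cookie values."""
    findings, seen = [], False
    for raw in set_cookie_values:
        name, _, attrs = parse_set_cookie(raw)
        if name != cookie_name:
            continue
        seen = True
        for flag in REQUIRED_FLAGS:
            if flag not in attrs:
                findings.append(f"{name}: missing {flag}")
        # A Domain attribute widens which hosts receive the session token.
        if "domain" in attrs:
            findings.append(f"{name}: review domain scope {attrs['domain']}")
    if not seen:
        findings.append(f"{cookie_name}: not set in this response")
    return findings


SAMPLE = [  # constructed response headers
    "Z1SESSION=abc123; Path=/; Domain=.example.com; HttpOnly",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_session_cookie(SAMPLE, session_cookie_name("Z1")):
        print(finding)
```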