IBM DataPower Gateway
Integration with CA SSO (SiteMinder)
ShiuFun Poon
© 2009 IBM Corporation
May 08, 2018

Agent

[Diagram labels: IIS, Apache, SM Agent, PolicyServer, CA SM Agent PEP. Flow steps: 1; 2 (Cookie SM***, HTTP header); 3; 3' (SMSESSION).]


Web Service (IDG 7.2.0.x release, CA SSO 12.5)

[Diagram labels: PolicyServer, CA SM Agent PEP, SM AZ service. Flow steps: 1; 2 (Cookie SM***, HTTP header); 3; 3' (SMSESSION).]


• Supported Authentication
  • Username/Password
  • Certificate (SMCLIENTCERT)
  • SMSESSION
• Authorization
  • Credentials
    • Username/Password
    • Certificate (SMCLIENTCERT)
    • SMSESSION
  • Resource


• Customized SMSESSION cookie
  • Default: SMSESSION
  • Extract Identity: Cookie Name

Instead of using a cookie named SMSESSION, use MySMCookieInsteadOfSMSESSION. When communicating with CA SSO/SiteMinder, the cookie's name is MySMCookieInsteadOfSMSESSION.


• With cookie, allow it to be
  • Sent back to the caller
    • Set-Cookie
    • Cookie Policy {secure, HttpOnly, domain ..}
  • Forwarded to the backend/resource
    • Cookie


• With HTTP header response from CA SSO/SiteMinder
  • Send back to the caller
  • Forward it to the backend/resource

https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/web-agent-configuration/web-application-protection/default-http-headers-used-by-the-product


• SMSESSION cookie for the resource/backend
  • SMSESSION
  • What happens if there are multiple security zones
    • SMSSOZONE
    • CookieName: {$SMSSOZONE}SESSION
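
The cookie handling from the cookie-policy and security-zone slides, as an added example that is not from the original deck or from IBM or CA code: plain JavaScript (not DataPower GatewayScript APIs) that derives the zone's session cookie name, forwards only that cookie to the backend, and builds the Set-Cookie for the caller with the policy attributes. The function names, the `SM` default zone prefix and the sample header are assumptions constructed for illustration.

```javascript
// Added example: plain JavaScript, not DataPower GatewayScript or CA code.
// Function names and sample values are constructed for illustration.

// Session cookie name for a security zone: {$SMSSOZONE}SESSION.
// Assumption: the default zone prefix is "SM", giving the default SMSESSION.
function sessionCookieName(zone) {
  return (zone || 'SM') + 'SESSION';
}

// Parse a request Cookie header into a Map. Split on the first '=' only:
// session values are base64-like and may themselves contain '='.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (name && !jar.has(name)) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Cookie header for the backend: forward only the session cookie of the
// backend's zone, so cookies from other zones are not passed along.
function cookieForBackend(requestCookieHeader, zone) {
  const name = sessionCookieName(zone);
  const value = parseCookieHeader(requestCookieHeader).get(name);
  return value === undefined ? null : `${name}=${value}`;
}

// Set-Cookie for the caller with the cookie policy applied.
// Values containing separators or whitespace (including CR/LF) are rejected.
function setCookieForCaller(zone, value, policy) {
  if (/[;,\s]/.test(value)) throw new Error('invalid cookie value');
  const attrs = [`${sessionCookieName(zone)}=${value}`];
  if (policy.domain) attrs.push(`Domain=${policy.domain}`);
  if (policy.secure) attrs.push('Secure');
  if (policy.httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Constructed sample request header carrying cookies for two zones.
const SAMPLE_COOKIE = 'lang=en; SMSESSION=AAAA+bbb/cc==; Z1SESSION=ZZZZ/11=';
console.log(cookieForBackend(SAMPLE_COOKIE, 'Z1'));
console.log(setCookieForCaller('Z1', 'ZZZZ/11=',
  { domain: 'example.com', secure: true, httpOnly: true }));
```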