SiteMinder is a directory-enabled, standards-based system that works with heterogeneous Web and application servers, operating systems, and application development platforms. Using SiteMinder, you can implement security policies that protect Web applications and resources. It manages authentication and authorization privileges through a user-centric, policy-based security model. SiteMinder provides single sign-on (SSO) across single and multiple cookie domains, simplifying the use of applications hosted on different Web servers and platforms.
SiteMinder components
The major components are:
- Policy Server
- Agents
- User Directory
1 Policy Server
The SiteMinder Policy Server is the central server that protects sites. Working with the Web Agent plug-in, it determines which URLs are protected, challenges users for credentials when they request a protected URL, and communicates with the LDAP user directory to authenticate them. In particular, it provides the following services:
1.1 Authentication Services
The Policy Server supports a wide range of authentication methods, so that the unique needs of each environment can be met.
1.2 Authorization Services
The Policy Server is responsible for managing and enforcing the access control rules established by the administrator. These rules (detailed in a later section) define the operations that are allowed for each protected resource. Any named URL that a Web application or user needs to access can be a resource protected by SiteMinder. In addition, rules may be constrained by time, to prevent access outside specified periods, or by specific IP addresses.
1.3 Auditing Services
The Policy Server also generates logs that contain auditing information about the events that occurred within the system. This log can be viewed using a standard browser or printed in the form of several predefined reports, or in customer-defined report formats, so that security events or anomalies can be analyzed and corrected.
2 Agents
A SiteMinder Agent is a component that resides with the Web server or application server hosting the resource to be protected and communicates with the Policy Server in order to enforce policies for user access to that resource. There are several types of Agents that can be used with SiteMinder:
2.1 Web Agent
For Web servers, the Web Agent is integrated through each Web server’s extension API. It intercepts all requests for resources (URLs) and determines whether SiteMinder protects the requested resource. If not, the request is passed through to the Web server for regular processing. If it is protected, the Web Agent interacts with the Policy Server to authenticate the user and to determine whether access to the specific resource should be allowed. The Web Agent also passes to the application (through the Web server) a “Response” that allows page content to be personalized to the needs and entitlements of each user. The Web Agent can also pass other response information to the Web application and redirect the user to specific Web pages, for example ones carrying custom error messages.
2.2 Application Server Agent
Application Server Agents provide finer-grained access control for objects such as Servlets, JSPs and EJBs. SiteMinder Application Server Agents (ASA) are a set of servlets that communicate with the SiteMinder Policy Server via the SiteMinder Agent API. These Agents are designed to protect resources hosted in an application server, such as servlets, JavaServer Pages, and EJB components, by superseding the native application server’s security functionality.
2.3 Custom Agents
Custom agents together with the SiteMinder Policy Server can provide access control for a wide range of resources that extend beyond Web resources. The Agent API provided by SiteMinder enables creation of a custom Agent that can implement security for any type of resource.
2.4 Affiliate Agents
A SiteMinder Affiliate Agent provides a seamless connection from a main portal to an affiliate site without requiring a user to re-identify or provide additional information about themselves. The affiliate site can determine that the user has been registered at the main portal and, optionally, that the user has an active SiteMinder session. Based on policies configured at the portal for the affiliate, information can be passed to the affiliate and set as cookies or header variables for applications at the affiliate Web server.
3 User Directory
A user directory in SiteMinder is an object that contains details for connecting to an existing user directory that resides outside of SiteMinder. User directories store user data, including organizational information and credentials such as passwords. The Policy Server user interface allows you to configure connections to existing user directories. The Policy Server uses these connections to verify user identities and retrieve user attributes contained in the directories. The Policy Server supports LDAP, Microsoft SQL Server, Oracle, and custom user directories.
SiteMinder authentication
The following steps occur when a user tries to access a protected resource on a web server configured to use SiteMinder authentication:
- The user requests a resource through a Web browser.
- This request is received by the Web server and is intercepted by the SiteMinder Web agent.
- The Web agent determines whether or not the resource is protected, and if so, gathers the user's credentials and passes them to the Policy Server.
- The Policy Server authenticates the user against user directories, then verifies whether or not the authenticated user is authorized for the requested resource, based on rules and policies contained in the Policy Store (LDAP).
- After the user is authenticated and authorized, the Policy Server grants access to protected resources and delivers privilege and entitlement information.
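As an added illustration that is not part of this post (and not SiteMinder's own code or Agent API), here is a small Python model of the five steps above, including the time-of-day and IP address constraints on rules described under Authorization Services. The Rule, PolicyServer and WebAgent names, the SM_USER header variable, and the sample users and policy are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Constructed model (not SiteMinder's own code or API) of the flow above: the
# Web Agent asks the Policy Server whether a URL is protected, has it
# authenticate and authorize the user, then forwards the "Response" as headers.

@dataclass
class Rule:
    resource: str                   # URL prefix this rule protects
    allowed_users: set
    hours: tuple = (0, 24)          # allowed [start, end) hour of day
    allowed_nets: tuple = ()        # permitted client networks; empty = any
    response: dict = field(default_factory=dict)  # header variables for the app

class PolicyServer:
    def __init__(self, directory, rules):
        self.directory = directory  # user -> password; stands in for LDAP
        self.rules = rules

    def rule_for(self, url):
        # The longest matching resource prefix decides which rule applies
        hits = [r for r in self.rules if url.startswith(r.resource)]
        return max(hits, key=lambda r: len(r.resource), default=None)

    def authenticate(self, user, password):
        return self.directory.get(user) == password

    def authorize(self, rule, user, client_ip, hour):
        if user not in rule.allowed_users:
            return False
        start, end = rule.hours
        if not start <= hour < end:                  # time-of-day constraint
            return False
        return not rule.allowed_nets or any(         # IP address constraint
            ip_address(client_ip) in ip_network(n) for n in rule.allowed_nets)

class WebAgent:
    def __init__(self, policy_server):
        self.ps = policy_server

    def handle(self, url, creds, client_ip, hour):
        rule = self.ps.rule_for(url)
        if rule is None:
            return 200, {}          # unprotected: pass through to the web server
        if creds is None or not self.ps.authenticate(*creds):
            return 401, {}          # challenge the browser; creds = (user, pw)
        if not self.ps.authorize(rule, creds[0], client_ip, hour):
            return 403, {}
        return 200, {"SM_USER": creds[0], **rule.response}
```

Requests for unprotected URLs pass straight through, while a protected URL is challenged, then allowed only for a listed user inside the rule's hours and from a permitted network, with the rule's response delivered as headers.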