README.html revision 4fe4e4f798a84a46e567f64ceadd3648eb0582d4
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
http-equiv="content-type">
<title>CA Siteminder Integration</title>
</head>
<body>
<h1><small><span style="font-weight: bold;">OpenSSO
Integration with CA Siteminder</span></small><br>
</h1>
=====================================================================<br>
<br>
This README explains the OpenSSO Server SSO
Integration with Computer Associates (CA) SiteMinder. The README must
be read in the context of OpenSSO Integration Document
where the use cases, possible integrations and configurations are
described in detail.<br>
<br>
This README explains the custom codes for e.g. Authentication
Modules, compilation instructions and the configuration of the
auth modules for OpenSSO context. The OpenSSO custom
authentication enables the SSO integration between legacy Siteminder
(SM) access server and OpenSSO especially when the
deployment contains SM for protecting existing applications.<br>
<br>
1. Pre-requisites :<br>
==========<br>
<br>
1. opensso.zip - This zip file contains all
the integration souce code, configuration files and ofcourse this
README file along with regular opensso.war<br>
2. Siteminder server 6.0 SP4 or higer version - The siteminder
server must be installed and configured. For more details, check
siteminder documentation. For OpenSSO <br>
related configuration, check the OpenSSO
integration
document. There are no trial versions available for Siteminder
libraries or for other siteminder components. This <br>
document assumes that the user has minimal knowledge
on Siteminder components and knows how to get them.<br>
3. Siteminder SDK 6.0 SP4 or higher version - The siteminder SDK
must be installed and configured. The SDK is required to compile and
build Federated<br>
OpenSSO Authentication Modules for
Siteminder. <br>
4. Siteminder Agent installed and configured.<br>
<br>
<br>
2. Brief Description of Contents:<br>
======================<br>
<br>
The opensso/integrations directory contains source and configurations
to compile and build the custom authentication modules and other plugins.
Check the OpenSSO integration document for your use case and
configure accordingly. This document provides instructions on how to
configure authentication modules<br>
<br>
where the source code and configurations are in place..<br>
<br>
Readme.html - This file.<br>
<br>
build.xml - This file is a build script for building <br>
<br>
config - This directory contains auth module configuration files.<br>
SMAuthService.xml - This is siteminder auth
module configuration file that must be imported into OpenSSO<br>
SMAuthModule.xml - This file is used for auth module
call backs and for Siteminder auth module they are empty. However, the
file must be used.<br>
SMAuth.properties - This file is a
properties file that stores i18n keys for siteminder authentication
module configuration lables.<br>
<br>
lib - This directory is by default empty . However, this lib directory
must contain all the necessary libraries to compile the source
libraries. They are:<br>
smjavaagentapi.jar,
SmJavaApi.jar (Siteminder jar files)<br>
openfedlib.jar,
servlet .jar file (If
it's Glassfish, it is javaee.jar)<br>
<br>
source - This directory contains all the source files<br>
<br>
The above java source
files are the custom authentication module classes that would be
plugged into OpenSSO for generating OpenSSO Session by<br>
using Siteminder session.<br>
<br>
com
- This class provides codes for Siteminder AuthScheme Plugin
class for generating<br>
Siteminder
session using OpenSSO session.<br>
SAML2 Plugin Adapter for SAML service providers to do the remote
authentication to<br>
Siteminder using OpenSSO
Session.
Essentially these java files are used for usecase2 in OpenSSO
integration document.<br>
<br>
<br>
3: How to build:<br>
===========<br>
<br>
1. Make sure all the siteminder libraries and OpenSSO libraries
present in lib directory as mentioned above.<br>
<br>
2. Use "ant" script to build the source files. A compatible
ant must be installed and configured in the PATH.<br>
<br>
should build all the source files and generates fam_sm_integration.jar
under<br>
<br>
<br>
4. OpenSSO Installation and Configuration with Siteminder AuthModule:<br>
=================================================<br>
<br>
area and is represented with a marco $WAR_DIR <br>
<br>
2. Copy
<br>
3. Copy Siteminder jar files smjavaagentapi.jar and SmJavaApi.jar to
<br>
<br>
<br>
<br>
7. Deploy opensso.war onto OpenSSO web container. The deployment is self
explanatory. Please check the web container documentation for war<br>
deployment.<br>
<br>
8. Access the deployed opensso directory <br>
<br>
9. Accessing deployed application redirects to opensso configurator.
Choose custom configuration. By default OpenSSO uses embedded directory<br>
server for configuration, however, you could choose to use existing or
a new directory server instance for configuration. <br>
<br>
Note: The OpenSSO can be configured to use various
user repository for validating the user existance, however, you could
also choose to ignore profile. <br>
<br>
10. After successful configuration, the configuration redirects to a
user login and verify your administrator credentials. <br>
<br>
<br>
5. Siteminder Auth module configuration:<br>
===========================<br>
<br>
Now we have to load the Siteminder authentication module service
into Open SSO and configure for the SSO integration. The auth
module service<br>
is loaded from a OpenSSO command line utility called as "ssoadm". For OpenSSO,
the ssoadm utitily is exposed in both console mode and browser based<br>
interfaces. Here we will use use browser based ssoadm for OpenSSO
configuration changes.<br>
<br>
1. Login into OpenSSO using amadmin<br>
<br>
2. Now access the following URL<br>
<br>
3. Choose create-service option. <br>
<br>
4. Copy and paste the xml file from
Submit<br>
This will load the auth module service into OpenSSO configuration.<br>
<br>
5. Register the auth module into the authentication core framework. <br>
<br>
Choose register-auth-module option.<br>
auth module class name.<br>
<br>
6. Now verify that the auth module is registered to the default realm.
http://<host>:<port>/opensso, click on default realm, and
click on<br>
"authentication" tab, create new AuthModule as "SMAuth" and choose
SMAuthModule<br>
<br>
7. Click on SMAuth auth module<br>
<br>
8. Most of the SM Auth params are self explanatory and does not need to
be changed. <br>
<br>
Shared Secret: is a secret password between siteminder SDK and
siteminder policy server. For more information, check the siteminder<br>
documentation. If you have agent installed, you can use agent's shared
secret here which is available from SmHost.Conf<br>
Policy Server IP Address: IP Address of Site minder policy server<br>
HTTPHeaders: If you have configured SMPolicyServer/SMAgent to send
HTTPHeaders to the applications, enter the same<br>
HTTP Header names here so that they could be uploaded to the OpenSSO
session. Also, the same could be sent to SAML Assertion<br>
by using SAML Attribute configuration mapper. For details on SAML
Attribute mapping, check the OpenSSO integration documentation.<br>
<br>
Configure as appropriate and save the configuration. <br>
<br>
If you have configured to use HTTP headers, go to step 9.<br>
<br>
9. Configure POST Authentication SPI plugin.<br>
Go to Configuration->Authentication->Core->Ream
Attributes and under Authentication Post Processing classes add<br>
<br>
<br>
6. Siteminder Auth Module Testing:<br>
=======================<br>
<br>
The testing of site minder assumes that siteminder SDK is already
installed and configured. Please check the siteminder documentation<br>
for siteminder SDK installation.<br>
<br>
<br>
2. Restart the OpenSSO web container with LD_LIBRARY_PATH set and make
sure that container is loaded with these site minder SDK shared libs.<br>
<br>
3. Now access the siteminder protected application and login with
siteminder configured user to establish SMSESSION. The configuration<br>
of siteminder policy and authentication schemes are outside scope of
this documentation and please check siteminder documentation for more <br>
information. <br>
<br>
4. After successful authentication at siteminder server, access the OpenSSO
auth module url as follows:<br>
<br>
<br>
This should provide a valid OpenSSO session.<br>
<br>
Note: Assumption here is that siteminder and OpenSSO are in the same
physical domain. <br>
<br>
By default OpenSSO authentication framework looks for user profile
existance in it's known data repositories. However, you could use
ignoreProfile<br>
option if your integration does not require a user to be searched from
siteminder's user repository. Check the OpenSSO documentation for more info<br>
about ignoreProfile option.<br>
<br>
7. Installation of FAMAuthScheme into Siteminder:<br>
==================================<br>
<br>
This section is for a use case where the siteminder session needs to be
generated upon validating OpenSSO session. The FAMAuthScheme class<br>
implements Siteminder java SPI to configure a custom authentication
module. The integration dcoumentation guide describes in detail how to<br>
configure the custom OpenSSO Authentication Scheme in Siteminder.<br>
</body>
</html>