CA SiteMinder integration

CA SiteMinder is a centralized web access management system that provides user authentication and single sign-on, policy-based authorization, identity federation, and auditing of access to web applications and portals. This section describes how to configure API Gateway 7.6.2 to authenticate and authorize end users using CA SiteMinder 12.52.

CA SiteMinder authenticates end users and authorizes them to access protected web resources. API Gateway can request SiteMinder to authenticate end users using the user profiles stored in the SiteMinder server. SiteMinder decides whether the user should be authenticated, and API Gateway then enforces this decision. API Gateway can also request SiteMinder to make authorization decisions on behalf of end users that have successfully authenticated to API Gateway.

For more information on CA SiteMinder, go to the CA Technologies website.

Flow description

The SiteMinder authentication flow starts when an end user uses a browser to attempt to access a resource protected with CA SiteMinder on API Gateway. First, API Gateway checks whether the request from the user contains a valid session cookie for SiteMinder. If API Gateway does not find a valid session cookie, the flow is as follows:

  1. End user is prompted to provide the login credentials.
  2. API Gateway forwards the credentials to SiteMinder.
  3. SiteMinder decides whether the user is authenticated and authorized for the requested resource. If the authentication is successful, SiteMinder returns a session cookie and a response to API Gateway.
  4. API Gateway stores the session cookie from SiteMinder in the siteminder.session message attribute and creates a custom cookie.
  5. API Gateway returns a message with the cookie and a success response to the end user, and authorizes the user to access the requested resource.

On subsequent requests to access the protected resource, the end user sends the cookie to API Gateway in the request message. API Gateway retrieves the cookie and validates it against SiteMinder. The end user stays authenticated for the entire lifetime of the session cookie. As long as the session cookie is valid, API Gateway does not need to re-authenticate the end user against SiteMinder for every request. This increases throughput and performance considerably.
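The flow above, as an added example that is not part of the Axway documentation or its code base: a Python model of the gateway's cookie check and credential forwarding, with a constructed in-memory stand-in for the SiteMinder Policy Server. The cookie name APIGW_SESSION, the 300-second session lifetime and the basic_header helper are assumptions.

```python
"""Model of the API Gateway / SiteMinder session-cookie flow (added example)."""
import base64
import secrets
import time

SESSION_COOKIE = "APIGW_SESSION"   # assumed name of the gateway's custom cookie
SESSION_TTL = 300                  # assumed session lifetime in seconds

class StubSiteMinder:
    """Constructed stand-in for the SiteMinder Policy Server (not CA code)."""
    def __init__(self, users):
        self.users = users         # {username: (password, allowed_resources)}
        self.sessions = {}         # session token -> (username, expiry)

    def login(self, user, password, resource):
        """Authenticate and authorize; return a session token or None."""
        entry = self.users.get(user)
        if not entry or not secrets.compare_digest(entry[0].encode(), password.encode()):
            return None
        if resource not in entry[1]:
            return None
        token = secrets.token_urlsafe(24)
        self.sessions[token] = (user, time.time() + SESSION_TTL)
        return token

    def validate(self, token, resource):
        """Return the session owner if the token is live and allowed, else None."""
        sess = self.sessions.get(token)
        if not sess or sess[1] < time.time():
            self.sessions.pop(token, None)
            return None
        return sess[0] if resource in self.users[sess[0]][1] else None

def basic_header(user, password):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def gateway_handle(sm, request):
    """Gateway policy: returns (status, message attributes, response headers)."""
    attrs = {"siteminder.session": None, "authenticated": False}
    cookie = request.get("cookies", {}).get(SESSION_COOKIE)
    if cookie and sm.validate(cookie, request["resource"]):
        attrs.update({"siteminder.session": cookie, "authenticated": True})
        return 200, attrs, {}                 # cookie valid: no re-authentication
    auth = request.get("headers", {}).get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, attrs, {"WWW-Authenticate": 'Basic realm="siteminder"'}
    user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    token = sm.login(user, pw, request["resource"])
    if token is None:
        return 401, attrs, {}
    attrs.update({"siteminder.session": token, "authenticated": True})
    return 200, attrs, {"Set-Cookie": f"{SESSION_COOKIE}={token}; HttpOnly; Secure"}
```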

Prerequisites

Before you start, you must have the following:

  • API Gateway installed
  • CA SiteMinder installed and configured

For more details on the installation and the initial configuration of CA SiteMinder, see the CA SiteMinder documentation. It is recommended that you familiarize yourself with this documentation before you start integrating API Gateway with CA SiteMinder.

Configuration process

The example policy is built in stages, starting with a simple authentication and authorization policy for SiteMinder that is then refined by adding further filters.

The example policy uses HTTP Basic to authenticate the end user, but you can replace it with another authentication mechanism, if required.

The following steps are required to integrate API Gateway with CA SiteMinder:

  1. Configure API Gateway as the SiteMinder agent.
  2. Configure SiteMinder connection.
  3. Configure SiteMinder authentication policy.
  4. Configure single sign-on.
