This siteminder tutorial will show you how SiteMinder system works. This tutorial will give you technical insights of the working principle of SiteMinder system.
There may be situations where users access a web service hosted on a Apache Web server is authenticated by some authentication mechanism, let’s say, LDAP. If the same users want to access a web service on an IIS Web server, they have to be authenticated by another mechanism, let’s say , Windows domain controller. Since there is no way to pass authentication verification between these two systems, users must log in twice.
In such situation, SiteMinder comes into rescue to these multiple login problems by providing a central point (SSO – Single Sing-On) for all authentication mechanisms. Instead of being authenticated by each web service, users are authenticated by SiteMinder system. Once the user has been authenticated, a special encrypted cookie is created and used for subsequent logins to different web-based services and applications. Even though users are automatically authenticated, you can curtail their access rights to specific resources by establishing access control policies through SiteMinder’s security policy management features.
Components of SiteMinder
SiteMinder system mainly consists of:
- Web Agent, ERP Agent, Secure Proxy Agent etc.
- User store, Policy store – DB/LDAP.
- Session and key store – DB/LDAP.
The Web Agent is a component that allows the web server to be managed by SiteMinder. Web Agent is integrated with a standard web server and just a filter that intercepts all requests for resources (URLs) to a web server, then decides whether the specified resource is under SiteMinder’s control or protected. If the resource is protected, the Policy Server is contacted. If the resource is not protected or not under SiteMinder’s control, the request will go directly into web server.
The Policy Server provides authentication to web-based applications. The Policy Server acts as a front end to whatever authentication method is being deployed within an organization.
- Basic authentication (user-name/password)
- Basic authentication over SSL
- Authentication schemes
- ACE/Server (Security Dynamics)
- RADIUS Proxy
- Forms-based authentication
- X.509 certificates
- Custom or third-party schemes
How SiteMinder works
If the resource is not protected then Web Agent allows the Web Site to process and return the page to the user.
If resource is protected and user is not authenticated then Web Site returns an Access Denied error.
If resource is protected and user is not authorized then Web Site returns an Access Denied error.
The below steps explain how Siteminder works if the resource is protected:
- User requests a web page or a resource
- Web Agent intercepts the request
- Web Agent verifies with Policy Server if the request is protected
- Policy Server checks the policy and rules applicable for the incoming request; accordingly protection information and one of the authentication methods is returned
- Policy Server asks Web Agent for user credentials (using form based authentication, token or any other authentication method)
- Web Agent passes supplied authentication information to Policy Server and asks Policy Server if user is authenticated
- Policy Server checks user information on file and verified against the supplied user credentials
- Policy Server also checks policy and rules for authenticating the user
- Policy Server informs Web Agent that user is authorized and passes the response data
- If not authenticated then Web Agent asks for credentials (using form based authentication, token or any other authentication method).
- Web Agent allows Web Site to process user’s request and provides response data
- Once the user is authenticated, an encrypted cookie or user credential is created and passed to the web server
- Web page or resource is processed and returned to user
- When the same user tries to access a URL on Web server, the Web Agent can then grant access according to the user credential it was passed, eliminating the need for a second time login.
Limitations of Siteminder
- When a user logs into a computer and authentication handled by operating system, then we cannot pass user information to SiteMinder because SiteMinder was designed to work in a web server environment, where authentication is triggered upon a URL request.
- Though SiteMinder is a valuable tool for SSO login between disparate web applications, the user is still required to log into the platform from which the web applications will be launched. SiteMinder also requires that an agent be installed on each web server that will participate in the SSO environment.
Thanks for reading.