Layer7 Access Management


Office Hours for CA SiteMinder on Thursday, December 12 @ 11 AM ET

  • 1.  Office Hours for CA SiteMinder on Thursday, December 12 @ 11 AM ET

    Posted 12-03-2013 11:42 AM

    Have a question about CA SiteMinder? Connect with CA Technologies technical experts to get answers via Office Hours for SiteMinder. Our team is here to help you get more out of your technology. Join us for one hour on Thursday, December 12th @ 11 AM ET. 

    Some sample topics: 
    • Your pain points
    • Product documentation 
    • Questions on functionality

    Please DO NOT discuss support cases – You will need to open a ticket instead. Also, this is not a forum to discuss support of customizations.

    Click HERE to register, add to calendar and join the day of.

    *Please note that there is no audio. This is for you to submit your questions only, and our experts will respond using WebEx. Also, all participants should consider the implications of any answer provided. Many products are highly configurable and can be tailored to different use cases. An answer for one implementation could be a problem for another.



  • 2.  RE: Office Hours for CA SiteMinder on Thursday, December 12 @ 11 AM ET

    Posted 12-11-2013 02:24 PM

    Hi All,

    Just a reminder here to try and attend this exciting offering tomorrow!  I have attached the PDF that will be used for the event so you can see how it works.

    See you all there!

    Chris




  • 3.  RE: Office Hours for CA SiteMinder on Thursday, December 12 @ 11 AM ET

    Posted 12-17-2013 03:35 PM

    For those who may have missed the Office Hours, I have included the chat log below! If you missed this one, please join us in January for the next one!

    shawn sprague(CA) to Everyone:             Are there questions about the next release of SiteMinder?

    Marat Sklyarov to Everyone:       I have a use case for SiteMinder. The setup is simple. We have multiple realms protected by the same webagent and auth scheme (AD) with the same protection level. The login screen has user name and password fields validated against AD, and two additional fields that are crucial for authz logic in downstream apps, but are not associated with AD. We need to capture the values of these two fields at the login time and be able to share that data between requests coming to different realms as long as SMSESSION is valid and pass it to downstream as HTTP Header. The requirement is to not implement a custom auth scheme. Please advise. Thanks

                    Praveen Pala to Everyone:           @Marat - Where are the two parameters stored for the user that you need to send as HTTP header?

                    Marat Sklyarov to Everyone:       They are stored in a separate data store and represent a geographical area into which the user logs in. E.g. the user's profile is associated with 4 regions. Upon login the user specifies what region he/she logs in to. Based on that value the user's profile for that region is retrieved by the downstream system

                    George Jojo to Everyone:            @Marat Have you looked into the Session store option?

                    Marat Sklyarov to Everyone:       No, we are not allowed to make any modifications at AD, and the current Oracle database profile table structure is not trivial. So we need to run code based on those two elements to retrieve the right information. No matter what we need to get those elements across and store in session somehow.

                    George Jojo to Everyone:            @Marat if you have a session store, you might be able to store these values for the user session and pass it along.

                    Marat Sklyarov to Everyone:       @George Jojo. The operations have disabled persistent session, can it somehow be stored in an in-memory session?

                    George Jojo to Everyone:            @Marat, you don't have to make it a persistent session. You can use some custom code to write these values to the session store

                    Sid Mautte (CA) to Everyone:     @Marat - SiteMinder OOTB cannot achieve what you are looking to do. You have the choices of a tailored authentication scheme (which you indicated as undesirable) or you may set up a virtual directory in front of AD and Oracle so that it presents the data as a single user directory to SiteMinder. The virtual directory would enable you to leverage SiteMinder responses.

    Marat Sklyarov to Everyone:       @George Jojo. How would I accomplish something like that on the SiteMinder side? We are not allowed to implement a custom auth scheme. Also, how to capture these values from the login screen to SiteMinder PS?

                    George Jojo to Everyone:            @Marat, hard code the target in the login page to an intermediate page, where you put in the code to write these into the session store and once that is done, redirect to the original target

                    Marat Sklyarov to Everyone:       @George Jojo. Do you mean HTTP Session or SiteMinder Session?

                    George Jojo to Everyone:            @Marat write the additional values you wanted to pass to the  realms in the session store.

                    George Jojo to Everyone:            @Marat but also keep in mind that the solution I am giving is not an OOTB functionality. You will have to use custom code in both policy server and intermediate page to accomplish this.

                    Marat Sklyarov to Everyone:       @George Jojo. I understand. It may actually work. I'll give it a try

                    CrissyKruegerStone (CA) to Everyone:   @MARAT - It may be possible that you can create a Web Agent Response Attribute "WebAgent-OnAuthAccept-Session-AuthContext". This response specifies an AuthContext response attribute for an authentication scheme. The value of this response attribute is added to the SESSION TICKET as the value of the SM_AUTHENTICATIONCONTEXT user attribute. The value is not returned to the client as a user response.

                    CrissyKruegerStone (CA) to Everyone:   @MARAT - Then you can define an active expression which uses the AuthContext variable. That might work to get the values from the auth scheme to be available later for use with your application.

     

     

    Tony Pham to Everyone:              @CA team. an improvement for CA support is to read through the issue the customer opens, and then to give your customer an introduction call. this will create a better human interaction. during the conversation, you can clarify, obtain more information about the issue. what i hate to see is a typical script ... can you give me smaccess log, ps log, OS version, SM version, webagent log and in some cases, an export of your policy store. i always scratch my head in disbelief (and i don't have a lot of hair left :) ) is when your support people ask for smps log or smaccess log when the question is at the web agent level. or to ask for smps.log when the reported issue is at the web layer. for me in particular, i welcome a call from CA support to get more clarification on the case that i open. it helps both of us.

                    Adam K to Everyone:     @CATeam I second Tony's comments - This can also be a big time waster for pertinent issues

                    Challa Ramakanth (CA) to Everyone:       @Tony. At CA Support we always make an effort towards knowing more about the actual issue at hand as sometimes we get support tickets opened where the end objective is different than the actual issue being reported. However, most customers are well aware of our products and know well where the issue is being reported. So, point well taken. We will try to emphasize asking specific questions and logs. We always encourage our support engineers to engage on a phone conversation for the first contact so we know what the issue is first hand and we shall continue to do so. The ideal thing we want to do is to get the issue first hand explained by the customers and ask for relevant questions. If we needed more logs out of the scope then an explanation would be warranted on why those logs are needed. Hope this addresses the question. You are welcome to provide any more feedback like this.

                    Tony Pham to Everyone:              @CA team. i also note that over the year, your offshore support team has come a long way. there are improvements in terms of knowledge, skill set, however, the team is not there yet, so please continue to invest in them. if you can send some of your resident experts over there for long term (1 year? ) to train, mentor, provide guidance, to get the team better, that would be great. there is always a chance someone will leave, but that's the risk you need to take (and i hope that's not one of the main reasons for you to not invest in the offshore team)

                    vijay to Everyone:            @Tony thank you for your input, we understand your concerns and we, Support, continuously strive to improve our Support Delivery

     

    Karen to Everyone:         One of our applications has a "remember me" feature for logging into it.   We were wondering if there is any configuration in Siteminder that can do something similar. 

                    Manjari Gangwar(CA) to Everyone:         @Karen, we have an OOTB feature and .fcc page that can be used for Remember Me

                    Manjari Gangwar(CA) to Everyone:         @Karen sending you the bookshelf link for this

                    Karen to Everyone:              @Manjari   Thanks!

                    Manjari Gangwar(CA) to Everyone:         @Karen In the WA installation forms directory, there is a sample fcc file, "savecreds.fcc"

     

     

    Alfredo Villagomez to Everyone:               I am planning the decoupling of the key store from the policy store. The policy store is an ODBC database and the upgrade documentation instructs you to run the Set-Up policy server to create a separate r6.x key store instance. Can you clarify if the set-up policy server needs to be run on the policy server? If so, in Windows it is an exe and you need to run it? Thanks

                    William Brant to Everyone:          Is decoupling the key store from the policy store recommended for 12.5?

                    Alfredo Villagomez to Everyone:               yes. since we are doing the parallel upgrade using multiple policy servers with common shared keys

                    Bob  Maiello to Everyone:            @everyone;  sorry I joined really late;      i see the late question was on multiple policy servers and common keys..

                    Hongxu Liu to Everyone:               @Alfredo Villagomez, if you plan to SSO between version 6 and R12 at the same time, then yes, create a separate key store from the policy store, duplicate the data in it, and point both policy servers to the same key store.

                    Alfredo Villagomez to Everyone:               @Hongxu. Yes. that is the plan to continue using SSO and therefore we need to create the new key store

                    Hongxu Liu to Everyone:               @ Alfredo Villagomez What are the two versions of policy servers? v6 and ?

                    Alfredo Villagomez to Everyone:               @Hongxu. We have r6.x and we are planning to upgrade to the new r12.52 as soon as it is available. but we want to test it with the r12.51 right now

                    Bob  Maiello to Everyone:            @alfredo;   Yeah we've been testing with 12.51 and plan to roll that out if possible..we really can't wait for 12.52..our testing takes too long.

                    Alfredo Villagomez to Everyone:               @Bob. Do you have to de-couple the key store from the policy store? if so, what is your experience on doing that?

                    Hongxu Liu to Everyone:               @Alfredo, check out this section: Installation and Upgrade Guides › SiteMinder Upgrade Guide › Upgrading from r6.x › How a Parallel Upgrade Works. What is the second part of your question?

                    Bob  Maiello to Everyone:            @alfredo;   we're not decoupling the keystore from the pstore..  we're going to be trying some steps from CA to point all the servers at a common policystore.   It's a long story.     The decoupled common keystore per the docs seems the better/best approach but we like things complicated.

                    Tony Pham to Everyone:              @Alfredo, along w/ what Hongxu said about common keystore, separate pstore, you would also want to have the user directory to have the same name, or else no SSO.  the user directory is defined in the SM Admin UI

                    Alfredo Villagomez to Everyone:               @Hongxu. I did and on page #71 the first line which is step 2 has the instructions to use the set-up policy server. Why do we need to run the policy server to create the key store? Don't we have to use the sql scripts at the ODBC database?

                    Alfredo Villagomez to Everyone:               @Bob. That shows that you may be doing the Inline or migration options. We would like the parallel option since there are a lot of dependencies to move apps to new environment not to mention the extra cost for support.

                    Bob  Maiello to Everyone:            @alfredo,hongxu:  I think..  The keystore can be created with policy server commands  or if your dba or ldapadmin is clever they could possibly create it without a policy server...  the policyserver method being the CA supported method.

                    Bob  Maiello to Everyone:            @alfredo;  yeah...the parallel method is the most straight forward... the problem we have is keeping policy changes in sync between v6 and R12..   I do not believe we could do it for an extended period of time.

                    Hongxu Liu to Everyone:               @alfredo; key store schema is part of policy store schema. The sql script creating the schema (if I remember correctly) cannot be easily separated. So may as well run for the same, no harm.

                    Bob  Maiello to Everyone:            @alfredo...ie..   we add a federation auth scheme to v6,  we need to add it to R12..   for federating users...which one did they certify...

                    Alfredo Villagomez to Everyone:               @Hongxu. Suppose that we use the setup on the policy server. We are running Windows server and the set-up is just the executable. Does this mean that we need to run it and instead of doing the install we just create the key store?

                    Hongxu Liu to Everyone:               @alfredo, when using DB as store, you can manually set it up by running SQL scripts against Database, no installer required.

                    Bob  Maiello to Everyone:            @hongxu;  yeah for prod we would create a common keystore with the commands.. for the lab my ldap guru was able to create it independent of the policy server.   It's not something we would do for prod.

                    Tony Pham to Everyone:              @Alfredo, in your 6.x do you have a separate kstore, pstore, or are they in the same store? the attributes to hold keystore information are small. there is a pretty good document from CA that explains the encryption key, let me dig to see if i can give you a reference #. but anyway, 6.x, 12.51 can leverage the same keystore. the pstore is a different animal. if in 6.x you have a single dbase, or ldap containing both kstore/pstore, then with your 12.5x install, you would point your SM 12.5x to use the 6.x keystore info (in the registry, or via smconsole), and your SM 12.5x to use the 12.5x pstore

                    Alfredo Villagomez to Everyone:               @Tony. the r6.x is currently a single policy server. and the plan is to separate and point the new r12.x to the r6.x key store to maintain sso.

                    Alfredo Villagomez to Everyone:               @Tony. In addition, we have a single database replicated on all 4 locations

     

     

     

    Adam K to Everyone:     @CATeam - Is there any way to diff SiteMinder environments easily? I would assume most companies would have multiple environments and it would be beneficial to have a tool that would do that.

                    Challa Ramakanth (CA) to Everyone:       @Adam K. Can you clarify what do you mean by diff SiteMinder environments? Can you explain further? Are you talking about differentiating the policy stores?

                    Adam K to Everyone:     @CATeam "compare different SiteMinder environments"... assuming we have a test and production environment policy store, it would be nice to be able to compare applications or domains between both environments.

                    Challa Ramakanth (CA) to Everyone:       @Adam K. Do you want to check if they exist in one or the other or if you want to check subtle things like how is a particular setting configured in one environment Vs other?

                    Challa Ramakanth (CA) to Everyone:       @Adam K. Go to the following community page: https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/message-board/-/message_boards/message/100331001?&#p_19

                    Challa Ramakanth (CA) to Everyone:       @Adam, it has a tool where you can compare/diff two different policy stores. The following are the features offered in that tool:

                    Adam K to Everyone:     @CATeam - It would be very beneficial to compare the entire application or domain.

                    Adam K to Everyone:     Perfect - thank you!

                    Challa Ramakanth (CA) to Everyone:       @Adam K. Siteminder Policy Reader

    Attached is a Java SiteMinder Policy Reader tool that has been developed internally by CA Support engineers for use within CA SiteMinder Support. Given that CA SiteMinder customers face similar issues with viewing exported XPS & SMDIF policy stores, it was felt that this was a good candidate tool, even though it is at a fairly early stage of development, for release on the CA community website.

    Here is a quick list of features :

    Ability to Read XPS export files

    Ability to read SMDIF export files

    Similar in look to the older Siteminder Applet

    View History and history navigation (prev and next toolbar, as well as history menu)

    Find function

    Ability to display objects in detached window (see screenshot below).

    Tab that displays Object Properties

    Tab that displays all References to an Object.

    Screen that displays All Policy Store Objects; with filter, select and browse options - (see screenshot below)

    Basic Policy Store Stats

                    Adam K to Everyone:     @CATeam - that is great, thank you

                    Challa Ramakanth (CA) to Everyone:       @Adam K. Ability to compare two policy stores, and give visual display of differences.

    Compare can be done via Xid or via Name.

    You are welcome. Glad we can help.

                    Bob  Maiello to Everyone:            @everyone;  the policy compare tool ..yes have seen.. very cool.

                    Bob  Maiello to Everyone:            @everyone;  but the policy compare tool is for comparing..  I think what we all need is a really easy tool for importing say an entire domain with all policies and rules from one environment to another.

                    Challa Ramakanth (CA) to Everyone:       @Bob. What version of SiteMinder would you be using? The command line options are different for different versions of SiteMinder for XPSExport, which can do this: export the specific objects to let you import them. Open one thread in the message board and we will respond to that based on your version of SiteMinder.

                    Bob  Maiello to Everyone:            @challa;  in the past with v6 we had some in-house scripts for a domain that used smobjexport but had a lot of caveats..   For  the new R12.51  I see XPSexport/import have some add/overlay options  ...but will those get all policies/realms/rules in a domain?   Or will they become angry over the system objects in the domain (agent group etc).. ?

                    Challa Ramakanth (CA) to Everyone:       @Bob, I do not want to lose your question so please open a thread in the message board and we shall continue our discussions there on this topic. This chat may be closed anytime.

                    Customer Programs5 to Everyone:          @Bob - Here's the link:  https://communities.ca.com/web/ca-identity-and-access-mgmt-distributed-global-user-community/message-board/-/message_boards/category/2253364?&#p_19

                    Bob  Maiello to Everyone:            @challa;  sure  thanks..... a very interesting topic.       This chat was  pretty cool too.

     

    Tony Pham to Everyone:              @Challa on the XPSExport/Import.   the tool will get all the objects defined in the policy.

    Tony Pham to Everyone:              @Challa, for realm, you can not pick and choose b/c realms are part of the policy domain

    Tony Pham to Everyone:              @challa   i called "fine grain" .  basically, for policy objects, some you can pick and choose, such as aco, wa, auth scheme, others like realms, you will have to pick the whole policy domain to have realm(s) included

    Tony Pham to Everyone:              @challa,  then if you don't want that realm you will need to remove them manually via WAM UI

    Tony Pham to Everyone:              there is a chapter in the user guide for this tool, read it, it's not that bad

    Tony Pham to Everyone:              @challa, it even has pix so you can follow

     

    Bob  Maiello to Everyone:            @CA ; OK..   I joined late  but really liked the chat  ..even the several threads going on at once.