Symantec Access Management

  • 1.  Share point agent integration with CA siteminder

    Posted Aug 25, 2014 11:59 AM


    Hi ,

    I need to configure the SharePoint agent with CA SiteMinder. Could you please guide me through the initial setup?

     

    Regards,

    Karthick



  • 2.  Re: Share point agent integration with CA siteminder

    Posted Aug 25, 2014 12:17 PM

    In this case I'm using SiteMinder version 12.52.



  • 3.  Re: Share point agent integration with CA siteminder

    Posted Aug 26, 2014 08:33 AM

    Karthik,

     

    Before leaving CA I worked on some guides for this. They were incorporated into the CA documentation when it comes to local SharePoint. If you mean O365 (cloud SharePoint) then try the Federation RunBook section: cloudminder-security-saas-validation-program-runbook-library.aspx?intcmp=searchresultclick&resultnum=1

    Search for "Microsoft Office 365" or "Microsoft SharePoint"

     

    If you want a local SharePoint, please see the actually usable documentation they have in their guides... I would link you to the main page for the Bookshelf, but one of two things is happening:

    1: CA has removed the Bookshelf

    2: CA's search is not working properly

    Unfortunately those are not mutually exclusive.

    Here's the search I did that seems to bring up some good resources....

     

    http://www.ca.com/us/support/ca-support-online/support-by-product/ca-siteminder.aspx?d=t&language=en&type=Document&q=sha…



  • 4.  Re: Share point agent integration with CA siteminder

    Posted Aug 26, 2014 12:30 PM

    Thanks JPerlmutter,

    Do you have any idea where exactly we give the target URL after successful authentication?

     

    Regards,

    Karthick



  • 5.  Re: Share point agent integration with CA siteminder

    Posted Aug 26, 2014 01:45 PM

    The target url should be created by the agent on the redirect. If we're not talking about the same thing then I think you're talking about one of the configuration specific pieces that is best answered by the guides.



  • 6.  Re: Share point agent integration with CA siteminder

    Posted Aug 27, 2014 02:35 AM

    Hi,

     

    Try this Sharepoint run book

     

    SAP Portal Services



  • 7.  Re: Share point agent integration with CA siteminder
    Best Answer

    Posted Sep 09, 2014 11:10 AM

    My recommendation would be to follow the SharePointAgent Guide, if the SharePoint integration is for on-premise.

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20Agent%20for%20SharePoint%202010%20and%202013%2012%2052-ENU/Bookshelf_F…

     

     

    The SharePoint run book which is attached here is more tailored to the cloud deployment use case. There are key differences between cloud and on-premise deployments.




  • 8.  Re: Share point agent integration with CA siteminder

    Posted Sep 09, 2014 11:21 AM

    Karthik

     

    Here is the SharePointAgent Guide for SharePoint 2010 and SharePoint 2013 for the on-premise (within an enterprise) SharePoint Solution.

     

    OLD PDF FORM

     

    https://support.ca.com/cadocs/0/CA%20SiteMinder%20Agent%20for%20SharePoint%202010%20and%202013%2012%2052-ENU/Bookshelf_F…

     


    NEW CA PRODUCT DOCUMENTATION WIKI

     

    CA SiteMinder Agent for SharePoint - Source Home - CA SiteMinder Agent for SharePoint - 12.52 SP1 - CA Wiki

     

     

    My recommendation is to use the latter (i.e. the wiki), as it is updated and further improved. Plus it gives you the opportunity to comment if something is unclear, so that we (CA) can then tailor it based on the feedback in the best-suited manner.



  • 9.  Re: Share point agent integration with CA siteminder

    Posted Oct 09, 2014 01:24 AM

    Thanks Hubert, it's very much useful.



  • 10.  Re: Share point agent integration with CA siteminder

    Posted Sep 15, 2014 11:51 AM

    Karthik

     

    In addition to the links I shared, which should always be used to follow the detailed integration steps, here are the core steps in a nutshell for an on-premise deployment, for your ease and at your request. This should give you a skeleton approach of what needs to happen. If you are happy with the response and it helps you to move forward, please close the case. Thank you.

     

     

    1. Install / configure SPAgent on a machine allotted for SPAgent.

    2. Access http://sps.ca.com and your request should get proxied to www.ca.com.

    3. Install SharePoint 2010 on a W2K8 R2 machine with minimum 4GB RAM (recommended is 8GB).

       a. Take a fresh machine.

       b. Open a new browser and access www.google.com (this is just to ensure there is connectivity to Internet).

       c. Run the SharePoint 2010 setup.

       d. Select Install Pre-Requisites.

       e. Post completion of Pre-Requisites, Select Install SharePoint2010.

       f. Post install of SharePoint2010, opt for configure SharePoint when prompted by installer.

       g. During configure select StandaloneMode Configuration for SharePoint.

       h. Configure should complete Successfully.

    4. Access Central Administration UI (StartMenu --> ProgramFiles --> Microsoft SharePoint 2010 Products).

       a. Create a new website in SharePoint 2010 using ClaimBased Authentication (for now select SharePoint NTLM Authentication).

       b. Select to create a NewApplicationPool with NetworkService when you create a NewWebSite.

       c. Once the WebSite is created, create a SiteCollection for the WebSite.

       d. Assign a Template (e.g. select the TeamSite Template) and assign a primary Administrator (e.g. Administrator - Admin User in localAD).

       e. Make sure you are able to access the website using the SharePoint WebSite URL using https (e.g. http://sp-defaultzone:port).

    6. Now Configure the proxy rules in SPAgent to proxy to SP WebSite.

       a. Access http://sps.ca.com and you'll see now your request is forwarded to http://sp-defaultzone:port.

       b. Sharepoint would throw a basic auth prompt twice, once for the domain sps.ca.com & other for sp-defaultzone.

       c. Once you land on the SharePoint WebSite Homepage you'd see your URL has changed from sps.ca.com to sp-defaultzone.

    7. Configure Alternate Access Mapping in SharePoint to make sure public URL of WebSite points to SPS.

    8. Now access https://sps.ca.com and you should be granted access to SharePoint website after SharePoint Basic Auth Challenge (only Challenged once this time).

    9. If your PS is R6, make sure to install PSOP. In R12 and above PSOP is already installed with PS.

    10. Make sure SmKeyDatabase (R6 / R12) OR CDS (R12.5 / above) is setup correctly.

    11. Create a WSFED Token signing certificate (SelfSigned OR RootCASigned) and add the signing certificate to the SmKeyDatabase.

    12. Login to WAM UI or FSS UI.

        a. Create a Policy Domain to protect the URL https://sps.ca.com/affwebservices/redirectjsp/redirectjsp

        b. Use SPConnectionWizard to create an Affiliate Domain with ResourcePartner to generate a WS-FED Token.

        c. You need a 4xagent to login via SPConnectionWizard.

        d. On completion of SPConnectionWizard an affiliateDomain and a .ps1 script is created.

    13. Copy the script file and public certificate of the Assertion Signing certificate (& rootCA public cert if not selfsigned) to SharePoint Machine.

    14. Edit the script file

        a. Enter certificate paths for rootCA and public cert (only public cert if selfsigned, hash rootCA entries).

        b. Enter a Name for TIP and Description for TIP in the <tags> allotted.

        c. Save the script.

    15. Execute the script in a SharePoint PowerShell window e.g. .\script.ps1.

        a. A TIP should be created successfully.

        b. Use the command "Get-SPTrustedIdentityTokenIssuer" in the SharePoint PowerShell window to see the created TIP.

    16. Open the SharePoint central administration UI and change the Authentication mechanism in WebSite to have Trusted Identity Provider as well.

        a. Now the authentication mechanism has been changed to support NTLM and TIP.

        b. Go to Change Site Collection Administration link in SharePoint Central Administration.

        c. Add the SiteMinder User (e.g. AAAAAA) who you'd be using to login using SM Forms Auth as the Secondary Administrator.

        d. Since the TIP does not have a ClaimsProvider associated, TIP would use the SharePoint Loopback feature and display / resolve the value entered in PeoplePicker.

    17. Open a cmd window and issue an IISReset (e.g. iisreset /noforce).

    18. Now access the SPS URL again

        a. http://sps.ca.com

        b. You'd see the SharePoint Authentication Selection page.

        c. Select "TIP" from drop down.

        d. You'd then be challenged by SM forms authentication.

        e. Post successful login, you should be logged into SharePoint as the SiteMinder User (e.g. AAAAAA).

        f. If in 18.c you selected NTLM/WindowsAuthentication, you'd be challenged for WindowsAuth using a Basic Auth Challenge (enter Administrator/password & you should be logged in).

     

     

     

     

    Regards

     

     

    Hubert
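
A check that can follow steps 15.b and 16 above, as an added example that is not part of the original post and not CA's generated script: it compares the TIP that SharePoint actually registered against the signing certificate copied in step 13 and reports trust gaps. The TIP name and certificate path are placeholders for the values entered in step 14, and the chain check assumes the signing certificate is self-signed or issued directly by the root CA.

```powershell
# Added example (not from the thread). Run in the SharePoint Management Shell.
# $TipName and $CertPath are placeholders for the values used in step 14.
param(
    [string]$TipName  = 'SiteMinderTIP',
    [string]$CertPath = 'C:\certs\wsfed-signing.cer'
)

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
$tip      = Get-SPTrustedIdentityTokenIssuer -Identity $TipName -ErrorAction Stop
$findings = @()

# SharePoint must verify tokens with the same certificate the Policy Server signs with.
if ($tip.SigningCertificate.Thumbprint -ne $expected.Thumbprint) {
    $findings += "Signing cert mismatch: TIP=$($tip.SigningCertificate.Thumbprint) file=$($expected.Thumbprint)"
}

# An expired signing certificate fails every federated login; warn 30 days ahead.
$daysLeft = ($tip.SigningCertificate.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) { $findings += "Signing cert expires in $daysLeft day(s)" }

# SharePoint validates the chain against its own trusted root authorities,
# not the Windows certificate store. Assumption: no intermediate CAs.
$anchor = Get-SPTrustedRootAuthority |
    Where-Object { $_.Certificate.Subject -eq $expected.Issuer }
if (-not $anchor) { $findings += "No SPTrustedRootAuthority for issuer '$($expected.Issuer)'" }

# The sign-in redirect carries the user to the login form; it should be HTTPS.
if ($tip.ProviderUri.Scheme -ne 'https') {
    $findings += "Sign-in URL is not HTTPS: $($tip.ProviderUri)"
}

# Step 16.d: with no claims provider, People Picker resolves whatever is typed,
# so a mistyped name is granted access as entered instead of being rejected.
if ([string]::IsNullOrEmpty($tip.ClaimProviderName)) {
    $findings += 'No claims provider set: People Picker entries are not validated'
}

[pscustomobject]@{
    Name          = $tip.Name
    Realm         = $tip.DefaultProviderRealm
    SignInUrl     = $tip.ProviderUri
    IdentityClaim = $tip.IdentityClaimTypeInformation.InputClaimType
    Findings      = $findings
}
```

An empty `Findings` list means the registered TIP matches the certificate on disk; the claims-provider finding is expected for the setup described in step 16.d and is a reminder to double-check names typed into People Picker.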