Symantec Access Management

  • 1.  parallel SSO?

    Posted Jun 29, 2016 05:29 AM

    Hi, at one of my customers we have an old SiteMinder infrastructure composed of a CA Secure Proxy Server, a Policy Server, and a Policy Store on CA Directory. The user store is an enterprise LDAP and is the same for both environments. All the applications are accessed behind the SPS.

    We have installed a fresh infrastructure, with a new SPS, a new Policy Server and a new Policy Store; all the components are on new servers. The user store is the same as in the old environment.

    The new policy store has been cloned from the old one. It means that we physically copied the data folder from dxserver in the old environment, and of course we used the same encryption key for both the old and the new policy server.

    The two environments are working perfectly fine, but what surprised me is that we have SSO between them, even if they do NOT share a keystore and policy store; they only have the same cookie domain (dcc.it).

    Once the user is authenticated and authorized to an application in the old environment (https://app1.old.dcc.it) they can move to the new environment (https://app1.new.dcc.it) without entering credentials (the new Policy Server just logs a ValidateAccept), so it is able to validate the session in some way.

    Same if the user accesses the new environment first and then moves to the old one.

    Is this the expected behaviour, or is it due to the policy store being cloned between the two environments?



  • 2.  Re: parallel SSO?
    Best Answer

    Broadcom Employee
    Posted Jun 29, 2016 07:49 AM

    Your setup is not uncommon for customers who want disparate environments with SSO.

    In building your second environment you satisfied ALL SSO requirements; the keystore is part of your policy store, so the keys would be the same.

     

    Required for SSO:

    1. Session keys (agent) – must be the same (NOTE: customers have come up with different approaches – replicating keys with smobjexport)
    2. Session ticket – must be the same
    3. User directory requirements:
       a. Name of the UserDir object in Admin UI must be defined with the same name in both policy stores; also the authenticated user DN must be the same

          OR

       b. AuthValidation functionality can be used if (a) is not possible



  • 3.  Re: parallel SSO?

    Posted Jun 29, 2016 02:00 PM

    Hi Stephen, thank you for your reply.

    So if I understood correctly, the keystore content is static. Otherwise, after the initial cloning of the keystore (embedded with the old policy store) the content should be different in the two environments and SSO should not be possible anymore. Is that right?



  • 4.  Re: parallel SSO?

    Broadcom Employee
    Posted Jun 29, 2016 02:05 PM

    If you cloned the keys and the session ticket is the same = SSO until a rollover occurs in one of the environments. If you select dynamic rollover, the first time the keys roll, SSO will be lost. For customers that want disparate stores with SSO, they either share the same keystore OR use static keys.
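The following is an added model of the behaviour discussed in this thread (the SSO requirements in the best answer and the rollover caveat above); it is not code from the original posts and not SiteMinder's own implementation. The cookie format is a stand-in (a base64 JSON body plus an HMAC keyed with the session key and the session ticket, tagged with the key version it was issued under), not the real SMSESSION encoding; the key versioning, the assumption that a server keeps older keys after a rollover, the class and function names, and the sample values (`EnterpriseLDAP`, `CorpLDAP`, the user DN) are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import os


class KeyStore:
    # Session (agent) keys of one environment, indexed by version. Assumption:
    # a server keeps older keys, so its own pre-rollover cookies still validate.
    def __init__(self, static=True):
        self.static = static
        self.current = 1
        self.keys = {1: os.urandom(32)}

    def clone(self):
        """Equivalent of copying the policy store, keystore included."""
        ks = KeyStore(static=self.static)
        ks.current, ks.keys = self.current, dict(self.keys)
        return ks

    def rollover(self):
        """Dynamic rollover creates a new current key; static keys never roll."""
        if self.static:
            return False
        self.current += 1
        self.keys[self.current] = os.urandom(32)
        return True


class PolicyServer:
    def __init__(self, name, keystore, session_ticket, userdir_names):
        self.name = name
        self.ks = keystore
        self.ticket = session_ticket        # session ticket key, must match for SSO
        self.userdirs = set(userdir_names)  # UserDir object names defined here

    def _mac(self, version, body):
        key = self.ks.keys[version] + self.ticket
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def issue_session(self, userdir, user_dn):
        payload = {"kv": self.ks.current, "dir": userdir, "dn": user_dn,
                   "issuer": self.name}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        return body + "." + self._mac(self.ks.current, body.encode())

    def validate(self, cookie):
        """Returns (accepted, reason), the ValidateAccept/Reject decision."""
        body, tag = cookie.rsplit(".", 1)
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
        version = payload["kv"]
        if version not in self.ks.keys:
            return False, "no session key for version %d" % version
        if not hmac.compare_digest(self._mac(version, body.encode()), tag):
            return False, "MAC mismatch: different key material or session ticket"
        if payload["dir"] not in self.userdirs:
            return False, "unknown user directory %r" % payload["dir"]
        return True, "ValidateAccept"


def scenario():
    ticket = os.urandom(32)
    dirs = ["EnterpriseLDAP"]             # same UserDir name in both stores
    alice = "uid=alice,ou=people,o=dcc"   # same authenticated DN in both
    old = PolicyServer("old", KeyStore(static=False), ticket, dirs)
    new = PolicyServer("new", old.ks.clone(), ticket, dirs)   # cloned store
    cookie_old = old.issue_session("EnterpriseLDAP", alice)
    cookie_new = new.issue_session("EnterpriseLDAP", alice)
    r = {"cloned_old_to_new": new.validate(cookie_old)[0],
         "cloned_new_to_old": old.validate(cookie_new)[0]}
    # Independent key store: same version number, different key bytes.
    other = PolicyServer("other", KeyStore(static=False), ticket, dirs)
    r["independent_store"] = other.validate(cookie_old)[0]
    # Same keys, but the UserDir object was given another name.
    renamed = PolicyServer("renamed", old.ks.clone(), ticket, ["CorpLDAP"])
    r["userdir_renamed"] = renamed.validate(cookie_old)[0]
    # Dynamic rollover in the new environment: its fresh cookies stop
    # validating in the old one, which never saw key version 2.
    new.ks.rollover()
    r["after_rollover_new_to_old"] = old.validate(
        new.issue_session("EnterpriseLDAP", alice))[0]
    r["after_rollover_old_to_new"] = new.validate(cookie_old)[0]
    # Static keys: rollover is a no-op, so the cloned environments stay in sync.
    s1 = PolicyServer("s1", KeyStore(static=True), ticket, dirs)
    s2 = PolicyServer("s2", s1.ks.clone(), ticket, dirs)
    s2.ks.rollover()
    r["static_after_rollover"] = s1.validate(
        s2.issue_session("EnterpriseLDAP", alice))[0]
    return r


if __name__ == "__main__":
    for k, v in scenario().items():
        print("%-27s %s" % (k, "SSO" if v else "no SSO"))
```

Running `scenario()` shows the cloned environments accepting each other's sessions in both directions, an independent keystore rejecting them on the MAC check even with the same session ticket, a renamed UserDir object rejecting them on the directory lookup, one dynamic rollover in the new environment breaking validation of its cookies in the old one, and static keys leaving SSO intact. The cookie domain is not modelled: the browser only presents the cookie to both hosts because they share dcc.it, which is a precondition for any of these checks to run at all.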