Symantec Access Management

  • 1.  Session sharing between two applications

    Posted Dec 15, 2016 06:32 AM

    Hi, 

    We have two applications with the same domain name, but the ACOs are different. 

    EX URLs:

    application 1: https://application1.company.com/bnd/

    application 2: https://application2.company.com/advance/home.aspx

     

    Application 1 and application 2 are deployed on different web servers and the ACOs are different. The two applications are already configured using SiteMinder for authentication and authorization. 

     

    We would like to perform session sharing between the two applications. If a user is logged into application 1, the user shouldn't be asked for credentials if he hits the application 2 URL in the same browser. 

     

    What steps do we need to perform to achieve this? Please advise. 

     

    Thanks in advance. 



  • 2.  Re: Session sharing between two applications

    Posted Dec 15, 2016 06:47 AM

    Hello,

     

    If your 2 applications are using the same policy server, are in the same cookie domain (.company.com), in the same cookie zone and using the same protection level, you should have SSO. You should also use the same user directory name in the domain/realm definition.

     

    Depending on your configuration, you would have to trust the SSO zone, use auth/validation mapping.

     

    Check all your constraints and depending on them, you will be able to design your policies to enable SSO between your applications.

     

    Hope it helps,

    Julien.



  • 3.  Re: Session sharing between two applications

    Posted Dec 16, 2016 01:35 AM

    Hi Julien, 

     

    Thanks for your valuable reply. 

     

    I have a few queries on this. The applications are in the same domain, but the policy servers are different. Also, the applications use different user directories. 

    So, is it not possible to configure SSO between these two applications?

    Please advise.

     

    Thanks, 

    Karthick Sugumaran



  • 4.  Re: Session sharing between two applications

    Posted Dec 16, 2016 01:43 AM

    Hi Karthick,

     

    Are both policy servers using the same key store?

     

    If the agents have the same set of keys, then you can achieve single sign-on by implementing Auth-Validation Identity Mapping.

    Please refer to the link below for Validation Identity Mapping.

    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/1796110.html#o1802840

     

    Thanks,

    Sharan



  • 5.  Re: Session sharing between two applications

    Posted Dec 16, 2016 09:26 AM

    Are both policy servers using the same keystore and "policy store", or different ones, i.e. each policy server is pointing to a different keystore-policystore? The solution differs accordingly.



  • 6.  Re: Session sharing between two applications

    Posted Dec 16, 2016 10:12 AM

    Hi Sharana, 

     

    The policy servers are not using the same key store. So, is there any possibility to implement SSO? 

     

    Thanks, 

    Karthick Sugumaran



  • 7.  Re: Session sharing between two applications

    Posted Dec 16, 2016 10:31 AM

    Hello,

     

    If you have disparate key stores, you should use the same static agent in both environments.

     

    Regards,

    Julien



  • 8.  Re: Session sharing between two applications
    Best Answer

    Posted Dec 19, 2016 08:08 AM

    Hi Karthick,

     

    Multiple Key Store Single Sign-on Requirements
    1. Disable dynamic Agent key generation for all Policy Servers.
    2. Be sure that a CA SiteMinder administrator has the necessary Administrative UI permissions to specify the same static Agent key and the same session ticket in both key stores.
    3. Be sure that the same static Agent key and the same session ticket are configured in both key stores.

    Once both key stores have the same set of keys, implement Auth-Validation Identity Mapping.
    Please refer to the link below for Validation Identity Mapping.
    https://support.ca.com/cadocs/0/CA%20SiteMinder%2012%2052%20SP1-ENU/Bookshelf_Files/HTML/idocs/1796110.html#o1802840

     

    Thanks,

    Sharan