Layer7 Access Management


Integration - SM + SOI + EEM

  • 1.  Integration - SM + SOI + EEM

    Posted 11-10-2013 05:42 PM

    Hi, I have a write up for SiteMinder + SOI + EEM integration.

    I am attaching it to this post.

    Feel free to ask questions. If you find any error, let me know as well.

     




  • 2.  RE: Integration - SM + SOI + EEM

    Posted 11-11-2013 02:52 PM
    sunghoon_kim:

    Hi, I have a write up for SiteMinder + SOI + EEM integration.

    I am attaching it to this post.

    Feel free to ask questions. If you find any error, let me know as well.

     

     

    Thanks for sharing this with the Community!
     



  • 3.  RE: Integration - SM + SOI + EEM

    Posted 11-30-2013 03:40 AM

    Hi sunghoon

    In the case you use the Basic Auth.

    Can EEM/SOI support NTLM Auth?

    Thanks.

    Regards,

    Brian

     



  • 4.  RE: Integration - SM + SOI + EEM

    Posted 12-30-2013 07:35 AM
    yuhung:

    Hi sunghoon

    In the case you use the Basic Auth.

    Can EEM/SOI support NTLM Auth?

    Thanks.

    Regards,

    Brian

     


    Hi, Brian.

    I think I know why you are asking this, perhaps you have already tried and failed to SSO.

    When you use Windows Authentication Scheme, the userID that SiteMinder picks up is "Domain\UserID".

    As such, trying to SSO to the SOI/EEM can fail because it may fail to find such a user in its user directory.

    The best solution, which also costs money, would be to use SmOverrideAuth, which is a solution module.

    Or, perhaps you can develop a custom authentication using Windows authentication but storing only the userID as username.

     



  • 5.  Re: Integration - SM + SOI + EEM

    Posted 11-22-2017 05:23 AM

    Hello Sunghoon,

     

    I was wondering. Is this still the only option?

    I had integrated with forms before and all of my connections are made with SAML. Within SAML I can easily overwrite the attribute with the Attribute Mapping List of the User Directories. Is there a way to do this for the Spectrum - Single-Sign on configuration as well?



  • 6.  RE: Re: Integration - SM + SOI + EEM

    Posted 06-05-2019 07:09 AM
    Hello,

    I know this is a very old thread but I'm now facing this integration.
    The customer wants to protect access to the SOI pages using SiteMinder, and we have tried to follow the document attached to this thread.

    So we have configured SOI integration with EEM, and configured EEM to have a user store of type SiteMinder.

    We also have an Apache configured as requested in the document.

    Our problem is that after the first authentication challenge from the SM web agent, Apache redirects to the SOI pages but we get another authentication challenge from SOI.
    After a first auth challenge from the web agent, we expect to log in directly to SOI, having the SiteMinder cookies in the session, but this is not happening.

    Have we missed something?

    Thanks and Regards
    Antonello

    ------------------------------
    IT Senior Consultant
    Management & Consulting
    ------------------------------



  • 7.  RE: Re: Integration - SM + SOI + EEM

    Posted 06-05-2019 10:02 PM
    The Apache reverse proxy (web agent enabled) forwards the requests to the backend SOI with the SMSESSION cookie, and the SOI should honour that session.
    As mentioned in this old document, Apache is a reverse proxy with the following settings.

    http://soi.kim.net.my/ is the reverse proxy with web agent
    http://soi.kim.net.my:7070/ is the SOI

    ----------8<---------
    ProxyRequests off
    ProxyPreserveHost on

    <Location /sam>
        ProxyPass http://soi.kim.net.my:7070/sam
        ProxyPassReverse http://soi.kim.net.my:7070/sam
    </Location>

    <Location /sam/admin>
        ProxyPass http://soi.kim.net.my:7090/sam/admin
        ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
    </Location>

    <Location /sam/debug>
        ProxyPass http://soi.kim.net.my:7090/sam/debug
        ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
    </Location>
    ----------8<---------

    And SiteMinder is configured to protect the http://soi.kim.net.my/sam/ui

    So if everything is set up correctly, Apache will forward all requests coming in with /sam.
    And if the request goes to /sam/ui then the web agent will challenge the client.

    If the client returns with SMSESSION, Apache will forward the SMSESSION cookie to the backend, which is SOI.
    SOI should honour the SMSESSION.

    If you are getting re-challenged, SMSESSION is probably not being honoured; check that you protected only /sam/ui.
    If you protect /sam then you can get re-challenged.

    Also, there was a known issue then where the SOI did not correctly recognize SMSESSION, so it is possible the issue is recurring.

    ------------------------------
    Support Engineer
    Broadcom
    ------------------------------
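
Added example, not part of the original posts and not vendor code: a small resolver for the `<Location>` blocks posted above that reports, for a request path, which backend Apache proxies it to and whether it falls under the /sam/ui realm named in the post. It assumes Apache's rule that the most specific `<Location>` wins for ProxyPass and that /sam/ui is the only protected realm; the function names and the sample paths (`index.jsp`, `/samples`) are constructed.

```python
import re
from urllib.parse import urlsplit

# <Location> blocks as posted above (indentation normalised).
POSTED_CONF = """
<Location /sam>
    ProxyPass http://soi.kim.net.my:7070/sam
    ProxyPassReverse http://soi.kim.net.my:7070/sam
</Location>
<Location /sam/admin>
    ProxyPass http://soi.kim.net.my:7090/sam/admin
    ProxyPassReverse http://soi.kim.net.my:7090/sam/admin
</Location>
<Location /sam/debug>
    ProxyPass http://soi.kim.net.my:7090/sam/debug
    ProxyPassReverse http://soi.kim.net.my:7090/sam/debug
</Location>
"""
PROTECTED = ["/sam/ui"]  # realm stated in the post; assumed to be the only one

def under(prefix, path):
    """Apache <Location> prefix match: /sam covers /sam and /sam/x, not /samx."""
    prefix = prefix.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")

def parse_locations(conf):
    """Return {location prefix: ProxyPass target} for each <Location> block."""
    pat = re.compile(r"<Location\s+(\S+)>(.*?)</Location>", re.S | re.I)
    out = {}
    for prefix, body in pat.findall(conf):
        m = re.search(r"^\s*ProxyPass\s+(\S+)", body, re.M | re.I)
        if m:
            out[prefix] = m.group(1)
    return out

def route(path, locations, protected=PROTECTED):
    """Return (backend URL or None, challenged by the web agent?) for a path."""
    path = urlsplit(path).path  # ignore any query string
    hits = [p for p in locations if under(p, path)]
    backend = None
    if hits:
        best = max(hits, key=len)  # most specific <Location> wins
        backend = locations[best] + path[len(best.rstrip("/")):]
    return backend, any(under(p, path) for p in protected)

if __name__ == "__main__":
    locs = parse_locations(POSTED_CONF)
    for p in ["/sam/ui/index.jsp", "/sam/admin/x", "/sam/debug", "/samples", "/mobile"]:
        print(p, route(p, locs))
```

With the configuration as posted, /sam/admin and /sam/debug are proxied to port 7090 but sit outside the /sam/ui realm, and /mobile has no `<Location>` block at all, so any additional context root needs both its own proxy mapping and a decision about which realm covers it.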



  • 8.  RE: Re: Integration - SM + SOI + EEM

    Posted 06-06-2019 10:26 AM
    Hi SungHoon

    Our requirement is to also protect the context root /mobile because this will be published.

    In the meantime I have tested /sam/ui and for this the integration works, but /mobile does not.

    For your information we have protected /mobile path with the webagent.

    Do you have a suggestion?

    Thanks and Regards
    Antonello


    ------------------------------
    IT Senior Consultant
    Management & Consulting
    ------------------------------