Layer 7 Access Management

Transcript CA Single Sign-On Office Hours (Jul 16) 

07-16-2015 11:48 AM

Aaron Berman (CA) :@keshav - our strategic direction is using the WAM UI.  not the FSS UI.  You should be able to use the FSS UI for everything the FSS UI does.  



Aaron Berman (CA) :@kannan - not at this time.



Rishu :How can we configure Siteminder to block replay attack? I see SMSession can be reused (if copied and manually added to the session) even after we have logged it off using logoffURI ACO parameter.



Keshav Dubey :@Rishu - Session store, Device DNA and Session linker (some of the more advanced and recently introduced features).



Keshav Dubey :@Aaron - While I understand the strategic direction, I also want to ask if there are any plans to take away FSS UI. I ask this because it might literally stop some of our operations that we can conveniently do in FSS UI. While WAM UI is good and getting better, I hope CA also understands that more needs to be done there. We heard the partership with Sigma for a better "WAM UI" for SiteMinder and want to check if any progress was made on that end?



Aaron Berman (CA) :@rishu, check out the siteminder session assurance feature - and the session linker feature.



Aaron Berman (CA) :@rishu - siteminder session assurance video -



Keshav Dubey :@Aaron - Also, what do you suggest for the issues where FSS UI shows the SM objects while WAM UI is completely unaware about it. Have you guys noticed this, or does it just warrant a CA case for further review?



Aaron Berman (CA) :@rishu - SiteMinder session Linker



Kannan :can SSO be leveraged to support authN/Z to mobile apps ?



Aaron Berman (CA) :@keshav - it warrants a case.   support should be interested in that issue... typically we ask for a LDAP export of the policy store and an XPS export of the policy store (so we can compare the two) in those situations



Aaron Berman (CA) :@kannan - I have some customers that directly use siteminder, ther is a sample mobile app on the communities site showing a mobile app logging into siteminder - but our strategic direction is to use 2 other solutions integrated with SM



Kannan :Are there any knowledge articles or notes available on how to directly use siteminder for mobile app integrations etc ?



Aaron Berman (CA) :@kannan - either the Mobile Access gateway - which is perfect for consumer facing apps, or apps where you need to secure the mobile client and the API channel - or our Mobile App Security product which allows SSO to multiple types of mobile Apps, provides mobile centric security policieis on an app by app basis, and offers app wrapping functionality to build a mobile app out of a website (siteminder or non siteminder ptrotected(



Keshav Dubey :@Aaron - Any feedback on the direction on Sigma kind of front-end for SM? Also, could some also look at my Question 2, which might be of interest for all customers with IDM and SM integrated environments.



Kannan :Mobile Access Gateway - is that Gateway solution  Layer7 are you referring here?





Sid Mautte (CA) :@Kanan - Yes. Mobile Access Gateway is related to the CA API Gateway (f/k/a Layer 7)



Aaron Berman (CA) :@keshav - it will certainly be looked at, but is not yet on any official roadmap.  we have done some thing  a tools perspective around login..



Kannan :are there any best practice or green book type of materials available for SSO solution ?



Keshav Dubey :Question 3 - We are trying to weigh the pros and cons of an Access Gateway (Secure Proxy Server) governed SM infrastructure against a typical web agent model in a predominant Windows environment. I understand that IWA would be one thing that might be missing (i'm assuming this, not done PoC on it), but was interested to see if you guys have some opinion on the two? We maintain over IIS based agents and would rather look for a more streamlined solution



Keshav Dubey :Question 4 - Related to Q3, but are there any customer that you know of who have integrated their Citrix Netscaler to be the so called "SM gateway" to all backend web server (MS IIS again). Just wondering if there is a better opportunity there rather than using the Access Gateway.



Manjari Gangwar :@Keshav We have IWA support implemented in SPS as well in the latest releases. Please look up the latest 12.52 SP1 bookshelf or CA Wiki for more information.



Aaron Berman (CA) :@keshav - Q4: i have seen integrations of SM and Citrix (see the run book) but if you want to look at SM / Citrix and the gateway, we have a version of the gateway specifically designed to un in the SDX as a virtual machine.  this cna then proxy to any webserver (IIS or otherwise



Keshav Dubey :@Manjari : Thanks. Would definitely look at that. Are there any particular things that a web agent does and Access Gateway cannot? Or vice versa? This would help us in setting speed for taking that leap of faith.



Keshav Dubey :@Aaron: Thanks. I will talk to my server admins and understand more. Any documentation or link that you might have floating around to get more information abou this integration?



Keats :@keshav IMO agent model is simpler, more secure, and more robust than proxy model.  SPS is great for certain things that agent can't do; pre- and post- filters, complex URL rewrites, WS Authentication, WS-Trust STS, etc.



Aaron Berman (CA) :@keshav - the agent functionality is the same.. but the SM access gateway does have a single cache, it does session assuracne built in, federation web agent option pack built in.  and offers alternative session schemes.



Aaron Berman (CA) :@keshav  - some perfer one model, some perfer another.   the Gateway approach also offers the session linker..



Keshav Dubey :@Keats @Aaron - Thanks for your opinion. I was just trying to test the waters and see if the group goes one direction or the other. Will use these opinions in set and explore the direction for our client.



Manjari Gangwar :@Keshav also the SPS/Access Gateway has Office 365 Active Profile support through STS, FEderation Gateway,  Auth/AZ Web Services



Aaron Berman (CA) :@keshav - it is really a case where we offer two models.. what i am seeing in some cases is that people mix.. use agents for some stuff... (higher security or higher volume sites) and then proxies for general purpose stuff



Rob Lindberg (CA) :@keshav - Q2 - For your question about IdM objects exporting using 'XPSExport', this does work, but you need to make sure that you have imported the IdMObjects.xdd into the policy store. Once you do that, the XPSExport tool will export the IdM objects.



Keshav Dubey :@Rob - This is great to know! Unfortunately we painfully did this in our Q&A and Prod environment already. Even CA Support was not aware of this as a case was opened with them to understand the options. Can you please share any documentation you might have around this?



Rob Lindberg (CA) :@keshav - correction on the file name to import. It's 'IdmSmObjects.xdd' in the <install_dir>/xps/dd directory.



Kristen Malzone (CA) :15 minutes left! Get your final questions in now!



Kannan :Any best practice or green book type of materials available for SSO solution ?



Keshav Dubey :Question 5 - Is there a recommended way to migrate SM policies and configurations  DEV -> Q&A -> PROD. We have deviced our own way ( Export Domain and related objects, Create Domain in Next environment manually, update XIDs in export, Import) but was wondering if there was any textbook way to do this? Also, anything on the roadmap to make things easier for this in future CA release?



Herb (CA) :@everyone.  Just wanted to alert you to a message we just published on our intent to take a snapshot of enhancement idea vote totals  teh community site at the start of August.  The intent is to use that information as we generate our plans for next segments of development work for CA SSO



Kannan :Question 5: To make import/export more easier is this support will be available via AdminUI in future release ?



Keats :@keshav Re: #5.  CoreBlox sells a utility to do this.  You could write PERL scripts against the policy management SDK.  It would be great if CA provided a tool for this.



Sid Mautte (CA) :@Keshav - We currently have the ability to offer a tool via CA Services known as Toolbox. This is a packaged work product offering that can deliver that type of interface. You can check with your account manager for more information and mention my name as a point of contact.



Rob Lindberg (CA) :@Kannan - we have this idea in the community that is under review. Add your vote!



Rob Lindberg (CA) :@kannan - this is for the import/export using the UI



Herb (CA) :@everyone.  One other point wanted to let you know, we have recently announced and EOS for a number of older operating systems, repositories, web servers, etc. ....combinations that are no longer supported by the vendors of those items.   That will allow us to focus more development and support resources on newer platforms...FYI.



Rob Lindberg (CA) :@keshav - the IdM XDD import step is described in the Identity Manager documentation wiki in the section describing the SiteMinder integration.



Pete Burant (CA) :@Kannan: Here is the link to the Implementation section of the product docs:  Here is the home page for those docs:, and a link to our runbooks which cover a list of specific 3rd party integrations:



Kannan :Looks like WIKI site is down for maintenance



Kannan :This site is currently undergoing maintenance. We apologize for the inconvenience.



Pete Burant (CA) :Please try again, Kannan.  I checked the links before sending them.  I rechecked one of the wiki links and it did take some time to load, so perhaps the issue is fixed.



Keshav Dubey :@EveryOne - Thanks everyone for your patience in answering my queries.



Kristen Malzone (CA) :That's all the time we have for today!



Kristen Malzone (CA) :Join us next month on August 20 @ 12pm EDT for another session of CA SSO Office Hours.



Kristen Malzone (CA) :We'll post the chat transcript  today's session here:

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.