Symantec IGA

  • 1.  How Identity Portal is making TEWS calls to Identity Manager (re-post)

    Posted Sep 25, 2020 09:35 AM
    Hi there,

    I know that Identity Portal is using TEWS calls to invoke admin tasks on Identity Manager.

    I am just trying to understand how it is done when both Identity Portal and Identity Manager are integrated with SiteMinder.

    So, this is how I understand it is done:

    1) To access Identity Portal using SiteMinder, users browse to the SiteMinder protected proxy address: <SM PROXY FQDN>/sigma/

    2) The SiteMinder web agent on the proxy collects user credentials and authenticates the user. The web agent then inserts the following SM headers in the HTTP request and forwards the HTTP request to Identity Portal:


    sm-user
    sm-userdn
    sm-universalid
    sm-serversessionspec
    sm-transactionid
    sm-realm
    sm-realmoid
    sm-serversessionid
    sm-authtype
    sm-authorized

    3) Identity Portal receives the HTTP request forwarded from the proxy together with the SM headers. The SM headers are then cached in Identity Portal against the user session.
        (Does Identity Portal need to validate the session information in the session headers against the SiteMinder policy server here? With only access to the SM headers, can this be done?)

    4) When Identity Portal needs to make a TEWS call, it formulates the SOAP message and inserts the SM headers cached for the user as HTTP headers of the HTTP request. In the SOAP message, the <wsdl:admin_id> will NOT be included. An HTTP POST request with the SOAP message is then sent directly to the Identity Manager server (not through the proxy for Identity Manager, since Identity Manager is also protected by SiteMinder).

    5) On Identity Manager, the session information provided in the SM headers is used to establish the user ID who is making the TEWS call, and the admin task is then invoked in the security context of that user.

    Is my understanding correct?

    Another question is that when Identity Portal is NOT protected by SiteMinder, how does it authenticate the user when the user logs on to it? I know the user credentials are checked against Identity Manager, but how? Is there a TEWS call to do this, or is it using the IM API?

    Regards,
    JP

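The five-step flow described in the post above, as an added example that is not part of the original post and is not Identity Portal or Identity Manager code. It shows a small portal-side component that accepts the sm-* headers from the proxy hop (step 3) and assembles the outbound TEWS-style SOAP POST with those headers copied across and no admin_id in the envelope (step 4). The trusted proxy network, the IM URL, the SOAP namespace, the task and argument element names, and the use of an explicit admin_id when no SM session exists are all assumptions of the example, not facts from the thread or the TEWS WSDL.

```python
"""Added example: a minimal web app behind a SiteMinder proxy that caches the
sm-* headers it receives (step 3) and forwards them on a TEWS-style SOAP POST
to Identity Manager (step 4).

Not Identity Portal or Identity Manager code. Assumed, not from the post:
the trusted proxy network, the IM URL, the SOAP namespace, the task and
argument element names, and that admin_id is sent when no SM session exists.
"""
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TEWS_NS = "http://example.invalid/tews"                 # assumed namespace
ET.register_namespace("soapenv", SOAP_NS)
ET.register_namespace("wsdl", TEWS_NS)

# Header set from step 2 of the post, lower-cased so lookup is case-insensitive
# (web servers and proxies normalise header case differently).
SM_HEADERS = (
    "sm-user", "sm-userdn", "sm-universalid", "sm-serversessionspec",
    "sm-transactionid", "sm-realm", "sm-realmoid", "sm-serversessionid",
    "sm-authtype", "sm-authorized",
)
TRUSTED_PROXY_NETS = [ip_network("10.0.0.0/24")]        # constructed value
IM_TEWS_URL = "https://im.example.invalid/iam/im/tews"  # assumed URL


def extract_sm_headers(request_headers, peer_ip):
    """Step 3: pick the sm-* headers to cache against the user session.

    Only a request arriving from the SiteMinder proxy may carry them; any other
    peer is rejected so a client cannot supply sm-user itself and skip the
    agent. Headers outside SM_HEADERS are dropped rather than forwarded blindly.
    """
    if not any(ip_address(peer_ip) in net for net in TRUSTED_PROXY_NETS):
        raise PermissionError("sm-* headers are accepted only from the SiteMinder proxy")
    lowered = {name.lower(): value for name, value in request_headers.items()}
    cached = {name: lowered[name] for name in SM_HEADERS if name in lowered}
    if "sm-user" not in cached or "sm-serversessionspec" not in cached:
        raise PermissionError("request from proxy lacks a SiteMinder session")
    return cached


def build_tews_request(session_headers, task_name, task_args, admin_id=None):
    """Step 4: assemble the HTTP POST the portal would send to Identity Manager.

    With cached SM headers the envelope carries no admin_id and the headers are
    copied onto the outbound request (step 5: IM resolves the caller from the
    session). Without SM headers an explicit admin_id goes into the body; the
    element name is an assumption, the real TEWS WSDL defines it.
    Returns a dict instead of sending, so the example runs offline.
    """
    if session_headers and admin_id is not None:
        raise ValueError("admin_id must not accompany forwarded SM session headers")
    if not session_headers and admin_id is None:
        raise ValueError("admin_id is required when no SM session is available")

    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    task = ET.SubElement(body, f"{{{TEWS_NS}}}{task_name}")
    if admin_id is not None:
        ET.SubElement(task, f"{{{TEWS_NS}}}admin_id").text = admin_id
    for name, value in task_args.items():
        ET.SubElement(task, f"{{{TEWS_NS}}}{name}").text = value

    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": ""}
    headers.update(session_headers)           # sm-* headers ride as HTTP headers
    return {
        "method": "POST",
        "url": IM_TEWS_URL,                   # sent directly to IM, not via the proxy
        "headers": headers,
        "body": ET.tostring(envelope, encoding="unicode"),
    }


if __name__ == "__main__":
    # Constructed inbound request, as the proxy would forward it to the portal.
    inbound = {"Host": "portal.example.invalid", "SM-USER": "jdoe",
               "SM-USERDN": "uid=jdoe,ou=people,dc=example,dc=invalid",
               "SM-SERVERSESSIONSPEC": "constructed-session-spec",
               "X-Forwarded-For": "203.0.113.7"}
    cached = extract_sm_headers(inbound, "10.0.0.5")
    request = build_tews_request(cached, "ModifyUserTask", {"UserID": "alice"})
    print(request["headers"])
    print(request["body"])
```

The peer-address check is the piece a practitioner adds on top of the flow in the post: an application that honours sm-* headers must only honour them on the hop from the agent-protected proxy, otherwise anyone who can reach the application port directly can name the user of their choice.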

  • 2.  RE: How Identity Portal is making TEWS calls to Identity Manager (re-post)

    Broadcom Employee
    Posted Sep 25, 2020 10:25 AM
    JP,
      The short answer to this question is: yes, your understanding is correct, with one minor change: it is a REST API that the portal uses, not the TEWS API.
      The long answer is that you can monitor this via tracing with the proper tools. Enable SM policy server tracing, set your web agent log to debug, set the IM and IMS categories to debug in Identity Manager, and turn on developer tools in Chrome. Start your request, look at the network tab in the portal and find the request payload to IM. The web server with the agent installed checks with SM for authentication and authorization of the protected web resource; you will see this in the web agent log interacting with the policy server, and in the SM policy server trace log. Then, when the web server plugin continues, it passes the request to the next plugin, which forwards the traffic to the IM application server, as you can see in the IM server log.

      For the second question, if SM is not involved we use an API called the servlet filter agent and rely on IM to do the authentication and authorization.

    Bill Patton

    ------------------------------
    And, as always, perhaps there are others in the communities who have experience in doing this, and we invite them to comment here also.

    Another option may be to reach out to our partner HCL Technologies to see in what way they can assist further. The Enterprise Studio team of HCL can be reached at enterprisestudio@hcl.com. https://www.hcltech.com/enterprise-studio
    ------------------------------



  • 3.  RE: How Identity Portal is making TEWS calls to Identity Manager (re-post)

    Posted Sep 25, 2020 10:52 AM
    Thanks Bill for your reply. 

    Yeah, I can set up the logs, etc. to see the traffic and interaction between the components and this is what I am going to do after the conceptual questions are answered.

    According to the Identity Portal document, it is using the TEWS API (Soap based web services API) to talk to Identity Manager.

    When the SM headers are passed to Identity Portal, does it need to validate them against the SiteMinder policy server?
    So, it is the SM headers that are passed to Identity Manager when a TEWS call is made?

    "For the second question, if SM is not involved we use an API called the servlet filter agent and rely on IM to do the authentication and authorization." I am not sure I understand it; could you please elaborate a bit more?

    Thanks

    Regards,
    Jiangping Li


  • 4.  RE: How Identity Portal is making TEWS calls to Identity Manager (re-post)

    Posted Sep 29, 2020 08:11 AM
    The reason that I am asking these questions is that I am thinking of ways to create a web application that will be protected by the same SiteMinder that protects Identity Manager.

    So please, could someone provide more insights on those questions?

    Thanks 
    JP


  • 5.  RE: How Identity Portal is making TEWS calls to Identity Manager (re-post)

    Posted Sep 30, 2020 12:09 AM
    Based on my understanding, if you want to protect Identity Portal with SiteMinder, the integration is performed at Identity Portal only (no change on Identity Manager).


    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/identity-portal/14-1/integrating/protecting-ca-identity-portal-with-ca-single-sign-on.html

    When there is no SiteMinder on Identity Portal, user authentication can be based on the user store (CA Directory - LDAP) or an Active Directory server.