Hi there,
I know that Identity Portal is using TEWS calls to invoke admin tasks on Identity Manager.
I am just trying to understand how it is done when both Identity Portal and Identity Manager are integrated with SiteMinder.
So, this is how I understand it is done:
1) To access Identity Portal using SiteMinder, users browse to the SiteMinder protected proxy address: <SM PROXY FQDN>/sigma/
2) The SiteMinder web agent on the proxy collects user credentials and authenticates the user. The web agent then inserts the following SM headers into the HTTP request and forwards the HTTP request to Identity Portal:
sm-user
sm-userdn
sm-universalid
sm-serversessionspec
sm-transactionid
sm-realm
sm-realmoid
sm-serversessionid
sm-authtype
sm-authorized
3) Identity Portal receives the HTTP request forwarded from the proxy together with the SM headers. The SM headers are then cached in Identity Portal against the user session.
(Does Identity Portal need to validate the session information in the session headers against the SiteMinder policy server here? With only access to the SM headers, can this be done?)
4) When Identity Portal needs to make a TEWS call, it formulates the SOAP message and inserts the SM headers cached for the user as HTTP headers of the HTTP request. In the SOAP message, the <wsdl:admin_id> will NOT be included. An HTTP POST request with the SOAP message is then sent directly to the Identity Manager server (not through the proxy for Identity Manager, since Identity Manager is also protected by SiteMinder).
5) Identity Manager uses the session information provided in the SM headers to establish the user ID who is making the TEWS call and then invokes the admin task in the security context of that user.
Is my understanding correct?
Another question is that when Identity Portal is NOT protected by SiteMinder, how does it authenticate the user when the user logs on to it? I know the user credentials are checked against Identity Manager, but how? Is there a TEWS call to do this, or is it using the IM API?
Regards,
JP
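As an added illustration of the five-step flow described in the post (not code from Identity Portal, Identity Manager or SiteMinder, and not a statement of how those products actually behave), the following Python sketch models each hop in memory: the sm-* headers a web agent adds (step 2), the portal caching only those headers against the session (step 3), the TEWS POST built with the cached headers and no <wsdl:admin_id> element (step 4), and the receiving side deriving the caller from sm-user (step 5). The header names are the ones listed in the post; the session values, the SOAP namespace, the task element name "ModifyUser" and the `from_trusted_agent` flag are constructed assumptions. The flag stands in for the question raised in step 3: a backend that derives identity from sm-* headers needs some way of knowing the headers were set by a trusted web agent rather than by the client, since any HTTP client can set a header named sm-user.

```python
"""Toy model of the SiteMinder -> Identity Portal -> TEWS flow from the post.

Added illustration only; not code from Identity Portal, Identity Manager or
SiteMinder. Header names are from the post; everything else is constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Header names listed in the post (step 2).
SM_HEADERS = (
    "sm-user", "sm-userdn", "sm-universalid", "sm-serversessionspec",
    "sm-transactionid", "sm-realm", "sm-realmoid", "sm-serversessionid",
    "sm-authtype", "sm-authorized",
)

# Constructed sample of a request as forwarded by the web agent on the proxy.
SAMPLE_PROXY_REQUEST_HEADERS = {
    "Host": "portal.example.test",
    "Cookie": "JSESSIONID=constructed",
    "sm-user": "jp",
    "sm-userdn": "uid=jp,ou=people,dc=example,dc=test",
    "sm-universalid": "jp",
    "sm-serversessionspec": "CONSTRUCTED-SESSION-SPEC",
    "sm-transactionid": "tx-0001",
    "sm-realm": "/sigma/",
    "sm-realmoid": "06-constructed",
    "sm-serversessionid": "CONSTRUCTED-SESSION-ID",
    "sm-authtype": "Basic",
    "sm-authorized": "yes",
}


def cache_sm_headers(request_headers: dict) -> dict:
    """Step 3: keep only the sm-* headers for the user's portal session.
    HTTP header names are case-insensitive, so normalise before matching."""
    return {
        name.lower(): value
        for name, value in request_headers.items()
        if name.lower() in SM_HEADERS
    }


def build_tews_request(cached_sm: dict, task_name: str) -> tuple[dict, bytes]:
    """Step 4: form the HTTP POST for the Identity Manager TEWS endpoint.
    The cached sm-* headers ride along as HTTP headers and no <wsdl:admin_id>
    element is placed in the SOAP body, so the caller identity must come from
    the headers. Namespace and task element name are constructed placeholders."""
    soap_ns = "http://schemas.xmlsoap.org/soap/envelope/"
    wsdl_ns = "urn:constructed-tews-namespace"  # assumption, not the real TEWS namespace
    ET.register_namespace("soapenv", soap_ns)
    ET.register_namespace("wsdl", wsdl_ns)
    envelope = ET.Element(f"{{{soap_ns}}}Envelope")
    body = ET.SubElement(envelope, f"{{{soap_ns}}}Body")
    ET.SubElement(body, f"{{{wsdl_ns}}}{task_name}")
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": ""}
    headers.update(cached_sm)
    return headers, ET.tostring(envelope, encoding="utf-8")


def resolve_caller(request_headers: dict, *, from_trusted_agent: bool) -> str | None:
    """Step 5 as a sketch: derive the calling user from the sm-* headers.
    `from_trusted_agent` is an assumption standing in for whatever check the
    receiving side uses to know the headers came from a SiteMinder web agent
    rather than from an arbitrary client; without such a check any caller
    could name any user just by setting sm-user."""
    if not from_trusted_agent:
        return None
    lowered = {k.lower(): v for k, v in request_headers.items()}
    if lowered.get("sm-authorized", "").lower() != "yes":
        return None
    return lowered.get("sm-user")


def run_flow() -> dict:
    """Run the hops end to end on the constructed sample and return the results."""
    cached = cache_sm_headers(SAMPLE_PROXY_REQUEST_HEADERS)
    headers, body = build_tews_request(cached, "ModifyUser")
    return {
        "cached": cached,
        "tews_headers": headers,
        "tews_body": body,
        "caller_trusted": resolve_caller(headers, from_trusted_agent=True),
        "caller_untrusted": resolve_caller(headers, from_trusted_agent=False),
    }


if __name__ == "__main__":
    result = run_flow()
    print(result["tews_body"].decode())
    print("caller:", result["caller_trusted"])
```

Running the script prints the constructed SOAP envelope (with no admin_id element) and the caller resolved from the sm-user header; the same envelope presented without the trusted-agent assumption resolves to no caller at all, which is the distinction the question in step 3 is about.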