Symantec Access Management

  • 1.  Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?

    Posted Jun 03, 2015 11:48 AM

    Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?



  • 2.  Re: Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?

    Posted Jun 04, 2015 03:14 PM

    Any particular product in mind? Have used IIS native to do the path validation for cert based auth. If it doesn't pass IIS, it won't pass through to SiteMinder.



  • 3.  Re: Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?

    Posted Jun 04, 2015 03:58 PM

    You are right, IIS can perform the validation part of the transaction, but it doesn't check the OIDs to ensure proper key usage, and it doesn't check for cross certification with Federal PKI CAs.

    We haven't narrowed the list of vendors/products down yet, but one example would be Axway Validation Authority.



  • 4.  Re: Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?

    Posted Jun 04, 2015 04:25 PM

    Yup, unfortunately that is true.

    Another problem presented with putting in a product at the front-end Web Server level is that it only covers one case. If you're using some web services etc., that gets lost and you are back to relying on the CA product for everything, which is fairly useless for proper cert auth.



  • 5.  Re: Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?

    Posted Jun 09, 2015 10:14 AM

    keatsk On another post you had mentioned a custom auth scheme. Would you be able to help here or maybe have any pointers for folks on doing that (useful documentation, highlights, whatever you're willing to share)?



  • 6.  Re: Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?

    Posted Jun 09, 2015 05:29 PM

    Yes, we use a custom X509 auth scheme to do extended certificate validation. You can get the cert from the UserCredentialsContext which in turn comes from the SmAuthenticationContext in the authenticate() method. Once you have the cert you can do whatever validation you want. We check the policy OIDs, extended key usage, etc. The path validation we delegate to the Web tier, but you could do it here as well.
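
The kind of check described in post 6, as an added example that is not part of the original thread and is not SiteMinder SDK code: it uses only standard JDK classes on certificates that are already available as files, and leaves out how the certificate is pulled from the UserCredentialsContext. The class name, method names, command-line arguments and the `revocation` system property are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.*;

// Added example (hypothetical names): checks a custom auth scheme could run on the client cert.
public final class ExtendedCertChecks {
    static final String EKU_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth (RFC 5280)

    // Key usage and extended key usage must both permit TLS client authentication.
    static void checkUsage(X509Certificate cert) throws CertificateException {
        cert.checkValidity();
        boolean[] ku = cert.getKeyUsage();             // null when the extension is absent
        if (ku == null || ku.length == 0 || !ku[0])    // bit 0 = digitalSignature
            throw new CertificateException("keyUsage lacks digitalSignature");
        List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
        if (eku == null || !eku.contains(EKU_CLIENT_AUTH))
            throw new CertificateException("extendedKeyUsage lacks clientAuth");
    }

    // PKIX validation that fails unless an acceptable policy OID is valid for the whole path.
    // chain is ordered end-entity first and excludes the trust anchor.
    static PolicyNode checkPolicies(List<X509Certificate> chain, Set<TrustAnchor> anchors,
            Set<String> acceptablePolicyOids, boolean checkRevocation) throws Exception {
        PKIXParameters params = new PKIXParameters(anchors);
        params.setInitialPolicies(acceptablePolicyOids);
        params.setExplicitPolicyRequired(true);
        params.setRevocationEnabled(checkRevocation); // false only if the web tier already did it
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXCertPathValidatorResult result = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(path, params);
        return result.getPolicyTree();
    }

    static X509Certificate load(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Usage: java ExtendedCertChecks <policy-oid> <anchor.pem> <client.pem> [intermediate.pem ...]
    // -Drevocation=true turns revocation checking on; the JDK then needs a CRL or OCSP source.
    public static void main(String[] args) throws Exception {
        Set<TrustAnchor> anchors = Collections.singleton(new TrustAnchor(load(args[1]), null));
        List<X509Certificate> chain = new ArrayList<>();
        for (int i = 2; i < args.length; i++) chain.add(load(args[i]));
        checkUsage(chain.get(0));
        checkPolicies(chain, anchors, Collections.singleton(args[0]), Boolean.getBoolean("revocation"));
        System.out.println("certificate accepted");
    }
}
```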



  • 7.  Re: Has anyone here integrated SiteMinder (Single Sign-On) with a Certificate Path Discovery and Validation Product?

    Posted Jun 10, 2015 02:09 PM

    AxWay Server Validator (WebServer plug-in) will provide this functionality.

    Validation Authority Suite | Axway

    The path validation piece is not SiteMinder specific, since that part happens before the SiteMinder WebAgent is invoked, so any Path Validation tool would work, though there are not many solutions available that support SCVP. AxWay Server Validator can either talk to a remote SCVP Validation Authority, or it can be configured to do OID checking internally and use various mechanisms to validate the signing chain (OCSP, CRLDP, etc.).