Symantec Access Management


GoogleApps federation with Siteminder 12.52

  • 1.  GoogleApps federation with Siteminder 12.52

    Posted 07-14-2014 07:56 AM

    Hi all,

     

    I am implementing GoogleApps SP-initiated SSO with SiteMinder 12.52. I have SiteMinder 12.52 setup with Secure Proxy server 12.52 and Sunone Directory as User Store.

     

    To implement SP initiated SSO, I have created a Local IDP entity, a Remote SP entity, configured the Partnership (SAML 2 IDP -> SP) and protected the Authentication URL by creating an Application under Policies in the Siteminder AdminUI.

    Authentication URL: http://<sps-hostname>/affwebservices/redirectjsp/redirect.jsp


    On the GoogleApps side I have given the URLs as below and uploaded the certificate, which was created on the SiteMinder side.


    Sign-in URL: https://<sps-hostname>/affwebservices/public/saml2sso

    Sign-out URL: https://<sps-hostname>/affwebservices/public/saml2slo

    Change Password URL: http://www;google.com


    To test SP initiated SSO, in the browser I gave the URL as http://mail.google.com/a/<googleappsdomain>. I am receiving a login page from Google to enter the details, not the SiteMinder authentication prompt page. The user has to authenticate on the IDP side to enter the credentials, and it has to redirect to the Google Apps services.


    I am a newbie to SiteMinder federation. Please suggest what I am missing here to do the federated setup.


    Thanks in advance.



    Regards,

    Karthick



  • 2.  Re: GoogleApps federation with Siteminder 12.52

    Posted 07-14-2014 02:46 PM

    Have you checked the "Run Books"?

    I think this had a "Run Book" made.



  • 3.  Re: GoogleApps federation with Siteminder 12.52

    Posted 07-14-2014 02:48 PM

    found the link....

    PLACEHOLDER - Federation Runbooks - CA Technologies

     

    and there is one for google apps.

     

    maybe that will help?



  • 4.  Re: GoogleApps federation with Siteminder 12.52

    Posted 07-15-2014 12:39 AM

    Hi JPerlmutter,

     

    Thanks for your reply.

     

    I tried to implement the SP initiated SSO using the Google Federation Runbook, which you have mentioned.

    But when I am testing the SP initiated SSO using http://mail.google.com/a/<googleappsdomain>, the Google login page is appearing to get the credentials, not the Siteminder login page (from Sunone Directory).

     

    I think I have missed something to protect the Googleapps services for federation. What am I missing here?

     

    Please suggest on this.

     

     

    Thanks & Regards,

    Karthick



  • 5.  Re: GoogleApps federation with Siteminder 12.52

    Posted 07-15-2014 08:27 AM

    Karthick,

     

    I have not tried this one yet.

    However, if Google Apps is the IdP, would it not be their login that is expected?

     

    -Josh



  • 6.  Re: GoogleApps federation with Siteminder 12.52

    Posted 07-15-2014 08:39 AM

    Hi Josh,

     

    I am trying to do SP initiated SSO and here Google is a Service Provider. From the Runbook I came to know that only service provider initiated works for GoogleApps.

    If Google is a Service Provider, I will give the URL as http://mail.google.com/a/<google_domainname> and will get the authentication prompt page from the Siteminder Identity Provider side to collect the credentials.

     

    I think I am doing a wrong configuration in protecting the Authentication URL and the protection of the FWS application.

     

    Can you please suggest me on protecting the FWS application?

     

    Thanks & Regards,

    Karthick



  • 7.  Re: GoogleApps federation with Siteminder 12.52

    Posted 07-15-2014 08:42 AM

    Karthick,

     

    I'm pretty new to Federation myself.

    If you're having issues and no one else has a suggestion by Thursday, I'd say open a case and get help from the experts.



  • 8.  Re: GoogleApps federation with Siteminder 12.52

    Posted 09-17-2014 06:14 PM

    Karthick,

     

    I got googleapps to work. Basically, as you said, it's SP initiated SSO. So try to go to www.google.com/a/companydomain. Enter the email id that you are using for SSO and click Sign In (do not enter a password). Next, you should be protecting your redirect.jsp file with an authentication scheme (form based; try basic first). So Google should kick you to your federation authentication URL and, since you are protecting your redirect.jsp file, it will prompt for userid and password. In this form, you enter your company network credentials and that will kick you back to google apps.

     

    Your authentication URL should be something like: https://federationwebserver/affwebservices/redirectjsp/redirect.jsp

    Create a SiteMinder domain, create a realm with the federation web server web agent. In the resource you should have /affwebservices/redirectjsp/redirect.jsp. The rule is simple get + post for *. In the policy, add the rule and add the users you want to give access to.



  • 9.  Re: GoogleApps federation with Siteminder 12.52
    Best Answer

    Posted 09-23-2014 04:53 AM

    Hi pbiwas,

     

    Thanks for your suggestion.

     

    I have protected /affwebservices/redirectjsp/redirect.jsp on the Siteminder Identity Provider side, which you have mentioned as the Authentication URL.

     

    When I test the Federation by providing the URL http://mail.google.com/a/idmsimulator.com in the browser, I received the below error:


    HTTP Status 403 - Request Forbidden. Transaction ID: 131ef2f5-b753824f-494fa897-cff38006-a0ad0f0a-1e72 failed.

     

    This issue was resolved after applying the patch in the JVM for unlimited cryptography with the Java Cryptography Extension (JCE) package. The below files are in the directory <JDK jre_home>\lib\security.


    1. local_policy.jar

    2. US_export_policy.jar

     

    After the JVM is patched I have tested the federation login, and it works fine.

     

    Thanks & Regards,

    Karthick Sugumaran
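A quick way to confirm whether the JVM behind the federation web services already has the unlimited-strength JCE policy that resolved the 403 above. This is an added diagnostic, not code from the thread or from CA/Symantec; it only reads the policy limit the running JVM enforces, so run it with the same `java` binary the SPS/FWS uses.

```java
import javax.crypto.Cipher;
import java.security.NoSuchAlgorithmException;

/**
 * Reports whether the running JVM is restricted by the default (limited)
 * JCE jurisdiction policy. A limited policy caps AES at 128-bit keys;
 * with the unlimited policy jars installed (local_policy.jar and
 * US_export_policy.jar under <jre_home>/lib/security on the JDKs of that
 * era) the cap is Integer.MAX_VALUE. Java 8u161 and later ship unlimited
 * by default, so on those builds this check simply passes.
 */
public class JcePolicyCheck {

    /** Maximum AES key length the current policy allows, in bits. */
    public static int maxAesKeyBits() throws NoSuchAlgorithmException {
        return Cipher.getMaxAllowedKeyLength("AES");
    }

    /** True when the unlimited-strength policy is in effect. */
    public static boolean unlimitedPolicyInstalled() throws NoSuchAlgorithmException {
        return maxAesKeyBits() > 128;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Print which JVM was actually inspected; a wrong JAVA_HOME is a
        // common reason the policy jars were copied to the wrong place.
        System.out.println("java.home   : " + System.getProperty("java.home"));
        System.out.println("java.version: " + System.getProperty("java.version"));

        int max = maxAesKeyBits();
        System.out.println("Max AES key : "
                + (max == Integer.MAX_VALUE ? "unlimited" : max + " bits"));

        if (unlimitedPolicyInstalled()) {
            System.out.println("OK: unlimited-strength JCE policy is active.");
        } else {
            System.out.println("LIMITED: install the unlimited JCE policy jars "
                    + "into " + System.getProperty("java.home") + "/lib/security");
            System.exit(1);
        }
    }
}
```

Compile and run it once on the federation host; a non-zero exit means the policy files still need to be replaced and the JVM restarted before retesting the SP-initiated login.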



  • 10.  Re: GoogleApps federation with Siteminder 12.52

    Posted 09-23-2014 08:43 AM

    Hi karthick,

     

    Good work. Yes, I faced that 403 error in the past and had to update the JCE package.