Hello Ketaki,
1) You should choose the Webagent that matches your Webservers.
2) There is no Webagent Option Pack for the 12.8.X version. The Access Gateway has replaced the WebAgent Option Pack for the 12.8 version. You can either use the 12.52.1.x Webagent/Option Pack with your 12.8 Policy server as a higher Policy server is backward compatible with a lower webagent.
4.1 Policy Server and Agents Compatibility
CA Single Sign-On Policy Server 12.8 supports previous versions of Agents and Access Gateways (previously called Secure Proxy Server)
with the following caveats:
https://ftpdocs.broadcom.com/phpdocs/7/5262/5262-12-8-platform-support-matrix.pdf
I think you need some training on Siteminder, as these are basic implementation steps already provided in the documentation. You can either get the assistance of HCL services or opt for some Siteminder Administration training, which are all paid services.
Regarding the Admin user to use for the registration, please use the Siteminder super user account called "siteminder". Again, all the information is provided in the documentation below:
Admin User Name
Specifies the name of a user account that has sufficient privileges to create and register trusted host objects on the Policy Server.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/installing/install-agents/web-agent-for-iis/install-and-configure-an-iis-agent/install-and-configure-an-agent-for-iis.html
Here is the link with the information on how to create a Host Configuration Object:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/policy-server-configuration/agents-and-agent-groups/host-configuration-objects-for-trusted-hosts.html
Also find the link with the information on how to create the Agent Configuration Object:
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/policy-server-configuration/agents-and-agent-groups/agent-configuration-object-overview.html
Note:
You will have to first create both the Host Configuration Object (HCO) and the Agent Configuration Object in the AdminUI before proceeding with the agent registration.
Thank you
Original Message:
Sent: 12-20-2019 12:51 AM
From: Ketaki K
Subject: SAML SSO is not working with siteminder
I am installing SSO from scratch. I have a few doubts about web agent and web agent option pack:
1. There are two ways to install and configure web agent. One through apache and other one through IIS. When should we select particular option?
2. We are asked for trusted host name, Host configuration object and ACO. What are these? Should I enter the host details where my application is running for which I have to enable SSO here?
3. There is no web agent and web agent option pack installers for 10.8. So, Can I use 12.52 installers? Will it work?
Thanks,
Ketaki
Original Message:
Sent: 12-17-2019 03:43 PM
From: Sasikumar Chenniyappan
Subject: SAML SSO is not working with siteminder
Your web server port where WAOP is installed and listening.
Original Message:
Sent: 12-17-2019 03:21 AM
From: Ketaki K
Subject: SAML SSO is not working with siteminder
This might look like a silly question. But what should be the port number in http://WAOPServer:port/affwebservices/assertionretriever?
Original Message:
Sent: 12-16-2019 11:34 PM
From: Gopi ReddyIrala
Subject: SAML SSO is not working with siteminder
Looks like you are trying to build the SSO setup from scratch. If so please make sure your WAOP (Web Agent Option Pack) is installed and configured correctly before implementing the federation partnership.
You can check if the WAOP is setup properly by accessing the below URL.
http://WAOPServer:port/affwebservices/assertionretriever
Original Message:
Sent: 12-16-2019 02:49 PM
From: Warren Barrow
Subject: SAML SSO is not working with siteminder
The authentication URL shouldn't be accessed directly since it's expecting parameters when accessing the IDP link. The SSO Service URL (IDP-initiated link) looks good assuming the SPID is the correct entity name.
I recommend enabling trace logging to find additional detail for the error.
On the SiteMinder Policy Server management console use the Profiler and choose the SAMLIDP_trace template. Modify the web agent ACO to enable agent logging & trace logging. For federation web services, edit the /affwebservices/WEB-INF/classes/LoggerConfig.properties file to enable federation trace logging.
https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/troubleshooting/partnership-federation-troubleshooting/log-files-that-aid-partnership-federation-troubleshooting.html
Original Message:
Sent: 12-15-2019 08:05 AM
From: Ketaki K
Subject: SAML SSO is not working with siteminder
Hi,
We are trying to install SAML SSO in app with siteminder as IdP.
We have to pass below 3 things to application while enabling SAML SSO :
- Certificate – We have exported it from Infrastructure -> X509 Certificate Management from Admin UI
- SP connection – Have created Entity and provided entity ID name in application
- IdP URL – I have tried using below 2 URLs as IdP URLs:
  - Authentication URL: http://FQDN_of_server/affwebservices/redirectjsp/redirect.jsp
  - SSO Service URL: https://FQDN_of_server/affwebservices/public/saml2sso?SPID=Informatica_SP3
But while redirection it is giving HTTP Error 503. The service is unavailable error for both the URLs.
For enabling SAML SSO with ADFS I use this URL: https://FQDN_of_server/adfs/ls/
And it works fine.
Can you please let me know if the IdP URL for siteminder I am using is correct or not or if there is any other issue that I need to check?
Thanks,
Ketaki
Original Message------
After installing web agent and web agent option pack, I created a policy to protect the redirect.jsp file and added the authentication URL in partnership. But while redirection it is giving HTTP Error 503. The service is unavailable error. Please help.
Thanks,
Ketaki