Symantec Access Management


SAML SSO is not working with siteminder

  • 1.  SAML SSO is not working with siteminder

    Posted Dec 11, 2019 11:04 AM

    Hi,

     

    I am trying to enable SAML SSO with siteminder. I am trying to configure siteminder as Identity provider. I have done below settings from Admin UI:

     

    1. Creating local IDP entity
    2. Creating remote SP entity
    3. Configure an Active Directory User Store Connection
    4. Created partnership between IDP ->SP

     

    From application side, I have given SSO URL as IDP URL. But my application is not redirecting to siteminder login screen. Can you please help me in it?

     

    Thanks,

    Ketaki

     



  • 2.  RE: SAML SSO is not working with siteminder

    Broadcom Employee
    Posted Dec 11, 2019 11:11 AM
    Hi Ketaki,

    Check that you have configured the authentication url and have defined it within the federation partnership.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-7/configuring/partnership-federation/protect-the-authentication-url-to-establish-a-session.html


  • 3.  RE: SAML SSO is not working with siteminder

    Posted Dec 12, 2019 06:28 AM

    Hi,

     

    I went through techdocs.broadcom.com/content/broadcom/techdocs/us/en/... document. As explained in document I installed web agent. To Configure a SiteMinder Web Agent on IIS 7.0 I followed step from link :

    https://ftpdocs.broadcom.com/cadocs//0/CA%20SiteMinder%20r12%20SP2-ENU/Bookshelf_Files/PDF/siteminder_wa_install_enu.pdf. After that, I am unable to find the redirect.jsp file under path  web_agent_home/affwebservices/redirectjsp. Can you please help me here?

     

    Thanks,

    Ketaki

     

  • 4.  RE: SAML SSO is not working with siteminder

    Posted Dec 12, 2019 07:08 AM
    I was able to get redirect.jsp after installing web agent option pack.

    Thanks,
    Ketaki


  • 5.  RE: SAML SSO is not working with siteminder

    Broadcom Employee
    Posted Dec 12, 2019 09:35 AM
    Another option is to use the SiteMinder Access Gateway as the federation endpoint.  It contains the web server,  web agent, app server, and federation web services combined into a single package to manage.


  • 6.  RE: SAML SSO is not working with siteminder

    Posted Dec 12, 2019 11:03 AM

    After installing the web agent and web agent option pack, I created a policy to protect the redirect.jsp file and added the authentication URL in the partnership. But while redirecting it is giving HTTP Error 503. The service is unavailable error. Please help.

     

    Thanks,

    Ketaki

     

  • 7.  RE: SAML SSO is not working with siteminder

    Posted Dec 15, 2019 08:06 AM

    Hi,

     

    We are trying to install SAML SSO in the app with siteminder as IdP.

    We have to pass the below 3 things to the application while enabling SAML SSO:

    1. Certificate – We have exported it from Infrastructure -> X509 Certificate Management from Admin UI
    2. SP connection – Have created Entity and provided entity ID name in application
    3. IdP URL – I have tried using the below 2 URLs as IdP URLs:
       a. Authentication URL: http://FQDN_of_server/affwebservices/redirectjsp/redirect.jsp
       b. SSO Service URL: https://FQDN_of_server/affwebservices/public/saml2sso?SPID=Informatica_SP3

     

    But while redirecting it is giving HTTP Error 503. The service is unavailable error for both the URLs.

     

    For enabling SAML SSO with ADFS I use this URL: https://FQDN_of_server/adfs/ls/

    And it works fine.

     

    Can you please let me know if the IdP URL for siteminder I am using is correct or not, or if there is any other issue that I need to check?

     

    Thanks,

    Ketaki

     

  • 8.  RE: SAML SSO is not working with siteminder

    Broadcom Employee
    Posted Dec 16, 2019 02:50 PM
    The authentication URL shouldn't be accessed directly since it's expecting parameters when accessing the IDP link.  The SSO Service URL (IDP-initiated link) looks good assuming the SPID is the correct entity name.

    I recommend enabling trace logging to find additional detail for the error. 

    On the SiteMinder Policy Server management console use the Profiler and choose the SAMLIDP_trace template.  Modify the web agent ACO to enable agent logging & trace logging.  For federation web services, edit the /affwebservices/WEB-INF/classes/LoggerConfig.properties file to enable federation trace logging.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-8-03/troubleshooting/partnership-federation-troubleshooting/log-files-that-aid-partnership-federation-troubleshooting.html



  • 9.  RE: SAML SSO is not working with siteminder

    Posted Dec 16, 2019 11:35 PM
    Looks like you are trying to build the SSO setup from scratch. If so please make sure your WAOP (Web Agent Option Pack) is installed and configured correctly before implementing the federation partnership.

    You can check if the WAOP is set up properly by accessing the below URL.

    http://WAOPServer:port/affwebservices/assertionretriever




  • 10.  RE: SAML SSO is not working with siteminder

    Posted Dec 17, 2019 03:22 AM
    This might look like a silly question. But what should be the port number in http://WAOPServer:port/affwebservices/assertionretriever?



  • 11.  RE: SAML SSO is not working with siteminder

    Posted Dec 17, 2019 03:44 PM
    Your web server port, where the WAOP is installed and listening.
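A small probe script that applies the checks from posts 8, 9 and 11 (WAOP health via /affwebservices/assertionretriever, then the IdP-initiated SSO link with the SPID). This is an added example, not part of the thread or of any Broadcom tooling; it assumes the URL paths quoted in the posts and takes the host, WAOP web server port and SP entity ID from the reader.

```python
"""Probe the SiteMinder federation endpoints named in the thread and explain the result.

Added example, not from the thread or from Broadcom. Assumes the paths quoted above
(/affwebservices/assertionretriever, /affwebservices/public/saml2sso) and that
host/port point at the web server where the Web Agent Option Pack is installed.
"""
import sys
import urllib.error
import urllib.request
from typing import Optional, Tuple
from urllib.parse import urlencode


def build_urls(host: str, port: int, spid: str, scheme: str = "https") -> dict:
    """Return the two URLs to check, in the order a practitioner would check them."""
    base = f"{scheme}://{host}:{port}/affwebservices"
    return {
        # WAOP health check from post 9: must not answer 404/503 if FWS is deployed
        "assertionretriever": f"{base}/assertionretriever",
        # IdP-initiated link from post 8: SPID is the remote SP entity ID in the partnership
        "saml2sso": f"{base}/public/saml2sso?" + urlencode({"SPID": spid}),
    }


def classify(status: int, location: Optional[str] = None) -> str:
    """Map an HTTP result to the likely cause, based on the symptoms in the thread."""
    if status == 503:
        return "503: app server behind the web agent (WAOP/FWS) is down or not deployed"
    if status == 404:
        return "404: /affwebservices missing; Web Agent Option Pack not installed or not mapped"
    if status in (301, 302, 303, 307) and location and "redirect.jsp" in location:
        return "redirect to authentication URL: agent and partnership are wired up"
    if status in (301, 302, 303, 307):
        return f"redirect to {location}: confirm this is the intended login page"
    if 200 <= status < 300:
        return "2xx: federation web services are responding"
    return f"{status}: unexpected, inspect the FWS and agent trace logs"


def probe(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """Issue one GET without following redirects; returns (status, Location header)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface the 3xx instead of following it
    try:
        with urllib.request.build_opener(NoRedirect).open(url, timeout=timeout) as resp:
            return resp.getcode(), resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


if __name__ == "__main__":  # usage: probe.py <host> <waop_port> <spid>
    for name, url in build_urls(sys.argv[1], int(sys.argv[2]), sys.argv[3]).items():
        print(f"{name}: {url} -> {classify(*probe(url))}")
```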


  • 12.  RE: SAML SSO is not working with siteminder

    Posted Dec 20, 2019 12:51 AM
    I am installing SSO from scratch. I have a few doubts about the web agent and web agent option pack:
    1. There are two ways to install and configure the web agent. One through Apache and the other one through IIS. When should we select a particular option?
    2. We are asked for trusted host name, Host Configuration Object and ACO. What are these? Should I enter the host details where my application is running, for which I have to enable SSO, here?
    3. There are no web agent and web agent option pack installers for 10.8. So, can I use the 12.52 installers? Will it work?

    Thanks,
    Ketaki


  • 13.  RE: SAML SSO is not working with siteminder
    Best Answer

    Broadcom Employee
    Posted Dec 20, 2019 05:40 AM
    Edited by Christopher Hackett Dec 27, 2019 01:49 PM
    Hello Ketaki,

    1) You should choose the Webagent that matches your Webservers.

    2) There is no Webagent Option Pack for the 12.8.X version. The Access Gateway has replaced the WebAgent Option Pack for the 12.8 version. You can use the 12.52.1.x Webagent/Option Pack with your 12.8 Policy Server, as a higher Policy Server is backward compatible with a lower webagent.

    4.1 Policy Server and Agents Compatibility
    CA Single Sign-On Policy Server 12.8 supports previous versions of Agents and Access Gateways (previously called Secure Proxy Server)
    with the following caveats:

    https://ftpdocs.broadcom.com/phpdocs/7/5262/5262-12-8-platform-support-matrix.pdf


    I think you need some training on Siteminder as these are basic implementation steps already provided in the documentation. You can either get the assistance of HCL services or opt for some Siteminder Administration training which are all paid services.

    Regarding the Admin user to use for the registration, please use the Siteminder superuser account called "siteminder". Again, all the information is provided in the documentation below:

    Admin User Name
    Specifies the name of a user account that has sufficient privileges to create and register trusted host objects on the Policy Server.

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/installing/install-agents/web-agent-for-iis/install-and-configure-an-iis-agent/install-and-configure-an-agent-for-iis.html

    Here is the link with the information on how to create a Host Configuration Object:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/policy-server-configuration/agents-and-agent-groups/host-configuration-objects-for-trusted-hosts.html

    Also find the link with the information on how to create the Agent Configuration Object:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/single-sign-on/12-52-01/configuring/policy-server-configuration/agents-and-agent-groups/agent-configuration-object-overview.html

    Note:

    You will have to first create both the Host Configuration Object (HCO) and the Agent Configuration Object in the AdminUI before proceeding with the agent registration.

    Thank you