Symantec Access Management

  • 1.  SiteMinder SSO for NGINX Server

    Posted Aug 27, 2019 02:19 PM
    Gurus,
    We have an NGINX webserver installed on RHEL (Red Hat Enterprise Linux Server release 6.10).  We would like to use CA SiteMinder OpenID Connect as an SSO solution.  Does anybody have experience with this setup? Could you share your insights, documentation, steps, pitfalls, etc.?  Any information would be helpful.  Please let me know if you need more information from my side.

    Thank you so much for helping me out,
    K

    ------------------------------
    Kevin
    ------------------------------


  • 2.  RE: SiteMinder SSO for NGINX Server
    Best Answer

    Broadcom Employee
    Posted Sep 06, 2019 02:47 AM
    Hi Kevin,

    To use OIDC Siteminder with Nginx server, I would advise you to use
    our GD module "Integration for CA Single Sign-On with NGiNX", in front
    of which you will run a Web Agent for authentication.

    As this module's documentation states:

    The CA Single Sign-On HTTP Server Agent for NGiNX is a SSO Web Agent
    which provides CA SSO security features for the NGiNX HTTP
    Server. This Agent provides standard SSO Web Agent functionality, such
    as:

    • Single Sign-On
    • URL-Based Authorization
    • Session Management

    NGiNX Web Server provides a pure Java based front-end to its HTTP
    request/response services called Ring Handlers. These Ring Handlers
    can interact with NGiNX's core HTTP engine using the clojure module to
    perform HTTP Services.

    The CA SSO Agent for NGiNX is a Ring Handler, which interacts with the
    NGiNX core HTTP engine via the clojure API as defined in the NGiNX
    Clojure Java Package nginx.clojure.java.NginxJavaRingHandler. The Ring
    Handler API provides a mechanism where a component is inserted into
    the request processing pipeline prior to NGiNX serving the request.

    The CA SSO Agent for NGiNX is configured with NGiNX web server to
    provide security capabilities during HTTP request processing. The
    Agent will intercept HTTP requests and determine protection status,
    user authentication and resource authorization. Because the Agent
    covers the core CA-SSO Agent features, it provides Single Sign-On for
    users logged into other SiteMinder protected applications in the
    enterprise. Important Note: The CA SSO Agent for NGiNX is a Java Ring
    handler, and requires the NGiNX-Clojure module. The NGiNX-Clojure
    module allows Java Ring based handlers to be embedded in NGiNX.

    ref.:

    CA Global Delivery Packaged Work Product Download Index

    "Integration for CA Single Sign-On with NGiNX"

    https://techdocs.broadcom.com/us/product-content//recommended-reading/technical-document-index/ca-global-delivery-packaged-work-product-module-index.html?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D?id=%7B3B2E2905-11AF-4479-B309-63F113CA5D57%7D

    I have no experience with that integration, but reading its
    documentation, I don't see any blocking aspect, as the Web Agent will
    handle, in combination with the Web Agent Option Pack, the Authentication
    and Federation Assertion consumption, and the Agent on NGinx will handle
    the authorization of the session with the security of Nginx.

    I hope this helps,

    Best Regards,
    Patrick


  • 3.  RE: SiteMinder SSO for NGINX Server

    Posted Sep 09, 2019 02:07 PM
    Thanks Patrick for your time and reply.

    The team wants to have agent-less integration using OIDC.  I think it is possible with NGINX Plus (the commercial version of NGINX), but I am wondering if the same is possible with NGINX with lua-resty-openidc (a third-party module built for enabling OIDC connectivity).

    I have seen documents related to lua-resty-openidc working with some other SSO solutions, but not with CA SiteMinder.  I am wondering if there is documentation somewhere, or a product certification, or if anybody has done it previously.

    Thanks,
    Kevin