Question:
We need to configure an Initiate Single Sign-on from the IdP or SP between the last version of CA Single Sign On (12.7 as IDP) and the our actual infrastructure that use CA SiteMinder 12.52 sp1 (as SP).
We'd like to know :
1. Is Web Agent Option Pack included in your license for CA SiteMinder
12.52 ?
2. Is CA Access Gateway (SPS) included in your license for CA
SiteMinder 12.52 ?
3. If it's mandatory/best practice install the SPS in a dedicated server
or if it's possible install it on the same server of a Policy
Server ?
Answer:
At first glance, you should note that the latest version of CA Single
Sign-On (SiteMinder) is 12.8.
Here are the answers to your questions :
1. Quickly, to see if you have the license to download and use the Web
Agent Option Pack and CA Access Gateway (SPS), you can try to
download them :
Web Agent Option Pack 12.52SP1CR08 :
Solution Document: RS98380
https://support.ca.com/us/download-center/solution-detail.html?docid=650318&os=ANY&aparno=RS98380&actionID=5
2.
CA Access Gateway (SPS) 12.52SP1CR08 :
Solution Document: RS98376
https://support.ca.com/us/download-center/solution-detail.html?docid=650316&os=ANY&aparno=RS98376&actionID=5
For 1. and 2., we suggest you to contact also our Custom Care service to verify your license and rights :
Need help with the new CA Support Portal? Ask us!
3. According to our documentation, you should run CA Access Gateway
(SPS) as standalone only, without any other component on it.
Product Limitations
https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-ca-access-gateway/ca-access-gateway-architecture-introduced
More, having the Policy Server on the same machine of the CA Access
Gateway might bring security concerns. As per best practice, the
Policy Server should be isolated from Internet Access as it holds
the company security data.
The main advantage of using SPS, you'll have an all in one Federation
Component. SPS is also available to the latest version 12.8, and in
included Session Linker, and all the new functionalities of the
Federation Side as OpenID Connect and others.
Further readings :
Using CA Access Gateway as a Web Agent Replacement
https://communities.ca.com/message/242035604-using-ca-access-gateway-as-a-web-agent-replacement
Web Agent Option pack to SPS plans, approches
KB : KB000097695