Symantec Access Management


Tech Tip : CA Single Sign-On : Use of Secure Proxy Server to implement a Federation flow with SAML 2


    Broadcom Employee
    Posted May 31, 2018 10:02 AM

    Question:

     

    We need to configure an Initiate Single Sign-On from the IdP or SP between the latest version of CA Single Sign-On (12.7 as IdP) and our actual infrastructure, which uses CA SiteMinder 12.52 SP1 (as SP).

    We'd like to know:

     

    1. Is Web Agent Option Pack included in your license for CA SiteMinder 12.52?

     

    2. Is CA Access Gateway (SPS) included in your license for CA SiteMinder 12.52?

     

    3. Is it mandatory/best practice to install the SPS on a dedicated server, or is it possible to install it on the same server as a Policy Server?


    Answer:

     

    First, note that the latest version of CA Single Sign-On (SiteMinder) is 12.8.

    Here are the answers to your questions:

     

    1. A quick way to check whether your license lets you download and use the Web Agent Option Pack and CA Access Gateway (SPS) is to try to download them:

    Web Agent Option Pack 12.52SP1CR08:

    Solution Document: RS98380
    https://support.ca.com/us/download-center/solution-detail.html?docid=650318&os=ANY&aparno=RS98380&actionID=5

     

    2. CA Access Gateway (SPS) 12.52SP1CR08:

    Solution Document: RS98376
    https://support.ca.com/us/download-center/solution-detail.html?docid=650316&os=ANY&aparno=RS98376&actionID=5

    For 1. and 2., we also suggest that you contact our Customer Care service to verify your license and rights:

    Need help with the new CA Support Portal? Ask us!
    https://communities.ca.com/community/customer-care


    3. According to our documentation, you should run CA Access Gateway
    (SPS) as standalone only, without any other component on it.

    Product Limitations
    https://docops.ca.com/ca-single-sign-on/12-8/en/implementing/implementing-ca-access-gateway/ca-access-gateway-architecture-introduced

    Moreover, having the Policy Server on the same machine as the CA Access
    Gateway might raise security concerns. As a best practice, the
    Policy Server should be isolated from Internet access, as it holds
    the company's security data.

    The main advantage of using SPS is that you get an all-in-one federation
    component. SPS is also available in the latest version, 12.8, which
    includes Session Linker and all the new federation functionality,
    such as OpenID Connect and others.

     

    Further reading:

     

    Using CA Access Gateway as a Web Agent Replacement
    https://communities.ca.com/message/242035604-using-ca-access-gateway-as-a-web-agent-replacement

    Web Agent Option pack to SPS plans, approches
    https://communities.ca.com/message/242107049-re-web-agent-option-pack-to-sps-plans-approches?commentID=242107049#comment-242107049

     

    KB : KB000097695