Symantec Access Management

  • 1.  BioMetric Authentication with SiteMinder

    Posted Nov 17, 2011 09:39 AM
    Hi All,
    Please guide me if I am at the wrong place with this question.
    One of our clients will be using SiteMinder as a Single Sign On solution for its web application. Our company provides BioMetric solutions. The customer wants an employee to use his fingerprint to log in to the company's web portal.
    I read that we can customize WebAgent to provide custom authentication. Please guide me on where I should start.

    Thank you,
    Pradeep


  • 2.  RE: BioMetric Authentication with SiteMinder

    Posted Nov 17, 2011 12:48 PM
    Hi Pradeep,

    We recently solved this problem using Bio-key technology. You basically treat the problem a bit like SAML 2 artifact binding. The website or credential collector forwards you to the specialized website that IDs via the fingerprint service, which stores the userID in a record associated with a random string. The random string is forwarded back in an fcc as if it was the userID, then a custom auth scheme is on the URL. This custom auth scheme is some Java code that uses a back-channel to talk to the fingerprint service and retrieves the actual userID to disambiguate against the LDAP in SiteMinder.

    Hope that made some sense, because it didn't to me the first time.

    Cheers,

    Ryan


  • 3.  RE: BioMetric Authentication with SiteMinder

    Posted Nov 18, 2011 04:27 AM
    Hi Ryan,
    Thanks for your reply. This indeed is difficult for me to understand. I have started reading on SAML. Can you guide me to some start-up links? Do you have your solution in pictorial form? Some kind of diagram or flowchart?
    This is what we already do: We have a desktop application built in C++ that takes user fingerprints (fp) and stores this fp template in a container on Microsoft Active Directory LDAP using ADSI APIs. Here the client is in a domain environment and every workstation is within the domain. During authentication the same ADSI APIs read the fp template from AD LDAP. Now in the new scenario: The client is not in a domain environment; they will access the web page over the internet, and their login would be controlled by SiteMinder. My question is how can I talk to SiteMinder's LDAP (in this case it is on Linux) from the client end. Let me know if you have any suggestions.

    Thank you,
    Pradeep


  • 4.  RE: BioMetric Authentication with SiteMinder

    Posted Nov 21, 2011 02:41 PM
    If you don't know SAML then my reference to it is not going to help very much.

    The usual reason you'll use SiteMinder is that you want to act as both a filter protecting your web traffic, and a security token service for single sign-on. So the idea is that SiteMinder authenticates the user and then issues a security token.

    The thing you want to do, I think, is avoid letting the user ever directly connect to your LDAP. Create an ActiveX that collects the fingerprint and posts it back to a webserver.

    Then either -

    1) post it to a SiteMinder-protected website, and then create a custom auth scheme that leverages your existing API to look up the fp and disambiguate the user
    2) use a non-SiteMinder-protected website that can disambiguate the user and issues a temporary token that is passed back to a regular SiteMinder credential collector, which then verifies the token with the fingerprint website.
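
Added example, not part of the original thread and not SiteMinder or BIO-key code: a minimal Python model of the one-time-handle exchange described in replies 2 and 4 (option 2), showing the properties the handle needs to be safe to pass through the browser. The class and function names, the 60-second lifetime, the HMAC-authenticated back-channel and the dict used as a directory are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 60  # assumed lifetime; the thread does not specify one


class FingerprintService:
    """Stand-in for the fingerprint website: issues and redeems one-time handles."""

    def __init__(self, backchannel_key: bytes, clock=time.monotonic):
        self._key = backchannel_key   # shared only with the auth scheme
        self._clock = clock
        self._pending = {}            # sha256(handle) -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        """Called after a successful fingerprint match; returns the random string."""
        handle = secrets.token_urlsafe(32)   # 256 random bits, carries no identity
        digest = hashlib.sha256(handle.encode()).hexdigest()
        self._pending[digest] = (user_id, self._clock() + TTL_SECONDS)
        return handle

    def redeem(self, handle: str, mac: str):
        """Back-channel call: returns the userID exactly once, otherwise None."""
        expected = hmac.new(self._key, handle.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None               # caller does not hold the back-channel key
        digest = hashlib.sha256(handle.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop makes the handle single-use
        if entry is None or self._clock() > entry[1]:
            return None               # unknown, already used, or expired
        return entry[0]


def auth_scheme_authenticate(submitted_username, service, key, directory):
    """Stand-in for the custom auth scheme: the 'username' field holds the handle."""
    mac = hmac.new(key, submitted_username.encode(), hashlib.sha256).hexdigest()
    user_id = service.redeem(submitted_username, mac)
    if user_id is None:
        return None                   # reject: never fall back to the raw field
    return directory.get(user_id)     # disambiguate against the user store


if __name__ == "__main__":
    key = secrets.token_bytes(32)     # constructed key for the demo
    svc = FingerprintService(key)
    users = {"jdoe": "uid=jdoe,ou=people,dc=example,dc=com"}  # constructed entry
    h = svc.issue("jdoe")
    print(auth_scheme_authenticate(h, svc, key, users))  # resolves once
    print(auth_scheme_authenticate(h, svc, key, users))  # replay is rejected
```
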


  • 5.  RE: BioMetric Authentication with SiteMinder

    Posted Nov 21, 2011 03:08 PM
    Not sure if this image will work, but this is our basic solution to (2) above.



  • 6.  RE: BioMetric Authentication with SiteMinder

    Posted Nov 23, 2011 11:14 PM
    Thanks Ryan, the image does not show up. Can you please send it to pradeeprpathak@gmail.com?

    Thank you,
    Pradeep