Symantec Access Management

  • 1.  SiteMinder TAI agent for WebSphere app server flow?

    Posted May 18, 2017 05:50 PM

    Hello,


    Can someone please explain how the SiteMinder TAI agent for WebSphere app server works? I have configured SAP agents in the past and have a very good understanding of them, in case you want to use that as a quick reference.


    I wanted to know: when a user clicks on a link that is configured with SSO using SiteMinder + TAI agent, how does the request flow? Which Realms, Policies and Responses need to be created? What are the TAI agent configuration steps? Are any configurations needed at the WebSphere app server level?


    Thank you. 



  • 2.  Re: SiteMinder TAI agent for WebSphere app server flow?
    Best Answer

    Posted May 19, 2017 02:27 AM

    Hello,


    A good start would be to check the documentation:


    https://support.ca.com/cadocs/0/CA%20SiteMinder%20Agent%20for%20WebSphere%20r12%20SP2-ENU/Bookshelf_Files/HTML/index.htm?toc.htm?WSA_r12_0_SP2--Agent_Guide.htm


    Let us know if you have further questions,

    Julien.



  • 3.  RE: Re: SiteMinder TAI agent for WebSphere app server flow?

    Posted Oct 30, 2019 11:18 AM
    The link in the previous message is broken.  Can anyone advise where to find the documentation?  Is it now hosted by IBM rather than Broadcom?


  • 4.  RE: Re: SiteMinder TAI agent for WebSphere app server flow?

    Broadcom Employee
    Posted Oct 30, 2019 08:47 PM
    Hello,

    I found the new location of the document was here:

    https://ftpdocs.broadcom.com/cadocs//0/CA%20SiteMinder%20Agent%20for%20WebSphere%20r12%20SP2-ENU/Bookshelf_Files/PDF/SMWebSphereAgent_conf_enu.pdf

    Best regards,
    Seiji


  • 5.  RE: Re: SiteMinder TAI agent for WebSphere app server flow?

    Posted Jan 15, 2020 10:23 AM
    Hi all involved.
    I wonder if there is a valid URL where the application server agent related documentation is now published. The above link opens the PDF document, but where is it now actually located?

    regards,
    Irina


  • 6.  RE: SiteMinder TAI agent for WebSphere app server flow?

    Broadcom Employee
    Posted Jan 15, 2020 12:04 PM
    Hi Krshravan,

    The flow of a WebSphere Application Server request with the SiteMinder TAI installed in WebSphere will leave the Browser and most likely hit your WebSphere Proxy Server, which you should have a Standard SiteMinder Web Agent installed on. This Agent on the Proxy is used to keep the SiteMinder SMSESSION cookie updated, since the TAI on the WebSphere Server will only receive a request from WebSphere if the incoming request does not contain a WebSphere user: LTPAToken and JSESSIONID. If WebSphere "knows" who the User is, there is no reason for WebSphere to invoke the SiteMinder TAI.

    Then the (most likely) IBM HTTPD Proxy with the Standard SiteMinder Agent forwards the request to the WebSphere Application Server. As stated above, if the request does not contain a valid WebSphere User, then WebSphere will "ask" any configured TAI whether it can provide the Authenticated User to WebSphere via the Trust Association for this request or not: IsTargetInterceptor().

    The SiteMinder TAI will check the incoming request for an SMSESSION, and if found, will reply with TRUE to the IsTargetInterceptor() call; if there is no SMSESSION in the request, the SiteMinder TAI will return FALSE, and SiteMinder will Not Process the request. This behavior is configurable with the ChallengeForCredentials="Yes" ACO parameter. If a request does not contain a SiteMinder Session on the IsTargetInterceptor(), the "ChallengeForCredentials" parameter is set to "Yes", and there is a REALM created for the Application in SiteMinder protected by the TAI Agent, then the SiteMinder TAI will present a "BASIC" Prompt for credentials, and the User will be Authenticated based on these Credentials from the SiteMinder User Directory associated with the SiteMinder TAI's Domain/Realm. If you wish to utilize Advanced Authentication instead of the BASIC Authentication that the SiteMinder TAI can perform, you would simply craft the Authentication Scheme to send the User to a Standard SiteMinder Agent in the same Domain, like the Agent sitting on the WebSphere Proxy, which can serve the Advanced Authentication Schemes.

    If you do not have ChallengeForCredentials set to Yes, the SiteMinder TAI will use the value specified in the AssertionAuthResource ACO parameter as the URL of the requested resource, regardless of the URI the customer is accessing. The TAI's only job is to provide the Authenticated User to WebSphere, so the resource requested does not matter. The value specified in this parameter is the Resource Filter for the SiteMinder TAI's Realm in the Policy Store, so SiteMinder will reply that the resource is Protected and will validate the User's Credentials against the User Directory for this Domain. Once validated, the TAI will then attempt, using the IBM APIs, to locate the UniqueUserID from WebSphere's configured User Registry for this SiteMinder Authenticated User. If SiteMinder and WebSphere are configured to utilize the same User Directory, then the SMUSER value from SiteMinder will locate the User in the WebSphere User Registry, the Authenticated User is then passed to WebSphere, and WebSphere will then create its user Session for the Authenticated User, generating the LTPAToken and JSESSIONID for the user.

    If you have ChallengeForCredentials set to Yes, and you have REALMS configured with the Resource Filter for the requested Application, then SiteMinder Authentication will take place based on the Authentication Scheme configured for the REALM, the Authenticated User will be passed to the TAI to locate the matching User from the WebSphere User Registry, and then passed to WebSphere to again create the WebSphere User Session.

    Subsequent requests that contain the LTPAToken and JSESSIONID do not require authentication, so WebSphere will not invoke the SiteMinder TAI on these requests. This is again why it is important to have a Standard SiteMinder Web Agent on the Proxy to WebSphere, where the Agent WILL get every request and be able to update the SMSESSION cookie to prevent it from inadvertently idling out. The SiteMinder TAI's only job is to map and provide the Authenticated Identity to WebSphere. After Authentication, WebSphere will pass the request on for Authorization by the configured Authorization providers in WebSphere.

    As far as configuring the required Realms and configuring the TAI in WebSphere, please read the documentation at the link already provided.
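The decision flow described in the answer above, modelled as a small Python simulation. This is an added illustration, not SiteMinder or IBM code: the ACO parameter names ChallengeForCredentials and AssertionAuthResource come from the post, while the user names, the realm filter, the AssertionAuthResource value, and the simplification that the SMSESSION cookie directly carries the user name are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed ACO settings; the parameter names are the ones named in the post.
@dataclass
class Aco:
    challenge_for_credentials: str = "No"
    assertion_auth_resource: str = "/tai/assert"   # constructed value

@dataclass
class Request:
    uri: str
    cookies: dict = field(default_factory=dict)
    basic_credentials: Optional[Tuple[str, str]] = None  # set once the browser answers a BASIC prompt

# Constructed users: SiteMinder user directory and WebSphere user registry.
SM_DIRECTORY = {"alice": "pw1", "bob": "pw2"}
WAS_REGISTRY = {"alice"}          # "bob" exists only in SiteMinder, so the SMUSER lookup fails

def websphere_has_user(req):
    """WebSphere only consults a TAI when the request carries no WebSphere user."""
    return "LTPAToken" in req.cookies and "JSESSIONID" in req.cookies

def is_target_interceptor(req, aco, realms):
    """The TAI's IsTargetInterceptor() decision as the post describes it."""
    if "SMSESSION" in req.cookies:
        return True
    return aco.challenge_for_credentials == "Yes" and any(req.uri.startswith(r) for r in realms)

def policy_resource(req, aco):
    """Resource the TAI asks the Policy Server about: the real URI only when challenging."""
    return req.uri if aco.challenge_for_credentials == "Yes" else aco.assertion_auth_resource

def handle(req, aco, realms):
    """Return a short label for what happens to the request."""
    if websphere_has_user(req):
        return "websphere-session"                  # TAI is never invoked
    if not is_target_interceptor(req, aco, realms):
        return "not-intercepted"                    # TAI answered FALSE
    if "SMSESSION" in req.cookies:
        smuser = req.cookies["SMSESSION"]           # simplification: cookie value is the user name
    elif req.basic_credentials is None:
        return "basic-challenge"                    # TAI presents the BASIC prompt
    else:
        user, pw = req.basic_credentials
        if SM_DIRECTORY.get(user) != pw:
            return "basic-challenge"                # credentials rejected, prompt again
        smuser = user
    if smuser not in WAS_REGISTRY:
        return "registry-miss"                      # SMUSER not found in the WebSphere User Registry
    return f"trusted:{smuser}@{policy_resource(req, aco)}"   # WebSphere now creates LTPAToken/JSESSIONID
```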



  • 7.  RE: SiteMinder TAI agent for WebSphere app server flow?

    Broadcom Employee
    Posted Jan 15, 2020 12:07 PM
    Following is the link for the Bookshelf where you can locate the older versions of the documentation:

    https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-miscellaneous/legacy_bookshelves_and_pdfs.html


  • 8.  RE: SiteMinder TAI agent for WebSphere app server flow?

    Posted Jan 16, 2020 11:00 AM
    Thank you very much Rick. Is this the official link that will stay and will not change? Can this be used as a reference?