Enabling single sign-on for SiteMinder
Configure HCL Connections™ to use Computer Associates' SiteMinder to implement user authentication and single sign-on (SSO).
Before you begin
Complete the following prerequisite conditions:
- Ensure that you can access Connections applications from a web browser.
- Complete the installation and configuration of TAI/ASA. The instructions are included with SiteMinder.
- Verify that TAI/ASA is registered with WebSphere® Application Server.
Each href attribute in the LotusConnections-config.xml file is case-sensitive and must specify a fully-qualified domain name.
- The connectionsAdmin J2C alias that you specified during installation must correspond to a valid account that can authenticate with SiteMinder. It may map to a back-end administrative user account. This account must be capable of authenticating for single sign-on against SiteMinder. If you need to update the user ID or credentials for this alias, see the Changing references to administrative credentials topic.
- For more information about the SiteMinder Policy Server and Web Agent configuration, go to the CA SiteMinder BookShelf.
- For more information about the SiteMinder Agent for WebSphere®, see the CA SiteMinder Agent for WebSphere guide (PDF) and the CA eTrust SiteMinder Agent for IBM WebSphere Release Notes (PDF). The latest Application Server Agent (ASA) at the moment is version 12. CA support confirms that it can be used with SM 12.51.
About this task
You need to create SiteMinder Agent and Domain objects with realms, rules, and a policy that is related to HTTP Server and WebSphere® Application Server.
When a user requests a page that is protected by SiteMinder, the Web Agent on the HTTP server intercepts the request and prompts the user for authentication. If the user provides valid credentials, the user is authenticated and an SMSESSION cookie is added to the request which is then passed on to the WebSphere® Application Server. The SiteMinder Trust Association Interceptor (TAI) on the server verifies the information in the cookie and sets the User Principal that Connections requires to identify the user.
This task describes a configuration that uses SiteMinder Policy Server 6.0 SP5, SiteMinder ASA 6.0 Agent for WebSphere® Application Server (with CR00010 hotfix), and SiteMinder Web Agent v6qmr5-cr035.
To set up SSO using SiteMinder, complete the following steps:
Procedure
- Download and apply
the Unrestricted JCE policy files:
- Go to the J2SE 5 SDK Security information web page.
- Authenticate with your universal HCL user ID and password.
- Download the Unrestricted JCE Policy files for SDK for all newer versions package.
- Extract the files from the downloaded package.
- Back up your existing copies (if any) of the US_export_policy.jar and local_policy.jar files, located in the app_server_root/java/jre/lib/security directory.
- Copy the new jar files from the extracted package to the same directory, overwriting any existing files.
-
Create agents on the SiteMinder Policy Server, including a Web Agent for HTTP Server and an
Application Server Agent for WebSphere® Application
Server.
- Open the SiteMinder Administration console.
- Right-click Agents and select Create Agent.
- Enter details of the Name and Description of the Web Agent for HTTP Server.
- Repeat these steps for the Application Server Agent.
- Create Agent Configuration Objects on the SiteMinder Policy
Server. In the SiteMinder Administration Console, open the Agent Conf
Objects pane and complete the following steps:
Notes:
- When activated, the LogOffUri parameter clears the SMSESSION cookie and ensures that the user is logged out of all Connections browser sessions.
- To add parameters, edit the Agent Configuration Object on the SiteMinder Policy Server. Alternatively, you can edit the LocalConfig.conf file on the HTTP server if the Web Agent is configured to use it.
- If you are editing the SiteMinder configuration file directly, you must surround the values of SiteMinder configuration parameters with quotation marks ("); for example: BadCSSChars="<,>". If you are changing these parameters within the SiteMinder Policy Server, do not use quotation marks.
- Specify your SiteMinder
Authentication Scheme configuration:
- Open the SiteMinder Administration Console and navigate to the Authentication Scheme Properties dialog box.
- From the Authentication Scheme type list, select HTML Form template.
- Clear the Use Relative Target check box.
- Enter the URL of your Connections HTTP server in the web Server Name field.
- On the SiteMinder Policy Server, create a domain for the HTTP Server web agent.
-
Create protected realms under the HTTP Server Web Agent domain:
- Create
Delete and Head actions for the Web Agent. By default, the Web Agent
has only the Get, Post, and Put actions available. To add the Delete
and Head actions, complete the following steps:
- In the SiteMinder Administration Console, click View and select Agent Types.
- Select Agent Types in the Systems pane.
- Double-click Web Agent in the Agent Type list.
- In the Agent Type Properties dialog box, click Create.
- Enter Delete in the New Agent Action dialog box and click OK.
- Enter Head in the New Agent Action dialog box and click OK.
- Click OK again to save the new action.
- Create
the following rules for each realm:
Table 3. Rules for the HTTP Server realms GetPostPutDelHead rule OnAuthAccept rule Realm: CurrentRealm Realm: CurrentRealm Resource: * (not /*) Resource: * (not /*) Action: Web Agent actions -> Get,Post,Put,Delete,Head Action: Authentication events -> OnAuthAccept When this Rule fires: Allow Access When this Rule fires: Allow Access Enable or Disable this Rule: Enabled Enable or Disable this Rule: Enabled - Create a policy and add the users who will be able to access the server to the policy. You can allow all users in the LDAP directory or a subset of users; for example: an LDAP branch, individual users, or groups of users.
- Add the new rules to the new policy.
- Specify
realms that are not protected by SiteMinder.
Note: You must configure notification templates and some Atom feeds as unprotected URLs. The Blogs footer page must also be unprotected because Blogs uses the Velocity template to extract footer pages.
Table 4. Realms that do not require authentication This table shows all Connections applications with unprotected URL resources
Application Unprotected URL resource Activities /activities_content /activities/auth /activities/images /activities/oauth /activities/service/html/images /activities/service/html/mainpage /activities/service/html/styles /activities/service/html/themes /activities/service/html/servermetrics /activities/service/html/serverstats /activities/serviceconfigs /activities/static/ App Registry /appreg /appregistry Blogs /blogs/oauth /blogs/serviceconfigs /blogs/static/ Bookmarks /dogear/oauth /dogear/peoplelike /dogear/serviceconfigs /dogear/static/ Common resources /connections/bookmarklet/tools/blet.js /connections/bookmarklet/tools/discussThis.js /connections/bookmarklet/tools/rlet.js /connections/core/oauth /connections/oauth /connections/resources/ic /connections/resources/socmail-client /connections/resources/socpim /connections/resources/web /connections/rte /nav/common Communities /communities/calendar/Calendar.xml /communities/calendar/oauth /communities/comm.widget /communities/images /communities/nav /communities/recomm/oauth /communities/recomm/Recomm.xml /communities/resourceStrings.do /communities/service/atom/oauth /communities/service/html/communityview /communities/service/html/community/autoCompleteMembers.do /communities/service/html/singleas /communities/service/json/oauth/ /communities/service/opensocial/oauth /communities/serviceconfigs /communities/static/ /communities/stylesheet /communities/tools/embedAS.html /communities/widgets Content Manager /wsi /acce /dm Files /files/app /files/basic/anonymous/api /files/basic/anonymous/cmis /files/basic/anonymous/opensocial /downloadfiles /files_content /files/form/anonymous/api /files/form/anonymous/cmis /files/form/anonymous/opensocial /files/oauth /files/serviceconfigs /files/static Forums /forums/oauth /forums/serviceconfigs /forums/static/ Home page /homepage/oauth /homepage/search /homepage/serviceconfigs /homepage/static/ /homepage/web/updates/ Libraries /library_content_cache Mobile /mobile_content Moderation /moderation/app /moderation/oauth /moderation/static News /help /news/common/sand/static/ /news/follow/oauth /news/microblogging/isPermitted.action /news/oauth /news/serviceconfigs /news/sharebox/config.action /news/static/ OAuth Provider /oauth2 Orient Me /community-suggestions Profiles /profiles/atom/forms/connections.do /profiles/images /profiles/oauth /profiles/serviceconfigs /profiles/static/ /profiles/widget-catalog Search /search/atom/search /search/oauth /search/static/ URL Preview /connections/opengraph/form/anonymous/api/oembed /connections/opengraph/basic/anonymous/api/oembed /connections/opengraph/oauth/anonymous/api/oembed /connections/thumbnail/api/imageProxy Widget container /connections/opensocial/anonymous/rest /connections/opensocial/common /connections/opensocial/gadgets /connections/opensocial/ic /connections/opensocial/oauth /connections/opensocial/rpc /connections/opensocial/social /connections/opensocial/xrds /connections/opensocial/xpc Wikis /wikis/basic/anonymous/api /wikis_content /wikis/form/anonymous/api /wikis/home /wikis/js /wikis/oauth /wikis/static/ -
Map the Reader role in the Activities and Wikis applications
All Authenticated in Application's Realm.
See Roles.
- On the SiteMinder Policy Server, create a domain for the Application Server Agent.
- Add the
following realm to the new WebSphere® Application
Server domain:
Table 5. SiteMinder realms for WebSphere® Application Server Realm name Protected resource SM TAI Validation /siteminderassertion Note: You must configure the Protected Resource of this realm to match the AssertionAuthResource parameter that you configured earlier for the Application Server Agent.Note: Make sure that SM TAI honors SM session-based cookies and the triggered LTPA cookies to be generated by WAS. - Set the timeout
value of the session for each realm.
Note: The maximum timeout and the idle timeout must be longer than the LTPA token timeout, which is defined in WebSphere® Application Server. The LTPA token timeout is set to 120 minutes by default.
-
Install the Web Agent on HTTP Server:
- Download the latest version of the Web Agent from the CA website.
- Install the Web Agent. For instructions, go to the SiteMinder BookShelf.
- When you are prompted for the Agent Configuration details, specify the Agent Configuration Object that you created earlier.
- Install the Application Server Agent on your WebSphere® nodes:
- Download the latest version of the Application Server Agent from the CA website.
- Install the Application Server Agent on each node in your Connections deployment. For instructions, see the SiteMinder Agent for WebSphere® Agent Guide.
- When you are prompted for the Agent Configuration details, specify the Agent Configuration Object that you created earlier.
- Copy the smagent.properties file from the ASA installation conf folder to the WebSphere® Application Server profile properties folder; for example: C:\program files\IBM\websphere\appserver\profiles\appsvr01\properties.
- Configure
Trust Association Interceptor on WebSphere® Application
Server.
-
Create rewrite rules that redirect URLs when users log out of Connections. Add the following
rules to the httpd.conf file:
RewriteEngine On
RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*)
RewriteCond %{QUERY_STRING} !=logoutExitPage=your_logout_url
RewriteRule /(.*)/ibm_security_logout(.*)
LogOffUri?logoutExitPage=your_logout_url [noescape,L,R]
where LogOffUri is the URL that you uncommented earlier. After logging out of Connections, the user's browser is directed to your_logout_url. This URL could be your corporate home page or the SiteMinder login page.
Note: You must add these rules to both the HTTP and HTTPS entries.The following example illustrates a typical portion of the httpd.conf file after you have implemented this step:
RewriteEngine on RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*) RewriteCond %{QUERY_STRING} !=logoutExitPage=http://corphome.example.com RewriteRule /(.*)/ibm_security_logout(.*) /homepage/web/ibm_security_logout?logoutExitPage=http://corphome.example.com [noescape,L,R] RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*) RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L] #Connections Config for SSL LoadModule ibm_ssl_module modules/mod_ibm_ssl.so <IfModule mod_ibm_ssl.c> Listen 0.0.0.0:443 <VirtualHost *:443> ServerName connections.example.com SSLEnable RewriteEngine on RewriteCond %{REQUEST_URI} /(.*)/ibm_security_logout(.*) RewriteCond %{QUERY_STRING} !=logoutExitPage=http://corphome.example.com RewriteRule /(.*)/ibm_security_logout(.*) /homepage/web/ibm_security_logout?logoutExitPage=http://corphome.example.com [noescape,L,R] RewriteCond %{REQUEST_URI} !^/blogs/roller-ui/rendering/(.*) RewriteRule ^/blogs/(.*)/feed/blogs/atom(.*) /blogs/roller-ui/rendering/feed/$1/blogs/atom/ [R,L] </VirtualHost> </IfModule> SSLDisable
Note: Uncomment theLoadModule rewrite_module modules/mod_rewrite.so
line in the httpd.conf file. This line is commented out by default. When the line is commented out, the web server will not start. - Save and close the httpd.conf file, restart the HTTP server, and then make sure the SiteMinder page displays when users access the http server.
-
Add a SiteMinder authenticator property to the Connections configuration by editing the
LotusConnections-config.xml file.
-
Restart your Connections deployment.
- Stop Connections servers, node agents, and deployment manager.
- Start the deployment manager and nodes.
- Allow time for the nodes to synchronize, and for the updated LotusConnections-config.xml file to be copied to each node.
- Start Connections.