SiteMinder
When you integrate SiteMinder with MSS, you can use SiteMinder's single sign-on capabilities to authenticate your users. You can also configure additional authorization in MSS to restrict access to sessions.
MSS uses Microsoft IIS to integrate with SiteMinder.
Note
If the SiteMinder option is disabled in the MSS Administrative Console, the SiteMinder Java Agent library was not detected in the classpath of the MSS Server.
To resolve this, follow the steps under Enable SiteMinder.
Enable SiteMinder
Before you can configure the SiteMinder settings in MSS, be sure these prerequisites are met.
- Windows IIS is installed and integrated with MSS.
  If you need to enable IIS, see Configure Single Sign-on through IIS in this guide.
- SiteMinder is integrated with MSS.
  Follow the Integrating SiteMinder with MSS steps in the MSS Installation Guide.
Caution
Be sure to add the SiteMinder libraries to MSS (step 4) so that the SiteMinder configuration will be enabled in the MSS Administrative Console.
Refer to the Troubleshooting SiteMinder section in the MSS Installation Guide as needed.
Then, complete the SiteMinder configuration in the MSS Administrative Console.
Complete the SiteMinder Configuration
After you complete the prerequisite steps, enter your SiteMinder settings in the MSS Administrative Console.
- Agent version
  Some configuration fields vary depending on the version you select.
- Agent name
  The name of the SiteMinder agent used by IIS, that is, the name of the agent configured to work with the IIS instance that is integrated with the Management and Security Server.
- Configuration file (version 5+)
  Provide the full path to the SiteMinder host configuration file, typically SmHost.conf. This file resides in the config directory of the SiteMinder web agent installation directory.
- Shared secret (version 4)
  The secret used by the policy server to verify the agent. The shared secret was created in the SiteMinder Administration tool under System Configuration > Agents.
- Policy server host (version 4)
  The IP address (preferred) or DNS name of the host on which the SiteMinder policy server is installed.
- Authentication port (version 4)
  The SiteMinder policy server's authentication port. The default for this port is 44442. To check the port number, open the SiteMinder Policy Server Management Console, click the Settings tab, and look for the Authentication port number under Access Control.
  If other SiteMinder port numbers were changed from their defaults, you must reset the corresponding port numbers in the MSS PropertyDS.xml file, located in the MSSData folder.
- User identity
  Determines which SiteMinder user attribute is displayed in the list of sessions and used for LDAP authorization.
- User identity LDAP search attribute (optional)
  When the MSS Administrative Server is configured to use authorization, use this field to specify the LDAP attribute that the Administrative Server uses in an LDAP search request for the user's distinguished name (DN). During authorization, the Administrative Server issues an LDAP search request to obtain the user's LDAP DN; the search request's filter uses the attribute specified in this field.
  For example, if you enter the value uid in this field, the LDAP search filter looks like:
  (uid=<SiteMinder username>)
  where <SiteMinder username> is the SiteMinder user's name, obtained from the SiteMinder session token using the ATTR_USERNAME key. Example: (uid=johns)
  Note
  When the MSS Administrative Server is not configured for authorization, any value entered in this field is ignored.
- SiteMinder and 64-bit systems
  If you are using a 64-bit operating system, check that the PATH variable places the path to the 64-bit libraries before the path to the 32-bit libraries. To confirm the order, open a command window and type:
  echo %PATH%
  If the 64-bit libraries are not first in the path, edit the PATH variable so that the path to the 64-bit libraries comes before the path to the 32-bit libraries.
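The filter construction described under User identity LDAP search attribute, as an added example that is not part of MSS or this guide: it builds (<attribute>=<SiteMinder username>) from the configured search attribute and the username taken from the session token, and escapes the username per RFC 4515 so that characters such as * or ) in the token value cannot change the meaning of the filter. The function names and sample values are assumptions.

```python
"""Build the LDAP DN-lookup filter, (<attribute>=<SiteMinder username>),
with RFC 4515 escaping of the username. Added example, not MSS code."""
import re

# Characters RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Simplified attribute-name check (letters, digits, hyphen; leading letter).
# Numeric OID attribute types are deliberately not accepted here.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(search_attribute: str, siteminder_username: str) -> str:
    """Return the filter used to look up the user's DN.

    search_attribute    - value of the 'User identity LDAP search attribute'
                          field, e.g. 'uid'
    siteminder_username - value obtained from the SiteMinder session token
                          via the ATTR_USERNAME key
    """
    if not _ATTR_RE.match(search_attribute):
        raise ValueError(f"invalid LDAP attribute name: {search_attribute!r}")
    if not siteminder_username:
        raise ValueError("empty SiteMinder username")
    return f"({search_attribute}={escape_filter_value(siteminder_username)})"


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    print(build_user_filter("uid", "johns"))    # (uid=johns)
    print(build_user_filter("uid", "johns*"))   # (uid=johns\2a)
```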