BEA ALUI-SiteMinder SSO Integration
The following is an explanation and implementation guide on how to integrate SiteMinder into an ALUI 6.1 Portal infrastructure. The guide is based on actual implementation struggles and solutions we came up with in our environment. A reference doc is here.
ALUI integration with SiteMinder enables the use of SSO between different portal communities, other SiteMinder integrated Applications, and the use of Federation services. BEA documentation on SiteMinder integration can be found here. (pdf here) To really understand this guide, there is a base assumption that you are familiar with the standard methods to deploy ALUI with SiteMinder.
SiteMinder and ALUI will generally share a common ldap store. The users and attributes are sync'd into the ALUI database. On the ALUI side, these are the Auth Source. As in SiteMinder, you can have multiple auth sources. The way SSO works is based on the ALUI SSOServlet getting enough information from the default SiteMinder header values to map the authenticated user with a unique user in the ALUI database. This is done by taking the SM_USER, the DefaultAuthSourcePrefix, and putting those two values together which then map to the user in the ALUI DB.
However, one of the major limitations with the default implementation method (aka SSOVendor=2), is that you must select a single default SiteMinder Domain to store all the policies you would want to use in your portal. This is just fine if your portal implementation is small and used for a single user type like employees. However, if you are building a large scale enterprise implementation for many community types, then you will quickly find that you need to be able to map multiple SiteMinder domains to matching communities.
Our integration design
In our implementation, we had requirements to handle different URLs mapped to different communities each protected by unique SiteMinder domains. We configured ALUI using SSOVendor=50, the basic SSO configuration. By using the basic SSO configuration, you are able to configure the header mapping components used by the SSOServlet. We mapped the values to be the same as when using SSOVendor=2 with one difference. We added a variable to match the ALUI auth source category name. This value is configured as a response header on the SiteMinder policy.
By controlling the PrefixHeader with a variable PT_DOMAIN, we control via SiteMinder policy responses, we can control which auth source the SM_USER is mapped to.
This is how our SiteMinder-ALUI authentication flow is now setup.
The final configuration is done with Experience Definitions. They turn on the SSO process with the communities that are using them. SSO needs to be enabled on the particular experience definition being used to allow for the automatic re-direct to SSOServlet.
is the agent on the same apache server that is hosting your imageserver or is it on a seperate server completely?ReplyDelete
Yes, the agent is on the same apache server that is hosting my imageserver.ReplyDelete
Hey Carlos this is Foster. Awesome blog (I remember when we set this all up :). Which version were you guys running for Siteminder and there was no special addon's were there? Thanks for the help dude.ReplyDelete
Yes! It was good times! That was a bit of a fun challenge.ReplyDelete
We're on Version 12.1 of SiteMinder now. ALUI is at the ALUI 6.5 /WCI version. No new additional features that affect the integration.
I'm really behind on this blog. I have some new tech docs i need to cleanup and post. We've started using JBoss Portal as well and have integrated SiteMinder with it. Also need to update the ASA install with WebSphere 7 as well as some Identity Manager work.
Thanks for stopping by. Hope you are doing well.
Thanks for the document. It was put together nicely. I am new to ALUI and have a question.
Do we need to Setup Siteminder Responses for PT_DOMAIN and SM_PASSWORD ?
If so with what user attributes?
Thank you in Advance
Kris, I will reply to you on Tuesday when i am back at the office and have a chance to see what I setup as my response attributes.ReplyDelete
Thanks a lot for the quick reply.ReplyDelete
Also the link that you mentioned above for the BEA documentation on Siteminder integration seems to be broken. I tried to google it but couldn't find. can you please point me in the right direction.
Thanks for the heads up. I updated the documentation link and included a direct link to the pdf. I referenced older documentation that has more detailed info on the SiteMinder integration. Looks like with the newest version, Oracle mentions you can use SiteMinder, but doesn't explain in detail how anymore.ReplyDelete
For PT_DOMAIN, I use a static variable. PT_DOMAIN should be equal to the Portal AuthSource Category name. The Portal SSOServlet will take the PT_DOMAIN value and combine it with the SM_USER value to match with the correct user in the portal DB.ReplyDelete
So if your Portal AuthSource was named External, my portal ID would be "External\cg". So, by setting the PT_DOMAIN to "External", the SSOServlet will be able to figure out what the users true fully qualified name is within the ALUI DB.
As for SM_Password, I do not set it. Just like SM_User, they are basic header variables that will be passed on by SiteMinder.
Hope that helps clarify.
Thanks for the reply. I have a requirement to integrate Aqualogic with Siteminder R12 in the next couple of weeks. This article will be very helpful for me. Thanks alot for sharing.
I am made all the changes required to integrate with Siteminder. But When I loginto Portal, after loggin into Portal, I am seeing the portal login page. Can you please let me know what kind of changes that we need to do on the experience definitions side to make this work.
I am cleaning up my internal configuration document and will post a link to it when I remove company info from it.ReplyDelete
go here to grab a copy of the integration doc including what changes are needed on the ALUI side.ReplyDelete
Hope it helps clarify.
Thanks for the doc. We completed the integration
successfully. Thanks for all your help.
Great! Glad I was able to assist in any way.ReplyDelete