Article By: Eunice Mushawatu
Symantec Siteminder is one of the most effective methods of protecting APIs against unauthorized access. Siteminder protects URLs, and API endpoints are exactly that – URLs. This guide details how to set up and configure the integration with Siteminder and how to build a policy that uses Siteminder to protect an API endpoint with the Layer7 (Broadcom) API Gateway.
– SiteMinder must have the Agent, Agent Configuration Object, and Domain (along with the defined User Directory, Realms, Authentication Scheme, Rule set for the Realm, and authorization Policy) for the API Gateway already configured within the SiteMinder Administrative User Interface (UI). For reference, see the Beginner Guide to Siteminder Integration with Layer7 API Gateway.
– Have the appropriate SiteMinder Policy Server IP address, administrator credentials, Host Configuration Object (HCO) name, and registered hostname prior to initiating the integration.
Task 1 – Configure System Property for CA Single Sign-On
1. Log on to the API Gateway appliance as the user ‘root.’
2. Locate and open the following file /opt/SecureSpan/Gateway/node/default/etc/conf/system.properties
3. Add the following line:
4. Save and exit the file.
5. Restart the Gateway.
Task 2 – Create a CA Single Sign-On Configuration in the Policy Manager
You should create a CA Single Sign-On configuration first before performing any other CA Single Sign-On-related tasks.
1. In the Policy Manager, select Tasks > Users and Authentication > Manage CA Single Sign-On Configurations from the main menu. The Manage CA Single Sign-On Configurations dialog appears.
2. Click Add to open the CA Single Sign-On Configuration Properties.
3. Input a Registration name, click ‘Register’ and complete the CA Single Sign-On Registration Properties.
Note: Only stored passwords may be specified here—you cannot type in a password. To define a stored password, click [Manage Passwords]. For more information, see Manage Stored Passwords.
4. When the registration properties are entered, click OK to register.
5. Once registration has passed, click OK. The Siteminder properties should be populated automatically.
6. Click [Test] to check whether your configuration is valid.
7. Click OK and OK again to close the CA Single Sign-On Configuration Properties menu.
8. The Gateway is now registered as an agent object in Siteminder. Click Close to close the Manage CA Single Sign-On Configurations tab.
Task 3 – Write Policy to Authenticate against Siteminder
In this example we are simply authenticating a user against Siteminder. The Siteminder policy server issues a Siteminder token, which the gateway (acting as a Siteminder agent) saves as a cookie named “SMSESSION”. The SMSESSION cookie can then be used to access other Siteminder-protected resources without the user submitting their credentials again.
Using the SSO Check protected Resource assertion: Specify the Siteminder configuration created in task 3, the agent and the protected resource being accessed as shown below.
Using the Authenticate against SSO assertion: Check the use last credentials option and select ‘Create SSO Token.’
Using the Authorize against SSO assertion: Check the use SSO Token from Single Sign-On Context as shown below.
Note: The /protectedResource endpoint is now protected by SiteMinder. The rules to access this resource are specified in the SiteMinder administrative console for the application’s policy settings. The API Gateway as a SiteMinder Agent simply enforces this policy and facilitates access.
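To confirm that the Task 3 policy behaves as described, the following added example (not part of the original article and not Layer7 or SiteMinder code) audits two responses captured from the protected endpoint: one sent without credentials and one sent with them. It assumes the policy answers anonymous callers with a 4xx status and authenticated callers with 200; the sample captures and the function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

COOKIE = "SMSESSION"  # cookie name given in the article

def find_smsession(set_cookie_headers):
    """Return the SMSESSION morsel from a list of Set-Cookie values, or None."""
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        if COOKIE in jar:
            return jar[COOKIE]
    return None

def audit_flow(anonymous, authenticated):
    """Audit two captured responses, each given as (status, [Set-Cookie values]).

    Assumption: the policy rejects anonymous callers with a 4xx status and
    answers an authenticated caller with 200.
    """
    findings = []
    anon_status, anon_cookies = anonymous
    if not 400 <= anon_status < 500:
        findings.append(f"anonymous request got {anon_status}, expected 4xx")
    if find_smsession(anon_cookies) is not None:
        findings.append("SMSESSION issued without credentials")

    auth_status, auth_cookies = authenticated
    if auth_status != 200:
        findings.append(f"authenticated request got {auth_status}, expected 200")
    token = find_smsession(auth_cookies)
    if token is None or not token.value:
        findings.append("no SMSESSION issued after authentication")
    else:
        # The cookie is a reusable credential, so check its transport flags.
        if not token["secure"]:
            findings.append("SMSESSION lacks Secure")
        if not token["httponly"]:
            findings.append("SMSESSION lacks HttpOnly")
    return findings

# Constructed sample captures (not real gateway output).
GOOD = ((401, []), (200, ["SMSESSION=CONSTRUCTEDTOKEN; Path=/; Secure; HttpOnly"]))
WEAK = ((200, []), (200, ["SMSESSION=CONSTRUCTEDTOKEN; Path=/"]))

if __name__ == "__main__":
    print(audit_flow(*GOOD))
    print(audit_flow(*WEAK))
```

An empty list means the endpoint rejected the anonymous call and issued a flagged SMSESSION cookie after authentication; each string in a non-empty list names one deviation to investigate in the gateway policy or the SiteMinder realm settings.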
Summary of Configuring Layer7 API Gateway for Symantec Siteminder Integration
These steps are a basic guide to configuring the integration between the API Gateway and Symantec SiteMinder, with a straightforward authentication use case against SiteMinder. The purpose is to show how the API Gateway interacts with SiteMinder. In another post, we will discuss more advanced use cases, including authenticating a user with an SMSESSION cookie only or using JWTs (JSON Web Tokens) for authentication.
Looking for additional help with Symantec Siteminder integration? ISX Consulting is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Symantec Siteminder and the Broadcom API gateway. Take your interoperability to the next level, and contact an ISX consultant today.