SiteMinder Concepts Guide



Netegrity, Inc.
52 Second Avenue
Waltham, MA 02451
Phone: (781) 890-1700
Fax: (781) 487-0515

http://www.netegrity.com

Copyright © 1997-2001 Netegrity, Inc. All rights reserved.

SiteMinder products and associated documentation are protected by copyright and are distributed under a licensing agreement. Netegrity Inc. has prepared this document for use by Netegrity Inc. personnel, licensees, and customers. The information contained herein is protected by copyright. No part of this document may be reproduced, translated, or transmitted in any form or by any means, electronic, mechanical, photocopying, optical magnetic, or otherwise, without prior written permission from Netegrity Inc. Netegrity Inc. reserves the right to, without notice, modify or revise all or part of this document and/or change product features or specifications.

This product contains encryption technology. Exporting these encryption algorithms to certain countries may be prohibited or restricted by the laws of the United States.

Some portions of the code are licensed from RSA Data Security, Inc.

SiteMinder products are protected by copyright and are distributed under a licensing agreement. No part of the SiteMinder product or related documentation may be reproduced without expressed written permission from Netegrity, Inc.

SiteMinder and Netegrity are registered trademarks, and the SiteMinder and Netegrity logos are trademarks of Netegrity, Inc.

All other trademarks or registered trademarks mentioned in this document are the property of their respective owners.

NETEGRITY, INC. SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR OMISSIONS CONTAINED HEREIN; NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES RESULTING FROM THE PERFORMANCE OR USE OF THIS MATERIAL.

Contents

Preface
  SiteMinder Print Documentation . . . 7
  SiteMinder Online Documentation . . . 8
    Online Help . . . 8
    Online Documentation . . . 8
    SiteMinder Release Notes . . . 9
  About this Book . . . 10
    Who Should Read This Book? . . . 10
    Conventions . . . 10
    How this Book is Organized . . . 11
  Technical Support . . . 11
  Recommended Reading List . . . 12

Chapter 1: Managing E-Commerce Infrastructure . . . 13
  Portals Increase the Need for Secure Relationships . . . 13
    Enterprise Portals . . . 14
    Consumer Portals . . . 14
  Issues Facing Internet Businesses . . . 15

Chapter 2: Introducing SiteMinder . . . 17
  SiteMinder Solutions for E-Commerce Issues . . . 17
    Privilege Management . . . 19
    Centralized Security Management . . . 19
    Easy Platform and Environment Integration . . . 21
  SiteMinder Components . . . 22
    SiteMinder Policy Server . . . 24
    SiteMinder Agents . . . 25
  SiteMinder Policies . . . 29
    What is a Policy Domain? . . . 30
    What is a Resource? . . . 31
    What is a Realm? . . . 32
    What is a Rule? . . . 33
    What is a Response? . . . 34
  SiteMinder Authorization Process . . . 36
    Authorizing Users . . . 36
    Structuring Authorization Privileges with Nested Realms . . . 37
    Denying Access . . . 38
    Extending Authorization Functionality . . . 38

Chapter 3: SiteMinder Features . . . 41
  Single Sign-on . . . 41
    SSO in a Single Domain . . . 41
    SSO Across Multiple Domains . . . 42
    Authentication Scheme Protection Levels for SSO . . . 44
  Affiliate Services . . . 44
  Registration Services . . . 45
  Delegated Management Services . . . 46
    DMS Configuration Wizard . . . 47
  Anonymous User Services . . . 47
  Directory Integration . . . 48
    LDAP Directory Support . . . 49
    NT Domain Support . . . 51
    ODBC Database Support . . . 51
    Mainframe Database Support . . . 52
    Directory Mapping . . . 53
  Personalization . . . 53
  Delegated Administration . . . 55
  Auditing . . . 56
  Reporting . . . 56
  Password Services . . . 57
    User-Initiated Password Changes . . . 57
  Authentication Schemes . . . 58
    Public Key Infrastructure Authentication . . . 59
  Session Management . . . 60
    User Disablement . . . 61
    Full Logoff Support . . . 62
  Agent Key Management . . . 62
  Scalability and Performance . . . 62
    Load Balancing and Failover . . . 63
    Replicating the Policy Database . . . 63
    SiteMinder Caching . . . 64
  SiteMinder Developer Toolkit . . . 65
  SiteMinder Examples . . . 67

Index


Preface

SiteMinder Print Documentation

The following SiteMinder documentation is available in print form:

SiteMinder Installation Guide

Describes the processes for installing all SiteMinder components.

SiteMinder Concepts Guide

Refer to About this Book on page 10 of this document.

SiteMinder Deployment Guide

Provides practical information and guidelines about issues that should be considered before deploying SiteMinder and procedural information about setting up a Web site or portal.

SiteMinder Policy Server Operations Guide

Reference guide for all SiteMinder Policy Server related information.

SiteMinder Agent Operations Guide

Provides conceptual information and procedures for configuring SiteMinder Agents.

SiteMinder Developer's API Guide

Describes and provides examples for the set of Application Program Interfaces (APIs).

SiteMinder Application Server Agent Guide

Provides information for installing and configuring Application Server Agents on IBM WebSphere and BEA WebLogic application servers.

SiteMinder Online Documentation

SiteMinder provides the following types of online documentation:

Online Help

The following HTML online help systems are available:

- SiteMinder Policy Server User Interface—Invoke the help system by selecting SiteMinder Help from the Help menu or clicking the Help button in any of the dialog boxes. This help system provides policy management and configuration management information.

- SiteMinder Policy Server Management Console—Invoke the help file by clicking the Help button.

- SiteMinder IIS Web Agent Management Console—Invoke the help file by clicking the Help button.

Online Documentation

SiteMinder provides different types of online documentation. The document set varies with the installation.

- SiteMinder Policy Server Installation

PDF versions of all SiteMinder printed manuals are placed in the siteminder/admin/manual directory of the SiteMinder installation directory. This directory also contains the following online guides for the DMS product:

  - Customizing Delegated Management Services (DMS)
  - Netegrity Template Language (NetTL) Description

The DMS guides are not distributed in printed form. However, you can print the PDF file if you wish.

To access any of these documents from the SiteMinder Policy Server User Interface, select Online Manuals from the Help menu.

The SiteMinder Software Developer Kit (SDK) is installed with the Policy Server. The SDK includes Javadoc HTML pages that describe the Java Agent API. Access the Javadoc pages through the file siteminder/sdk/samples/smjavaagentapi/index.html.

- SiteMinder Web Agent Installation

PDF versions of the following printed manuals are installed in the Docs subdirectory of the Agent installation directory:

  - SiteMinder Agent Operations Guide
  - SiteMinder Installation Guide

The same directory contains the following online guides for the DMS product:

  - Netegrity Template Language (NetTL) Description
  - Customizing Delegated Management Services (DMS)

The DMS guides are not distributed in printed form. However, you can print the PDF file if you wish.

- SiteMinder Application Server Agent Installation

PDF versions of the following printed manuals are installed with the SiteMinder Application Server Agent:

  - SiteMinder Application Server Agent Guide
  - SiteMinder Installation Guide

The installation location varies depending on the platform:

  - WebSphere/NT: Netegrity/Documentation subdirectory of the Application Server Agent installation directory.
  - WebLogic/NT: Documentation subdirectory of the Application Server Agent installation directory.
  - WebSphere and WebLogic/Solaris: the directory where you untar the installation file.

SiteMinder Release Notes

The SiteMinder Release Notes are in ASCII text format. They provide information about new features and known issues for a release. They are displayed during SiteMinder installation and, on NT platforms, are available from the Start menu. In addition, they are installed at the root of the SiteMinder installation directory.

About this Book

This guide provides information about the features, functionality, and components that comprise SiteMinder.

Who Should Read This Book?

This guide is intended for anyone who wants to become familiar with SiteMinder concepts and features.

Conventions

SiteMinder documentation uses the following conventions:

Convention                       Represented by               Example
Text that you enter              courier bold                 Enter YES or NO.
Text that the system displays    courier                      The system displays the following message: Process Complete
Buttons, menus, menu items       tahoma bold                  Click OK to continue.
Field names and check boxes      tahoma bold                  Select the Enable Web Agent checkbox.
File names                       courier                      Open the WebAgent.conf file.
Path names and file locations    courier                      Navigate to c:\SiteMinder\Bin.
Keys                             times new roman uppercase    Press ENTER.
Placeholders and variables       tahoma italic                Enter <install_root>/bin, where <install_root> is the location of SiteMinder.

How this Book is Organized

This book consists of the following chapters:

Chapter 1: Managing E-Commerce Infrastructure

Describes portals as a new business model and the issues that face portals, extranets, and intranets.

Chapter 2: Introducing SiteMinder

Describes the SiteMinder Policy Server, Agents, policy components, and the SiteMinder authorization process. In addition, this chapter discusses how SiteMinder can help solve e-business issues.

Chapter 3: SiteMinder Features

Provides an overview of SiteMinder features.

Technical Support

Before contacting Customer Support, please have the following information:

- The type of computer you are using.
- The operating system version number.
- The product name and version number.
- The license number for your software.
- The type of network devices attached to your computer.
- A description of your problem.

Notify Netegrity Customer Support using any of the following options:

- E-mail: [email protected]
- Toll-free Phone Number (U.S. and Canada only): 1-877-748-3646 (877-SITEMINDER)
- International Phone Number: (781) 890-1700
- Fax: (781) 487-7791

Recommended Reading List

To learn about Web security and other related topics, refer to the following resources:

Security and Cryptography

Ford, Warwick, and Michael S. Baum. Secure Electronic Commerce: Building the Infrastructure for Digital Signatures and Encryption. New York: Prentice Hall, 1997.

Garfinkel, Simson, and Gene Spafford. Web Security & Commerce (Nutshell Handbook). Chicago: O’Reilly & Associates, 1997.

Ghosh, Anup K. E-Commerce Security: Weak Links, Best Defenses. New York: John Wiley & Sons, 1998.

Kaufman, Charlie, Radia Perlman, and Mike Speciner. Network Security: Private Communication in a Public World. New York: DIANE Publishing Company, 1999.

Stallings, William. Cryptography and Network Security, 2nd Edition. New York: Prentice Hall, 1998.

Certificates

Feghhi, Jalal, Peter Williams, and Jalil Feghhi. Digital Certificates: Applied Internet Security. Boston: Addison Wesley Longman, Inc., 1998.

Grant, Gail. Understanding Digital Signatures: Establishing Trust over the Internet and Other Networks. New York: McGraw Hill, 1997.

LDAP

Howes, Timothy A., Mark S. Smith, and Gordon S. Good. Understanding and Deploying LDAP Directory Services. San Francisco: Macmillan Technical Publishing, 1998.

Howes, Timothy A. and Mark S. Smith. LDAP: Programming Directory-Enabled Applications with Light Weight Directory Access Protocol. San Francisco: Macmillan Technical Publishing, 1997.

Johner, Heinz, et al. Understanding LDAP. IBM Redbook.

Wilcox, Mark. Implementing LDAP. Birmingham, UK: Wrox Press Ltd., 1999.

Chapter 1: Managing E-Commerce Infrastructure

With the introduction of the World Wide Web (WWW), the use of the Internet, extranets, and intranets for conducting business has increased dramatically. As more companies enter the e-business arena, attracting and retaining customers, suppliers, partners, and other users are the challenges that businesses face. The way to meet these challenges is to customize services and applications for each user, thereby making each user’s experience unique and their transactions secure.

SiteMinder’s out-of-the-box solution can help solve some of the problems that face Web business environments.

Portals Increase the Need for Secure Relationships

As the Web has shifted from static content to dynamic e-business applications and services, the portal has emerged as the new e-commerce model.

SiteMinder can provide a single customized view of any portal to a variety of users.

Portals are virtual gateways through which users pass to access Web-based applications and sensitive business resources. Portals also serve as the single access point for any user, that is, an anonymous user, a customer, an employee, or a business partner.

Portals secure access to resources, help to categorize information, and provide utilities for information searches. They integrate data and applications to satisfy demands for security, performance, applications, and development tools.

Portals can be divided into two main categories:

n Enterprise (corporate) portals

n Consumer portals

Enterprise Portals

An enterprise portal is one that aggregates business applications and information to match specific needs of its user population. An enterprise portal can be internally focused if the users are employees, or externally focused if the users are primarily partners and customers. An example of an enterprise portal that is externally focused is Compaq.com, whose site includes information about the company’s products and services.

An enterprise portal’s main purpose is to address the needs of the business, its customers, and its partners. This type of site focuses on the extranet and internet user, who may be registered or anonymous. Personalization, user registration, and anonymous user support are just some of the features that make a portal capable of handling a variety of users with a wide range of business needs.

Enterprise portals focus on a specific company.

The enterprise portal can also provide access to intranet users, making a variety of internal resources available. For example, a company’s employees can access corporate information appropriate to internal personnel only. Enterprise portals also offer links to partner sites and related industry sites, also referred to as affiliate sites, that extend the usefulness of a portal. Even the functions of enterprise portals are expanding as the integration of data and applications increase.

Consumer Portals

Consumer portals, also called Internet portals, address the needs of an even wider user base than enterprise portals. Consumer portals can be divided into two types: vertical and horizontal.

Consumer portals can be divided into vertical and horizontal portals.

Vertical portals are sites that focus on a subset of the Internet market. These are portals that cater to users with a common interest, for example, a portal for users interested in travel. Though the user base is large, the site’s focus and content is limited.

Horizontal portals, often called mega portals, are large-scale sites that bring together a wide range of unrelated information. Many of these sites provide their own applications as well as links to other sites. Yahoo.com is an example of a horizontal portal. The horizontal portal has similar technology and infrastructure requirements as a vertical portal. It is only distinguished from the vertical portal by the size of the user base and the scope of content.

Issues Facing Internet Businesses

Portals, extranets, and intranets need to address the expanding and diverse user base and the ways these users access information. To do this, portals need to consider the following issues when implementing e-commerce infrastructure:

- Securing content

To increase business, sites need to allow users access without exposing themselves to security risks. Secure authentication and authorization must be available, which includes the ability to apply more strict security measures to sensitive resources.

- Managing users, entitlements, and granular access control reliably and cost effectively

Access must be based on entitlements, permitting different levels of access to different users; keeping the administration of user profiles efficient for entitlement-based access control is critical.

- Customizing the user experience

Users across the Internet economy want a positive experience when accessing information or engaging in a transaction. In addition to feeling that transactions are secure, users want to traverse different areas of a site without having to re-enter credentials each time, to visit sites related to their original destination, and to view content relevant to their needs. A successful e-business site must address these needs and find ways to distinguish itself from its competition to retain user loyalty.

- Scaling for large and small numbers of users and handling data traffic

Providing comprehensive capabilities to respond quickly to user requests even during high-peak traffic is important. If response is slow, users will go to other sites where they can get their information more quickly. In addition, a site needs to integrate legacy and new applications together.

- Integrating existing systems together with new Web-based methods of doing business

Being able to deploy e-business across heterogeneous hardware and software environments is necessary. Existing user directories may also need to be integrated.

- Providing a seamless integration between portal and affiliate sites

Visitors to a portal site should be able to link easily to related businesses. Establishing relationships should result in increased visibility and revenues for both the portal and the affiliate.

SiteMinder addresses all of these issues.

Chapter 2: Introducing SiteMinder

SiteMinder is a platform for secure portal, extranet, and intranet management. It meets key authentication, authorization, and personalization requirements for building and managing secure Web sites.

Using SiteMinder, administrators can easily implement security policies that protect Web applications and resources. It enables administrators to manage authentication and authorization privileges based on a user-centric, policy-based security model. SiteMinder can also help developers deliver secure Web applications on time and on budget by managing all of the complex security and management requirements.

SiteMinder Solutions for E-Commerce Issues

SiteMinder is a directory-enabled, standards-based system that can work with heterogeneous Web and application servers, operating systems, and application development platforms.

SiteMinder can do the following:

- Operate across multiple server platforms:
  - Microsoft IIS (NT and Windows 2000)
  - iPlanet Enterprise Server (NT, Windows 2000, Solaris, HP-UX, AIX)
  - Netscape Enterprise Server (NT, Windows 2000, Solaris, AIX, HP-UX)
  - Apache (Solaris)
  - Lotus Domino Application Server (NT, Windows 2000, Solaris)
  - BEA WebLogic Server (NT and Solaris)
  - IBM WebSphere Application Server Advanced Edition (NT and Solaris)

- Centralize control of user access privileges

- Leverage existing directory servers

SiteMinder provides native integration with industry-standard LDAP directory servers, NT domains, ODBC databases, and mainframe databases for authentication and access management.

In addition, SiteMinder can authenticate users against one directory server and authorize users against another directory. This is useful if authentication information is stored at a centralized user directory but authorization privileges reside in different distributed directories.

- Deliver an improved user experience

Using personalization, user registration services, anonymous user support, and single sign-on, SiteMinder improves Web site usability for each user.

- Provide delegated administration

SiteMinder offers a flexible administrative model that allows the management of SiteMinder objects and tasks to be delegated to any administrator.

- Scale for large or small sites

SiteMinder can support very large portals, with millions of users and thousands of applications as well as extranets and intranets with a smaller user base.

- Integrate applications and improve workflow

SiteMinder can integrate directories and external databases in its policies. This means that when a SiteMinder event occurs, for example, an authentication or authorization, SiteMinder can call external applications or libraries, and extract the necessary information from these sources. As a result, a company’s dynamic business data can be used directly to make user entitlement decisions.

- Allow easier Web application development

Web site developers can use SiteMinder to deliver secure personalized Web applications on time and within a budget by managing all of the complex security and entitlement requirements for those applications.

Privilege Management

The issue of privilege management is one of the most critical aspects for business. Users require access to information, but each user must be authenticated and then authorized based on their privileges before gaining access.

SiteMinder can meet the requirements for building and managing secure user-based Web sites and portals.

The privilege management model for Web resources often varies across Web servers, Web application servers, operating systems, and development tools. Consequently, the administration of one server can differ from the administration of another, and the privilege management capabilities offered by these various servers and tools can differ. These differences can lead to administrative problems as well as an inconsistent security framework.

The privilege management model for multi-tier applications can delegate user privileges differently for each tier. This implementation would allow users of one client to perform tasks that users of other clients could not.

SiteMinder’s ability to deliver user privilege information to Web applications makes it an excellent access control solution for applications based on a three- or four-tier Web-based distributed architecture.

Centralized Security Management

As user populations for portals, extranets, and intranets increase, delivering and securing content in heterogeneous environments can be done many different ways, depending on the platforms, operating systems, Web servers, and applications in use. Administering these more complex environments is often more costly and time consuming than administering single-platform environments. As a result, the quality of Web site security is sometimes lower in heterogeneous environments.

SiteMinder security management features let administrators make business processes and sensitive information available to users outside the company, giving partners and suppliers access to sales and marketing information, production schedules, and certain applications. The advantage of making this information available from an enterprise portal is that it improves time to market and business planning.

SiteMinder is a user-centric, policy-based security model.

Administrators can use SiteMinder to implement a security policy to protect Web applications and Web site content. By providing a user-centric, policy-based model for Web and portal site security, SiteMinder enables administrators to assign authentication schemes and define and manage authorization privileges to specific resources. Access permissions are specified by a set of rules that are bound to users or groups to form policies, not only on the basis of resources.

Basic authentication schemes (schemes that rely on username and password) often become targets for hackers. As a result, many of today’s users do not feel comfortable sending their personal information electronically with such minimal protection. Along with Basic authentication, SiteMinder supports other authentication methods including X.509 certificates and SSL connections, which eases many of the security fears of both users and administrators.

Policy-based Control of User Access

SiteMinder provides a single, browser-based, administrative system that extends across all intranet and extranet applications. Using a consistent security policy, multiple Web applications can be centrally managed.

A centralized approach to security management provides the following advantages:

- Applying the same security policy to each Web application eliminates the need to write complex code to manage security in each application.

- The time and cost to develop and maintain multiple security systems is reduced, making it comparable with developing and maintaining only one security system.

- Customers, business partners, and employees accessing the network all have their security privileges managed through SiteMinder whether they access the corporate network locally or remotely through the Internet or a private network.

SiteMinder’s user-centric approach to security policy management enables administrators to define rules to control the actions performed on a specific resource, and bind the rules to user groups defined in a directory service. Rules can be re-used within realms, to minimize the administration required to manage access control for a large environment.

SiteMinder does not require a client-side component. This makes installation, configuration, and ongoing management simple.


Open Platform and Environment Integration

SiteMinder easily integrates and scales with your existing technologies and environment.

In particular, SiteMinder integrates with the following:

- Web browsers

- Web and application servers

- User directory services

- Development tools and scripting environments

- Authentication mechanisms

- Public key infrastructures

- RADIUS devices

The following graphic shows SiteMinder’s support for a wide variety of technologies.

[Figure: SiteMinder technology support]

- Platforms: Web Agents (Microsoft IIS; Netscape on AIX, NT, HPUX, Solaris; Apache; Domino on NT, Solaris), Application Server Agents (WebSphere, WebLogic), Policy Servers (NT, UNIX)

- User Directories: ISOCOR (InJoin), IBM SecureWay, Microsoft Active Directory, Netscape Directory Server, NT Domains, Novell Directory Services, Oracle Internet Directory, PeerLogic i500, SQL Database, Mainframe directories

- Development Environments: all CGI scripting environments, including Allaire ColdFusion, Bluestone, Oracle Application Server, PERL, C, and ASP, Sun NetDynamics

- Authentication Methods: Anonymous, Custom methods, Combined methods, Forms, NTLM, Passwords, RADIUS, Tokens, X.509 Certificates (Cert. Revocation List checking)

- RADIUS Network Access Devices: Communication Servers, Firewalls, Proxy servers


SiteMinder Components

A SiteMinder installation consists of two main components: the SiteMinder Policy Server and the SiteMinder Agent.

The SiteMinder Policy Server is an NT or UNIX-based server that provides the following services:

- Policy-based user management

- Secure portal management

- Authentication services

- Authorization services

- User registration services

- Password services

- Session management

- Auditing services

The SiteMinder Agent integrates with Web servers, Web application servers, or custom applications to enforce security and user management functions based on pre-defined policies. For RADIUS environments, the Agent is a network access server (NAS).

SiteMinder supports the following types of Agents:

- Web Agents

- Application Server Agents

- Affiliate Agents

- Custom Agents

- RADIUS devices

The following diagrams illustrate different SiteMinder installations.


SiteMinder Installation with Affiliate, Web, and Application Server Agents

[Figure: a Policy Server, backed by a Policy Store, User Directories, and Accounting Logs, provides Authorization, Authentication, Administration, and Accounting. At the Portal Site, a Web Server with a Web Agent and an Application Server with an Application Server Agent front the Protected Resources. Each Affiliate Site runs a Web Server with an Affiliate Agent. The sites are connected over the Internet.]


SiteMinder RADIUS Installation

SiteMinder Policy Server

The Policy Server manages the access control policies established by an administrator. These policies define which resources are protected and which users or user groups are allowed access to resources. Using policies, you can set time constraints on resource availability and IP address constraints on the client attempting access.

The Policy Server runs on an NT or UNIX system and performs key security and portal management operations. To meet the security needs of each environment, the Policy Server supports a range of authentication methods and uses existing directory services to authenticate users. By supporting a wide range of authentication methods, the Policy Server provides flexibility and security for a diverse set of users.

To define policies, administrators use the SiteMinder Policy Server User Interface. This Web-based application enables you to create policies that protect any resource, and lets you configure responses that supply data for Web applications. Policies can be updated by administrators as the user population or the security requirements change.

The Policy Server generates audit logs that contain information about user activity relevant to SiteMinder. These logs can be printed in the form of pre-defined reports so that you can analyze security breaches or anomalies and correct them. You can also log auditing information to a console window.

[Figure: SiteMinder RADIUS Installation. The Policy Server (Authorization, Authentication, Administration, Accounting) uses a Policy Store, User Directories, and Accounting Logs; a RADIUS Server and a NAS on the RADIUS Network reach it across a Wide Area Network.]


SiteMinder Agents

A SiteMinder Agent integrates with a Web server, a Web application server, or a custom application to enforce access control based on pre-defined policies. For RADIUS environments, a NAS serves as a RADIUS Agent.

SiteMinder supports a variety of Agents, as described in the following sections.

For information about configuring Agents, refer to the SiteMinder Agent Operations Guide.

Web Agents

SiteMinder Web Agents work with the SiteMinder Policy Server to authenticate and authorize users for access to resources on a Web server.

The SiteMinder Web Agent is integrated with a Web server or a Web application server. The Agent intercepts requests for a resource and determines whether or not the resource is protected by SiteMinder.

The Web Agent works with the following Web servers:

- Microsoft IIS (NT and Windows 2000)

- Netscape iPlanet Enterprise (NT, Windows 2000, and UNIX)

- Apache (Solaris platforms only), configured as a standard server or a reverse proxy server

- Lotus Domino (NT, Windows 2000, and Solaris)

- Red Hat Stronghold SSL Web server 3.0 on Solaris 2.5.1, 2.6, 2.7

- IBM HTTP Server on Solaris 2.5.1, 2.6, 2.7

Note: Agents operating on Windows 2000 platforms do not support Password Services or Delegated Management Services (DMS).

If a resource is unprotected, a user gains access without intervention. If the resource is protected, the Web Agent interacts with the Policy Server to authenticate the user and determine if they are authorized to access the resource. When an authorization is successful, the Web Agent proceeds with the request. The Web Agent can also forward additional user-specific attributes to an application in the form of a response, which enables content personalization.


The Web Agent caches information about authenticated users and protected resources. Caching improves the processing of user requests and provides the mechanism to support single sign-on for multiple applications. Administrators can modify the caching parameters that control these services.

Web Agents provide a logging function to monitor the performance of the Web Agent and its communications with the Policy Server.

Apache Web Agent as a Reverse Proxy Agent

You can configure the Apache Web server to function as a reverse proxy server. A reverse proxy server is a type of proxy server that acts on behalf of clients outside an organization’s internal network.

Typically, a proxy server enables clients residing behind a firewall to access the Internet. A reverse proxy server allows clients outside the firewall to access a server behind the firewall. The reverse proxy server secures a backend server’s resources against unauthorized access.

If your environment uses an Apache reverse proxy server as a gateway to your backend servers, a SiteMinder Web Agent can protect these resources. The advantage of using a SiteMinder Web Agent with a reverse proxy server is that you can protect resources not already protected by a SiteMinder Web Agent. Also, your resources are secure for intranet and authorized Internet users.

[Figure: Apache Reverse Proxy Server with an Apache Web Agent. Elements shown: a User Request arriving from the Internet, a Firewall, the Apache reverse proxy running the Web Agent, an IIS Web Server (SSL) holding Payroll Resources, an Oracle Application Server holding Financial Resources, and the Policy Server with its Policy Store and User Store.]


Application Server Agents

A SiteMinder Application Server Agent secures resources deployed to application servers that follow the Java 2 Enterprise Edition (J2EE) standard. These resources can be Java servlets, JavaServer Pages (JSPs), and Enterprise JavaBean (EJB) components. The Application Server Agent intercepts requests for a resource and determines whether or not the resource is protected by SiteMinder.

The SiteMinder Application Server Agent works with the following application servers:

- BEA WebLogic Server 4.5.1 Service Pack 11 or 4.5.2 (NT and Solaris)

- IBM WebSphere Application Server Advanced Edition, Version 3.0.2 (NT and Solaris)

The SiteMinder Application Server Agent consists of two components:

- Java Servlet Agent: a collection of servlets that communicates with the Policy Server via the SiteMinder Agent API.

- EJB Agent: a component that integrates with the application server and communicates with the Policy Server like the servlet Agent. The EJB Agent protects only EJB components.

For complete information about Application Server Agents, refer to the SiteMinder Application Server Agent Guide.

Affiliate Agents

A SiteMinder Affiliate Agent provides a seamless connection from a main portal to an affiliate site without requiring a user to re-identify or provide additional information about themselves. The affiliate site can determine that the user has been registered at the main portal, and optionally, that the user has an active SiteMinder session. Based on policies configured at the portal for the affiliate, information can be passed to the affiliate and set as cookies or header variables for applications at the affiliate Web server.

The Affiliate Agent is the only SiteMinder component that resides at the affiliate site. The affiliate site does not require a full SiteMinder installation because an Affiliate Agent does not protect resources in the same way as a Web Agent. It simply provides user information to the affiliate Web server for use with its applications.


Affiliate Agents provide a logging function to monitor the performance of the Affiliate Agent and its communications with the Policy Server at the portal site.

Custom Agents

Custom agents together with the SiteMinder Policy Server can provide access control for a wide range of resources that extend beyond Web resources.

The SiteMinder Web Agent and the Policy Server protect Web resources that can be identified by a URL. However, because the Policy Server is a general-purpose rules engine, it can also protect any resource that can be expressed as a text string. It can also protect any operation to be performed on a resource. Consequently, a custom agent working with the Policy Server as the core engine, can extend the types of resources that SiteMinder can protect. These resources can be a software architecture method, an application, or a specific task performed by an application.

The Agent API enables you to create a custom Agent that can implement security for any type of resource. For example, an Administrator can create policies that control administrative functions on SNMP-based objects. These policies allow some users to perform an SNMP- SET PDU operation, which sets certain variables that are part of a managed object. Other users may only be allowed to perform a GET PDU operation, and others might be prevented from doing any SNMP operations. The custom Agent protects these objects by contacting the Policy Server whenever any SNMP operation is attempted on a managed resource.

For detailed information about creating custom Agents, refer to the SiteMinder Developer's API Guide.

RADIUS Devices

You can use the SiteMinder Policy Server as a RADIUS authentication server to authenticate users for access to network services. After a user is authenticated, the NAS, which controls network access, grants the user access. The NAS device serves as a SiteMinder RADIUS Agent. When you define a RADIUS Agent you specify the type of NAS that controls network access.

For detailed information about RADIUS, refer to the SiteMinder Deployment Guide.


SiteMinder Policies

SiteMinder provides security and access management based on policies. SiteMinder policies make access and security management more flexible and scalable because they are built around the user and that user’s relationship to the protected resource, not just the resource itself.

A policy protects resources by explicitly allowing or denying users access to resources. It specifies the resources that are protected, the users or groups that have access to these resources, the conditions under which this access should be granted, and the delivery method of those resources to authorized users. If a user is denied access to a resource, the policy also determines how that user is treated.

A SiteMinder policy binds rules and responses to users and user groups. The responses in a policy enable you to customize the delivery of content for each user, which cements a better relationship between a user and a site. Policies are stored in the policy store, which is the database that contains all the SiteMinder entitlement information.

The basic structure of a policy is shown in the following diagram.

[Figure: Policy = Rule (allows or denies access to a specific resource) + Response (action that occurs when a rule fires; optional) + IP Address (that the policy applies to; optional) + Time (when the policy can or cannot fire; optional) + Active Policy (custom extension of the policy; optional), bound to a User Directory (identifies users).]

When you construct a policy, you can include multiple rule-response pairs and bind them to individuals, user groups, or an entire user directory. You can also configure multiple policies to protect the same Web resources against different sets of users, adding responses that enable the Web application to further refine the Web content shown to the user.

One of the configuration options of a policy is a time restriction. If you specify a time restriction for a policy and a rule in that policy also contains a time restriction, the policy fires during the times when both restrictions overlap. For example, if a policy can only fire between 9:00AM and 5:00PM and the rule can only fire Monday through Friday, the policy can only fire between 9:00AM and 5:00PM, Monday through Friday. If a policy does not fire, the rule will not fire.

In addition to supporting static rules, you can configure an active policy. An active policy authorizes users based on dynamic data obtained from external business logic.

The next sections define the specific parts of a SiteMinder policy. For complete details about SiteMinder policies, refer to the SiteMinder Policy Server Operations Guide.

What is a Policy Domain?

A policy domain is a logical set of resources grouped together from an administrative perspective. For example, a corporate intranet may be implemented across five servers that support the Marketing and Finance divisions of a company. These divisions can be partitioned into a marketing policy domain and a finance policy domain.

Policy domains make the administration of a site much easier because independent administrators can be assigned policy management responsibilities for different domains based on their job function. As users or resources change, the administrator knows how to properly update the policy for the domain. After establishing policy domains, you then associate resources, rules, and responses with each domain.

The following diagram shows an example of a policy domain.

Example of a Policy Domain

[Figure: the Marketing Administrator manages the Marketing Policy Domain, using a User Directory of Marketing and Engineering Employees. The domain contains Marketing Strategy (Strategy.html) and Marketing Projects (Project_1.html, Project_2.html).]


What is a Resource?

When protected by a Web or Application Server Agent, a resource is any object that a user attempts to access or any privilege that a user attempts to get. The following table shows some examples of resources:

To identify resources and enable policies to reflect your site’s infrastructure, SiteMinder uses resource filters. A resource filter specifies the location of the resources in your Web or Application Server’s hierarchy of files and applications that you want to protect. It lets you group or single out resources for protection from different sets of users.

For Web servers, the resource filter always begins with the Web server root. For example, to protect files in mydirectory, the resource filter would be /mydirectory/.

For Java Application Servers, the resource filter begins at a directory in your classpath. For example, to protect methods for EJB1 the resource filter would be com.myorg.ejb1. To protect servlet1 it would be com.companyA.servlet1.

The following figure shows the directory structure on which the resource filter is based.

Resource         Example
Web page         /applications/myapp.exe
CGI script       /www.acme.com/price/1,2,0-a-0-0,000.html?st.dl.search.qs.results
Directory        /mydirectory
Servlet or EJB   com.mycompany.finance.payroll
JSP page         /promotions/offers.jsp


Resource Filter

[Figure: the directory structure on which the resource filter is based. /mydirectory/ holds file1.html, file2.html, file3.html, and script1 (these files can be protected). com.myorg holds ejb1 and ejb2, each with method1 and method2 (these EJBs and their methods can be protected). com.companyA holds servlet1, servlet2, and servlet3 (these servlets can be protected).]

The resource filter only specifies resource location; the specific resource or set of resources to be protected is defined in a rule.

What is a Realm?

A realm is a collection of resources grouped together according to security requirements. All resources in a realm are protected by the same Agent. You associate realms with policy domains; policy domains can contain one or more realms.

For example, engineering resources in the /engineering directory could be configured as a realm in the Development policy domain, as shown in the following diagram:

Example of a Realm

[Figure: the Engineering Realm inside the Development Policy Domain.]

To configure realms, think of the organization of your environment's resources as a directory structure of the resources that reside on your Web server. You need to determine which sections of the directory have common access requirements and identify them by their location in the directory tree as specified by the resource filter.

Each realm can require a different authentication method to gain access. For example, in the Development policy domain, you could have two realms, the Engineering realm with a resource filter of /engineering, which can be set up to require a password for authentication, and the System Test realm with a resource filter of /systemtest that can require certificate-based authentication.

What is a Rule?

A rule defines a set of actions for the resource it protects. For example, if a collection of CGI scripts is protected by a rule in a realm, one group of users is allowed access to the scripts, while another group of users is denied access and redirected to another site in the company’s network.

A rule is comprised of a realm, a resource, an action, and optionally, a time constraint, as shown in the following diagram:

Rule Definition

[Figure: Rule = Realm (identifies a group of resources and authentication) + Resource (Web pages, CGI scripts, applications, JSPs, EJBs, servlets) + Action (action allowed against resource) + Time (when the rule can or cannot fire; optional) + Active Rule (custom extension of the rule; optional).]

Included in a rule is the action that a user can perform on a resource after they have been granted access. For example, an Accounting realm can have a CheckReceivables rule that includes an HTTP GET action on the resource receivables/*. This rule states that an authenticated user can view all the files included in the receivables directory.


The Policy Server supports the following actions:

You can also configure a rule to fire based on specific authentication or authorization events. For example, you might configure a rule that includes an OnAuthReject action. When a user fails to authenticate, this rule is triggered, and it redirects the user to another URL.

You can configure a time restriction for a rule. This restriction is only applicable if the policy containing the rule fires. If the policy that contains a time restriction includes a rule with a time restriction, the policy fires when the two restrictions overlap.

In addition to supporting static rules, you can configure an active rule. An active rule authorizes users based on dynamic data obtained from external business logic. SiteMinder invokes a function in a customer-supplied shared library. This shared library must conform to the interface specified by the Authorization API described in the SiteMinder Developer’s API Guide.
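The overlap rule for time restrictions, stated here for rules and in the policy section above for policies, worked through as an added example (this is not code from the guide or from the product; the TimeRestriction type, the helper names, and the sample windows and timestamps are all constructed for the illustration):

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, Optional

# Constructed model of a time restriction (an assumption for this example, not the
# product's own data structure). Days use datetime.weekday(): Monday=0 ... Sunday=6.
ALL_DAYS = frozenset(range(7))
WEEKDAYS = frozenset(range(5))


@dataclass(frozen=True)
class TimeRestriction:
    days: FrozenSet[int] = ALL_DAYS
    start: time = time(0, 0)
    end: time = time(23, 59, 59)

    def allows(self, when: datetime) -> bool:
        """True when the request time falls inside this restriction."""
        return when.weekday() in self.days and self.start <= when.time() <= self.end


UNRESTRICTED = TimeRestriction()


def effective_window(policy: TimeRestriction, rule: TimeRestriction) -> Optional[TimeRestriction]:
    """The window in which the rule can fire: the overlap of the policy's and the rule's
    restrictions. None means the two never overlap, so the rule can never fire."""
    days = policy.days & rule.days
    start = max(policy.start, rule.start)
    end = min(policy.end, rule.end)
    if not days or start > end:
        return None
    return TimeRestriction(days, start, end)


def rule_fires(policy: TimeRestriction, rule: TimeRestriction, when: datetime) -> bool:
    """A rule fires only if its policy fires, so both restrictions must allow the request."""
    return policy.allows(when) and rule.allows(when)


# Constructed sample: the guide's 9:00AM-5:00PM policy combined with a Monday-Friday rule.
BUSINESS_HOURS = TimeRestriction(ALL_DAYS, time(9, 0), time(17, 0))
WORKDAYS = TimeRestriction(WEEKDAYS)

# Constructed request times (2001-06-13 is a Wednesday, 2001-06-16 a Saturday).
WEDNESDAY_NOON = datetime(2001, 6, 13, 12, 0)
WEDNESDAY_EVENING = datetime(2001, 6, 13, 18, 0)
SATURDAY_MORNING = datetime(2001, 6, 16, 10, 0)


if __name__ == "__main__":
    window = effective_window(BUSINESS_HOURS, WORKDAYS)
    print(sorted(window.days), window.start, window.end)
    print(rule_fires(BUSINESS_HOURS, WORKDAYS, WEDNESDAY_NOON))
    print(rule_fires(BUSINESS_HOURS, WORKDAYS, SATURDAY_MORNING))
```

Because the policy is checked first, a request outside the policy's window never reaches the rule's own restriction; effective_window makes that combined window explicit, which is useful when auditing why a rule never fires.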

What is a Response?

A response lets an administrator manage the user experience by passing data to applications that can personalize content. Responses contain sets of HTTP name/value pairs, which are paired with rules. When a rule is triggered, the Policy Server returns the response attributes to a SiteMinder Agent. The Agent passes these attributes to the HTTP headers, which make the data available to the applications on the server.

Actions supported by the Policy Server, by Agent type:

Type of SiteMinder Agent    Actions
Web Agent                   HTTP Get, HTTP Post, HTTP Put
Affiliate Agent             Visit - this action lets the SiteMinder portal and the affiliate interact.
Application Server Agent    For servlets: doGet, doPost. For EJBs: invoke, lookup, load, close
RADIUS                      Authenticate - a RADIUS server only authenticates users.

The table that follows shows how a response can be used to customize content. In this example, there are two access levels for a set of users: basic access and privileged access. The buttons that the application displays are dependent on the access level associated with each user.

For basic access, the user sees only three buttons; for privileged access the user sees six, as shown in the following diagram.

Response Example

Response Name       Response Attributes
Basic_Access        ShowButton1=Yes, ShowButton2=Yes, ShowButton3=Yes
Privileged_Access   ShowButton1=Yes, ShowButton2=Yes, ShowButton3=Yes, ShowButton4=Yes, ShowButton5=Yes, ShowButton6=Yes

[Figure: the same Acme Software.com page (Address http://www.acme.com) as seen by a Basic User, with the buttons Priority Email, View Account, and Create Ticket, and by a Privileged User, with Priority Email, View Account, Create Ticket, Update Ticket, Order Upgrade, and Priority Service.]

Responses can also contain data from a user directory profile or some other directory object's profile. For example, the attribute "USER_ADDR=123 Main St." could be passed to an application.

SiteMinder also supports active responses. An active response includes data from external business logic. When a rule with an active response fires, the Policy Server executes a custom library program, which returns response attributes to the application.

You can configure responses using common scripting languages and programming environments, including Microsoft Active Server Pages (ASPs), Java servlets, JSPs, and CGI-compliant environments.

SiteMinder Authorization Process

The SiteMinder authorization process brings the components of a SiteMinder policy together. Authorizing a user for access requires that the Policy Server determine which policies have rules that trigger when a user attempts to access a particular resource.

The Policy Server performs two primary functions in the following order:

- Determines whether a resource is protected

  The Web Agent asks the Policy Server whether a resource is protected, which prompts the Policy Server to check the configured rules and determine the answer. If the resource is protected, the Policy Server instructs the Web Agent to challenge the user for credentials so it can authenticate the user.

- Determines whether a user is authorized

  After determining protection and authentication, the Policy Server looks for applicable policies for the user and the resource and collects the privileges that the policy permits.

Authorizing Users

When a user attempts to access a protected resource, the Policy Server first authenticates the user. Users are then authorized to access resources based on policies configured by an administrator.

A user is authorized as follows:

1. The SiteMinder Agent sends the details of the HTTP request along with the user’s identity to the Policy Server for authorization.

2. The Policy Server determines which policies protect the resource in question and whether or not the policies apply to the user attempting access.

3. The Policy Server communicates its decision to grant or deny user access along with the applicable responses to the Agent.


4. If access is granted by the Policy Server, the Agent adds the attributes to the HTTP header, which is then forwarded to the Web or application server for processing.

The authorization process also includes user-configurable SiteMinder actions, which are configured on a per-realm basis. These actions, which are configured as response attributes, instruct the Policy Server to accept or reject user requests if the user is authenticated or authorized. For example, if a user is allowed access, the action may be to reject the user and redirect them to another resource. This is referred to as an OnAccessReject action.

SiteMinder’s policy-based management is a user-centric approach that enables administrators to manage authorizations and customize content on a per-user or per-group basis.

For example, an administrator can create a policy that contains a rule tied to an authorization event. When an authenticated user assigned to a “bronze” user group accesses a Web application, the Policy Server authorizes the user and sends a response allowing them access to their account balance. However, the administrator might define a different response for users assigned to the “gold” user group. When these users access the same Web application, they can not only check their account balances, but they can also transfer funds between accounts. In each scenario, the group the user belongs to determines their authorization privileges.

Structuring Authorization Levels with Nested Realms

To provide secure access to authorized users, you can set up a security model to reflect the hierarchical structure of your site’s protected resources. To do this, you can configure a series of realms and sub-realms to reflect this hierarchy. Nested realms enable you to set up a security model in which each layer has progressively stricter security requirements, with different privileges, personalization, and handling requirements.

The following diagram shows how nested realms can represent a directory structure for resources on a Web server.

[Figure: Directory Structure alongside Realms and Nested Realms. The /marketing/ directory contains the subdirectories competitors/ and new_products/, with the files index.html, list.html, strategy.html, pricing.html, and description.html distributed among them. The realms /marketing/, /new_products/, and /competitors/ follow that layout and use Basic Authentication (Protection Level 5), HTML Forms Authentication (Protection Level 10), and X509 Client Certificate Authentication (Protection Level 15).]

For all realms that share the same resources, the Policy Server goes through the realms hierarchically and evaluates policies in all matching realms, starting with the least-secure realm and moving to the most secure. The least secure realm is the first realm in the directory structure and the most secure is the last.

For example, in the diagram above, the policy domain reflects the directory hierarchy of your resources. You can configure different levels of protection for the resources in the /marketing/competitors/directory than for the resources in the /marketing/new_products directory.
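Realm matching and the least-secure-to-most-secure evaluation order, together with the resource filter semantics from the Resource Filter section (Web filters are paths from the server root, Java filters are package prefixes) and the realm-relative rule resource from the Rule Definition section, as an added example. This is not code from the guide or the product: the Realm type, the helper names, and the sample realms are constructed, and which authentication scheme guards which marketing subdirectory is an assumption made for the illustration.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List

# Constructed model of a realm (an assumption for this example, not the product's own
# objects): a resource filter, the authentication scheme it requires, and its protection level.


@dataclass(frozen=True)
class Realm:
    name: str
    resource_filter: str    # Web: path from the server root; Java: package/class prefix
    auth_scheme: str
    protection_level: int


def filter_matches(resource_filter: str, resource: str) -> bool:
    """Web filters cover a directory and everything below it; Java filters cover a
    class or package and everything inside it (dotted prefix)."""
    if resource_filter.startswith("/"):
        base = resource_filter.rstrip("/")
        return resource == base or resource.startswith(base + "/")
    return resource == resource_filter or resource.startswith(resource_filter + ".")


def matching_realms(realms: List[Realm], resource: str) -> List[Realm]:
    """Every realm whose filter covers the resource, in the order the Policy Server
    evaluates them: the realm highest in the tree (least secure) first, the deepest
    (most secure) last."""
    hits = [r for r in realms if filter_matches(r.resource_filter, resource)]
    return sorted(hits, key=lambda r: len(r.resource_filter.rstrip("/")))


def rule_matches(realm: Realm, rule_resource: str, resource: str) -> bool:
    """A rule's resource is relative to its realm's filter, e.g. realm /accounting/ plus
    rule resource receivables/* covers /accounting/receivables/jan.html. The '*' is an
    fnmatch-style glob, so it also descends into subdirectories."""
    pattern = realm.resource_filter.rstrip("/") + "/" + rule_resource
    return fnmatchcase(resource, pattern)


def evaluation_order(realms: List[Realm], resource: str) -> List[str]:
    """Names of the matching realms in evaluation order."""
    return [r.name for r in matching_realms(realms, resource)]


# Constructed nested realms following the figure's directory tree (scheme-to-directory
# assignment assumed).
MARKETING_REALMS = [
    Realm("Marketing", "/marketing/", "Basic Authentication", 5),
    Realm("New Products", "/marketing/new_products/", "HTML Forms Authentication", 10),
    Realm("Competitors", "/marketing/competitors/", "X509 Client Certificate Authentication", 15),
]

# Constructed Java realms following the Resource Filter section's com.myorg.ejb1 example.
JAVA_REALMS = [
    Realm("EJB1", "com.myorg.ejb1", "Basic Authentication", 5),
    Realm("Servlet1", "com.companyA.servlet1", "Basic Authentication", 5),
]

# Constructed realm for the CheckReceivables rule example.
ACCOUNTING = Realm("Accounting", "/accounting/", "Basic Authentication", 5)


if __name__ == "__main__":
    print(evaluation_order(MARKETING_REALMS, "/marketing/competitors/pricing.html"))
    print(rule_matches(ACCOUNTING, "receivables/*", "/accounting/receivables/jan.html"))
```

The prefix test deliberately requires a path separator after the filter, so /marketing/ never covers a sibling such as /marketingx/, and com.myorg.ejb1 never covers com.myorg.ejb10; a looser string prefix would silently extend a realm's protection level to unrelated resources.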

Denying Access

By default, a rule allows access to a resource; however, you can create a rule to deny access to a resource. A deny access rule always takes precedence over an allow access rule. This ability to create allow and deny access rules enables you to configure two different policies for resources in the same realm but for different users. One policy allows certain users access, while the other denies a different group of users access.

Extending Authorization Functionality

Using the SiteMinder Authorization API, administrators can extend SiteMinder's authorization functionality and integrate custom programs and legacy data into decision-making processes. This is useful when the access control decisions of a Web application depend on existing business rules or databases. For example, an administrator might define a policy that is only valid if a user's account balance is greater than a specified amount.
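The authorization decision as a whole, as an added example covering the four steps under Authorizing Users, the bronze/gold responses, the deny-over-allow precedence from Denying Access, an active check of the account-balance kind described just above, and the SNMP GET/SET case from the Custom Agents section (the engine compares plain resource and action strings, which is what lets one rules engine serve both). This is not code from the guide or the product: the Rule, Policy, and User types, the SM_ header prefix, the snmp:// resource naming, and every sample policy, user, and address are constructed for the illustration.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Tuple

# Constructed, simplified model of the policy objects in this chapter (an assumption for
# this example, not the Policy Server's own API). Resources are plain strings, so a Web
# path and an SNMP managed object are handled by the same logic.


@dataclass(frozen=True)
class Rule:
    resource: str            # fnmatch-style pattern, e.g. "/bank/account/*"
    action: str              # "GET", "POST", "SET", ... whatever the Agent reports
    allow: bool = True       # a deny rule always takes precedence over an allow rule


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    groups: List[str]                                  # user groups the policy is bound to
    responses: Dict[str, str] = field(default_factory=dict)
    ip_prefix: Optional[str] = None                    # optional client IP restriction
    active: Optional[Callable[[dict], bool]] = None    # external business logic hook


@dataclass
class User:
    name: str
    groups: List[str]
    attributes: dict = field(default_factory=dict)     # directory profile data


def is_protected(policies: List[Policy], resource: str, action: str) -> bool:
    """Step 1: the Agent asks whether any rule covers this resource and action.
    If none does, the request passes through without a credential challenge."""
    return any(r.action == action and fnmatchcase(resource, r.resource)
               for p in policies for r in p.rules)


def authorize(policies: List[Policy], user: User, resource: str, action: str,
              client_ip: str) -> Tuple[bool, Dict[str, str]]:
    """Steps 2-3: find the policies that apply to this user and resource, collect the
    responses of the allowing ones, and let any matching deny rule override them."""
    granted, denied, attrs = False, False, {}
    for p in policies:
        if not set(p.groups) & set(user.groups):
            continue
        if p.ip_prefix is not None and not client_ip.startswith(p.ip_prefix):
            continue
        if p.active is not None and not p.active(user.attributes):
            continue
        for r in p.rules:
            if r.action != action or not fnmatchcase(resource, r.resource):
                continue
            if r.allow:
                granted = True
                attrs.update(p.responses)
            else:
                denied = True
    if denied:
        return False, {}
    return granted, attrs


HEADER_PREFIX = "SM_"   # assumed naming for the headers the Agent adds; not the product's


def forward_headers(client_headers: Dict[str, str], attrs: Dict[str, str]) -> Dict[str, str]:
    """Step 4: add the response attributes to the headers forwarded to the application.
    Headers carrying the Agent's prefix are taken only from the Agent, never from the
    client, so the application can rely on their values."""
    out = {k: v for k, v in client_headers.items() if not k.upper().startswith(HEADER_PREFIX)}
    out.update({HEADER_PREFIX + k: v for k, v in attrs.items()})
    return out


# Constructed sample policies: the bronze/gold example, a deny policy, an IP-restricted
# policy, an active policy gated on account balance, and SNMP operations for a custom Agent.
SAMPLE_POLICIES = [
    Policy("Bronze", [Rule("/bank/account/*", "GET")], ["bronze", "gold"], {"SHOW_BALANCE": "Yes"}),
    Policy("Gold", [Rule("/bank/account/*", "GET")], ["gold"], {"SHOW_TRANSFER": "Yes"}),
    Policy("Transfers", [Rule("/bank/account/transfer", "POST")], ["gold"],
           active=lambda attrs: attrs.get("balance", 0) > 1000),
    Policy("BlockContractors", [Rule("/bank/account/*", "GET", allow=False)], ["contractors"]),
    Policy("IntranetAdmin", [Rule("/admin/*", "GET")], ["admins"], ip_prefix="10."),
    Policy("SnmpWriters", [Rule("snmp://router1/*", "SET")], ["netops"]),
    Policy("SnmpReaders", [Rule("snmp://router1/*", "GET")], ["netops", "helpdesk"]),
]

if __name__ == "__main__":
    gold = User("gina", ["gold"], {"balance": 5000})
    print(authorize(SAMPLE_POLICIES, gold, "/bank/account/balance", "GET", "10.0.0.5"))
```

Two design points carry over to any policy engine of this shape: the deny decision is computed after every applicable policy has been visited, so ordering of policies cannot accidentally let an allow win, and the attributes returned to the application come only from policies that actually granted access, so a rejected request never leaks a response.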


SiteMinder Features

This chapter describes advanced SiteMinder features that you can implement for your site.

Note: For environments that use Java Application Servers, there are some feature limitations. For specific information about which features are supported, refer to the SiteMinder Application Server Agent Guide.

Single Sign-on

Single sign-on (SSO) is the ability for a user to authenticate once and then access other protected resources without re-authenticating. SiteMinder can implement SSO within a single domain or across multiple Internet domains. This feature provides the user a seamless transition across different sites and portals.

For information about configuring single sign-on, refer to the SiteMinder Agent Operations Guide.

SSO in a Single Domain

A single domain environment is one in which all resources exist in the same cookie domain. Multiple Web Agents within the same cookie domain can be configured for SSO provided that you specify the same cookie domain in each Web Agent’s configuration.

If SSO is enabled, the Web Agent caches the successful authentication and issues an SSO cookie to the user’s browser. When the user accesses protected resources in other realms with the same protection level, they do not have to re-authenticate. Also, if the user moves to another Web server within this cookie domain, the SSO cookie provides the session information needed to allow the user access, provided the protection level rules are maintained.

The following diagram shows SSO in a single cookie domain.

Note: If you are using replicated user directories with non-replicated policy stores, the user directory must be named identically for all policy stores. Also, the session ticket key, which encrypts session tickets, must be the same for all key stores in the SSO environment. The session ticket determines the duration of a valid user session.

SSO Across Multiple Domains

Users are often required to log on and enter their credentials multiple times as they access different applications and resources on separate servers. This leads to frustration, wasted time, and security concerns if passwords are written down and kept within the office working area.

Cookie provider passes user information to other domains.

In an environment that includes resources located across multiple cookie domains, SiteMinder supports single sign-on across applications running on heterogeneous Web and application server platforms.

SiteMinder implements SSO across multiple cookie domains using a cookie provider. The cookie provider, which is a specially configured SiteMinder Agent, passes a cookie that contains the user’s identity and session information to other cookie domains in the SSO site. The user can then authenticate across the entire site. If the user’s browser is missing this cookie, the cookie provider sets it.

[Figure: SSO in a single cookie domain (mycompany.com). A Policy Server serves a Web Server with a Web Agent that protects /app1/ in Policy Domain 1, and a Policy Server serves an Application Server with an Application Server Agent that protects servlet1 in Policy Domain 2.]

Within the SSO site, users are only challenged for identification upon their first attempt to access a resource. After they are authenticated and authorized, users can move freely between different realms that are protected by authentication schemes of an equal or lower protection level without re-entering their identification information.

The following diagram shows SSO across multiple cookie domains.

Note: SSO across multiple cookie domains does not require that the same user directory be used across the SSO environment. However, if you are using replicated user directories with non-replicated policy stores, the user directory must be named identically for all policy stores. Also, the session ticket key, which encrypts session tickets, must be the same for all key stores in the SSO environment. The session ticket determines the duration of a valid user session.

SiteMinder’s support for SSO improves the overall user experience by making it easier to move between servers and applications. It also lowers the administrative costs by allowing users to access the data they need using only one password instead of multiple passwords.

[Figure: SSO across multiple cookie domains. Web Servers and an Application Server with protected applications in yourcompany.com, subsidiaryA.com and subsidiaryB.com; the user authenticates once to any domain and the authentication session (session identity) is passed to the other domains automatically.]

Authentication Scheme Protection Levels for SSO

SiteMinder lets administrators assign protection levels to authentication schemes. The level can be a number from 1 through 20, with 1 being the least secure and 20 being the most secure. These protection levels enable administrators to implement authentication schemes with an additional measure of security and flexibility for an SSO environment.

A user who is authenticated in one realm can access a resource in another realm if the second realm is protected by an authentication scheme of an equal or lower protection level. As long as the protection level is the same or lower, that user does not need to re-authenticate. If a user tries to access a resource protected by an authentication scheme with a higher protection level, SiteMinder prompts the user to re-enter their credentials.
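The two conditions that govern whether an SSO session is honoured, the cookie being visible to the Web Agent (the single-domain section above) and the target realm's protection level being no higher than the level the user authenticated at (this section), are easy to state as a small decision function. The following is an added example, not SiteMinder code: SsoSession, Realm, cookie_visible() and sso_decision() are invented names, and the sample levels 5, 10 and 15 are taken from the guide's own Basic, HTML forms and X509 example.

```python
"""SSO re-authentication decision by cookie domain and protection level.

Added illustration; not SiteMinder code. SsoSession, Realm and
sso_decision() are invented names; the 1-20 range and the sample levels
come from the text.
"""
from dataclasses import dataclass
from typing import Optional

MIN_LEVEL, MAX_LEVEL = 1, 20


@dataclass(frozen=True)
class SsoSession:
    user: str
    cookie_domain: str      # domain the SSO cookie was issued for, e.g. ".mycompany.com"
    protection_level: int   # level of the scheme the user authenticated with

    def __post_init__(self):
        if not MIN_LEVEL <= self.protection_level <= MAX_LEVEL:
            raise ValueError("protection level must be between 1 and 20")


@dataclass(frozen=True)
class Realm:
    name: str
    protection_level: int   # level of the authentication scheme protecting it


def cookie_visible(cookie_domain: str, host: str) -> bool:
    """A browser only sends a cookie to hosts inside the cookie's domain.

    Outside that domain the session is invisible to the Web Agent, which is
    why SSO across cookie domains needs the cookie provider.
    """
    domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def sso_decision(session: Optional[SsoSession], realm: Realm, host: str) -> str:
    """Return "allow" or the reason the user must be challenged again."""
    if session is None:
        return "challenge: no session"
    if not cookie_visible(session.cookie_domain, host):
        return "challenge: session cookie not visible in this cookie domain"
    if realm.protection_level > session.protection_level:
        return "challenge: realm requires a higher protection level"
    # equal or lower level: the existing authentication is accepted
    return "allow"


# Constructed sample: the user logged in with HTML forms (level 10).
FORMS_SESSION = SsoSession("alice", ".mycompany.com", 10)
BASIC_REALM = Realm("/marketing/", 5)          # Basic, level 5
FORMS_REALM = Realm("/new_products/", 10)       # HTML forms, level 10
CERT_REALM = Realm("/competitors/", 15)         # X509 client certificate, level 15

if __name__ == "__main__":
    for realm in (BASIC_REALM, FORMS_REALM, CERT_REALM):
        print(realm.name, sso_decision(FORMS_SESSION, realm, "www.mycompany.com"))
    print(sso_decision(FORMS_SESSION, BASIC_REALM, "www.subsidiaryA.com"))
```

The last call shows the cross-domain case: the session is perfectly valid, but a browser will not present a mycompany.com cookie to subsidiaryA.com, so without a cookie provider the user is challenged again even for a level-5 realm.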

Affiliate Services

A common feature of any portal is its relationship to affiliate sites. An affiliate site provides resources and services related to the main portal. For example, companyA.com and companyB.com have an agreement that visitors to companyA.com receive special privileges for purchases at companyB.com. These two sites are affiliates.

Affiliate Agents connect portal and affiliate sites.

A SiteMinder Affiliate Agent provides a seamless connection from a main portal to an affiliate site without requiring a user to re-authenticate or provide additional information at the affiliate site. The Affiliate Agent extends the single sign-on and personalization capabilities provided by SiteMinder at the portal site to an affiliate site.

At the affiliate site, there is only a partial SiteMinder installation that includes an Affiliate Agent; there is no Policy Server. The affiliate site does not require a full installation because an Affiliate Agent does not protect resources in the same way as a Web Agent. It simply provides user information to a Web server for use with its Web applications, which use the information to personalize Web content for each user. The Affiliate Agent enables the affiliate to determine that the user has been authenticated at the main portal.

Portal Sites and Affiliates

The more seamless the relationship between the main site and the affiliate, the greater the chances for improving revenue and user relationships for both sites. Also, as affiliates and main sites develop partnerships, the user can benefit from receiving preferential treatment from one site if they have already visited the affiliate site, and vice versa.

For information about Affiliate Agents, refer to the SiteMinder Agent Operations Guide. For instructions on configuring policies for portal and affiliate communication, refer to the SiteMinder Policy Server Operations Guide.

Registration Services

As the number of users and their needs grow, registering them becomes increasingly time consuming and costly. SiteMinder’s user registration services simplify this task.

You can customize forms for user registration.

SiteMinder provides user registration services for LDAP user directories. Using customized forms, users can register themselves or they can be registered by administrators. An administrator may want to register users for resources that require strict security instead of letting users have this ability.

The following diagram illustrates SiteMinder’s user registration services.

[Figure: Portal and affiliate communication. A Portal Site (Web Agent/Web Server) backed by a Policy Server communicates with an Affiliate Site (Affiliate Agent/Web Server).]

User Registration

User registration makes user management much easier for portal sites, particularly for those sites that receive many anonymous users and want an efficient method to enter them into the portal’s user directories.

Delegated Management Services

For large Web sites and portals, the task of managing users can be time consuming and overwhelming for a single administrator. SiteMinder’s Delegated Management Services (DMS) make the administration of LDAP user directories more manageable.

DMS uses a two-tiered delegation structure to manage users in an LDAP directory. This structure includes the following two administrator levels:

• Super Administrator

• Organization Administrator

[Figure: SiteMinder’s user registration services. Components shown: custom registration form, Web Server, Web Agent, user registration servlet, Policy Server, Policy Store, LDAP Directory, protected resources.]

The Super Administrator has the highest level of privileges. A Super Administrator can search, create, modify, and delete user and organization entries throughout an entire directory. The Super Administrator can also create organization administrators and then delegate management responsibilities for a specific organization to such an administrator. Delegating the management role benefits an organization because the people most familiar with an organization can control the access privileges of each of its members. It also lets the Super Administrator reduce their own administrative burden.

The Organization Administrator can add, modify, create, and delete users in a group within the organization. These types of administrators have a much more focused scope than the Super Administrator.

A Super Administrator or Organization Administrator can group users together based on their user roles. A DMS user role defines the function of a user in an organization and grants a user membership in a group. A user role is synonymous with a DMS group. For example, you can assign a user the role Accountants and that user will be included in the group Accountants. The user role also determines the access privileges for that person because the group is bound to SiteMinder policies. To determine all the roles for an individual user, DMS can look across multiple LDAP directories.

In addition to the management capabilities, DMS also incorporates SiteMinder’s user registration services. User registration services enable users to register themselves, eliminating the need for an administrator to add a user to a directory manually. Administrators can also register users if they want to have more control of the registration process. For more information, refer to Registration Services on page 45.

DMS Configuration Wizard

DMS includes an easy-to-use configuration wizard that creates all of the SiteMinder objects required to run DMS automatically. After you have run the configuration wizard, you can use the default configuration or modify the DMS objects to suit your applications.

Anonymous User Services

Many users visit a site without registering or leaving any record of their identity. This makes it difficult to attract users to a site and customize business applications. The ability to collect information and track their behavior provides portals and extranets with the information to customize services and applications.

SiteMinder has the ability to track anonymous users with an anonymous authentication scheme. Using a Globally Unique Identifier (GUID) that the Policy Server assigns, SiteMinder can track user behavior within the realm protected by the anonymous authentication scheme and record the results in Web server logs. In addition, you can bind policies to anonymous users to provide personalized content for the entire group of anonymous users.

Note: Implementing anonymous authentication does not provide access control for the resources in a realm.

Directory Integration

Policy administrators often work with multiple user directories to store information about the user population for each application. For example, a list of approved users might need to exist in multiple repositories because there is no centralized directory used by all the applications. Duplicating user lists is inefficient because the administrator needs to synchronize redundant databases on a constant basis.

SiteMinder works with native user directories.

SiteMinder integrates with your local directory service to provide user authentication and to enforce access control policies based on a user’s identity attributes and group membership. SiteMinder allows you to use your existing NT domains, an LDAP directory, or an ODBC-compliant database as a user directory; with SiteMinder, there is no separate proprietary user database.

By integrating with and supporting existing directories, SiteMinder can do the following:

• Eliminate the complexities of using a separate database of user names and attributes for each application.

• Eliminate redundant administration of users and groups that can occur with multiple directories.

• Eliminate synchronization issues across application-specific directories.

Directories are integrated into SiteMinder by linking namespaces to SiteMinder policy domains, which makes SiteMinder well suited to the needs of extranets that maintain a different namespace for each user category, such as employees, vendors, and partners.

Multiple namespaces can be linked to a single SiteMinder policy domain, which allows SiteMinder to authenticate and authorize users from several directories. Each SiteMinder policy domain can be associated with a configurable sequence of directories. SiteMinder searches these directories with optimal speed by using an administrator-defined order, which is based on expected user population and access patterns. SiteMinder searches sequentially through each of these namespaces looking for matching credentials. The first match in the namespace sequence determines the authenticated identity of the user.

SiteMinder uses directories in several ways:

• Users can be authenticated based on their identity in a directory.

• SiteMinder policies can be associated with directory objects such as users and groups. When a user attempts to access a protected resource, all policies that protect the resource are checked to determine whether they apply directly to the user or to a directory object such as a group to which the user belongs.

• The attributes of a user in a directory can be included in SiteMinder responses. This feature is useful for Web applications that require personalization based on user profiles.

• SiteMinder can use certain LDAP-enabled directories as policy repositories. This option allows multiple SiteMinder Policy Servers to leverage an LDAP directory for policy storage and user storage. Replication between directory servers ensures that Policy Servers always get up-to-date policy and user information.

For more information about user directories, refer to the SiteMinder Policy Server Operations Guide.

LDAP Directory Support

SiteMinder can work with all leading LDAP user directories. SiteMinder policies can be associated with any object in an LDAP directory that belongs to one of the following object classes:

• organizationalRole

• organization

• organizationalUnit

• person

• organizationalPerson

• inetOrgPerson

• residentialPerson

• groupOfNames

• groupOfUniqueNames

Configuration options are provided to extend this support to other object classes.

In addition to objects, SiteMinder policies can be associated with any user attribute via LDAP queries. For example, you could associate a policy with email addresses using the mail attribute of an LDAP object class. This powerful feature allows flexible security policies to be created based on a set of users with common attributes rather than on organizational factors.

SiteMinder responses can be set up to use the extensive features and flexibility of LDAP directories. Response attributes can be configured to include specific user attributes from a directory. If the existing object class structure does not include the information you want to use, you can customize the directory schema.

LDAP directories can also be used for policy storage. SiteMinder provides access control attributes in an LDAP directory to prevent other applications from modifying the policy store.

LDAP Expression Editor

For policies that use an LDAP directory to authenticate and authorize users, the LDAP Expression Editor lets you bind users, groups, and organizations to policies using search expressions. These search expressions can contain attributes of the user, group, and organization profiles to improve the efficiency of searches through the directory.

For example, if your LDAP directory has a group called domestic sales with an attribute of country=USA, you can bind the entire group to a policy; you are not limited to searching for only individual users with this attribute. This makes it easier to associate users with policies because you are not manually searching through an entire directory and selecting individual users.

When you create an LDAP search expression, the expression instructs the Policy Server to go through the directory and find all entries that satisfy it. The policy is then applied to those users. You can search for users based on common characteristics, and the editor also lets you create expressions that combine conditions with the operators and, or, and not.
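The expressions the editor produces are ordinary LDAP search filters, and the set of users a policy binds is exactly the set of entries the filter matches. The following added example (not SiteMinder code; Eq, And, Or, Not and bind_users() are invented names, the directory entries are constructed) builds such filters from attribute conditions and evaluates them against in-memory entries. It escapes assertion values as RFC 4515 specifies, a later standard than this guide, which matters whenever an attribute value in a filter originates from user input: an unescaped "*" or ")" would otherwise change the shape of the filter rather than the value being matched.

```python
"""Building and evaluating LDAP search expressions.

Added illustration for the LDAP Expression Editor discussion; not
SiteMinder code. Class and function names are invented and the directory
entries are constructed sample data.
"""
from typing import Dict, List, Union

Entry = Dict[str, Union[str, List[str]]]

# RFC 4515 escaping for the characters that have meaning inside a filter.
_ESCAPES = {"*": "\\2a", "(": "\\28", ")": "\\29", "\\": "\\5c", "\x00": "\\00"}


def escape_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _values(entry: Entry, attr: str) -> List[str]:
    """Attributes may be single- or multi-valued; normalise to a list."""
    v = entry.get(attr, [])
    return [v] if isinstance(v, str) else list(v)


class Eq:
    """attr=value equality; string matching is case-insensitive, as it is
    for the common directory string syntaxes."""
    def __init__(self, attr: str, value: str):
        self.attr, self.value = attr, value

    def to_filter(self) -> str:
        return f"({self.attr}={escape_value(self.value)})"

    def matches(self, entry: Entry) -> bool:
        return any(v.lower() == self.value.lower() for v in _values(entry, self.attr))


class And:
    def __init__(self, *terms):
        self.terms = terms

    def to_filter(self) -> str:
        return "(&" + "".join(t.to_filter() for t in self.terms) + ")"

    def matches(self, entry: Entry) -> bool:
        return all(t.matches(entry) for t in self.terms)


class Or:
    def __init__(self, *terms):
        self.terms = terms

    def to_filter(self) -> str:
        return "(|" + "".join(t.to_filter() for t in self.terms) + ")"

    def matches(self, entry: Entry) -> bool:
        return any(t.matches(entry) for t in self.terms)


class Not:
    def __init__(self, term):
        self.term = term

    def to_filter(self) -> str:
        return "(!" + self.term.to_filter() + ")"

    def matches(self, entry: Entry) -> bool:
        return not self.term.matches(entry)


def bind_users(directory: Dict[str, Entry], expr) -> List[str]:
    """DNs of every entry satisfying the expression: the users a policy
    bound to that expression applies to."""
    return sorted(dn for dn, entry in directory.items() if expr.matches(entry))


# Constructed sample directory (DN -> attributes).
DIRECTORY: Dict[str, Entry] = {
    "uid=jane,ou=people,o=example": {"ou": "Domestic Sales", "c": "USA", "employeeType": "employee"},
    "uid=raj,ou=people,o=example": {"ou": "Domestic Sales", "c": "India", "employeeType": "employee"},
    "uid=li,ou=people,o=example": {"ou": "Marketing", "c": "USA", "employeeType": "employee"},
    "uid=tom,ou=people,o=example": {"ou": "Domestic Sales", "c": "USA", "employeeType": "contractor"},
}

# The guide's example: the domestic sales group restricted to country=USA.
DOMESTIC_SALES_USA = And(Eq("ou", "Domestic Sales"), Eq("c", "USA"))
# US staff who are not contractors.
STAFF_NOT_CONTRACTORS = And(Eq("c", "USA"), Not(Eq("employeeType", "contractor")))

if __name__ == "__main__":
    print(DOMESTIC_SALES_USA.to_filter(), bind_users(DIRECTORY, DOMESTIC_SALES_USA))
    print(STAFF_NOT_CONTRACTORS.to_filter(), bind_users(DIRECTORY, STAFF_NOT_CONTRACTORS))
```

Keeping the filter as a structure (objects) rather than a string until the last moment is what makes the escaping reliable: every value passes through escape_value() exactly once, at the point where it is rendered.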

LDAP Referrals

An LDAP referral is a feature of an LDAP server. If a server receives a request for information that it does not have, the server sends an LDAP referral back to the client. The referral contains the address of a server that does have the requested data. The client then forwards the request to this server. In a SiteMinder environment, the client is usually the Policy Server.


Some of the advantages of LDAP referrals are that the client request is easily fulfilled, a request can be passed on to a non-LDAP server or a server outside your organization, and data can be distributed among servers so one system is not overburdened.

SiteMinder supports two types of LDAP referrals:

• Write referrals—enable changes that are written to a master LDAP directory to be replicated to any slave LDAP directories.

• Read referrals—enable information stored across multiple servers to be accessed at the client’s request. One server can be configured to refer to another server to retrieve different types of information.

There is no specific SiteMinder configuration required to use LDAP referrals.

NT Domain Support

Windows NT supports user accounts that are local to a specific machine and user accounts in a domain. Domain authentication is supported if the system where the Policy Server resides has a computer account in the appropriate domain. If this system does not have a computer account in all domains for which users need authentication, the appropriate trust relationships must be established between domains.

SiteMinder policies can be associated with user groups in an NT domain. SiteMinder treats every NT domain as an independent namespace. While support for local users and local groups is included, policies that are associated with these users and groups are only usable in SiteMinder installations that have a single Policy Server.

ODBC Database Support

You can configure SiteMinder to view a proprietary schema in an ODBC-enabled database and use this database as a user directory for authentication and authorization purposes. This option is useful when user information, such as the user name, password, and group membership, is stored in a database.

Mainframe Database Support

The SiteMinder Security Bridge enables you to integrate IBM’s RACF, Computer Associates CA-ACF2 and CA-Top Secret mainframe security databases into a SiteMinder environment for authentication and authorization of mainframe users.

The Security Bridge provides an LDAP interface to the mainframe databases, enabling the SiteMinder Policy Server to connect to the database using standard LDAP calls. This LDAP interface presents these legacy systems as LDAP-compliant directory servers, which enables them to become part of your enterprise’s e-business infrastructure.

When SiteMinder wants to authenticate a user stored in a RACF, CA-ACF2, or CA-Top Secret database, the Policy Server contacts the SiteMinder Security Bridge and passes the user’s credentials on for authentication. The Security Bridge authenticates the user and returns the results to the Policy Server.

The following graphic shows how SiteMinder Security Bridge fits into a SiteMinder environment.

[Figure: SiteMinder Security Bridge in a SiteMinder environment. Users on the Internet reach a Web Server with a Web Agent that fronts the protected resources; the Policy Server, with its Policy Store and user directories, communicates over LDAP with the SiteMinder Security Bridge, which fronts the mainframe security database on an OS/390 mainframe for authentication, authorization, administration and accounting.]

After a user is authenticated, the Policy Server determines the user’s access privileges based on the policies defined for the resource. Policies for mainframe users rely on names of groups or roles stored in the database to determine who has access to resources. In addition, you can configure time and location constraints and use dynamic data for more fine-grained access control.

For information on configuring RACF, CA-ACF2 and CA-Top Secret as a directory namespace, refer to the SiteMinder Policy Server Operations Guide.

Directory Mapping

SiteMinder provides a directory mapping feature to improve the flexibility of the SiteMinder authorization model.

Directory mapping lets an administrator implement security for an environment that maintains user data using different infrastructures. SiteMinder can authenticate a user against one directory and, based on the user’s identity, determine that user’s authorization privileges against a different directory. By dividing the authorization and authentication functions, you can also integrate legacy applications.

You can use one of the following methods to map the authentication directory to the authorization directory.

• Identical DN—Maps the user’s distinguished name (DN) exactly from the authentication directory to the authorization directory.

• Universal ID—Matches the value of the Universal ID attribute from the authentication directory with the value of the Universal ID in the authorization directory to identify the user.

Directory mapping is configured on a per-realm basis, which means that each set of protected resources can have a different mapping. In addition, responses that are returned to the user can gather attributes from different directories depending on whether SiteMinder is authenticating or authorizing that user.
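The following added example models two passages together: the administrator-defined directory sequence from Directory Integration (first match in the namespace order decides the identity) and the two mapping methods just listed. It is not SiteMinder code; Directory, authenticate() and map_identity() are invented names, the entries are constructed, and employeeNumber is an assumed choice of Universal ID attribute. Passwords are compared in the clear only to keep the model short; a real directory bind never handles them this way.

```python
"""Ordered namespace search and directory mapping.

Added illustration; not SiteMinder code. Directory, authenticate() and
map_identity() are invented names; the directories below are constructed
sample data and employeeNumber is an assumed Universal ID attribute.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, str]


@dataclass
class Directory:
    name: str
    entries: Dict[str, Entry]           # DN -> attributes

    def find(self, attr: str, value: str) -> List[Tuple[str, Entry]]:
        return [(dn, e) for dn, e in self.entries.items() if e.get(attr) == value]


def authenticate(sequence: List[Directory], login: str,
                 password: str) -> Optional[Tuple[str, str]]:
    """Search namespaces in order; the first one holding the login decides.

    Later namespaces are not consulted even when the credentials fail, so a
    duplicate login in a lower-priority directory cannot stand in for the
    entry that outranks it. Returns (directory name, DN) or None.
    """
    for directory in sequence:
        hits = directory.find("uid", login)
        if not hits:
            continue
        dn, entry = hits[0]
        if hmac.compare_digest(entry.get("userPassword", ""), password):
            return directory.name, dn
        return None
    return None


def map_identity(authn: Directory, authn_dn: str, authz: Directory,
                 method: str, universal_id_attr: str = "employeeNumber") -> Optional[str]:
    """Map the authenticated DN to an entry in the authorization directory."""
    if method == "identical_dn":
        return authn_dn if authn_dn in authz.entries else None
    if method == "universal_id":
        uid = authn.entries[authn_dn].get(universal_id_attr)
        if uid is None:
            return None
        hits = authz.find(universal_id_attr, uid)
        return hits[0][0] if hits else None
    raise ValueError(f"unknown mapping method {method!r}")


# Constructed directories: employees outrank partners in the search order,
# and a legacy entitlements directory uses its own DNs for partners.
EMPLOYEES = Directory("employees", {
    "uid=jane,ou=employees,o=example": {"uid": "jane", "userPassword": "jane-pw",
                                        "employeeNumber": "1001"},
})
PARTNERS = Directory("partners", {
    "uid=pat,ou=partners,o=example": {"uid": "pat", "userPassword": "pat-pw",
                                      "employeeNumber": "9001"},
    "uid=jane,ou=partners,o=example": {"uid": "jane", "userPassword": "other-pw",
                                       "employeeNumber": "9002"},
})
ENTITLEMENTS = Directory("entitlements", {
    "uid=jane,ou=employees,o=example": {"employeeNumber": "1001", "role": "sales"},
    "cn=partner-9001,ou=roles,o=legacy": {"employeeNumber": "9001", "role": "reseller"},
})
SEQUENCE = [EMPLOYEES, PARTNERS]


def login_and_map(login: str, password: str, method: str) -> Optional[str]:
    """Authenticate against the sequence, then map into ENTITLEMENTS."""
    result = authenticate(SEQUENCE, login, password)
    if result is None:
        return None
    dirname, dn = result
    source = EMPLOYEES if dirname == "employees" else PARTNERS
    return map_identity(source, dn, ENTITLEMENTS, method)


if __name__ == "__main__":
    print(login_and_map("jane", "jane-pw", "identical_dn"))
    print(login_and_map("pat", "pat-pw", "identical_dn"))
    print(login_and_map("pat", "pat-pw", "universal_id"))
```

The partner case shows why the Universal ID method exists: pat's DN in the partners directory has no counterpart in the entitlements directory, so Identical DN mapping yields nothing, while the shared employeeNumber value finds the legacy role entry.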

Personalization

Users across the Internet economy want a positive experience when accessing information or engaging in a transaction. In addition to feeling that the exchange of data is secure, users want to traverse different aspects of a site without having to re-enter credentials each time, visit sites related to their original destination, and have content relevant to their needs. A successful e-business site must address these needs and find ways to distinguish itself from its competition in order to retain user loyalty.

Personalization lets you customize the resource content for a user or group of users, even if those users are anonymous.

Personalization Has Several Benefits

• Provides a better user experience because all information presented to users is customized to their needs.

Users do not have to see or navigate around extraneous material that is of no interest to them.

• Allows a vendor or advertiser to target their message to the needs and buying patterns of each user.

To achieve successful one-on-one marketing, you need to cater to each customer’s needs and preferences. Tailoring Web content for different users is an effective way to do this. High priority customers or partners can be presented with more, or different, options than those of lower priority.

• Provides better security.

If users are not authorized to access certain resources, those resources are not presented to them. This reduces the possibility of security breaches by unauthorized users.

• Provides a single access point.

The portal can become the single point of access, regardless of whether the user is from the Internet, extranet, or intranet. There is no need to create separate portals depending on the user base.

When an authentication or authorization occurs, the SiteMinder Policy Server can send a SiteMinder customized response back to the application that is relevant to that user and grants that user specific entitlements. For example, an application developer may configure a Welcome page with a response that stores the name of the user. When the Policy Server authorizes the user, their name is passed back to the application and the user sees a personalized welcome. You can even customize information at the sub-page level, such as sections of a page, data fields, or buttons.

Personalization can also include the use of responses that control the behavior of Web Agents on a per-user or per-group basis. Based on an authentication or authorization event, SiteMinder will treat the user according to the rule definition. For example, if the OnRejectRedirect attribute is configured, a user who is denied access to a resource is redirected to another URL.

For more information about responses, refer to the SiteMinder Policy Server Operations Guide and the SiteMinder Agent Operations Guide.

Delegated Administration

SiteMinder’s architecture separates system and policy domain management, so that each type of management can be performed by different administrators. By delegating management tasks, SiteMinder makes administration of large environments easier because those people in an organization who are most familiar with a particular set of resources and users can be assigned the privileges to manage them. In addition, it improves security by controlling who can create and modify users and policy objects.

Anyone who has access to SiteMinder objects and tools is considered an administrator. Depending on their role in an organization, SiteMinder administrators can have different privileges to manage SiteMinder objects.

An administrator with maximum privileges can delegate the following management privileges to other managers:

• Create and manage system and policy domain objects

• Manage users

• Manage keys and password policies

• View and modify system reports

Default administrator has maximum privileges.

By default, SiteMinder sets up a default administrator account that has maximum privileges. This administrator can then create additional administrator accounts for those people who need to add or make changes to parts of the SiteMinder environment.

Note: SiteMinder administrators do not have user directory management privileges and have no control over the administrative model for user directories. User management must be coordinated with the individuals who maintain the applicable directories.

For more information, refer to the SiteMinder Policy Server Operations Guide.

Auditing

SiteMinder can track user behavior and monitor your site’s performance.

Auditing lets you monitor your users and your site.

SiteMinder audits all user activity, which includes all authentications and authorizations, as well as administrative activity, which includes any changes to the policy store.

SiteMinder also tracks user sessions so you can monitor the resources being accessed, how often users attempt access, and how many users are accessing your site.

Reporting

The Policy Server can generate reports that include audit information about user activity, failed access attempts, and administrative changes. The types of reports are as follows:

• Activity reports — include information such as the type of resources that users access and how frequently they attempt access, how many users are accessing particular resources, and whether access attempts were successful.

• Intrusion reports — include information about failed authentication and authorization attempts by a specific user, SiteMinder Agent, or both.

• Administrative reports — include administrative activity by a particular administrator or by the object that changed administratively. Administrative activity includes changes to policies and policy domain configurations.

You can select the kind of reports you want to generate using the SiteMinder Policy Server User Interface.

In addition to the SiteMinder-provided reports, you can create custom reports. When a SiteMinder access or object event occurs, SiteMinder writes this data to the ODBC database tables: smaccesslog4 and smobjlog4. Access events include authentications, authorizations, and administration events. Object events include creating, modifying, and deleting SiteMinder objects. You can extract the information in these tables using database queries, then place the data into your own reporting application to generate customized reports.
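A custom intrusion report of the kind described above is a grouping query over the access-event table. The following is an added example, not SiteMinder code, and it does not use the product's real table definition: it builds an in-memory SQLite stand-in for smaccesslog4 with assumed column names (sm_timestamp, sm_username, sm_agentname, sm_clientip, sm_eventname, sm_status) and constructed rows, then runs the query a reporting application would issue. Check the actual schema before adapting the SQL.

```python
"""Failed-attempt report over access-log rows.

Added illustration; not SiteMinder code. The table is a constructed
stand-in for smaccesslog4 with assumed column names, and the rows are
constructed sample events.
"""
import sqlite3
from typing import List, Tuple

# Constructed sample events: (timestamp, user, agent, client IP, event, status).
ROWS = [
    ("2001-06-01 09:00:01", "alice", "agent-www", "10.0.0.5", "AuthAccept", 0),
    ("2001-06-01 09:01:10", "bob",   "agent-www", "10.0.0.9", "AuthReject", 1),
    ("2001-06-01 09:01:15", "bob",   "agent-www", "10.0.0.9", "AuthReject", 1),
    ("2001-06-01 09:01:22", "bob",   "agent-www", "10.0.0.9", "AuthReject", 1),
    ("2001-06-01 09:01:30", "bob",   "agent-www", "10.0.0.9", "AuthReject", 1),
    ("2001-06-01 09:05:00", "bob",   "agent-www", "10.0.0.9", "AuthAccept", 0),
    ("2001-06-01 09:10:00", "carol", "agent-app", "10.0.1.7", "AzReject",   1),
    ("2001-06-01 09:12:00", "carol", "agent-app", "10.0.1.7", "AzReject",   1),
    ("2001-06-01 11:00:00", "dave",  "agent-www", "10.0.2.2", "AuthReject", 1),
]

# Assumed layout; the real smaccesslog4 definition ships with the product.
SCHEMA = """CREATE TABLE smaccesslog4 (
  sm_timestamp TEXT, sm_username TEXT, sm_agentname TEXT,
  sm_clientip TEXT, sm_eventname TEXT, sm_status INTEGER)"""

# Failed authentication and authorization attempts per user and agent inside
# a time window, keeping only users at or above a threshold.
REPORT_SQL = """
SELECT sm_username, sm_agentname, COUNT(*) AS failures,
       MIN(sm_timestamp) AS first_seen, MAX(sm_timestamp) AS last_seen
FROM smaccesslog4
WHERE sm_eventname IN ('AuthReject', 'AzReject')
  AND sm_timestamp BETWEEN ? AND ?
GROUP BY sm_username, sm_agentname
HAVING COUNT(*) >= ?
ORDER BY failures DESC, sm_username
"""


def load(rows=ROWS) -> sqlite3.Connection:
    """Create the stand-in table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO smaccesslog4 VALUES (?,?,?,?,?,?)", rows)
    return conn


def intrusion_report(conn: sqlite3.Connection, start: str, end: str,
                     threshold: int = 3) -> List[Tuple]:
    """Rows of (user, agent, failures, first_seen, last_seen)."""
    return conn.execute(REPORT_SQL, (start, end, threshold)).fetchall()


if __name__ == "__main__":
    db = load()
    for row in intrusion_report(db, "2001-06-01 00:00:00", "2001-06-01 23:59:59"):
        print(row)
```

The parameters are bound rather than concatenated, so the window and threshold can come straight from a report form; and because the query groups by agent as well as user, the same user failing on two agents shows up as two lines, which is usually what an analyst wants to see.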

The Event API also lets you create custom reports with its custom event handler, which is described in the SiteMinder Developer’s API Guide.

Password Services

Password management is a critical security issue for any Web resource and application. To maintain the integrity of a password, it must:

• Change frequently

• Not be reused

• Not be easy to predict

Strong password management must also include the ability to indicate when attempted breaches in security have occurred, such as a user trying and failing successive login attempts.

SiteMinder’s password services allow you to manage user passwords in LDAP and ODBC user directories.

Password services allow an administrator to do the following:

• Specify the user directories where the password policies apply.

• Determine when a password expires, which includes redirecting a user if they fail to enter a valid password.

• Specify the requirements for how a password is created.

• Define password restrictions, which include the criteria and limitations that can be placed on passwords to increase security.

Password policies are stored in the SiteMinder policy store. If a policy exists, SiteMinder checks the password against the rules of the policy criteria. If the password meets the criteria, the user is authenticated by the Policy Server.
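The checks the passage lists (composition rules, no reuse, expiry, and noticing successive failed logins) fit in one small policy object. The following is an added example and not SiteMinder's password services: PasswordPolicy, Account, set_password() and verify_login() are invented names, the thresholds are sample values, and the reuse check works on salted PBKDF2 hashes so that no earlier password is ever kept in the clear.

```python
"""Password policy checks: composition, reuse, expiry, failed-login lockout.

Added illustration; not SiteMinder code. Names and thresholds are invented
sample values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass
class PasswordPolicy:
    min_length: int = 8
    require_digit: bool = True
    require_mixed_case: bool = True
    history_size: int = 5                   # earlier passwords that may not be reused
    max_age: timedelta = timedelta(days=90)  # after this the user must change it
    max_failures: int = 5                   # failed logins before the account is disabled


@dataclass
class Account:
    name: str
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), newest last
    changed_at: datetime = datetime(2001, 1, 1)
    failures: int = 0
    disabled: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def composition_errors(policy: PasswordPolicy, password: str) -> List[str]:
    """Reasons a candidate password fails the creation requirements."""
    errors = []
    if len(password) < policy.min_length:
        errors.append(f"shorter than {policy.min_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        errors.append("no digit")
    if policy.require_mixed_case and not (any(c.islower() for c in password)
                                          and any(c.isupper() for c in password)):
        errors.append("not mixed case")
    return errors


def is_reused(account: Account, policy: PasswordPolicy, password: str) -> bool:
    """Compare against the last history_size stored hashes."""
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in account.history[-policy.history_size:])


def set_password(account: Account, policy: PasswordPolicy,
                 password: str, now: datetime) -> List[str]:
    """Apply the policy; return the list of violations (empty on success)."""
    errors = composition_errors(policy, password)
    if is_reused(account, policy, password):
        errors.append("password was used recently")
    if errors:
        return errors
    salt = os.urandom(16)
    account.history.append((salt, _hash(password, salt)))
    account.changed_at = now
    return []


def verify_login(account: Account, policy: PasswordPolicy,
                 password: str, now: datetime) -> str:
    """One of: ok, rejected, expired, disabled, no password set."""
    if account.disabled:
        return "disabled"
    if not account.history:
        return "no password set"
    salt, digest = account.history[-1]
    if not hmac.compare_digest(_hash(password, salt), digest):
        account.failures += 1
        if account.failures >= policy.max_failures:
            account.disabled = True          # successive failures: flag the account
            return "disabled"
        return "rejected"
    account.failures = 0
    if now - account.changed_at > policy.max_age:
        return "expired"                     # send the user to the change-password page
    return "ok"


if __name__ == "__main__":
    pol, acct, t0 = PasswordPolicy(), Account("alice"), datetime(2001, 6, 1)
    print(set_password(acct, pol, "ab1", t0))
    print(set_password(acct, pol, "Summer2001x", t0))
    print(verify_login(acct, pol, "Summer2001x", t0 + timedelta(days=100)))
```

An expired password is only reported after the credentials verify, so an attacker probing the login page cannot use the "expired" answer to confirm a password, and the failure counter is reset only on a successful verification.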

User-Initiated Password Changes

If a user’s password has been compromised, for example because it was written down where others could see it, that user may want to change his or her password. SiteMinder’s password services let users change their own passwords without any intervention by an administrator. The administrator can delegate the management of password changes directly to the user.

For a user to modify a password, the administrator provides an interface (HTML page or application) where the change can be made. The user directs a Web browser to the target location set up by the administrator, then follows the steps necessary to modify the password.

Authentication Schemes

SiteMinder allows Web developers to use an authentication scheme that is appropriate for their application. SiteMinder supports the following authentication schemes:

- Basic identifies a user by user name and password. SiteMinder supports Basic (HTTP) and Basic over SSL; only the SSL variant keeps the password from crossing the network in the clear.

- X.509 client certificates identifies a user by verifying the user's digital certificate. Certificate authentication can be combined with Basic authentication for stricter security. SiteMinder supports three variants: X.509 certificates alone, X.509 certificates and Basic (both are required), and X.509 certificates or Basic (either is accepted).

The certificate-or-Basic option is designed to ease the deployment of certificates. For example, in a company with 50,000 users it would be difficult to issue all 50,000 certificates at once. With the certificate-or-Basic scheme you can introduce certificates gradually, starting with 500 or 5,000. During the transition, users who already have certificates authenticate with them, while other authorized users still reach the resources with a user name and password. Until every account has a certificate, the scheme is only as strong as its password branch, so password policy still matters.

- HTML forms identifies a user with customized HTML forms that collect the user's credentials. Forms authentication lets you collect information beyond the user name and password.

- Tokens identifies a user with hardware tokens that generate one-time passwords; the password produced by the token changes regularly. SiteMinder supports the CRYPTOCard RB-1 and Encotone TeleID hardware tokens.

- Proxy authenticates users with SiteMinder acting as a substitute for a third-party authentication server. SiteMinder supports the following proxy authentication schemes: SecurID tokens, Secure Computing SafeWord Server, and RADIUS servers.

- Digest identifies users by comparing a hashed (digest) form of a user attribute stored in a server's directory against the hashed form of the value the user enters; if they match, the user's identity is verified. SiteMinder supports the following digest authentication schemes: RADIUS CHAP and RADIUS PAP.

- Anonymous identifies non-registered users, that is, users who are unknown to the site at which the target resource resides. SiteMinder assigns each anonymous user a globally unique identifier (GUID), which then identifies the user so that they are not challenged when accessing a resource.

- NT LAN Manager (NTLM) authenticates users based on their Windows NT login name and password instead of challenging for credentials. This scheme is only for protected resources that reside on an IIS Web server and that users access with the Internet Explorer browser.

- Custom identifies a user with a custom authentication scheme created with the SiteMinder Authentication API.

SiteMinder lets administrators assign protection levels to authentication schemes for added security and flexibility in a single sign-on environment.

For details about protection levels for single sign-on, refer to Authentication Scheme Protection Levels for SSO on page 44.

Public Key Infrastructure Authentication

A public key infrastructure (PKI) is a system of digital certificates, Certificate Authorities, and other registration authorities that authenticate users transmitting electronic data. PKIs protect the exchange of information online.

SiteMinder’s certificate authentication integrates with many leading PKIs from vendors such as Verisign, Microsoft, Netscape, Entrust, CyberTrust, and Security Dynamics to ensure secure user authentication.

When a user authenticates using a certificate, the SiteMinder Web Agent takes the necessary user information from the certificate, such as a user’s distinguished name (DN) and the certificate issuer’s DN. The Web Agent passes this information to the Policy Server. The Policy Server then verifies that the user is listed in the appropriate user directory and authenticates the user. After verifying the user’s identity, the Policy Server authorizes the user for access to the requested resources.

SiteMinder also supports certificate revocation list (CRL) processing as provided by most PKI vendors. A certificate's own validity period takes care of expiry: once it has expired, the PKI no longer accepts it. Revocation covers the other case, a certificate withdrawn before it expires, for example because its private key was compromised. Checking the issuer's CRL ensures that the certificates in use are still valid, which is critical to securing transactions.

Session Management

The infrastructure of Internet business is a mix of Web servers, application servers, programming languages, legacy applications, and APIs. This multi-tiered environment spans local and remote users, who may be recognized as registered users or who are anonymous. With this complex mix, user sessions need to be managed across different application environments while allowing each environment to manage its own user-specific entitlements.

SiteMinder session management functions fall into two categories, operational and administrative, and cover the following:

- Session creation: establishing a user session when a user successfully logs into an application.

- Session delegation: passing session information across an application environment.

- Session validation: verifying the session token to make sure the user session is still active.

- Session termination: terminating a session when a user logs out, when the configured session timeouts expire, or when a user is disabled.

- Session tracking: tracking user sessions by recording session activity in Web server and Policy Server logs.

- Session revocation: disabling a user in a user directory and terminating the session.

[Figure: operational and administrative session management, covering creation, delegation, validation, termination, tracking, and revocation.]

SiteMinder implements session management using a session ticket. The session ticket contains basic information about a user and their authentication information. The Web Agent places the session ticket in a cookie. It is the cookie that represents the user's session across all sites in a SiteMinder installation. The cookie is used as an index into the Web Agent's cache, which contains the user session data; no user-specific data is kept in the cookie itself. The Web Agent is responsible for validating the cookie and enforcing the session timeouts. Because the cookie value is all that ties a browser to a cached session, it must be unguessable and should travel only over SSL: whoever holds it holds the session.

For more information about session management, refer to the SiteMinder Deployment Guide.
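The following is an added example, not code from the guide or from SiteMinder, of the session-ticket design described above: the cookie carries only an opaque ticket, the agent-side cache holds the session data, and validation enforces the idle and maximum timeouts. It also shows the termination and revocation operations from the list above. The timeout values, the class and its method names are assumptions.

```python
"""Session tickets as an index into a server-side cache.

Added example, not SiteMinder code; timeouts and names are assumptions."""
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set


@dataclass
class SessionEntry:
    username: str
    created_at: datetime
    last_seen: datetime
    auth_level: int        # protection level of the scheme that authenticated the user


class SessionCache:
    def __init__(self, idle_timeout: timedelta = timedelta(minutes=30),
                 max_timeout: timedelta = timedelta(hours=8)):
        self.idle_timeout = idle_timeout
        self.max_timeout = max_timeout
        self._entries: Dict[str, SessionEntry] = {}
        self._disabled: Set[str] = set()

    def create(self, username: str, now: datetime, auth_level: int = 5) -> str:
        """Session creation: returns the ticket the agent puts in the cookie.
        256 bits from the CSPRNG, so tickets cannot be guessed or enumerated."""
        if username in self._disabled:
            raise PermissionError(f"{username} is disabled")
        ticket = secrets.token_urlsafe(32)
        self._entries[ticket] = SessionEntry(username, now, now, auth_level)
        return ticket

    def validate(self, ticket: str, now: datetime) -> Optional[SessionEntry]:
        """Session validation: None means the browser must authenticate again.
        A ticket that is absent (forged, logged out, flushed) or timed out is rejected."""
        entry = self._entries.get(ticket)
        if entry is None:
            return None
        if now - entry.created_at > self.max_timeout or now - entry.last_seen > self.idle_timeout:
            self.terminate(ticket)
            return None
        entry.last_seen = now   # the idle timer restarts on each validated request
        return entry

    def terminate(self, ticket: str) -> None:
        """Session termination (logout or full logoff): the cookie value stops resolving."""
        self._entries.pop(ticket, None)

    def revoke_user(self, username: str) -> int:
        """Session revocation: disable the account and flush its cached sessions so an
        existing cookie cannot be replayed after the administrator acts."""
        self._disabled.add(username)
        stale = [t for t, e in self._entries.items() if e.username == username]
        for ticket in stale:
            self.terminate(ticket)
        return len(stale)

    def reenable_user(self, username: str) -> None:
        self._disabled.discard(username)
```

Because the cache is keyed by the ticket alone, a forged or stale cookie fails closed with a re-authentication rather than an error, and revoking a user both blocks new sessions and removes the ones already cached; disabling the directory entry without the flush would leave the cached sessions usable until they timed out.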

User Disablement

SiteMinder gives administrators the ability to enable and disable user accounts administratively. This feature works with LDAP and ODBC user directories and is configured in the Policy Server User Interface.

Disabling a user account can contain a security breach. When an administrator observes suspicious or unusual activity on the network, they can disable a specific user's account in the user directory and then flush the user session cache, which deletes cached information about the user; without the flush, cached sessions and authorization results can keep serving the user until they expire. User disablement is also useful when an organization terminates an employee and wants to remove that employee's access to company resources immediately.

After a user is disabled, the Policy Server ends all active SiteMinder sessions for the user. All subsequent login and session validation requests are rejected. The user cannot log in again until an administrator re-enables their account.

SiteMinder can effect these changes across an intranet or extranet spanning multiple Web servers. In addition, administrators can view reports that detail user activity by specific user names.

Note: User accounts can also be disabled automatically when a password policy is triggered, for example after repeated failed login attempts. In this case, an administrator must re-enable the account before the user has any access to resources.

For instructions on how to disable users, refer to the SiteMinder Policy Server Operations Guide.

Full Logoff Support

To ensure that resources are secure, a Web developer can completely log a user out of a SiteMinder session. If a user is completely logged off, an unauthorized person cannot restart the original user’s browser and resume access to protected resources.

If the user tries to access a protected resource after the SiteMinder Web Agent performs a full logoff, the credentials cached by the browser no longer grant access, because the session cookies that tied the browser to the user's session have been removed and the user must authenticate again.

To implement full logoff support, refer to the SiteMinder Agent Operations Guide.

Agent Key Management

Web Agents use keys to encrypt and decrypt cookies that pass information between Web Agents, for example, cookies that enable single sign-on. Keys are kept in a key store, which holds all the key information and is the location from which all Web Agents can retrieve keys.

To keep key information updated across large SiteMinder installations, SiteMinder provides an automated key rollover mechanism. Keys can be updated automatically for all SiteMinder installations that share the same key store. Automating key changes limits how long any one key is in use, so a key that leaks exposes only the cookies issued during its lifetime. For Agents configured for single sign-on, the key store must be replicated and shared across all Policy Servers in the single sign-on environment; otherwise an Agent cannot decrypt a cookie that was issued under a key its own Policy Server does not hold.

For information about configuring agent key management, refer to the SiteMinder Policy Server Operations Guide.
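The following is an added example, not code from the guide or from SiteMinder, of the rollover behaviour described above: each cookie names the key generation it was sealed under, the key store keeps the previous generation alongside the current one so cookies issued just before a rollover still open, and a second rollover retires the old key so those cookies stop resolving. The guide does not say which cipher the agents use, so this uses encrypt-then-MAC over an HMAC-SHA256 keystream as a stand-in (a production agent would use a vetted authenticated-encryption mode); the key-store layout, key IDs and one-generation grace rule are assumptions.

```python
"""Agent key rollover for cookies that pass between Web Agents.

Added example, not SiteMinder code. The cipher is a stand-in and the
key-store layout is an assumption."""
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional, Tuple

TAG_LEN = 32
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for the agents' cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


class AgentKeyStore:
    """Holds the current key plus the previous generation during the transition window.
    Cookies name the key they were sealed with, so every Agent sharing this store can
    open cookies from both generations until the older one is retired."""

    def __init__(self):
        self._keys: Dict[int, Tuple[bytes, bytes]] = {}   # key id -> (enc key, mac key)
        self.current_id = 0
        self.rollover()

    def rollover(self) -> int:
        """Generate a new current key; keep only the immediately previous generation."""
        self.current_id += 1
        self._keys[self.current_id] = (secrets.token_bytes(32), secrets.token_bytes(32))
        for kid in list(self._keys):
            if kid < self.current_id - 1:
                del self._keys[kid]
        return self.current_id

    def seal(self, plaintext: bytes) -> str:
        """Encrypt-then-MAC under the current key; the key id travels in the clear header."""
        enc_key, mac_key = self._keys[self.current_id]
        nonce = secrets.token_bytes(NONCE_LEN)
        body = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        header = struct.pack(">I", self.current_id) + nonce
        tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(header + body + tag).decode("ascii")

    def open(self, cookie: str) -> Optional[bytes]:
        """Return the plaintext, or None if the key is retired or the cookie was altered.
        A None result makes the Agent treat the browser as unauthenticated."""
        try:
            raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
        except ValueError:
            return None
        if len(raw) < 4 + NONCE_LEN + TAG_LEN:
            return None
        (kid,) = struct.unpack(">I", raw[:4])
        keys = self._keys.get(kid)
        if keys is None:
            return None                       # sealed under a retired or unknown key
        enc_key, mac_key = keys
        header, body, tag = raw[:4 + NONCE_LEN], raw[4 + NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None                       # altered in transit: verify before decrypting
        nonce = header[4:]
        return bytes(c ^ k for c, k in zip(body, _keystream(enc_key, nonce, len(body))))
```

The verify-before-decrypt order and the constant-time tag comparison are the two properties worth keeping whatever cipher sits underneath; the grace window of exactly one generation is the knob that trades how long a leaked key stays useful against how many users are forced to log in again at each rollover.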

Scalability and Performance

Portals and extranets raise difficult traffic and administrative scalability issues. Millions of users may contact a site, and in some business environments traffic peaks at specific times. Administering a site with large, fluctuating numbers of users is also a critical issue when implementing security. SiteMinder can scale to meet an organization's growing user population and resources.

There are several aspects to scalability that must be considered when selecting a product that is intended to support large environments: load scalability, administration scalability, and replication.

Load Balancing and Failover

SiteMinder’s distributed architecture allows for scalability in large installations through the use of additional Policy Servers and directory servers. SiteMinder lets you configure how traffic is managed across these replicated systems in a SiteMinder environment.

Load balancing distributes data traffic across many systems to avoid overburdening a single system. Load balancing provides faster and more efficient access to resources, such as policies or user directories.

Failover is a redundancy mode that lets an administrator specify a primary and a set of backup systems. When the primary system fails, requests are transferred to the backup systems until the primary recovers.

SiteMinder supports load balancing and failover between the following:

- Web Agents and Policy Servers

- Policy Servers and LDAP user directories

- Policy Servers and ODBC user databases (failover only)

You can select load balancing operation to distribute user requests directed from the Web Agents to multiple Policy Servers, and from the Policy Server to replicated LDAP user directories.

You can select failover operation to specify primary and backup Policy Servers and user directories.

Note: For the Web Agents, you can select either load balancing or failover, not both.

To specify how the Web Agent handles load balancing, refer to the SiteMinder Agent Operations Guide. To configure load balancing for the Policy Server, refer to the SiteMinder Policy Server Operations Guide.
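The following is an added example, not code from the guide or from SiteMinder, showing the two dispatch modes described above from the Web Agent's side: in failover mode the primary Policy Server is always tried first and backups take over only while it is unreachable, and in load-balancing mode requests rotate across the servers. The pool class, its retry interval and the request callback are assumptions; the transport is a constructed stand-in for the Agent-to-Policy-Server connection.

```python
"""Failover and load-balancing dispatch from a Web Agent to its Policy Servers.

Added example, not SiteMinder code; names and the retry interval are assumptions."""
from typing import Any, Callable, Dict, List, Set, Tuple


class PolicyServerPool:
    def __init__(self, servers: List[str], mode: str = "failover", retry_after: float = 30.0):
        if mode not in ("failover", "loadbalance"):
            raise ValueError("mode must be 'failover' or 'loadbalance'")
        self.servers = list(servers)
        self.mode = mode
        self.retry_after = retry_after            # seconds before a failed server is retried
        self._down_until: Dict[str, float] = {}
        self._next = 0

    def _candidates(self) -> List[str]:
        """Failover: configured order, primary first. Load balancing: rotate the start."""
        if self.mode == "failover":
            return self.servers
        start = self._next % len(self.servers)
        self._next += 1
        return self.servers[start:] + self.servers[:start]

    def send(self, request: Any, call: Callable[[str, Any], Any], now: float) -> Tuple[str, Any]:
        """Try servers in mode order, skipping any marked down until its retry time.
        Returns (server that answered, its response); raises if none answered."""
        last_error = None
        for server in self._candidates():
            if self._down_until.get(server, 0.0) > now:
                continue
            try:
                response = call(server, request)
            except ConnectionError as exc:
                self._down_until[server] = now + self.retry_after
                last_error = exc
                continue
            self._down_until.pop(server, None)    # a recovered server is used again
            return server, response
        raise ConnectionError(f"no Policy Server answered: {last_error}")


def make_transport(down: Set[str]) -> Callable[[str, Any], Any]:
    """Constructed stand-in for the Agent/Policy Server connection: servers named in
    `down` refuse the connection; the others answer an 'is resource protected' query."""
    def call(server: str, request: Any) -> Any:
        if server in down:
            raise ConnectionError(f"{server} unreachable")
        resource = request.get("resource", "")
        return {"server": server, "isprotected": resource.startswith("/bidding")}
    return call
```

The retry timer is what makes "until the primary recovers" work without a separate health check: a failed server is skipped for one interval and then probed again by the next real request, so the primary resumes service on its own once it is back.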

Replication of the Policy Database

The SiteMinder policy database can be replicated using LDAP directory replication or the replication schemes available for off-the-shelf ODBC compatible databases such as Oracle and SQL Server. Replicating the policy data store allows a SiteMinder installation to grow in terms of back-end Policy Servers and consequently, additional supported Web Agents.

SiteMinder offers various options for its policy data storage. You can select an ODBC-compliant database (such as Oracle or Microsoft SQL Server), or you can use an LDAP directory for policy data storage. Included with SiteMinder are utilities you can use to export data from one policy store and import it into another.

Enterprise Caching

SiteMinder provides comprehensive caching capabilities for the Web Agent and the Policy Server. It caches policy store, resource, and user information, which ensures that SiteMinder responds quickly to user requests. SiteMinder caches can be configured to meet the needs of your organization whether the user base is large or small.

Policy Store Cache

The policy store cache ensures efficient authorization performance by caching policy data. The cache remains up to date across all Policy Servers that share the same policy store, and it can be configured to meet the unique needs of your organization.

L2 Cache

L2 cache stores information about the relationship between policies and resources. The L2 cache eliminates the need to repeatedly search for policy matches to the same resource. This improves the authorization performance because there is no need to search all the policies for a domain.

User Authorization Cache

SiteMinder has a user directory cache that improves response times and throughput during authorizations. This cache is useful for environments where user membership is known to be fairly static, with only infrequent changes.

If this cache is enabled, SiteMinder stores the results of user-policy evaluations, which reduces the Policy Server's response time each time a user needs to be authorized, because the Policy Server does not have to reach the user directories over slow connections. The trade-off is staleness: a change in the directory, such as a disabled account or a removed group membership, is not seen until the cached entry expires or the cache is flushed, which is why disabling a user should be paired with a cache flush.

User Session Cache

The Web Agent stores user session information in cache, such as the duration of the session and whether that user successfully accessed a resource. A user session begins when SiteMinder authenticates the user. The session ends when the user logs out, the maximum session or idle time limit is reached, or the user is disabled. Caching user session information improves the processing of user requests.

Resource Cache

The SiteMinder Web Agent stores information about every resource that a user tried to access and what authorization information that user has for that resource. This improves the response time for user requests because the Web Agent does not have to contact the Policy Server for each resource request.

SiteMinder Developer's Toolkit

The SiteMinder Developer’s Toolkit is an extensive set of client-side and server-side Application Programming Interfaces (APIs) for developers to extend the capabilities of SiteMinder based on their site’s environment.

SiteMinder provides the following client-side APIs:

- Agent API

A SiteMinder Agent is a program that enforces policies specified by the SiteMinder Policy Server.

Custom Agents can be developed to protect resources that use protocols other than HTTP, such as applications that use the RADIUS protocol. A custom Agent developed with the Agent API, with its own resource types, action types, and response types, can be supported by the SiteMinder Policy Server. The Policy Server User Interface enables administrators to configure, edit, and delete Agent types, which protect various types of resources.

- Policy Management API

The SiteMinder Policy Management API is used to manipulate the policy objects within a SiteMinder installation. It can be used to build environment-specific administrative interfaces.

SiteMinder supports the following server-side APIs:

- Authentication API

The Authentication API allows custom authentication mechanisms, for example special-purpose token cards, to be integrated with SiteMinder.

- Authorization API

The Authorization API allows you to extend access control policies for environments that require custom policy decisions.

- Event API

The SiteMinder Event API enables a developer to specify a custom event handler for SiteMinder events.

- Tunnel Service API

The Tunnel Service API enables you to build a shared service library that can communicate with a SiteMinder Agent and securely transfer data.

- DMS Workflow API

The DMS Workflow API enables you to add simple pre- and post-process workflow for DMS events.

The following diagram shows the APIs that SiteMinder supports.

[Figure: the SiteMinder Policy Engine surrounded by its APIs (Authentication API, Authorization API, Policy Management API, Event API, Tunnel Service API, Agent API, DMS Workflow API) and the extensions built on them (Authentication Extensions, Policy Extensions, Event Extensions, Tunnel Extensions, Workflow Extensions, Custom Agents, Custom Interfaces, RADIUS Client).]

SiteMinder Example

This example illustrates how SiteMinder secures resources and manages users. SiteMinder is deployed by the fictitious Transpolar airline. The resources that SiteMinder is protecting are accessible to Transpolar’s employees as well as their external customers.

Note: Although the examples in this section illustrate concepts that apply to any SiteMinder environment, the Transpolar resources reside on a Web server protected by a Web Agent.

The Transpolar Site is organized as follows:

Transpolar Site

The site is organized to provide an extranet for customers and employees and an intranet for employees only through one access point, transpolar.com. The different purposes and security needs of the extranet and the intranet require that the Transpolar administrator configure different policies for the different realms.

For example, the employee bidding information is highly confidential and should only be accessible to employees who are pilots. This set of resources requires greater security than the departure and arrival schedule, which is available to anyone inside or outside the company.

[Figure: site map of transpolar.com, split into an external Web site for customers and employees and an internal Web site for employees only. Resources shown: transpolar.com (Transpolar Home Page), transpolar.com/depart-arrive (Departures and Arrivals), transpolar.com/specials (Special Offers), transpolar.com/mileage (Mileage Program), transpolar.com/inventory (Inventory Manager), transpolar.com/bidding (Employee Bidding).]

The SiteMinder Web Agent is installed on the Web server, which protects transpolar.com. The SiteMinder Policy Server is located on a second server at a remote location from the Web server.

Example 1: A Customer Accesses the Transpolar Extranet

The following steps explain the SiteMinder process flow when a registered Transpolar customer wants to check their frequent flyer mileage.

The diagram below shows the SiteMinder installation and the flow of the customer’s access request.

Transpolar Extranet

SiteMinder processes the frequent flyer request as follows:

1. A registered customer opens their Web browser and enters the URL for the external Transpolar Web site (www.transpolar.com).

The customer arrives at the Transpolar home page, where the main page is displayed in the customer’s browser (see the following figure).

2. When the customer selects the Mileage Program link from the main page, the Web Agent intercepts the request for access and determines whether the resource is protected.

[Figure: the customer's browser on the Internet reaches the Web Agent/Web server that holds the protected resources at transpolar.com; behind a firewall, the Policy Server consults its policy store and the user directory. The numbered arrows correspond to steps 1 through 8 below.]

3. The Web Agent checks its resource cache. If there is no information in cache about this resource, the Web Agent then sends the request to the Policy Server, asking if the resource is protected.

The Policy Server responds indicating that the resource is protected.

4. The Web Agent then challenges the user for their credentials. The credentials request is a customized log-in form.

5. The user enters their name and password. These credentials are then forwarded by the Web Agent back to the Policy Server for authentication.

6. The Policy Server authenticates the customer, using the native user directory, and sends the information back to the Web Agent.

7. After verifying the user's identity, the Web Agent sends an authorization request to the Policy Server. The Policy Server checks the rules in the policy store, where user entitlements are stored, and grants the user access to the resource.

The Policy Server notifies the Web Agent that the user is authorized. The Web Agent permits access.

8. The Web server delivers the desired document, through the Web Agent, to the user’s browser.

The document contains customized responses, configured by an administrator using the SiteMinder Policy Server User Interface. One response tells the customer how many frequent flyer miles they have in their account, as shown in the following diagram.

This response is configured to recalculate the number every second. To do this, the Web Agent contacts the Policy Server each time the rule associated with the response fires, so that the value is up to date.

As part of SiteMinder's user registration feature, when the user first registered for the frequent flyer program, they were asked how often they travel during the year. This information was used to track which customers were most likely to accumulate enough frequent flyer miles to take advantage of an advertised upgrade.

In addition, if the administrator has enabled cookies, the Web Agent stores a cookie in the user’s browser. The information in the cookies enables single sign-on, if configured. Using single sign-on, the customer can navigate to other links within Transpolar and to its affiliates without having to re-authenticate.

Example 2: Disabling a User from the Transpolar Intranet

This example demonstrates how SiteMinder handles a user whose access has been revoked. The administrator revokes the user's access privileges by disabling the user's account and clearing any cached user session and resource information using the Policy Server User Interface.

The diagram below shows the flow of the employee’s access request.

Transpolar Intranet

1. The terminated employee tries to access the company’s intranet by entering the URL for Transpolar. The employee arrives at the Transpolar employee page.

[Figure: the terminated employee's browser on the LAN reaches the Web Agent/Web server that holds the protected resources at transpolar.com; the Policy Server consults its policy store and the user directory. The numbered arrows correspond to steps 1 through 6 below.]

2. When the employee selects the Employee Bidding link, the Web Agent intercepts the request for access and determines whether the resource is protected.

Based on the information in the Agent’s resource cache, it determines that the resource is protected.

3. The Web Agent then sends a request for the user’s credentials.

4. The employee enters their name and password. These credentials are then forwarded by the Web Agent back to the Policy Server for authentication.

The Policy Server looks the user up in the user directory and sees that the account is disabled.

5. The Policy Server sends a message back to the Web Agent that the user is not authenticated, which in turn, triggers the Web Agent to deny access.

6. The Web server delivers a document in the employee’s browser informing the employee that they no longer have access privileges for the Transpolar site.

In addition, an authentication reject event is recorded in the Policy Server activity log. This event is also sent to a library developed using the SiteMinder Event API, which provides information about the access attempt to a monitoring application. The monitoring application sends an email message to an administrator that an unauthorized user tried to access resources.
