Configuring CA SiteMinder as your External Identity Provider - Intergraph Smart API Manager - 2020 (4.0) - Help

CA SiteMinder is a Web Access Management system offered by CA Technologies.

Smart API Manager is preconfigured to work with CA SiteMinder, but you must still configure certain settings within the CA SiteMinder application itself.

CA SiteMinder configuration

CA SiteMinder administration and configuration is an involved process. Consult CA SiteMinder online resources for more information, if required.

Configuring CA SiteMinder to work with the SiteMinder identity provider involves several steps:

  1. The web server where Smart API Manager is installed must have CA SiteMinder configured in its IIS pipeline.

  2. You must configure CA SiteMinder to protect only the <host>/sam/sm/token resource.

  3. You must map a CA SiteMinder identity to a user or group in Smart API Manager.

    For instructions, see CA SiteMinder identity (below), Add external identity provider credentials to a user, and Add an external identity user to a group.

  4. You must configure the BadURLChars property in the CA SiteMinder Web Agent to allow tilde (~) and the forward slash and period (/.) character sequence as part of a URL request.

    For more details, see article TEC509747 in the CA technologies knowledge base, How BadURLChars, BadQueryChars and BadFormChars settings work.

  5. You must modify the CSS (cross-site scripting) prevention rules to allow single quotes. Change the BadCSSChars property on the CA SiteMinder Web Agent from the default value <,',> to <,>.

    A comma separates the characters in the list. The updated value <,> directs the agent to scan only for left and right angle brackets.

    For more details, see the Help Prevent Attacks topic in the CA Technologies documentation.

  6. To ensure a comprehensive logout for SiteMinder, you must configure the LogOffUri property in the CA SiteMinder Web Agent. Set the value of this parameter to:

    /sam/oauth/connect/endsessioncallback

    Configuring a comprehensive log out/full logoff ensures the SMSESSION cookie expires properly.

    For more details, see the Comprehensive Log Out/Configure Full Logoff topic in the CA Technologies documentation.

    Tip: If you want to use a custom URI for SiteMinder logoff, set the LogOffUri property in the CA SiteMinder Web Agent to the desired value. You must also configure the same URI value for the SiteMinder identity provider in Smart API Manager; see the <appSettings> section in the following web.config file for instructions:

    <Smart API Manager Install Folder>\SiteMinderAuthentication\web.config

CA SiteMinder identity

Smart API Manager supports two claims for mapping external identity originating from CA SiteMinder. The following list shows the two claims, along with sample values:

  • sub – cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP,c=AU

  • name – SiteMinderRealm\craiglink

Tip: The sub claim contains information in LDAP (Lightweight Directory Access Protocol) format based on the user’s definition in CA SiteMinder. The information is organized in a hierarchy, listed from right to left:

  • c (country) – AU

  • o (organization) – DEMOCORP

  • ou (organizational unit) – Corporate

  • ou (organizational unit) – Administration

  • cn (common name) – Craig LINK

The name claim is SiteMinderRealm (where SiteMinderRealm represents the value for the realm configured for the SiteMinder agent), followed by a backslash character and the username.
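As an added example (not part of the Smart API Manager documentation or product code), the following Python parses the two claim formats described above: the sub claim into the right-to-left hierarchy listed for it, and the name claim into its realm and username parts. The backslash-escape handling for the DN follows RFC 4514 and is an assumption, since the page does not state how SiteMinder escapes special characters in a value.

```python
from typing import List, Tuple

# Sample values copied from the claim examples on this page.
SAMPLE_SUB = "cn=Craig LINK,ou=Administration,ou=Corporate,o=DEMOCORP,c=AU"
SAMPLE_NAME = "SiteMinderRealm\\craiglink"


def parse_sub_claim(sub: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs ordered root-first,
    i.e. right to left as the hierarchy above lists them. A backslash
    escapes the next character (RFC 4514 convention, assumed here), so a
    comma inside a value is not mistaken for an RDN separator."""
    rdns, current, escaped = [], [], False
    for ch in sub:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if escaped:
        raise ValueError("dangling escape at end of DN")
    rdns.append("".join(current))

    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return list(reversed(pairs))  # c= (root) first, cn= (leaf) last


def parse_name_claim(name: str) -> Tuple[str, str]:
    """Split 'Realm\\username' into (realm, username); both parts are
    required and the username must not contain a second backslash."""
    realm, sep, user = name.partition("\\")
    if not sep or not realm or not user or "\\" in user:
        raise ValueError(f"expected REALM\\username, got {name!r}")
    return realm, user


if __name__ == "__main__":
    for attr, value in parse_sub_claim(SAMPLE_SUB):
        print(f"{attr} = {value}")
    print(parse_name_claim(SAMPLE_NAME))
```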

For more detailed information on mapping an identity to a group or user, see Add an identity provider.