I need to make users sign on using SiteMinder. I already have a web agent installed and SiteMinder is set up as well; my question is, what do I do in my web application to enable authentication via SiteMinder?
What I need is, when a user is not authenticated, to ask for login, then carry on. When the session has expired I want to ask for authentication again and go to the submitted screen if the authentication was successful.
Assuming that the policy to protect or unprotect web resources is in place, all that is pending is to ‘Enable SSO’ on those web apps. Web apps hosted on major application servers such as WebLogic Server, etc. would make it easy to do this. Otherwise you would have to build your own custom authentication module to integrate with SiteMinder.
There are two parts to it:
1. Protecting resources:
Say we define a realm to protect URLs like /web-app/(*) on the Policy server – so when the web agent reads the request HTTP headers and comes across an unauthenticated user requesting /web-app/home.jsp, it will challenge the user for their SSO credentials and will validate the same with the Policy server. Once this is done, the web agent checks if the user is authorized to access the resource it is requesting. If yes, then the web agent will include some SiteMinder HTTP headers/cookies.
2. Passing the user name from SiteMinder to the web app:
This request contains an HTTP header that stores the user name (generally HTTP_SM_USER; check with the policy server admin). The web app needs to read the user from this header; it should also be set to ‘trust’ SiteMinder. Now the web app would check if the user is an existing user in its database (Active Directory, etc.) and then pull provisioning information on that user.
So that’s about it at… the high level.. 🙂
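The header hand-off described in part 2, as an added example that is not part of the original answer: a servlet filter that accepts the SiteMinder user header only on requests relayed by the agent-protected web server, then checks the user against the application's own store. Assumptions: the `javax.servlet` API, the header name `SM_USER` (the servlet-side form of `HTTP_SM_USER`), and the constructed agent address, sample users and `isKnownUser` helper.

```java
import java.io.IOException;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

/** Added example: reads the SiteMinder user header only from the trusted agent host. */
public class SiteMinderUserFilter implements Filter {
    // Assumption: header name as seen by the servlet API; confirm with the policy server admin.
    private static final String USER_HEADER = "SM_USER";
    // Assumption: constructed address of the web server that runs the web agent.
    private static final Set<String> AGENT_HOSTS = Set.of("10.0.0.10");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // The header is only meaningful if the request passed through the web agent;
        // a request that reaches the app server directly carries no such guarantee.
        if (!AGENT_HOSTS.contains(request.getRemoteAddr())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        String user = request.getHeader(USER_HEADER);
        if (user == null || user.trim().isEmpty()) {
            // No identity asserted: the agent did not authenticate this request.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Hypothetical lookup: replace with the application's own user store.
        if (!isKnownUser(user.trim())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Expose the verified name to the application for provisioning lookups.
        request.setAttribute("authenticatedUser", user.trim());
        chain.doFilter(request, response);
    }

    private boolean isKnownUser(String user) {
        return Set.of("jdoe", "asmith").contains(user); // constructed sample users
    }

    @Override
    public void destroy() { }
}
```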