
ProxySG TechBrief Configuring SiteMinder Authentication

Netegrity Corporation's SiteMinder provides a single sign-on solution for enterprises that have multiple intranet Web servers all requiring authentication. The Netegrity SiteMinder solution relies on agents and a central policy server to provide seamless authentication. The user's SiteMinder session is carried in the SMSESSION cookie, which the agent sets on the client side.

What is Netegrity SiteMinder authentication?

Netegrity SiteMinder authentication is supported in ProxySG version 3.2. The Blue Coat ProxySG provides all configuration parameters to the agent. The agent then connects to the policy server, retrieves the appropriate configuration, and validates the user's credentials. Additional attributes can be returned to the agent to be forwarded to other Web servers to provide single sign-on capability (e.g. the HTTP_SM_USER header). The following diagram presents an overview of the communication process.

How does Netegrity SiteMinder authentication work with the Blue Coat ProxySG?

[Diagram: client -> ProxySG -> BCAAA agent (TCP 16101) -> Policy Server, carrying the authentication, authorization and accounting request and its response.]

A session cookie called SMSESSION, which carries the SiteMinder user session, is also set on the client side.

How to implement Netegrity SiteMinder authentication


There are five steps to implementing SiteMinder authentication services on the ProxySG:

1. Create a Netegrity SiteMinder Realm on the ProxySG
2. Install the BCAAA agent
3. Configure the Netegrity SiteMinder Policy Server with the agent
4. Enable Netegrity SiteMinder authentication through the Blue Coat Visual Policy Manager and create an authentication policy based on user and group identification
5. Test the authentication sequence

Technical Brief

Step 1: Create a Netegrity SiteMinder Realm

Create a realm using the Blue Coat management console. Select the authentication option and then select the Netegrity SiteMinder tab.

1. Click the New button. The Add Realm dialog is displayed. Type SiteMinder as the Realm name.


2. Specify the IP address of the agent and the agent name. The name has to match the agent configuration on the Netegrity SiteMinder policy server.

Click Apply to save your changes.

3. In the SiteMinder servers tab, specify the policy server(s) configuration parameters:


You can specify multiple policy servers; the ProxySG then uses them either in round-robin load balancing or in failover mode, as configured.

4. In the SiteMinder Server General tab, specify the protected resource name (this must exactly match the resource name configured on the policy server). Optionally, click Add header under Response header to forward headers sent by the Policy Server to upstream servers. Upstream servers treat these headers as the authenticated identity, so make sure they are reachable only through the ProxySG; otherwise a client could supply such a header itself.


5. In the SiteMinder General tab, specify the Display name and the virtual URL. In reverse proxy mode, the virtual URL needs to be in the same domain as the front-ended servers, otherwise the browser will not present the session cookie to them.


Step 2: Install the BCAAA agent

Download the BCAAA agent from http://download.bluecoat.com and install it on a Windows platform. Follow the installer instructions.


The default port is 16101. This port carries the authentication traffic between the ProxySG and the agent, so restrict access to it to the ProxySG addresses.


The BCAAA agent is now installed.


Step 3: Configure the Netegrity SiteMinder Policy Server

1. Create a new SiteMinder agent. It must be a 4.x agent, and its name must match the agent name configured on the ProxySG. The IP address is that of the host on which the BCAAA agent is installed. Also make sure the shared secret matches.


2. Create a domain and add the authentication schemes.


3. Create a REALM under the domain. Make sure the resource is protected and that the resource filter matches the protected resource name configured on the ProxySG.


4. Create rules under the REALM. You'll need to create three rules: GET, OnAuthAccept and OnAccessAccept.


5. Create the Response objects. You'll need to return at least the following variables:

a. BCSI_USER
b. BCSI_GROUPS
c. BCSI_LOGINNAME

Note: additional headers can be added to be forwarded to backend servers. The attribute returned for BCSI_USERNAME must be whichever directory attribute identifies the user in your deployment (UID, CN, or UserPrincipalName).


6. Create a policy that ties the rules and responses to the users or groups allowed to access the realm.


Step 4: Install the authentication policy using the VPM

1. In the Blue Coat Visual Policy Manager, create a new Web authentication policy by selecting Edit from the toolbar and choosing Add Web Authentication Policy.
2. Name the new layer "Authentication Policy" and click OK.


3. Right-click the Action field, then click Set, New, Authenticate. Select Origin-xx-redirect for forward proxy scenarios and Origin-xx for reverse proxy scenarios.
4. Click Install Policies to load the policy.


Step 5: Test Netegrity SiteMinder authentication

When you open your browser and request a page, you should now receive a logon pop-up window requesting your user credentials.

Successful authentication will display the requested Web site in the browser window.
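As an added check for this step (example code written for this page, not part of the original brief and not Blue Coat or Netegrity software), the script below inspects what the client actually receives: the first response to an unauthenticated request, which must be a redirect to the virtual URL in the Origin-xx-redirect modes chosen in Step 4 or a 401 challenge in the plain Origin modes, and the Set-Cookie header that sets SMSESSION once the logon succeeds. The virtual URL, the front-ended host name, the mode names and the cookie values are constructed assumptions; paste in the status, headers and Set-Cookie captured from the browser's network panel or from curl -v.

```python
"""Sanity checks for the SiteMinder sign-on sequence as seen by a client.

Added example, not Blue Coat or Netegrity code.  It inspects the first
response a client gets from the ProxySG (the challenge or redirect) and the
Set-Cookie header that sets SMSESSION once authentication succeeds.
Host names, the virtual URL and the cookie values below are constructed.
"""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Assumed deployment values (Step 1.5 virtual URL, one front-ended server).
VIRTUAL_URL = "https://auth.example.com/"
SITE_HOST = "intranet.example.com"

# Assumed mode names, modelled on the VPM choices in Step 4.
REDIRECT_MODES = {"origin-cookie-redirect", "origin-ip-redirect"}
CHALLENGE_MODES = {"origin", "origin-cookie", "origin-ip"}


def check_first_response(status, headers, mode, virtual_url=VIRTUAL_URL):
    """Return (ok, reason) for the first response to an unauthenticated request.

    Redirect modes must bounce the client to the virtual URL; the plain
    origin modes must answer 401 with a WWW-Authenticate challenge.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if mode in REDIRECT_MODES:
        if status not in (302, 307):
            return False, "expected redirect to virtual URL, got %d" % status
        target = urlparse(h.get("location", ""))
        if target.netloc.lower() != urlparse(virtual_url).netloc.lower():
            return False, "redirected to %s, not the virtual URL host" % (target.netloc or "<none>")
        return True, "redirect to virtual URL"
    if mode in CHALLENGE_MODES:
        if status != 401 or "www-authenticate" not in h:
            return False, "expected 401 challenge, got %d" % status
        return True, "401 challenge"
    return False, "unknown authenticate mode %r" % mode


def parse_smsession(set_cookie):
    """Extract SMSESSION from a Set-Cookie header; None if it is absent."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    m = jar.get("SMSESSION")
    if m is None:
        return None
    return {
        "value": m.value,
        "domain": m["domain"].lower(),
        "path": m["path"] or "/",
        "secure": m["secure"] is True,
        "httponly": m["httponly"] is True,
    }


def domain_covers(cookie_domain, host):
    """Cookie domain match: '.example.com' covers a.example.com and example.com."""
    d = cookie_domain.lstrip(".")
    return host == d or host.endswith("." + d)


def audit_smsession(set_cookie, site_host=SITE_HOST):
    """List problems with the SMSESSION cookie; an empty list means it looks sound.

    SMSESSION carries the user's SiteMinder session, so it must travel only
    over TLS, stay out of reach of page scripts, and be scoped to the domain
    shared by the virtual URL and the front-ended servers.
    """
    c = parse_smsession(set_cookie)
    if c is None:
        return ["no SMSESSION cookie: authentication did not complete"]
    findings = []
    if not c["secure"]:
        findings.append("SMSESSION lacks Secure: session token can be sent over plain HTTP")
    if not c["httponly"]:
        findings.append("SMSESSION lacks HttpOnly: readable by scripts (XSS exposure)")
    if c["domain"] and not domain_covers(c["domain"], site_host.lower()):
        findings.append("SMSESSION domain %s does not cover %s" % (c["domain"], site_host))
    return findings


if __name__ == "__main__":
    # Constructed sample of what a browser sees in origin-cookie-redirect mode.
    print(check_first_response(302, {"Location": "https://auth.example.com/login"},
                               "origin-cookie-redirect"))
    print(audit_smsession("SMSESSION=AbC123+/==; Domain=.example.com; Path=/; Secure; HttpOnly"))
    print(audit_smsession("SMSESSION=AbC123+/==; Domain=.other.com; Path=/"))
```

The domain check is the client-side view of the Step 1 requirement that, in reverse proxy mode, the virtual URL sits in the same domain as the front-ended servers: a cookie whose domain does not cover the front-ended host is simply never presented to it, and the symptom is a logon prompt that keeps coming back even though the credentials were accepted.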


Conclusion

In this TechBrief we have discussed how to quickly install and configure Netegrity SiteMinder authentication using the Blue Coat ProxySG. The first step is to create a Netegrity SiteMinder realm on the ProxySG and then install the Blue Coat Authentication and Authorization Agent (BCAAA). Next, you'll configure the Netegrity SiteMinder Policy Server with the agent. The last step is to configure SiteMinder authentication using the Visual Policy Manager on the ProxySG and test the sign-on sequence.

Copyright 2004 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Information contained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Blue Coat is a registered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the property of their respective owners. Contact Blue Coat Systems 1.866.30BCOAT 408.220.2200 Direct 408.220.2250 Fax www.bluecoat.com
