What are the ways to integrate Single Sign On with SiteMinder and a to-be-developed java/.Net bespoke solution?
I am thinking of building a bespoke solution using either java or .NET and I want to integrate the authentication layer with SiteMinder.
A. From what I have found so far, it seems that SiteMinder provides some kind of APIs for external application to pass the login credentials to Siteminder and Siteminder is able to revert whether the login credentials are correct or not:
-https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP2-ENU/Bookshelf_Files/PDF/siteminder_java_dev_enu.pdf
-https://support.ca.com/cadocs/0/CA%20SiteMinder%20r12%20SP2-ENU/Bookshelf_Files/PDF/siteminder_sdk_overview_enu.pdf
=> From your experience, is there any issue when you implement this?
B. After authentication, I envisage SiteMinder would pass the login user ID to my to-be-developed application, which will search the database to find out the roles and functions associated with the login user ID. This means that I would need to have a database table storing the list of user IDs from SiteMinder.
=> Is there any way to export the userIDs and names from siteminder into a flat file? I am thinking of setting up a regular data interfac开发者_如何学JAVAe job that will extract user info from siteminder and updating my to-be-developed application.
A. I strongly recommend not to use the SDK if you're not obligated to. Your code will be too tied to Siteminder and might break on every upgrade of the Siteminder infrastructure. The SDK is used when there are no other solutions.
A more standard way to integrate Siteminder would be to install a Web Agent/J2EE Agent on your web/application server. Siteminder will take care of the authentication process of the user, so you don't have to worry about passwords and passing credentials to Siteminder. This authentication process is totally transparent for the application.
Once the user is authenticated by Siteminder, the web agent will add specific HTTP headers to the request with informations on the user (username, email address, applicative roles, other informations...).
The application just has to fetch and trust these informations in the incoming HTTP request.
B. You have two way to achieve this:
- Siteminder can add these informations in a header, so you don't have to handle them.
- If you really need those informations in your database, Barra already gave you the most significant informations.
A. API to create SiteMinder session but you need credential input from user
B. SiteMinder does not use it's own user repository. It is outsourced to optional LDAP or Database servers. So you deal with that component without going thru SiteMinder
If you don't want to install a Web Agent or are concerned about the security implications of using HTTP Headers, you might want to look into using SAML. SiteMinder includes support for SAML based user authentication which may be an easier solution to implement.
SAML is a standard SSO protocol, you should be able to find many examples and possibly even a ready built module that can be used.
精彩评论