Deployment Scenario with Siteminder : Separate LDAP support

Added by Vincent Perrin | Edited by IBM contributor

J Paul Kelsey on April 7, 2010 | Version 11

Edit
More Actions ▼

Abstract

Configuring WebSphere Portal and CA Siteminder to authenticate users against two different user directories.

Tags: siteminder, security, ldap, deployment, scenario, 6.1

Authors

Paul Kelsey : Software Engineer pkelsey@us.ibm.com
Vincent Perrin : Software IT Specialist vincent.perrin@fr.ibm.com

Introduction

In this scenario, Siteminder is responsible for user authentication, but SiteMinder and WebSphere Portal are not configured to authenticate users against the same user store. The SiteMinder Agent for IBM WebSphere provides user mapping functionality that enables the SiteMinder Agent for IBM WebSphere to support environments.

Environment overview

The environment included the following items:

IBM WebSphere Portal 6.1 and WebSphere Application Server 6.1.0.15
IBM HTTP Server 6.1
IBM Tivoli Directory Server 6.1 (pdoglinux.raleigh.ibm.com)
Sun One Directory 5.2.4 (pdogwinxp.raleigh.ibm.com)
Netegrity Siteminder® 6.0.2

LDAP hierachy

IBM® Tivoli Directory Server 6.1 :

User Base Search: cn=users, o=ibm, c=us
Groups: cn=groups, o=ibm, c=us

Sun One Directory 5.2.4 :

User Base Search: ou=people, dc=raleigh, dc=ibm, dc=com
Groups: ou=groups, dc=raleigh, dc=ibm, dc=com

Architecture

diagram

Installation and configuration
Refer to the topics from the WebSphere Portal 6.1 Information Center and Netegrity SiteMinder Documentation listed in the steps below for more detailed instructions on the steps to install and configure the environment used for this test.

1 Install and configure IBM Tivoli Directory Server (ITDS) 6.1
2 Install WebSphere Portal 6.1, using the topic “Setting up a stand-alone production server” in 6.1 Information Center
3 Enable security for WP 6.1 to IBM Tivoli Directory Server (ITDS) 6.1, using the topic “Configuring WebSphere Portal to use a user registry”
4 Install and configure the IBM HTTP Server using the topic “Setting up a remote Web server with WebSphere Portal” in WP 6.1 Information Center
5 Verify Portal Security against ITDS and IHS WAS Plugin.
6 Install Sun One Directory 5.2.4
7 Install and Configure Siteminder Policy Server 6.0 with Sun One Directory, as the User Directory.
8 Install Siteminder Web Agent on top of IHS 6.1 using the “Netegrity SiteMinder® Web Agent Installation Guide”, in my environment named portal61.
9 Install Siteminder Web Agent for WebSphere on top of WP 6.1 using the “SiteMinder Agent for IBM WebSphere Guide”, in my environment named was_portal61.
10 Create a siteminder Domain and associate the Sun One Directory to it.
11 Create a siteminder realm and one rule to protect the portal context root, in my case/wps/myportal

Siteminder Admin Console :

Siteminder Realm Dialog Box:
You have to select the IHS Web Agent and /wps/myportal as resource filter.

Siteminder Rule Dialog Box:
To protect the effective resource /portal61/wps/myportal* for all action (Get,Post, Put)

12 In order to provide accurate mapping between user stored in Sun One Directory Server and ITDS, performed the following : In the Sun One Directory, add (or reuse) a LDAP exiting field to provide the ITDS user DN. For example, in this environment, I used the “mail” field (of pkelsey’s user attribute in Sun One Directory) to put the value “uid=pkelsey, cn=users, o=ibm, c=us”, which correspond to the “pkelsey” user DN in the ITDS Directory.

13 Create a user mapping response
A response passes user attributes, DN attributes, static text, or customized active responses from the Netegrity Policy Server to a SiteMinder Agent. The Sitemine Agent for Websphere supports a special variable _SM_MAPPED_USER which represents the mapped identity that the SiteMinder Agent will propagate to WebSphere.
In the Siteminder Administration, Domains Tabs :
a. Right-click Responses and select Create Response.
b. On the Response dialog, enter a Name and Description for the response and click Create (response attribute).
c. On the Attribute Setup tab of the Response Attribute Editor dialog, enter the following information:

– Attribute: Select the HTTP Header Variable
– Variable Name: _SM_MAPPED_USER
– Variable Value: mail or the attribute name used to store the DN

14 During the Siteminder Application Server Agent configuration (TAI), you have already created a siteminder realm (SiteMinder TAI Assertion Realm) and one rule to protect /siteminderassertion. You have to select the Siteminder Application Server Agent (TAI) and /siteminderassertion as resource filter. To perform the user mapping, you must create a rule under this ‘siteminderassertion’ realm to trigger this mapping. During rule creation, you have to select “Authentication Event” and “onAuthAccept”.

15 Create a policy

In the Users tab, select the Sun One Directory
In the Rules tab, add the two rules you have created previously, and for the “onauth_rule” add the response.

Siteminder policy screenshot

16 Now, you can try to log in into WebSphere Portal through Siteminder Authentication process
17 Open a new brower windows, enter http://[Hostname]/wps/myportal
18 You should be prompted and authenticated by the Siteminder Web Agent, only being allowed authenticated against the Sun One Directory.
19 Siteminder Application Server Agent (TAI) receives the value of the “mail” attribute in the Sun One Directory, and if the value exists in the ITDS as an unique DN, that user is allowed to the protected portal page.