Siteminder Concepts Guide


SiteMinder®
Concepts Guide
Version
Netegrity SiteMinder

Netegrity, Inc.
52 Second Avenue
Waltham, MA 02451
Phone: (781) 890-1700
Fax: (781) 487-0515
http://www.netegrity.com

Copyright © 1997-2001 Netegrity, Inc. All rights reserved.

SiteMinder products and associated documentation are protected by copyright and are
distributed under a licensing agreement. Netegrity Inc. has prepared this document for use by
Netegrity Inc. personnel, licensees, and customers. The information contained herein is
protected by copyright. No part of this document may be reproduced, translated, or transmitted
in any form or by any means, electronic, mechanical, photocopying, optical magnetic, or
otherwise, without prior written permission from Netegrity Inc. Netegrity Inc. reserves the
right to, without notice, modify or revise all or part of this document and/or change product
features or specifications.

This product contains encryption technology. Exporting these encryption algorithms to
certain countries may be prohibited or restricted by the laws of the United States.

Some portions of the code are licensed from RSA Data Security, Inc.

SiteMinder products are protected by copyright and are distributed under a licensing
agreement. No part of the SiteMinder product or related documentation may be reproduced
without expressed written permission from Netegrity, Inc.

SiteMinder and Netegrity are registered trademarks, and the SiteMinder and Netegrity logos
are trademarks of Netegrity, Inc.

All other trademarks or registered trademarks mentioned in this document are the property
of their respective owners.

NETEGRITY, INC. SHALL NOT BE LIABLE FOR TECHNICAL OR EDITORIAL ERRORS OR
OMISSIONS CONTAINED HEREIN; NOR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES
RESULTING FROM THE PERFORMANCE OR USE OF THIS MATERIAL.

Contents

Preface
SiteMinder® Print Documentation ... 7
SiteMinder Online Documentation ... 8
  Online Help ... 8
  Online Documentation ... 8
  SiteMinder Release Notes ... 9
About this Book ... 10
  Who Should Read This Book? ... 10
  Conventions ... 10
  How this Book is Organized ... 11
Technical Support ... 11
Recommended Reading List ... 12

Chapter 1: Managing E-Commerce Infrastructure
Portals Increase the Need for Secure Relationships ... 13
  Enterprise Portals ... 14
  Consumer Portals ... 14
Issues Facing Internet Businesses ... 15

Chapter 2: Introducing SiteMinder
SiteMinder Solutions for E-Commerce Issues ... 17
  Privilege Management ... 19
  Centralized Security Management ... 19
  Easy Platform and Environment Integration ... 21
SiteMinder Components ... 22
  SiteMinder Policy Server ... 24
  SiteMinder Agents ... 25
SiteMinder Policies ... 29
  What is a Policy Domain? ... 30
  What is a Resource? ... 31
  What is a Realm? ... 32
  What is a Rule? ... 33
  What is a Response? ... 34

SiteMinder Authorization Process ... 36
  Authorizing Users ... 36
  Structuring Authorization Privileges with Nested Realms ... 37
  Denying Access ... 38
  Extending Authorization Functionality ... 38

Chapter 3: SiteMinder Features
Single Sign-on ... 41
  SSO in a Single Domain ... 41
  SSO Across Multiple Domains ... 42
  Authentication Scheme Protection Levels for SSO ... 44
Affiliate Services ... 44
Registration Services ... 45
Delegated Management Services ... 46
  DMS Configuration Wizard ... 47
Anonymous User Services ... 47
Directory Integration ... 48
  LDAP Directory Support ... 49
  NT Domain Support ... 51
  ODBC Database Support ... 51
  Mainframe Database Support ... 52
  Directory Mapping ... 53
Personalization ... 53
Delegated Administration ... 55
Auditing ... 56
Reporting ... 56
Password Services ... 57
  User-Initiated Password Changes ... 57
Authentication Schemes ... 58
  Public Key Infrastructure Authentication ... 59
Session Management ... 60
  User Disablement ... 61
  Full Logoff Support ... 62
Agent Key Management ... 62
Scalability and Performance ... 62
  Load Balancing and Failover ... 63
  Replicating the Policy Database ... 63
  SiteMinder Caching ... 64
SiteMinder Developer Toolkit ... 65
SiteMinder Examples ... 67

Index

Preface

SiteMinder® Print Documentation
The following SiteMinder documentation is available in print form:

SiteMinder Installation Guide
Describes the processes for installing all SiteMinder components.

SiteMinder Concepts Guide
Refer to About this Book on page 10 of this document.

SiteMinder Deployment Guide
Provides practical information and guidelines about issues that should be
considered before deploying SiteMinder and procedural information about
setting up a Web site or portal.

SiteMinder Policy Server Operations Guide
Reference guide for all SiteMinder Policy Server related information.

SiteMinder Agent Operations Guide
Provides conceptual information and procedures for configuring SiteMinder
Agents.

SiteMinder Developer's API Guide
Describes and provides examples for the set of Application Program
Interfaces (APIs).

SiteMinder Application Server Agent Guide
Provides information for installing and configuring Application Server
Agents on IBM WebSphere and BEA WebLogic application servers.


SiteMinder Online Documentation
SiteMinder provides the following types of online documentation:

Online Help
The following HTML online help systems are available:

• SiteMinder Policy Server User Interface—Invoke the help system by
  selecting SiteMinder Help from the Help menu or clicking the Help
  button in any of the dialog boxes. This help system provides policy
  management and configuration management information.
• SiteMinder Policy Server Management Console—Invoke the help file
  by clicking the Help button.
• SiteMinder IIS Web Agent Management Console—Invoke the help file
  by clicking the Help button.

Online Documentation
SiteMinder provides different types of online documentation. The document
set varies with the installation.

• SiteMinder Policy Server Installation
  PDF versions of all SiteMinder printed manuals are placed in the
  siteminder/admin/manual directory of the SiteMinder installation
  directory. This directory also contains the following online guides for
  the DMS product:
  - Customizing Delegated Management Services (DMS)
  - Netegrity Template Language (NetTL) Description
  The DMS guides are not distributed in printed form. However, you can
  print the PDF file if you wish.
  To access any of these documents from the SiteMinder Policy Server
  User Interface, select Online Manuals from the Help menu.
  The SiteMinder Software Developer Kit (SDK) is installed with the
  Policy Server. The SDK includes Javadoc HTML pages to describe the
  Java Agent API. Access the Javadoc pages through the file:
  siteminder/sdk/samples/smjavaagentapi/index.html.


• SiteMinder Web Agent Installation
  PDF versions of the following printed manuals are installed in the Docs
  subdirectory of the Agent installation directory:
  - SiteMinder Agent Operations Guide
  - SiteMinder Installation Guide
  The same directory contains the following online guides for the DMS
  product:
  - Netegrity Template Language (NetTL) Description
  - Customizing Delegated Management Services (DMS)
  The DMS guides are not distributed in printed form. However, you can
  print the PDF file if you wish.

• SiteMinder Application Server Agent Installation
  PDF versions of the following printed manuals are installed with the
  SiteMinder Application Server Agent:
  - SiteMinder Application Server Agent Guide
  - SiteMinder Installation Guide
  The installation location varies depending on the platform:
  - WebSphere/NT: Netegrity/Documentation subdirectory of the
    Application Server Agent installation directory.
  - WebLogic/NT: Documentation subdirectory of the Application
    Server Agent installation directory.
  - WebSphere and WebLogic/Solaris: directory where you untar the
    installation file.

SiteMinder Release Notes
The SiteMinder Release Notes are in ASCII text format. They provide
information about new features and known issues for a release. They are
displayed during SiteMinder installation and, on NT platforms, are available
from the Start menu. In addition, they are installed at the root of the
SiteMinder installation directory.


About this Book
This guide provides information about the features, functionality, and
components that comprise SiteMinder.

Who Should Read This Book?
This guide is intended for anyone who wants to become familiar with
SiteMinder concepts and features.

Conventions
SiteMinder documentation uses the following conventions:

Convention                      Represented by             Example
Text that you enter             courier bold               Enter YES or NO.
Text that the system displays   courier                    The system displays the following message:
                                                           Process Complete
Button, menus, menu items       tahoma bold                Click OK to continue.
Field names and check boxes     tahoma bold                Select the Enable Web Agent checkbox.
File names                      courier                    Open the WebAgent.conf file.
Path names and file locations   courier                    Navigate to c:\SiteMinder\Bin.
Keys                            times new roman uppercase  Press ENTER.
Place holders and variables     tahoma italic              Enter <install_root>/bin, where
                                                           <install_root> is the location of SiteMinder.


How this Book is Organized
This book consists of the following chapters:

Chapter 1: Managing E-Commerce Infrastructure
Describes portals as a new business model and the issues that face portals,
extranets, and intranets.

Chapter 2: Introducing SiteMinder
Describes the SiteMinder Policy Server, Agents, policy components, and the
SiteMinder authorization process. In addition, this chapter discusses how
SiteMinder can help solve e-business issues.

Chapter 3: SiteMinder Features
Provides an overview of SiteMinder features.

Technical Support
Before contacting Customer Support, please have the following information:

• The type of computer you are using.
• The operating system version number.
• The product name and version number.
• The license number for your software.
• Type of network devices attached to your computer.
• A description of your problem.

Notify Netegrity Customer Support using any of the following options:

• Email: [email protected]
• Toll-free Phone Number (US and Canada only): 1-877-748-3646
  (877-SITEMINDER)
• International Phone Number: (781) 890-1700
• Fax: (781) 487-7791


Recommended Reading List
To learn about Web security and other related topics, refer to the following
resources:

Security and Cryptography
Ford, Warwick, and Michael S. Baum. Secure Electronic Commerce: Building
the Infrastructure for Digital Signatures and Encryption. New York: Prentice
Hall, 1997.

Garfinkel, Simson, and Gene Spafford. Web Security & Commerce (Nutshell
Handbook). Chicago: O'Reilly & Associates, 1997.

Ghosh, Anup P. E-Commerce Security: Weak Links, Best Defenses. New York:
John Wiley & Sons, 1998.

Kaufman, Charlie, Radia Perlman, and Mike Speciner. Network Security:
Private Communication in a Public World. New York: DIANE Publishing
Company, 1999.

Stallings, William. Cryptography and Network Security, 2nd Edition. New
York: Prentice Hall, 1998.

Certificates
Feghhi, Jalal, Peter Williams, and Jalil Feghhi. Digital Certificates: Applied
Internet Security. Boston: Addison Wesley Longman, Inc., 1998.

Grant, Gail. Understanding Digital Signatures: Establishing Trust over the
Internet and Other Networks. New York: McGraw Hill, 1997.

LDAP
Howes, Timothy A., Mark S. Smith, and Gordon S. Good. Understanding
and Deploying LDAP Directory Services. San Francisco: Macmillan
Technical Publishing, 1998.

Howes, Timothy A., and Mark S. Smith. LDAP: Programming Directory-Enabled
Applications with Lightweight Directory Access Protocol. San Francisco:
Macmillan Technical Publishing, 1997.

Johner, Heinz, et al. Understanding LDAP. IBM Redbook.

Wilcox, Mark. Implementing LDAP. Birmingham, UK: Wrox Press Ltd., 1999.

Chapter 1: Managing E-Commerce Infrastructure

With the introduction of the World Wide Web (WWW), the use of the
Internet, extranets, and intranets for conducting business has increased
dramatically. As more companies enter the e-business arena, attracting and
retaining customers, suppliers, partners, and other users are the challenges
that businesses face. The way to meet these challenges is to customize
services and applications for each user, thereby making each user’s
experience unique and their transactions secure.
SiteMinder’s out-of-the-box solution can help solve some of the problems
that face Web business environments.

Portals Increase the Need for Secure Relationships
As the Web has shifted from static content to dynamic e-business
applications and services, the portal has emerged as the new e-commerce
model.
Portals are virtual gateways through which users pass to access Web-based
applications and sensitive business resources. Portals also serve as the single
access point for any user, that is, an anonymous user, a customer, an
employee, or a business partner.
[Sidebar: SiteMinder can provide a single, customized view of any portal to a
variety of users.]
Portals secure access to resources, help to categorize information, and
provide utilities for information searches. They integrate data and
applications to satisfy demands for security, performance, applications, and
development tools.
Portals can be divided into two main categories:
• Enterprise (corporate) portals
• Consumer portals


Enterprise Portals
An enterprise portal is one that aggregates business applications and
information to match specific needs of its user population. An enterprise
portal can be internally focused if the users are employees, or externally
focused if the users are primarily partners and customers. An example of an
enterprise portal that is externally focused is Compaq.com, whose site
includes information about the company’s products and services.
An enterprise portal’s main purpose is to address the needs of the business,
its customers, and its partners. This type of site focuses on the extranet and
internet user, who may be registered or anonymous. Personalization, user
registration, and anonymous user support are just some of the features that
make a portal capable of handling a variety of users with a wide range of
business needs.
The enterprise portal can also provide access to intranet users, making a
variety of internal resources available. For example, a company’s employees
can access corporate information appropriate to internal personnel only.
[Sidebar: Enterprise portals focus on a specific company.]
Enterprise portals also offer links to partner sites and related industry sites,
also referred to as affiliate sites, that extend the usefulness of a portal. Even
the functions of enterprise portals are expanding as the integration of data
and applications increases.

Consumer Portals
Consumer portals, also called Internet portals, address the needs of an
even wider user base than enterprise portals. Consumer portals can be
divided into two types: vertical and horizontal.
[Sidebar: Consumer portals can be divided into vertical and horizontal portals.]
Vertical portals are sites that focus on a subset of the Internet market. These
are portals that cater to users with a common interest, for example, a portal
for users interested in travel. Though the user base is large, the site’s focus
and content are limited.
Horizontal portals, often called mega portals, are large-scale sites that bring
together a wide range of unrelated information. Many of these sites provide
their own applications as well as links to other sites. Yahoo.com is an
example of a horizontal portal. The horizontal portal has technology and
infrastructure requirements similar to those of a vertical portal. It is
distinguished from the vertical portal only by the size of the user base and
the scope of content.


Issues Facing Internet Businesses
Portals, extranets, and intranets need to address the expanding and diverse
user base and the ways these users access information. To do this, portals
need to consider the following issues when implementing e-commerce
infrastructure:
• Securing content
  To increase business, sites need to allow users access without exposing
  themselves to security risks. Secure authentication and authorization
  must be available, which includes the ability to apply stricter
  security measures to sensitive resources.
• Managing users, entitlements, and granular access control reliably and
  cost effectively
  Access must be based on entitlements, permitting different levels of
  access to different users; keeping the administration of user profiles
  efficient for entitlement-based access control is critical.
• Customizing the user experience
  Users across the Internet economy want a positive experience when
  accessing information or engaging in a transaction. In addition to
  feeling that transactions are secure, users want to traverse different areas
  of a site without having to re-enter credentials each time, to visit sites
  related to their original destination, and to view content relevant to their
  needs. A successful e-business site must address these needs and find
  ways to distinguish itself from its competition to retain user
  loyalty.
• Scaling for large and small numbers of users and handling data traffic
  Providing comprehensive capabilities to respond quickly to user
  requests even during peak traffic is important. If response is slow,
  users will go to other sites where they can get their information more
  quickly. In addition, a site needs to integrate legacy and new
  applications together.
• Integrating existing systems together with new Web-based methods of
  doing business
  Being able to deploy e-business across heterogeneous hardware and
  software environments is necessary. Existing user directories may also
  need to be integrated.

• Providing a seamless integration between portal and affiliate sites
  Visitors to a portal site should be able to link easily to related
  businesses. Establishing relationships should result in increased
  visibility and revenues for both the portal and the affiliate.
SiteMinder addresses all of these issues.

Chapter 2: Introducing SiteMinder

SiteMinder is a platform for secure portal, extranet, and intranet
management. It meets key authentication, authorization, and personalization
requirements for building and managing secure Web sites.
Using SiteMinder, administrators can easily implement security policies that
protect Web applications and resources. It enables administrators to manage
authentication and authorization privileges based on a user-centric,
policy-based model for security. SiteMinder can also help developers deliver
secure Web applications on time and on budget by managing all of the
complex security and management requirements.

SiteMinder Solutions for E-Commerce Issues
SiteMinder is a directory-enabled, standards-based system that can work
with heterogeneous Web and application servers, operating systems, and
application development platforms.
SiteMinder can do the following:
• Operate across multiple server platforms:
  - Microsoft IIS (NT and Windows 2000)
  - iPlanet Enterprise Server (NT, Windows 2000, Solaris, HP-UX, AIX)
  - Netscape Enterprise Server (NT, Windows 2000, Solaris, AIX, HP-UX)
  - Apache (Solaris)
  - Lotus Domino Application Server (NT, Windows 2000, Solaris)
  - BEA WebLogic Server (NT and Solaris)
  - IBM WebSphere Application Server Advanced Edition (NT and Solaris)
• Centralize control of user access privileges

• Leverage existing directory servers
  SiteMinder provides native integration with industry-standard LDAP
  directory servers, NT domains, ODBC databases, and mainframe
  databases for authentication and access management.
  In addition, SiteMinder can authenticate users against one directory
  server and authorize users against another directory. This is useful if
  authentication information is stored in a centralized user directory but
  authorization privileges reside in different distributed directories.
• Deliver an improved user experience
  Using personalization, user registration services, anonymous user
  support, and single sign-on, SiteMinder improves Web site usability for
  each user.
• Provide delegated administration
  SiteMinder offers a flexible administrative model that allows the
  management of SiteMinder objects and tasks to be delegated to any
  administrator.
• Scale for large or small sites
  SiteMinder can support very large portals, with millions of users and
  thousands of applications, as well as extranets and intranets with a
  smaller user base.
• Integrate applications and improve workflow
  SiteMinder can integrate directories and external databases in its
  policies. This means that when a SiteMinder event occurs, for example,
  an authentication or authorization, SiteMinder can call external
  applications or libraries, and extract the necessary information from
  these sources. As a result, a company’s dynamic business data can be
  used directly to make user entitlement decisions.
• Allow easier Web application development
  Web site developers can use SiteMinder to deliver secure personalized
  Web applications on time and within a budget by managing all of the
  complex security and entitlement requirements for those applications.


Privilege Management
The issue of privilege management is one of the most critical aspects for
business. Users require access to information, but each user must be
authenticated and then authorized based on their privileges before gaining
access.
SiteMinder can meet the requirements for building and managing secure
user-based Web sites and portals.
The privilege management model for Web resources often varies across Web
servers, Web application servers, operating systems, and development tools.
Consequently, the administration of one server can differ from the
administration of another, and the privilege management capabilities offered
by these various servers and tools can differ. These differences can lead to
administrative problems as well as an inconsistent security framework.
The privilege management model for multi-tier applications can delegate
user privileges differently for each tier. This implementation would allow
users of one client to perform tasks that users of other clients could not.
SiteMinder’s ability to deliver user privilege information to Web
applications makes it an excellent access control solution for applications
based on a three- or four-tier Web-based distributed architecture.

Centralized Security Management
As user populations for portals, extranets, and intranets increase, delivering
and securing content in heterogeneous environments can be done many
different ways, depending on the platforms, operating systems, Web servers,
and applications in use. Administering these more complex environments is
often more costly and time consuming than administering single-platform
environments. As a result, the quality of Web site security is sometimes
lower in heterogeneous environments.
SiteMinder security management features let administrators make business
processes and sensitive information available to users outside the company,
giving partners and suppliers access to sales and marketing information,
production schedules, and certain applications. The advantage of making
this information available from an enterprise portal is that it improves time
to market and business planning.
[Sidebar: SiteMinder is a user-centric, policy-based security model.]
Administrators can use SiteMinder to implement a security policy to protect
Web applications and Web site content. By providing a user-centric, policy-
based model for Web and portal site security, SiteMinder enables
administrators to assign authentication schemes and define and manage
authorization privileges to specific resources. Access permissions are
specified by a set of rules that are bound to users or groups to form policies,
not only on the basis of resources.
Basic authentication schemes (schemes that rely on username and password)
often become targets for hackers. As a result, many of today’s users do not
feel comfortable sending their personal information electronically with such
minimal protection. Along with Basic authentication, SiteMinder supports
other authentication methods including X.509 certificates and SSL
connections, which eases many of the security fears of both users and
administrators.

Policy-based Control of User Access
SiteMinder provides a single, browser-based, administrative system that
extends across all intranet and extranet applications. Using a consistent
security policy, multiple Web applications can be centrally managed.
A centralized approach to security management provides the following
advantages:
• Applying the same security policy to each Web application eliminates
  the need to write complex code to manage security in each application.
• The time and cost to develop and maintain multiple security systems is
  reduced, making it comparable with developing and maintaining only
  one security system.
• Customers, business partners, and employees accessing the network all
  have their security privileges managed through SiteMinder whether they
  access the corporate network locally or remotely through the Internet or
  a private network.
SiteMinder’s user-centric approach to security policy management enables
administrators to define rules to control the actions performed on a specific
resource, and bind the rules to user groups defined in a directory service.
Rules can be re-used within realms, to minimize the administration required
to manage access control for a large environment.
SiteMinder does not require a client-side component. This makes
installation, configuration, and ongoing management simple.


Easy Platform and Environment Integration
SiteMinder easily integrates and scales with your existing technologies and
environment.
In particular, SiteMinder integrates with the following:
• Web browsers
• Web and application servers
• User directory services
• Development tools and scripting environments
• Authentication mechanisms
• Public key infrastructures
• RADIUS devices
The following graphic shows SiteMinder’s support for a wide variety of
technologies.

Platforms:
  Web Agents: Microsoft IIS; Netscape (AIX, NT, HPUX, Solaris); Apache; Domino (NT, Solaris)
  Application Server Agents: WebSphere; WebLogic
  Policy Servers: NT; UNIX
User Directories: ISOCOR (InJoin), IBM SecureWay, Microsoft Active Directory,
  Netscape Directory Server, NT Domains, Novell Directory Services, Oracle Internet
  Directory, PeerLogic i500, SQL Database, Mainframe directories
Development Environments: all CGI scripting environments, including Allaire ColdFusion,
  Bluestone, Oracle Application Server, PERL, C, and ASP, Sun NetDynamics Application Server
Authentication Methods: Anonymous, Custom methods, Combined methods, Forms, NTLM,
  Passwords, RADIUS, Tokens, X.509 Certificates (Cert. Revocation List checking)
RADIUS Network Access Devices: Communication Servers, Firewalls, Proxy servers


SiteMinder Components
A SiteMinder installation consists of two main components: the SiteMinder
Policy Server and the SiteMinder Agent.
The SiteMinder Policy Server is an NT or UNIX-based server that provides
the following services:
• Policy-based user management
• Secure portal management
• Authentication services
• Authorization services
• User registration services
• Password services
• Session management
• Auditing services
The SiteMinder Agent integrates with Web servers, Web application servers,
or custom applications to enforce security and user management functions
based on pre-defined policies. For RADIUS environments, the Agent is a
Network Access Server (NAS) device.
SiteMinder supports the following types of Agents:
• Web Agents
• Application Server Agents
• Affiliate Agents
• Custom Agents
• RADIUS devices
The following diagrams illustrate different SiteMinder installations.


SiteMinder Installation with Affiliate, Web, and Application Server Agents

[Diagram: an Affiliate Site (Web Server with an Affiliate Agent) and a Portal Site
(Internet Web Server with a Web Agent and an Application Server with an Application
Server Agent, each fronting Protected Resources) connect over the Internet to the
Policy Server, which provides Administration, Authentication, Authorization and
Accounting and uses Accounting Logs, a Policy Store and User Directories.]


SiteMinder RADIUS Installation

[Diagram: a NAS on the Wide Area Network talks over the RADIUS Network to the
RADIUS Server (Administration, Authentication, Authorization, Accounting), which
uses Accounting Logs, a Policy Store and User Directories.]

SiteMinder Policy Server
The Policy Server manages the access control policies established by an
administrator. These policies define which resources are protected and which
users or user groups are allowed access to resources. Using policies, you can
set time constraints on resource availability and IP address constraints on the
client attempting access.
The Policy Server runs on an NT or UNIX system and performs key security
and portal management operations. To meet the security needs of each
environment, the Policy Server supports a range of authentication methods
and uses existing directory services to authenticate users. By supporting a
wide range of authentication methods, the Policy Server provides flexibility
and security for a diverse set of users.
To define policies, administrators use the SiteMinder Policy Server User
Interface. This Web-based application enables you to create policies that
protect any resource, and lets you configure responses that supply data for
Web applications. Policies can be updated by administrators as the user
population or the security requirements change.
The Policy Server generates audit logs that contain information about user
activity relevant to SiteMinder. These logs can be printed in the form of pre-
defined reports so that you can analyze security breaches or anomalies and
correct them. You can also log auditing information to a console window.


SiteMinder Agents
A SiteMinder Agent integrates with a Web server, a Web application server,
or a custom application to enforce access control based on pre-defined
policies. For RADIUS environments, a NAS serves as a RADIUS Agent.
SiteMinder supports a variety of Agents, as described in the following
sections.

For information about configuring Agents, refer to the SiteMinder Agent
Operations Guide.

Web Agents
SiteMinder Web Agents work with the SiteMinder Policy Server to
authenticate and authorize users for access to resources on a Web server.
The SiteMinder Web Agent is integrated with a Web server or a Web
application server. The Agent intercepts requests for a resource and
determines whether or not the resource is protected by SiteMinder.
The Web Agent works with the following Web servers:
• Microsoft IIS (NT and Windows 2000)
• Netscape iPlanet Enterprise (NT, Windows 2000, and UNIX)
• Apache (Solaris platforms only), configured as a standard server or a
reverse proxy server
• Lotus Domino (NT, Windows 2000, and Solaris)
• Red Hat Stronghold SSL Web server 3.0 on Solaris 2.5.1, 2.6, 2.7
• IBM HTTP Server on Solaris 2.5.1, 2.6, 2.7

Note: Agents operating on Windows 2000 platforms do not support
Password Services or Delegated Management Services (DMS).

If a resource is unprotected, a user gains access without intervention. If the
resource is protected, the Web Agent interacts with the Policy Server to
authenticate the user and determine if they are authorized to access the
resource. When an authorization is successful, the Web Agent proceeds with
the request. The Web Agent can also forward additional user-specific
attributes to an application in the form of a response, which enables content
personalization.


The Web Agent caches information about authenticated users and protected
resources. Caching improves the processing of user requests and provides
the mechanism to support single sign-on for multiple applications.
Administrators can modify the caching parameters that control these
services.
Web Agents provide a logging function to monitor the performance of the
Web Agent and its communications with the Policy Server.

Apache Web Agent as a Reverse Proxy Agent
You can configure the Apache Web server to function as a reverse proxy
server. A reverse proxy server is a type of proxy server that acts on behalf of
clients outside an organization’s internal network.

[Diagram: a User Request from the Internet passes through the Firewall to an Apache
Reverse Proxy Server with an Apache Web Agent, which fronts an Oracle Application
Server holding Financial Resources and an IIS Web Server holding Payroll Resources
(SSL); the Policy Server behind the proxy uses a User Store and a Policy Store.]

Typically, a proxy server enables clients residing behind a firewall to access
the Internet. A reverse proxy server allows clients outside the firewall to
access a server behind the firewall. The reverse proxy server secures a
backend server’s resources against unauthorized access.
If your environment uses an Apache reverse proxy server as a gateway to
your backend servers, a SiteMinder Web Agent can protect these resources.
The advantage of using a SiteMinder Web Agent with a reverse proxy server
is that you can protect resources not already protected by a SiteMinder Web
Agent. Also, your resources are secure for intranet and authorized Internet
users.


Application Server Agents
A SiteMinder Application Server Agent secures resources deployed to
application servers that follow the Java 2 Enterprise Edition (J2EE) standard.
These resources can be Java servlets, JavaServer Pages (JSPs), and
Enterprise JavaBean (EJB) components. The Application Server Agent
intercepts requests for a resource and determines whether or not the resource
is protected by SiteMinder.
The SiteMinder Application Server Agent works with the following
application servers:
• BEA WebLogic Server 4.5.1 Service Pack 11 or 4.5.2 (NT and Solaris)
• IBM WebSphere Application Server Advanced Edition, Version 3.0.2
(NT and Solaris)
The SiteMinder Application Server Agent consists of two components:
• Java Servlet Agent — a collection of servlets that communicates with
the Policy Server via the SiteMinder Agent API.
• EJB Agent — a component that integrates with the application server
and communicates with the Policy Server like the servlet Agent. The
EJB Agent protects only EJB components.
For complete information about Application Server Agents, refer to the
SiteMinder Application Server Agent Guide.

Affiliate Agents
A SiteMinder Affiliate Agent provides a seamless connection from a main
portal to an affiliate site without requiring a user to re-identify or provide
additional information about themselves. The affiliate site can determine that
the user has been registered at the main portal, and optionally, that the user
has an active SiteMinder session. Based on policies configured at the portal
for the affiliate, information can be passed to the affiliate and set as cookies
or header variables for applications at the affiliate Web server.
The Affiliate Agent is the only SiteMinder component that resides at the
affiliate site. The affiliate site does not require a full SiteMinder installation
because an Affiliate Agent does not protect resources in the same way as a
Web Agent. It simply provides user information to the affiliate Web server
for use with its applications.

Affiliate Agents provide a logging function to monitor the performance of
the Affiliate Agent and its communications with the Policy Server at the
portal site.

Custom Agents
Custom agents together with the SiteMinder Policy Server can provide
access control for a wide range of resources that extend beyond Web
resources.
The SiteMinder Web Agent and the Policy Server protect Web resources that
can be identified by a URL. However, because the Policy Server is a general-
purpose rules engine, it can also protect any resource that can be expressed
as a text string. It can also protect any operation to be performed on a
resource. Consequently, a custom agent working with the Policy Server as
the core engine, can extend the types of resources that SiteMinder can
protect. These resources can be a software architecture method, an
application, or a specific task performed by an application.
The Agent API enables you to create a custom Agent that can implement
security for any type of resource. For example, an Administrator can create
policies that control administrative functions on SNMP-based objects. These
policies allow some users to perform an SNMP SET PDU operation, which
sets certain variables that are part of a managed object. Other users may only
be allowed to perform a GET PDU operation, and others might be prevented
from doing any SNMP operations. The custom Agent protects these objects
by contacting the Policy Server whenever any SNMP operation is attempted
on a managed resource.

For detailed information about creating custom Agents, refer to the
SiteMinder Developer’s API Guide.

RADIUS Devices

You can use the SiteMinder Policy Server as a RADIUS authentication
server to authenticate users for access to network services. After a user is
authenticated, the NAS, which controls network access, grants the user
access. The NAS device serves as a SiteMinder RADIUS Agent. When you
define a RADIUS Agent you specify the type of NAS that controls network
access.

For detailed information about RADIUS, refer to the SiteMinder
Deployment Guide.


SiteMinder Policies
SiteMinder provides security and access management based on policies.
SiteMinder policies make access and security management more flexible
and scalable because they are built around the user and that user’s
relationship to the protected resource, not just the resource itself.
A policy protects resources by explicitly allowing or denying users access to
resources. It specifies the resources that are protected, the users or groups
that have access to these resources, the conditions under which this access
should be granted, and the delivery method of those resources to authorized
users. If a user is denied access to a resource, the policy also determines how
that user is treated.
A SiteMinder policy binds rules and responses to users and user groups. The
responses in a policy enable you to customize the delivery of content for
each user, which cements a better relationship between a user and a site.
Policies are stored in the policy store, which is the database that contains all
the SiteMinder entitlement information.
The basic structure of a policy is shown in the following diagram.

Policy = Rule + User Directory + Response + IP Address + Time + Active Policy

  Rule: allows or denies access to a specific resource
  User Directory: identifies users
  Response (optional): action that occurs when a rule fires
  IP Address (optional): IP address that the policy applies to
  Time (optional): time when the policy can or cannot fire
  Active Policy (optional): custom extension of the policy

When you construct a policy, you can include multiple rule-response pairs
and bind them to individuals, user groups, or an entire user directory. You
can also configure multiple policies to protect the same Web resources
against different sets of users, adding responses that enable the Web
application to further refine the Web content shown to the user.
One of the configuration options of a policy is a time restriction. If you
specify a time restriction for a policy and a rule in that policy also contains a
time restriction, the policy fires during the times when both restrictions
overlap. For example, if a policy can only fire between 9:00AM and 5:00PM
and the rule can only fire Monday through Friday, the policy can only fire
between 9:00AM and 5:00PM, Monday through Friday. If a policy does not
fire, the rule will not fire.
In addition to supporting static rules, you can configure an active policy. An
active policy authorizes users based on dynamic data obtained from external
business logic.

The next sections define the specific parts of a SiteMinder policy. For
complete details about SiteMinder policies, refer to the SiteMinder Policy
Server Operations Guide.

What is a Policy Domain?
A policy domain is a logical set of resources grouped together from an
administrative perspective. For example, a corporate intranet may be
implemented across five servers that support the Marketing and Finance
divisions of a company. These divisions can be partitioned into a marketing
policy domain and a finance policy domain.
Policy domains make the administration of a site much easier because
independent administrators can be assigned policy management
responsibilities for different domains based on their job function. As users or
resources change, the administrator knows how to properly update the policy
for the domain. After establishing policy domains, you then associate
resources, rules, and responses with each domain.
The following diagram shows an example of a policy domain.
Example of a Policy Domain

[Diagram: the Marketing Policy Domain contains a User Directory of Marketing and
Engineering Employees, a Marketing Administrator, and the resources Marketing
Projects (Project_1.html, Project_2.html) and Marketing Strategy (Strategy.html).]


What is a Resource?
When protected by a Web or Application Server Agent, a resource is any
object that a user attempts to access or any privilege that a user attempts to
get. The following table shows some examples of resources:

Resource          Example
Web page          /applications/myapp.exe
CGI script        /www.acme.com/price/1,2,0-a-0-0,000.html?st.dl.search.qs.results
Directory         /mydirectory
Servlet or EJB    com.mycompany.finance.payroll
JSP page          /promotions/offers.jsp

To identify resources and enable policies to reflect your site’s infrastructure,
SiteMinder uses resource filters. A resource filter specifies the location of
the resources in your Web or Application Server’s hierarchy of files and
applications that you want to protect. It lets you group or single out resources
for protection from different sets of users.
For Web servers, the resource filter always begins with the Web server root.
For example, to protect files in mydirectory, the resource filter would be
/mydirectory/.
For Java Application Servers, the resource filter begins at a directory in your
classpath. For example, to protect methods for EJB1 the resource filter
would be com.myorg.ejb1. To protect servlet1 it would be
com.companyA.servlet1.
The following figure shows the directory structure on which the resource
filter is based.


Resource Filter

  /mydirectory/            com.myorg                   com.companyA
    file1.html               ejb1                        servlet1
    file2.html                 method1                   servlet2
    file3.html                 method2                   servlet3
    script1                  ejb2
                               method1
                               method2
  These files can be       These EJBs and their        These servlets can be
  protected                methods can be protected    protected

The resource filter only specifies resource location; the specific resource or
set of resources to be protected is defined in a rule.

What is a Realm?
A realm is a collection of resources grouped together according to security
requirements. All resources in a realm are protected by the same Agent. You
associate realms with policy domains; policy domains can contain one or
more realms.
For example, engineering resources in the /engineering directory could
be configured as a realm in the Development policy domain, as shown in the
following diagram:
Example of a Realm

[Diagram: the Development Policy Domain contains the Engineering Realm.]

To configure realms, think of the organization of your environment’s
resources as a directory structure of the resources that reside on your Web
server. You need to determine which sections of the directory have common
access requirements and identify them by their location in the directory tree
as specified by the resource filter.
Each realm can require a different authentication method to gain access. For
example, in the Development policy domain, you could have two realms, the
Engineering realm with a resource filter of /engineering, which can be
set up to require a password for authentication, and the System Test realm
with a resource filter of /systemtest that can require certificate-based
authentication.

What is a Rule?
A rule defines a set of actions for the resource it protects. For example, if a
collection of CGI scripts is protected by a rule in a realm, one group of users
is allowed access to the scripts, while another group of users is denied access
and redirected to another site in the company’s network.
A rule is comprised of a realm, a resource, an action, and optionally, a time
constraint, as shown in the following diagram:
Rule Definition

Rule = Realm + Resource + Action + Time + Active Rule

  Realm: identifies a group of resources and authentication
  Resource: Web pages, CGI scripts, applications, JSPs, EJBs, servlets
  Action: action allowed against resource
  Time (optional): time when the rule can or cannot fire
  Active Rule (optional): custom extension of the rule

Included in a rule is the action that a user can perform on a resource after
they have been granted access. For example, an Accounting realm can have
a CheckReceivables rule that includes an HTTP GET action on the resource
receivables/*. This rule states that an authenticated user can view all the
files included in the receivables directory.


The Policy Server supports the following actions:

Type of SiteMinder Agent    Actions
Web Agent                   HTTP Get, HTTP Post, HTTP Put
Affiliate Agent             Visit - this action lets the SiteMinder portal
                            and the affiliate interact.
Application Server Agent    For servlets: doGet, doPost
                            For EJBs: invoke, lookup, load, close
RADIUS                      Authenticate - a RADIUS server only
                            authenticates users.

You can also configure a rule to fire based on specific authentication or
authorization events. For example, you might configure a rule that includes
an OnAuthReject action. When a user fails to authenticate, this rule is
triggered, and it redirects the user to another URL.
You can configure a time restriction for a rule. This restriction is only
applicable if the policy containing the rule fires. If the policy that contains a
time restriction includes a rule with a time restriction, the policy fires when
the two restrictions overlap.
In addition to supporting static rules, you can configure an active rule. An
active rule authorizes users based on dynamic data obtained from external
business logic. SiteMinder invokes a function in a customer-supplied shared
library. This shared library must conform to the interface specified by the
Authorization API described in the SiteMinder Developer’s API Guide.

What is a Response?
A response lets an administrator manage the user experience by passing data
to applications that can personalize content. Responses contain sets of HTTP
name/value pairs, which are paired with rules. When a rule is triggered, the
Policy Server returns the response attributes to a SiteMinder Agent. The
Agent passes these attributes to the HTTP headers, which make the data
available to the applications on the server.
The table that follows shows how a response can be used to customize
content. In this example, there are two access levels for a set of users: basic
access and privileged access. The buttons that the application displays are
dependent on the access level associated with each user.

Response Examples

Response Name        Response Attributes
Basic_Access         ShowButton1=Yes
                     ShowButton2=Yes
                     ShowButton3=Yes
Privileged_Access    ShowButton1=Yes
                     ShowButton2=Yes
                     ShowButton3=Yes
                     ShowButton4=Yes
                     ShowButton5=Yes
                     ShowButton6=Yes

For basic access, the user sees only three buttons; for privileged access the
user sees six, as shown in the following diagram.

[Diagram: two views of the Acme Software.com page at http://www.acme.com. The
Basic User sees the buttons Priority Email, View Account and Create Ticket; the
Privileged User sees those three plus Update Ticket, Order Upgrade and Priority
Service.]

Responses can also contain data from a user directory profile or some other
directory object’s profile. For example, the attribute “USER_ADDR=123
Main St.” could be passed to an application.
SiteMinder also supports active responses. An active response includes data
from external business logic. When a rule with an active response fires, the

6LWH0LQGHU&RQFHSWV*XLGH
,QWURGXFLQJ6LWH0LQGHU

Policy Server executes a custom library program, which returns response


attributes to the application.
You can configure responses using common scripting languages and
programming environments, including Microsoft Active Server Pages
(ASPs), Java servlets, JSPs, and CGI-compliant environments.

SiteMinder Authorization Process
The SiteMinder authorization process brings the components of a
SiteMinder policy together. Authorizing a user for access requires that the
Policy Server determine which policies have rules that trigger when a user
attempts to access a particular resource.
The Policy Server performs two primary functions in the following order:
• Determines whether a resource is protected
The Web Agent asks the Policy Server whether a resource is protected,
which prompts the Policy Server to check the configured rules and
determine the answer. If the resource is protected, the Policy Server
instructs the Web Agent to challenge the user for credentials so it can
authenticate the user.
• Determines whether a user is authorized
After determining protection and authentication, the Policy Server looks
for applicable policies for the user and the resource and collects the
privileges that the policy permits.

Authorizing Users
When a user attempts to access a protected resource, the Policy Server first
authenticates the user. Users are then authorized to access resources based on
policies configured by an administrator.
A user is authorized as follows:
1. The SiteMinder Agent sends the details of the HTTP request along with
the user’s identity to the Policy Server for authorization.
2. The Policy Server determines which policies protect the resource in
question and whether or not the policies apply to the user attempting
access.
3. The Policy Server communicates its decision to grant or deny user
access along with the applicable responses to the Agent.


4. If access is granted by the Policy Server, the Agent adds the attributes to
the HTTP header, which is then forwarded to the Web or application
server for processing.
The authorization process also includes user-configurable SiteMinder
actions, which are configured on a per-realm basis. These actions, which are
configured as response attributes, instruct the Policy Server to accept or
reject user requests if the user is authenticated or authorized. For example, if
a user is allowed access, the action may be to reject the user and redirect
them to another resource. This is referred to as an OnAccessReject action.
SiteMinder’s policy-based management is a user-centric approach that
enables administrators to manage authorizations and customize content on a
per-user or per-group basis.
For example, an administrator can create a policy that contains a rule tied to
an authorization event. When an authenticated user assigned to a “bronze”
user group accesses a Web application, the Policy Server authorizes the user
and sends a response allowing them access to their account balance.
However, the administrator might define a different response for users
assigned to the “gold” user group. When these users access the same Web
application, they can not only check their account balances, but they can also
transfer funds between accounts. In each scenario, the group the user
belongs to determines their authorization privileges.

Structuring Authorization Privileges with Nested Realms
To provide secure access to authorized users, you can set up a security model
to reflect the hierarchical structure of your site’s protected resources. To do
this, you can configure a series of realms and sub-realms to reflect this
hierarchy. Nested realms enable you to set up a security model in which each
layer has progressively stricter security requirements, with different
privileges, personalization, and handling requirements.
The following diagram shows how nested realms can represent a directory
structure for resources on a Web server.


Directory Structure / Realms and Nested Realms

  /marketing/                 Basic Authentication, Protection Level 5
    index.html
    competitors/              HTML Forms Authentication, Protection Level 10
      list.html
      strategy.html
    new_products/             X509 Client Certificate Authentication, Protection Level 15
      description.html
      pricing.html

For all realms that share the same resources, the Policy Server goes through
the realms hierarchically and evaluates policies in all matching realms,
starting with the least-secure realm and moving to the most secure. The least
secure realm is the first realm in the directory structure and the most secure
is the last.
For example, in the diagram above, the policy domain reflects the directory
hierarchy of your resources. You can configure different levels of protection
for the resources in the /marketing/competitors/ directory than for the
resources in the /marketing/new_products directory.

Denying Access
By default, a rule allows access to a resource; however, you can create a rule
to deny access to a resource. A deny access rule always takes precedence
over an allow access rule. This ability to create allow and deny access rules
enables you to configure two different policies for resources in the same
realm but for different users. One policy allows certain users access, while
the other denies a different group of users access.
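The evaluation behaviour described in the sections above, as an added Python model (constructed here, not SiteMinder code): rules carry actions on resources inside a realm, a policy binds them to user groups together with response name/value pairs, a policy with a time restriction fires only where its window and the rule's window overlap, nested realms are walked from the least secure to the most secure, and a deny rule always wins over an allow rule. The realm, group and path names, the button-style response attributes and the shell-style resource pattern are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class TimeRestriction:
    """Hours are [start, end) in 24h form; weekdays use 0=Monday .. 6=Sunday."""
    start_hour: int = 0
    end_hour: int = 24
    weekdays: frozenset = frozenset(range(7))

    def allows(self, when: datetime) -> bool:
        return self.start_hour <= when.hour < self.end_hour and when.weekday() in self.weekdays

@dataclass
class Realm:
    name: str
    resource_filter: str        # begins at the Web server root, e.g. "/marketing/"

    def matches(self, path: str) -> bool:
        return path.startswith(self.resource_filter)

@dataclass
class Rule:
    realm: Realm
    resource: str               # relative to the realm filter; shell-style wildcard (assumption)
    actions: frozenset          # Web Agent actions: "GET", "POST", "PUT"
    deny: bool = False
    time: TimeRestriction = TimeRestriction()

    def fires(self, path: str, action: str, when: datetime) -> bool:
        return (action in self.actions
                and fnmatchcase(path, self.realm.resource_filter + self.resource)
                and self.time.allows(when))

@dataclass
class Policy:
    name: str
    groups: frozenset           # user groups the rule/response pairs are bound to
    rules: list
    responses: dict = field(default_factory=dict)   # name/value pairs the Agent puts in headers
    time: TimeRestriction = TimeRestriction()

def authorize(realms, policies, user_groups, path, action, when):
    """Return (decision, response_attributes) for one authenticated request.
    Matching realms are walked from the least secure (shortest filter, top of the
    tree) to the most secure; a deny rule anywhere takes precedence over every allow."""
    matching = sorted((r for r in realms if r.matches(path)),
                      key=lambda r: len(r.resource_filter))
    if not matching:
        return "unprotected", {}          # no realm covers the path: no challenge
    allowed, denied, attrs = False, False, {}
    for realm in matching:
        for pol in policies:
            # a policy fires only for its bound users and inside its own time window
            if not (pol.groups & user_groups) or not pol.time.allows(when):
                continue
            for rule in pol.rules:
                # the rule's window must allow as well, so the two windows must overlap
                if rule.realm is realm and rule.fires(path, action, when):
                    if rule.deny:
                        denied = True
                    else:
                        allowed = True
                        attrs.update(pol.responses)
    if denied or not allowed:
        return "deny", {}
    return "allow", attrs

# --- constructed sample configuration (not a real policy store) ---
MARKETING = Realm("Marketing", "/marketing/")
COMPETITORS = Realm("Competitors", "/marketing/competitors/")   # nested, stricter realm
REALMS = [MARKETING, COMPETITORS]
BUSINESS_HOURS = TimeRestriction(9, 17)                      # 9:00AM to 5:00PM
WEEKDAYS = TimeRestriction(weekdays=frozenset(range(5)))     # Monday through Friday

POLICIES = [
    # The policy restricts hours and its rule restricts weekdays: access only where both overlap.
    Policy("MarketingRead", frozenset({"staff"}),
           [Rule(MARKETING, "*", frozenset({"GET"}), time=WEEKDAYS)],
           responses={"ShowButton1": "Yes"}, time=BUSINESS_HOURS),
    # Analysts may read the competitor pages at any time and get an extra button.
    Policy("CompetitorRead", frozenset({"analysts"}),
           [Rule(COMPETITORS, "*", frozenset({"GET"}))],
           responses={"ShowButton4": "Yes"}),
    # Contractors are denied the competitor pages even when they are also staff.
    Policy("ContractorDeny", frozenset({"contractors"}),
           [Rule(COMPETITORS, "*", frozenset({"GET", "POST", "PUT"}), deny=True)]),
]

WEDNESDAY_AM = datetime(2001, 6, 13, 10, 30)   # constructed request times
WEDNESDAY_PM = datetime(2001, 6, 13, 18, 0)
SATURDAY_AM = datetime(2001, 6, 16, 10, 0)

def decide(groups, path, action="GET", when=WEDNESDAY_AM):
    """Evaluate one request against the sample configuration."""
    return authorize(REALMS, POLICIES, frozenset(groups), path, action, when)
```

A request for /marketing/competitors/list.html by an analyst collects the attributes of both the outer and the nested realm, while a contractor in the same groups is refused because the deny rule overrides the allow.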

Extending Authorization Functionality
Using the SiteMinder Authorization API, administrators can extend
SiteMinder’s authorization functionality and integrate custom programs and
legacy data into decision-making processes. This is useful when the access
control decisions of a Web application depend on existing business rules or
databases. For example, an administrator might define a policy that is only
valid if a user’s account balance is greater than a specified amount.

Chapter: SiteMinder Features

This chapter describes advanced SiteMinder features that you can implement
for your site.

Note: For environments that use Java Application Servers, there are some
feature limitations. For specific information about which features are
supported, refer to the SiteMinder Application Server Agent Guide.

Single Sign-on
Single sign-on (SSO) is the ability for a user to authenticate once and then
access other protected resources without re-authenticating. SiteMinder can
implement SSO within a single domain or across multiple Internet domains.
This feature provides the user a seamless transition across different sites and
portals.

For information about configuring single sign-on, refer to the SiteMinder
Agent Operations Guide.

SSO in a Single Domain
A single domain environment is one in which all resources exist in the same
cookie domain. Multiple Web Agents within the same cookie domain can be
configured for SSO provided that you specify the same cookie domain in
each Web Agent’s configuration.
If SSO is enabled, the Web Agent caches the successful authentication, and
issues an SSO cookie to the user’s browser. When the user accesses protected
resources in other realms with the same protection level, they do not have to
re-authenticate. Also, if the user moves to another Web server within this
cookie domain, then the SSO cookie provides appropriate session
information to allow the user access, provided the protection level rules were
maintained.
The following diagram shows SSO in a single cookie domain.


[Diagram: within the single cookie domain mycompany.com, Policy Domain 1 holds a
Web Server with Web Agent serving /app1/ and Policy Domain 2 holds an Application
Server with Application Server Agent serving servlet1; each is backed by a Policy
Server.]

Note: If you are using replicated user directories with non-replicated policy
stores, the user directory must be named identically for all policy
stores. Also, the session ticket key, which encrypts session tickets,
must be the same for all key stores in the SSO environment. The
session ticket determines the duration of a valid user session.

SSO Across Multiple Domains
Users are often required to log on and enter their credentials multiple times
as they access different applications and resources on separate servers. This
leads to frustration, wasted time, and security concerns if passwords are
written down and kept within the office working area.
In an environment that includes resources located across multiple cookie
domains, SiteMinder supports single sign-on across applications running on
heterogeneous Web and application server platforms.
SiteMinder implements SSO across multiple cookie domains using a cookie
provider. The cookie provider, which is a specially configured SiteMinder
Agent, passes a cookie that contains the user’s identity and session
information to other cookie domains in the SSO site. The user can then
authenticate across the entire site. If the user’s browser is missing this
cookie, the cookie provider sets it.


Within the SSO site, users are only challenged for identification upon their
first attempt to access a resource. After they are authorized and
authenticated, users can move freely between different realms that are
protected by authentication schemes of an equal or lower protection level
without re-entering their identification information.
The following diagram shows SSO across multiple cookie domains.

[Diagram: SSO across multiple cookie domains. Session and identity
information flows between yourcompany.com, subsidiaryA.com and
subsidiaryB.com, each hosting Protected Applications on a Web Server or an
Application Server.]
User authenticates once to any domain. The authentication session is passed to
other domains automatically.
Note: SSO across multiple cookie domains does not require that the same
user directory be used across the SSO environment. However, if you
are using replicated user directories with non-replicated policy stores,
the user directory must be named identically for all policy stores.
Also, the session ticket key, which encrypts session tickets, must be
the same for all key stores in the SSO environment. The session ticket
determines the duration of a valid user session.

SiteMinder’s support for SSO improves the overall user experience by
making it easier to move between servers and applications. It also lowers the
administrative costs by allowing users to access the data they need using
only one password instead of multiple passwords.


Authentication Scheme Protection Levels for SSO
SiteMinder lets administrators assign protection levels to authentication
schemes. The level can be a number from 1 through 20, with 1 being the
least secure and 20 being the most secure. These protection levels enable
administrators to implement authentication schemes with an additional
measure of security and flexibility for an SSO environment.
A user who is authenticated in one realm can access a resource in another
realm if the second realm is protected by an authentication scheme of an
equal or lower protection level. As long as the protection level is the same or
lower, that user does not need to re-authenticate. If a user tries to access a
resource protected by an authentication scheme with a higher protection
level, SiteMinder prompts the user to re-enter their credentials.
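The two checks the SSO sections above describe, a session ticket that every key store must be able to verify with the same ticket key and the protection level comparison, as an added example that is not SiteMinder code; the ticket format, HMAC signing in place of the ticket encryption the guide mentions, and the key value are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time
from dataclasses import dataclass

# Constructed value standing in for the session ticket key that the note above
# requires to be identical in every key store of the SSO environment.
SESSION_TICKET_KEY = b"example-shared-session-ticket-key"


@dataclass(frozen=True)
class Realm:
    name: str
    protection_level: int  # 1 (least secure) through 20 (most secure)


def issue_ticket(user, level, ttl_seconds, key=SESSION_TICKET_KEY, now=None):
    """Issue a session ticket recording who authenticated, at what protection
    level, and when the session expires. HMAC signing is a stand-in for the
    ticket encryption SiteMinder applies; the key is the shared ticket key."""
    now = int(time.time()) if now is None else now
    body = json.dumps({"user": user, "level": level, "exp": now + ttl_seconds},
                      sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + mac


def parse_ticket(ticket, key=SESSION_TICKET_KEY, now=None):
    """Return the session data carried by the ticket, or None if the ticket
    does not verify under this key store's key or the session has expired."""
    now = int(time.time()) if now is None else now
    try:
        encoded, mac = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(encoded)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None  # different ticket key (or a tampered ticket): no SSO
    session = json.loads(body)
    if session["exp"] <= now:
        return None  # the session duration has elapsed
    return session


def access_decision(ticket, realm, key=SESSION_TICKET_KEY, now=None):
    """Decide whether the SSO session covers the realm being accessed.

    Returns ("allow", None) when the ticket is valid and the realm's protection
    level is equal to or lower than the level the user authenticated at;
    otherwise ("challenge", reason), where the reason says whether a fresh
    logon or re-entry of credentials for a higher level is needed."""
    session = parse_ticket(ticket, key, now)
    if session is None:
        return ("challenge", "no valid session ticket")
    if realm.protection_level > session["level"]:
        return ("challenge",
                f"realm level {realm.protection_level} exceeds session level "
                f"{session['level']}; re-enter credentials")
    return ("allow", None)


if __name__ == "__main__":
    # Constructed walk-through: the user authenticated with a level-5 scheme.
    ticket = issue_ticket("alice", level=5, ttl_seconds=3600, now=1_000)
    for realm in (Realm("app1", 5), Realm("app2", 3), Realm("payroll", 15)):
        print(realm.name, access_decision(ticket, realm, now=1_500))
    # A key store holding a different ticket key cannot honour the session.
    print("other key", access_decision(ticket, Realm("app1", 5),
                                       key=b"some-other-key", now=1_500))
```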

Affiliate Services
A common feature of any portal is its relationship to affiliate sites. An
affiliate site provides resources and services related to the main portal. For
example, companyA.com and companyB.com have an agreement that
visitors to companyA.com receive special privileges for purchases at
companyB.com. These two sites are affiliates.
Affiliate Agents connect portal and affiliate sites.
A SiteMinder Affiliate Agent provides a seamless connection from a main
portal to an affiliate site without requiring a user to re-authenticate or
provide additional information at the affiliate site. The Affiliate Agent
extends the single sign-on and personalization capabilities provided by
SiteMinder at the portal site to an affiliate site.
At the affiliate site, there is only a partial SiteMinder installation that
includes an Affiliate Agent; there is no Policy Server. The affiliate site does
not require a full installation because an Affiliate Agent does not protect
resources in the same way as a Web Agent. It simply provides user
information to a Web server for use with its Web applications, which use the
information to personalize Web content for each user. The Affiliate Agent
enables the affiliate to determine that the user has been authenticated at the
main portal.


Portal Sites and Affiliates
[Diagram: the Portal Site runs a Web Agent/Web Server backed by a Policy
Server; the Affiliate Site runs an Affiliate Agent/Web Server with no Policy
Server.]

The more seamless the relationship between the main site and the affiliate,
the greater the chances for improving revenue and user relationships for both
sites. Also, as affiliates and main sites develop partnerships, the user can
benefit from receiving preferential treatment from one site if they have
already visited the affiliate site, and vice versa.

For information about Affiliate Agents, refer to the SiteMinder Agent
Operations Guide. For instructions on configuring policies for portal and
affiliate communication, refer to the SiteMinder Policy Server Operations
Guide.

Registration Services
As the numbers and needs of users grow, registering them becomes
increasingly time consuming and costly. SiteMinder’s user registration
services simplify this task.
You can customize forms for user registration.
SiteMinder provides user registration services for LDAP user directories.
Using customized forms, users can register themselves or they can be
registered by administrators. An administrator may want to register users for
resources that require strict security instead of letting users have this ability.
The following diagram illustrates SiteMinder’s user registration services.


User Registration
[Diagram: a Web Server with a Web Agent hosts Protected Resources, a Custom
registration form, and a User registration servlet; the Policy Server behind
it uses an LDAP Directory and a Policy Store.]

User registration makes user management much easier for portal sites,
particularly for those sites that receive many anonymous users and want an
efficient method to enter them into the portal’s user directories.

Delegated Management Services
For large Web sites and portals, the task of managing users can be time
consuming and overwhelming for a single administrator. SiteMinder’s
Delegated Management Services (DMS) make the administration of LDAP
user directories more manageable.
DMS uses a two-tiered delegation structure to manage users in an LDAP
directory. This structure includes the following two administrator levels:
• Super Administrator
• Organization Administrator
The Super Administrator has the highest level of privileges. A Super
Administrator can search, create, modify, and delete user and organization
entries throughout an entire directory. The Super Administrator can also
create organization administrators, and then delegate management
responsibilities for a specific organization to that administrator. Delegating
the management role is beneficial to an organization because the people
most familiar with an organization can control the access privileges of each
member of the organization. Also, the Super Administrator can alleviate
their own administrative burdens.
The Organization Administrator can add, modify, create, and delete users in
a group within the organization. These types of administrators have a much
more focused scope than the Super Administrator.
A Super Administrator or Organization Administrator can group users
together based on their user roles. A DMS user role defines the function of a
user in an organization and grants a user membership in a group. A user role
is synonymous with a DMS group. For example, you can assign a user the
role Accountants and that user will be included in the group Accountants.
The user role also determines the access privileges for that person because
the group is bound to SiteMinder policies. To determine all the roles for an
individual user, DMS can look across multiple LDAP directories.
In addition to the management capabilities, DMS also incorporates
SiteMinder’s user registration services. User registration services enable
users to register themselves, eliminating the need for an administrator to add
a user to a directory manually. Administrators can also register users if they
want to have more control of the registration process. For more information,
refer to Registration Services on page 45.

DMS Configuration Wizard
DMS includes an easy-to-use configuration wizard that creates all of the
SiteMinder objects required to run DMS automatically. After you have run
the configuration wizard, you can use the default configuration or modify the
DMS objects to suit your applications.

Anonymous User Services
Many users visit a site without registering or leaving any record of their
identity. This makes it difficult to attract users to a site and customize
business applications. The ability to collect information and track their
behavior provides portals and extranets with the information to customize
services and applications.
SiteMinder has the ability to track anonymous users with an anonymous
authentication scheme. Using a Globally Unique Identifier (GUID) that the
Policy Server assigns, SiteMinder can track user behavior within the realm
protected by the anonymous authentication scheme and record the results in
Web server logs. In addition, you can bind policies to anonymous users to
provide personalized content for the entire group of anonymous users.

Note: Implementing anonymous authentication does not provide protected
access control for resources in a realm.

Directory Integration
Policy administrators often work with multiple user directories to store
information about the user population for each application. For example, a
list of approved users might need to exist in multiple repositories because
there is no centralized directory used by all the applications. Duplicating
user lists is inefficient because the administrator needs to synchronize
redundant databases on a constant basis.
SiteMinder works with native user directories.
SiteMinder integrates with your local directory service to provide user
authentication, and enforce access control policies based on a user’s identity
attributes and group membership. SiteMinder allows you to use your
existing NT domains, an LDAP directory, or an ODBC-compliant database
as a user directory; with SiteMinder, there is no separate proprietary user
database.
By integrating with and supporting existing directories, SiteMinder can do
the following:
• Eliminate the complexities of using a separate database of user names
and attributes for each application.
• Eliminate redundant administration of users and groups that can occur
with multiple directories.
• Eliminate synchronization issues across application-specific directories.
Directories are integrated into SiteMinder by linking namespaces to
SiteMinder policy domains, which makes SiteMinder well suited to the
needs of extranets that maintain a different namespace for each user
category, such as employees, vendors, and partners.
Multiple namespaces can be linked to a single SiteMinder policy domain,
which allows SiteMinder to authenticate and authorize users from several
directories. Each SiteMinder policy domain can be associated with a
configurable sequence of directories. SiteMinder searches these directories
with optimal speed by using an administrator-defined order, which is based
on expected user population and access patterns. SiteMinder searches
sequentially through each of these namespaces looking for matching
credentials. The first match in the namespace sequence determines the
authenticated identity of the user.
SiteMinder uses directories in several ways:
• Users can be authenticated based on their identity in a directory.
• SiteMinder policies can be associated with directory objects such as
users and groups. When a user attempts to access a protected resource,
all policies that protect the resource are checked to determine whether
they apply directly to the user or to a directory object such as a group to
which the user belongs.
• The attributes of a user in a directory can be included in SiteMinder
responses. This feature is useful for Web applications that require
personalization based on user profiles.
• SiteMinder can use certain LDAP-enabled directories as policy
repositories. This option allows multiple SiteMinder Policy Servers to
leverage an LDAP directory for policy storage and user storage.
Replication between directory servers ensures that Policy Servers
always get up-to-date policy and user information.

For more information about user directories, refer to the SiteMinder Policy
Server Operations Guide.

LDAP Directory Support
SiteMinder can work with all leading LDAP user directories. SiteMinder
policies can be associated with any object in an LDAP directory that belongs
to one of the following object classes:
• organizationalRole
• organization
• organizationalUnit
• person
• organizationalPerson
• inetOrgPerson
• residentialPerson
• groupOfNames
• groupOfUniqueNames
Configuration options are provided to extend this support to other object
classes.

In addition to objects, SiteMinder policies can be associated with any user
attributes via LDAP queries. For example, you could associate a policy
based on email addresses using the mail attribute of an LDAP object class.
This powerful feature allows flexible security policies to be created that are
based on a set of users with common attributes rather than on organizational
factors.
SiteMinder responses can be set up to use the extensive features and
flexibility of LDAP directories. Response attributes can be configured to
include specific user attributes from a directory. If the existing object class
structure does not include the information you want to use, you can
customize the directory schema.
LDAP directories can also be used for policy storage. SiteMinder provides
access control attributes in an LDAP directory to prevent other applications
from modifying the policy store.

LDAP Expression Editor
For policies that use an LDAP directory to authenticate and authorize users,
the LDAP Expression Editor lets you bind users, groups, and organizations
to policies using search expressions. These search expressions can contain
attributes of the user, group, and organization profiles to improve the
efficiency of searches through the directory.
For example, if your LDAP directory has a group called domestic sales
with an attribute of country=USA, you can bind the entire group to a policy;
you are not limited to searching for only individual users with this attribute.
This makes it easier to associate users with policies because you are not
manually searching through an entire directory and selecting individual
users.
When you create an LDAP search expression, the search expression instructs
the Policy Server to go through the directory and find all entries that satisfy
the expression. The policy is then applied to those users. You can search for
users based on common characteristics. It also allows you to create
expressions that include operators, such as and, or, not.
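To show what a search expression of the kind described above selects, here is an added example, not the Expression Editor’s own code, that parses LDAP filter syntax (RFC 4515) and evaluates it over a constructed in-memory directory, then expands a matched group to the users a bound policy would apply to; the directory entries, case-insensitive matching, and treating ~= as equality are assumptions.

```python
import re

# Constructed directory (not from the guide): lowercase attribute names, list values.
PEOPLE = "ou=people,o=mycompany.com"
DIRECTORY = {
    "cn=domestic sales,ou=groups,o=mycompany.com": {
        "objectclass": ["groupOfNames"], "country": ["USA"],
        "member": [f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"]},
    f"uid=alice,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "uid": ["alice"],
                            "country": ["USA"], "mail": ["alice@mycompany.com"]},
    f"uid=bob,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "uid": ["bob"],
                          "country": ["USA"], "mail": ["bob@mycompany.com"]},
    f"uid=carol,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "uid": ["carol"],
                            "country": ["DE"], "mail": ["carol@mycompany.com"]},
    f"uid=dave,{PEOPLE}": {"objectclass": ["inetOrgPerson"], "uid": ["dave"],
                           "country": ["USA"], "mail": ["dave@partner.example"]},
}
_ITEM = re.compile(r"([A-Za-z][\w;.-]*)(~=|=)(.*)")


def parse_filter(text):
    """Parse an RFC 4515 filter, e.g. (&(objectClass=groupOfNames)(country=USA)),
    into a tree of ('&'|'|'|'!', children) and ('item', attr, op, value)."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            result = (op, children)
        elif op == "!":
            pos += 1
            result = ("!", [node()])
        else:
            end = text.index(")", pos)  # values escape ')' as \29, so this is safe
            m = _ITEM.fullmatch(text[pos:end])
            if not m:
                raise ValueError(f"bad filter item {text[pos:end]!r}")
            result = ("item", m.group(1).lower(), m.group(2), m.group(3))
            pos = end
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    try:
        tree = node()
    except IndexError:
        raise ValueError("unterminated filter") from None
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry. Matching is case-insensitive,
    as for most LDAP string attributes; ~= is treated as plain equality."""
    kind = tree[0]
    if kind == "&":
        return all(matches(c, entry) for c in tree[1])
    if kind == "|":
        return any(matches(c, entry) for c in tree[1])
    if kind == "!":
        return not matches(tree[1][0], entry)
    _, attr, _op, value = tree
    values = [str(v).lower() for v in entry.get(attr, [])]
    value = value.lower()
    if value == "*":
        return bool(values)  # presence test
    if "*" in value:  # substring match, e.g. *@mycompany.com
        pattern = ".*".join(re.escape(part) for part in value.split("*"))
        return any(re.fullmatch(pattern, v) for v in values)
    return value in values


def search(directory, filter_text):
    """DNs of the entries that satisfy the expression, in DN order."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


def users_bound_by(directory, filter_text):
    """Users a policy bound with this expression applies to: matched users plus
    every member of a matched group."""
    bound = set()
    for dn in search(directory, filter_text):
        entry = directory[dn]
        classes = [c.lower() for c in entry.get("objectclass", [])]
        if "groupofnames" in classes:
            bound.update(entry.get("member", []))
        elif "groupofuniquenames" in classes:
            bound.update(entry.get("uniquemember", []))
        else:
            bound.add(dn)
    return sorted(bound)
```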

LDAP Referrals
An LDAP referral is a feature of an LDAP server. If a server receives a
request for information that it does not have, the server sends an LDAP
referral back to the client. The referral contains the address of a server that
does have the requested data. The client then forwards the request to this
server. In a SiteMinder environment, the client is usually the Policy Server.


Some of the advantages of LDAP referrals are that the client request is easily
fulfilled, a request can be passed on to a non-LDAP server or a server
outside your organization, and data can be distributed among servers so one
system is not overburdened.
SiteMinder supports two types of LDAP referrals:
• Write referrals—enable changes that are written to a master LDAP
directory to be replicated to any slave LDAP directories.
• Read referrals—enable information stored across multiple servers to be
accessed at the client’s request. One server can be configured to refer to
another server to retrieve different types of information.
There is no specific SiteMinder configuration required to use LDAP
referrals.

NT Domain Support
Windows NT supports user accounts that are local to a specific machine and
user accounts in a domain. Domain authentication is supported if the system
where the Policy Server resides has a computer account in the appropriate
domain. If this system does not have a computer account in all domains for
which users need authentication, the appropriate trust relationships must be
established between domains.
SiteMinder policies can be associated with user groups in an NT domain.
SiteMinder treats every NT domain as an independent namespace. While
support for local users and local groups is included, policies that are
associated with these users and groups are only usable in SiteMinder
installations that have a single Policy Server.

ODBC Database Support
You can configure SiteMinder to view a proprietary schema in an ODBC-
enabled database and use this database as a user directory for authentication
and authorization purposes. This option is useful when user information,
such as the user name, password, and group membership, is stored in a
database.


Mainframe Database Support
The SiteMinder Security Bridge enables you to integrate IBM’s RACF,
Computer Associates CA-ACF2 and CA-Top Secret mainframe security
databases into a SiteMinder environment for authentication and
authorization of mainframe users.
The Security Bridge provides an LDAP interface to the mainframe
databases, enabling the SiteMinder Policy Server to connect to the database
using standard LDAP calls. This LDAP interface converts these legacy
systems into LDAP-compliant directory servers, which enables them to
become part of your enterprise’s e-business infrastructure.
When SiteMinder wants to authenticate a user stored in a RACF, CA-ACF2,
or CA-Top Secret database, the Policy Server contacts the SiteMinder
Security Bridge and passes the user’s credentials on for authentication. The
Security Bridge authenticates the user and returns the results to the Policy
Server.
The following graphic shows how SiteMinder Security Bridge fits into a
SiteMinder environment.

[Diagram: a Web Server with a Web Agent protecting resources sits between the
Internet and the Policy Server. The Policy Server performs administration,
authentication, authorization and accounting against its Policy Store and User
Directories, and reaches the mainframe security database on the OS/390
Mainframe over LDAP through the SiteMinder Security Bridge.]

After a user is authenticated, the Policy Server determines the user’s access
privileges based on the policies defined for the resource. Policies for
mainframe users rely on names of groups or roles stored in the database to
determine who has access to resources. In addition, you can configure time
and location constraints and use dynamic data for more fine-grained access
control.
For information on configuring RACF, CA-ACF2 and CA-Top Secret as a
directory namespace, refer to the SiteMinder Policy Server Operations
Guide.

Directory Mapping
SiteMinder provides a directory mapping feature to improve the flexibility
of the SiteMinder authorization model.
Directory mapping lets an administrator implement security for an
environment that maintains user data using different infrastructures.
SiteMinder can authenticate a user against one directory and, based on the
user’s identity, determine that user’s authorization privileges against a
different directory. By dividing the authorization and authentication
functions, you can also integrate legacy applications.
You can use one of the following methods to map the authentication
directory to the authorization directory.
• Identical DN—Maps the user’s distinguished name (DN) exactly from
the authentication directory to the authorization directory.
• Universal ID—Matches the value of the Universal ID attribute from the
authentication directory with the value of the Universal ID in the
authorization directory to identify the user.
Directory mapping is configured on a per-realm basis, which means that
each set of protected resources can have a different mapping. In addition,
responses that are returned to the user can gather attributes from different
directories depending on whether SiteMinder is authenticating or
authorizing that user.
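The ordered namespace search from Directory Integration (first match determines the identity) together with the two mapping methods above, as an added example that is not SiteMinder code; the directories and entries, the employeenumber attribute serving as the Universal ID, and the salted-hash stand-in for a directory bind are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _pw_hash(password, salt):
    # Simplified stand-in for a directory bind; a real directory verifies the
    # password itself and never hands a hash to the Policy Server.
    return hashlib.sha256((salt + password).encode()).hexdigest()


def entry(uid, password, **attrs):
    """Build a constructed user entry carrying a salted password hash."""
    salt = "salt-" + uid
    return {"uid": uid, "salt": salt, "pwhash": _pw_hash(password, salt), **attrs}


@dataclass
class Directory:
    name: str
    entries: dict            # DN -> attribute dict
    universal_id_attr: str   # attribute that holds the Universal ID

    def find_by_credentials(self, username, password):
        """DN of the entry whose credentials match, else None."""
        for dn, attrs in self.entries.items():
            if attrs.get("uid") == username and hmac.compare_digest(
                    attrs["pwhash"], _pw_hash(password, attrs["salt"])):
                return dn
        return None

    def find_by_universal_id(self, value):
        for dn, attrs in self.entries.items():
            if attrs.get(self.universal_id_attr) == value:
                return dn
        return None


@dataclass
class Realm:
    name: str
    auth_directories: list   # searched in the administrator-defined order
    authz_directory: Directory
    mapping: str             # "identical_dn" or "universal_id"


def map_to_authorization_dir(realm, auth_dir, auth_dn):
    """Apply the realm's directory mapping; None means the authenticated user
    has no matching entry in the authorization directory."""
    if realm.mapping == "identical_dn":
        return auth_dn if auth_dn in realm.authz_directory.entries else None
    if realm.mapping == "universal_id":
        uid_value = auth_dir.entries[auth_dn].get(auth_dir.universal_id_attr)
        if uid_value is None:
            return None
        return realm.authz_directory.find_by_universal_id(uid_value)
    raise ValueError(f"unknown mapping {realm.mapping!r}")


def authenticate(realm, username, password):
    """Search the realm's namespaces in order; the first whose credentials
    match determines the identity, which is then mapped for authorization."""
    for directory in realm.auth_directories:
        dn = directory.find_by_credentials(username, password)
        if dn is not None:
            return {"directory": directory.name, "dn": dn,
                    "authz_dn": map_to_authorization_dir(realm, directory, dn)}
    return None  # no namespace held matching credentials


# Constructed environment: employees and partners are authentication
# directories; a legacy directory keyed by employee number authorizes access.
EMPLOYEES = Directory("employees", {
    "uid=alice,ou=employees,o=mycompany.com": entry("alice", "alice-pw", employeenumber="1001"),
    "uid=sam,ou=employees,o=mycompany.com": entry("sam", "emp-pw", employeenumber="1002"),
}, "employeenumber")
PARTNERS = Directory("partners", {
    "uid=sam,ou=partners,o=partnerco.com": entry("sam", "partner-pw", employeenumber="P-77"),
    "uid=pat,ou=partners,o=partnerco.com": entry("pat", "pat-pw", employeenumber="P-78"),
}, "employeenumber")
LEGACY = Directory("legacy", {
    "cn=1001,ou=accounts,o=legacy": {"employeenumber": "1001", "roles": ["hr-readers"]},
    "cn=1002,ou=accounts,o=legacy": {"employeenumber": "1002", "roles": ["hr-admins"]},
    "cn=P-77,ou=accounts,o=legacy": {"employeenumber": "P-77", "roles": ["guests"]},
}, "employeenumber")

HR_REALM = Realm("hr", [EMPLOYEES, PARTNERS], LEGACY, "universal_id")
INTRANET_REALM = Realm("intranet", [EMPLOYEES, PARTNERS], EMPLOYEES, "identical_dn")
```

The same user name held in two namespaces (sam) resolves to whichever directory the credentials actually match, in search order; a partner with no legacy entry (pat) authenticates but maps to no authorization identity.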

Personalization
Users across the Internet economy want a positive experience when
accessing information or engaging in a transaction. In addition to feeling that
the exchange of data is secure, users want to traverse different aspects of a
site without having to re-enter credentials each time, visit sites related to
their original destination, and have content relevant to their needs. A
successful e-business site must address these needs and find ways to
distinguish itself from its competition in order to retain user loyalty.

Personalization lets you customize the resource content for a user or group
of users, even if those users are anonymous.
Personalization has several benefits:
• Provides a better user experience because all information presented to
users is customized to their needs.
Users do not have to see or navigate around extraneous material that is
of no interest to them.
• Allows a vendor or advertiser to target their message to the needs and
buying patterns of each user.
To achieve successful one-on-one marketing, you need to cater to each
customer’s needs and preferences. Tailoring Web content for different
users is an effective way to do this. High priority customers or partners
can be presented with more, or different, options than those of lower
priority.
• Provides better security.
If users are not authorized to access certain resources, those resources
are not presented to them. This reduces the possibility of security
breaches by unauthorized users.
• Provides a single access point.
The portal can become the single point of access, regardless of whether
the user is from the Internet, extranet, or intranet. There is no need to
create separate portals depending on the user base.
When an authentication or authorization occurs, the SiteMinder Policy
Server can send a SiteMinder customized response back to the application
that is relevant to that user and grants that user specific entitlements. For
example, an application developer may configure a Welcome page with a
response that stores the name of the user. When the Policy Server authorizes
the user, their name is passed back to the application and the user sees a
personalized welcome. You can even customize information at the sub-page
level, such as sections of a page, data fields, or buttons.
Personalization can also include the use of responses that control the
behavior of Web Agents on a per-user or per-group basis. Based on an
authentication or authorization event, SiteMinder will treat the user
according to the rule definition. For example, if the OnRejectRedirect
attribute is configured, a user who is denied access to a resource is redirected
to another URL.

For more information about responses, refer to the SiteMinder Policy Server
Operations Guide and the SiteMinder Agent Operations Guide.

Delegated Administration
SiteMinder’s architecture separates system and policy domain management,
so that each type of management can be performed by different
administrators. By delegating management tasks, SiteMinder makes
administration of large environments easier because those people in an
organization who are most familiar with a particular set of resources and
users can be assigned the privileges to manage them. In addition, it improves
security by controlling who can create and modify users and policy objects.
Anyone who has access to SiteMinder objects and tools is considered an
administrator. Depending on their role in an organization, SiteMinder
administrators can have different privileges to manage SiteMinder objects.
An administrator with maximum privileges can delegate the following
management privileges to other managers:
• Create and manage system and policy domain objects
• Manage users
• Manage keys and password policies
• View and modify system reports
Default administrator has maximum privileges.
By default, SiteMinder sets up a default administrator account that has
maximum privileges. This administrator can then create additional
administrator accounts for those people who need to add or make changes to
parts of the SiteMinder environment.

Note: SiteMinder administrators do not have user directory management
privileges and have no control over the administrative model for user
directories. User management must be coordinated with the
individuals who maintain the applicable directories.

For more information, refer to the SiteMinder Policy Server Operations
Guide.


Auditing
SiteMinder can track user behavior and monitor your site’s performance.
Auditing lets you monitor your users and your site.
SiteMinder audits all user activity, which includes all authentications and
authorizations, as well as administrative activity, which includes any
changes to the policy store.
SiteMinder also tracks user sessions so you can monitor the resources being
accessed, how often users attempt access, and how many users are accessing
your site.

Reporting
The Policy Server can generate reports that include audit information about
user activity, failed access attempts, and administrative changes. The types
of reports are as follows:
• Activity reports — include information such as the type of resources
that users access and how frequently they attempt access, how many
users are accessing particular resources, and whether access attempts
were successful.
• Intrusion reports — include information about failed authentication
and authorization attempts by a specific user, SiteMinder Agent, or
both.
• Administrative reports — include administrative activity by a
particular administrator or by the object that changed administratively.
Administrative activity includes changes to policies and policy domain
configurations.
You can select the kind of reports you want to generate using the SiteMinder
Policy Server User Interface.
In addition to the SiteMinder-provided reports, you can create custom
reports. When a SiteMinder access or object event occurs, SiteMinder writes
this data to the ODBC database tables: smaccesslog4 and smobjlog4.
Access events include authentications, authorizations, and administration
events. Object events include creating, modifying, and deleting SiteMinder
objects. You can extract the information in these tables using database
queries, then place the data into your own reporting application to generate
customized reports.
The Event API also lets you create custom reports with its custom event
handler, which is described in the SiteMinder Developer’s API Guide.


Password Services
Password management is a critical security issue for any Web resource and
application. To maintain the integrity of a password, it must:
• Change frequently
• Not be reused
• Not be easy to predict
Strong password management must also include the ability to indicate when
attempted breaches in security have occurred, such as a user trying and
failing successive login attempts.
SiteMinder’s password services allow you to manage user passwords in
LDAP and ODBC user directories.
Password services allow an administrator to do the following:
• Specify the user directories where the password policies apply.
• Determine when a password expires, which includes redirecting a user
if they fail to enter a valid password.
• Specify the requirements for how a password is created.
• Define password restrictions, which include the criteria and limitations
that can be placed on passwords to increase security.
Password policies are stored in the SiteMinder policy store. If a policy
exists, SiteMinder checks the password against the rules of the policy
criteria. If the password meets the criteria, the user is authenticated by the
Policy Server.

User-Initiated Password Changes
If a user’s password has been compromised, for example, it was written
down where others could see it, that user may want to change his or her
password. SiteMinder’s password services lets users change their own
passwords without any intervention by an administrator. The administrator
can delegate the management of password changes directly to the user.
For a user to modify a password, the administrator provides an interface
(HTML page or application) where the change can be made. The user directs
a Web browser to the target location set up by the administrator, then follows
the steps necessary to modify the password.


Authentication Schemes
SiteMinder allows Web developers to use an authentication scheme that is
appropriate for their application. SiteMinder supports the following
authentication schemes:
• Basic — identifies a user based on a user name and password.
SiteMinder supports Basic (HTTP) and Basic over SSL.
• X509 client certificates — identifies a user by verifying the user’s
digital certificate. Certificate authentication can be combined with basic
authentication for very strict security. SiteMinder supports X509
certificates, X509 certificates and Basic, and X509 certificates or Basic.
The certificate or Basic option is designed for ease of deployment of
certificates. For example, in a company with 50,000 users, it would be
difficult to issue all 50,000 certificates at once. However, using the
certificate or Basic scheme, you could introduce the use of certificates
gradually, starting with 500 or 5000. During the transition period, your
resources remain protected by certificates for users who already have
them, while other authorized users access resources based on a
username and password.
• HTML forms — identifies a user with customized HTML forms that
collect the user’s credentials. Forms authentication enables you to
collect additional information beyond the username and password.
• Tokens — identifies a user with hardware tokens that provide unique
passwords. The passwords that are created by the hardware token
change regularly. SiteMinder supports the CRYPTOCard RB-1 and
Encotone TeleID hardware tokens.
• Proxy — authenticates users with SiteMinder as a substitute for a third-
party authentication server. SiteMinder supports the following proxy
authentication schemes: SecurID tokens, Secure Computing SafeWord
Server, and RADIUS server.
• Digest — identifies users by comparing an encrypted user attribute
string stored in a server’s directory against an encrypted string entered
by the user. If they match, the user’s identity is verified. SiteMinder
supports the following digest authentication schemes: RADIUS CHAP
and RADIUS PAP.
• Anonymous — identifies non-registered users, that is, a user who is
unknown to the site at which the target resource resides. SiteMinder
assigns anonymous users a Globally Unique Identifier (GUID), which then
identifies the user so they will not have to be challenged when accessing
a resource.
• NT LAN Manager (NTLM) — authenticates users based on the
Windows NT login name and password instead of challenging for
credentials. This scheme is only for protected resources that reside on an
IIS Web server and whose users access these resources using the
Internet Explorer browser.
• Custom — identifies a user with a custom authentication scheme
created with the SiteMinder Authentication API.
SiteMinder lets administrators assign protection levels to authentication
schemes for added security and flexibility in a single sign-on environment.
For details about protection levels for single sign-on, refer to Authentication
Scheme Protection Levels for SSO on page 44.

Public Key Infrastructure Authentication
A public key infrastructure (PKI) is a system of digital certificates,
Certificate Authorities, and other registration authorities that authenticate
users transmitting electronic data. PKIs protect the exchange of information
online.
SiteMinder’s certificate authentication integrates with many leading PKIs
from vendors such as Verisign, Microsoft, Netscape, Entrust, CyberTrust,
and Security Dynamics to ensure secure user authentication.
When a user authenticates using a certificate, the SiteMinder Web Agent
takes the necessary user information from the certificate, such as a user’s
distinguished name (DN) and the certificate issuer’s DN. The Web Agent
passes this information to the Policy Server. The Policy Server then verifies
that the user is listed in the appropriate user directory and authenticates the
user. After verifying the user’s identity, the Policy Server authorizes the user
for access to the requested resources.
SiteMinder also supports certificate revocation list (CRL) processing
provided by most PKI vendors. Certificate revocation checking ensures that
the certificates in use are still valid: a certificate that is no longer valid is
not accepted by the PKI system, which is critical to securing transactions.

Session Management
The infrastructure of Internet business is a mix of Web servers, application
servers, programming languages, legacy applications, and APIs. This multi-
tiered environment spans local and remote users, who may be recognized as
registered users or who are anonymous. With this complex mix, user
sessions need to be managed across different application environments while
allowing each environment to manage its own user-specific entitlements.
SiteMinder session management functions fall into two categories:
operational and administrative.

[Figure: the two categories of session management, Administrative Session
Management and Operational Session Management, covering the functions
creation, delegation, validation, termination, tracking and revocation.]

• Session creation — establishing a user session when a user successfully
logs into an application.
• Session delegation — passing session information across an application
environment.
• Session validation — verifying the session token to make sure the user
session is still active.
• Session termination — terminating a session when a user logs out, when
the configured session timeouts expire, or when a user is disabled.
• Session tracking — tracking user sessions by recording session activity
in Web server and Policy Server logs.
• Session revocation — disabling a user in a user directory and terminating
the session.
SiteMinder implements session management using a session ticket. The
session ticket contains basic information about a user and their
authentication information. The Web Agent places the session ticket in a
cookie. It is the cookie that represents the user’s session across all sites in a
SiteMinder installation. The cookie is used as an index into the Web Agent’s
cache, which contains the user session data; no user-specific data is kept in
the cookie itself. The Web Agent is responsible for validating the cookie and
enforcing the session timeouts.

For more information about session management, refer to the SiteMinder
Deployment Guide.

User Disablement
SiteMinder gives administrators the ability to enable and disable user
accounts administratively. This feature works with LDAP and ODBC user
directories and is configured in the Policy Server User Interface.
User disablement prevents security breaches. When an administrator
observes suspicious or unusual activity on the network, they can disable a
specific user’s account in the user directory, then flush the user session
cache, which deletes cached information about the user. User disablement is
useful, for example, when an organization terminates an employee and
wants to immediately remove that employee’s access privileges to company
resources.
After a user is disabled, the Policy Server ends all active SiteMinder sessions
for the user. All subsequent login and session validation requests are
rejected. The user cannot log in again until an administrator re-enables their
account.
SiteMinder can effect these changes across an intranet or extranet spanning
multiple Web servers. In addition, administrators can view reports that detail
user activity by specific user names.

Note: User accounts can also be disabled automatically if a password policy
is triggered. In this case, the administrator needs to re-enable the
account for the user to have any access to resources.

For instructions on how to disable users, refer to the SiteMinder Policy
Server Operations Guide.
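As an added illustration (not code from the guide or from the product), the following Python sketch models the session-ticket design from the Session Management section together with the disable-then-flush behaviour described above: the browser holds only an opaque cookie value, the agent-side cache holds the session data and enforces the idle and maximum timeouts, and disabling a user flushes that user's cached sessions and rejects further logins. Class and method names, the timeout values and the usernames are constructed assumptions.

```python
import os
import time

# Constructed timeout values; in a deployment these come from agent configuration.
MAX_SESSION_SECONDS = 8 * 3600   # maximum session lifetime
IDLE_SECONDS = 30 * 60           # idle timeout


class SessionCache:
    """Agent-side session cache keyed by an opaque cookie value (hypothetical class)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}           # cookie value -> session record
        self.disabled_users = set()   # stands in for the 'disabled' flag in the user directory

    def create(self, username):
        # Session creation: the cookie is a random index only; no user data is in it.
        cookie = os.urandom(16).hex()
        now = self._clock()
        self._sessions[cookie] = {"user": username, "created": now, "last_seen": now}
        return cookie

    def validate(self, cookie):
        # Session validation: unknown, timed-out and disabled-user sessions are rejected.
        rec = self._sessions.get(cookie)
        if rec is None:
            return False
        now = self._clock()
        if now - rec["created"] > MAX_SESSION_SECONDS or now - rec["last_seen"] > IDLE_SECONDS:
            self._sessions.pop(cookie)     # session termination on timeout
            return False
        if rec["user"] in self.disabled_users:
            self._sessions.pop(cookie)     # session revocation
            return False
        rec["last_seen"] = now
        return True

    def logout(self, cookie):
        # Full logoff: the cached session is destroyed, so the cookie is useless afterwards.
        return self._sessions.pop(cookie, None) is not None

    def disable_user(self, username):
        # User disablement: flag the account, then flush that user's cached sessions.
        self.disabled_users.add(username)
        flushed = [c for c, r in self._sessions.items() if r["user"] == username]
        for c in flushed:
            del self._sessions[c]
        return len(flushed)

    def login(self, username):
        # Subsequent login attempts by a disabled user are rejected.
        if username in self.disabled_users:
            return None
        return self.create(username)


def demo():
    """Walk through creation, idle timeout, re-login and disablement with a fake clock."""
    t = [1_000_000.0]
    cache = SessionCache(clock=lambda: t[0])
    c1 = cache.create("pilot1")
    ok_fresh = cache.validate(c1)         # True
    t[0] += IDLE_SECONDS + 1
    ok_idle = cache.validate(c1)          # False: idle timeout exceeded
    c2 = cache.login("pilot1")
    c3 = cache.login("pilot1")
    flushed = cache.disable_user("pilot1")   # 2 sessions removed from the cache
    relogin = cache.login("pilot1")          # None: account disabled
    return ok_fresh, ok_idle, flushed, relogin, cache.validate(c2), cache.validate(c3)
```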

Full Logoff Support
To ensure that resources are secure, a Web developer can completely log a
user out of a SiteMinder session. If a user is completely logged off, an
unauthorized person cannot restart the original user’s browser and resume
access to protected resources.
If the user attempts to access a protected resource after the SiteMinder Web
Agent performs a full logoff, the user’s basic credentials are no longer valid
because the cached session cookies that store the user’s credentials no longer
exist.

To implement full logoff support, refer to the SiteMinder Agent Operations
Guide.

Agent Key Management
Web Agents use keys to encrypt and decrypt cookies that pass information
between Web Agents, for example, cookies that enable single sign-on. Keys
are kept in a key store, which holds all the key information and is the
location from which all Web Agents can retrieve keys.
To keep key information updated across large SiteMinder installations,
SiteMinder provides an automated key rollover mechanism. You can update
keys automatically for SiteMinder installations that share the same key store.
Automating key changes also ensures the integrity of the keys. For Agents
that are configured for single sign-on, the key store must be replicated and
shared across all Policy Servers in the single sign-on environment.

For information about configuring agent key management, refer to the
SiteMinder Policy Server Operations Guide.

Scalability and Performance
Portals and extranets have complicated traffic and administrative scalability
considerations. Millions of users may contact a site, and in certain business
environments traffic peaks at specific times. Administering a site whose
large user population fluctuates is also a critical issue when implementing
security. SiteMinder can scale to meet an organization’s growing user
population and resources.
There are several aspects to scalability that must be considered when
selecting a product that is intended to support large environments: load
scalability, administration scalability, and replication.

Load Balancing and Failover
SiteMinder’s distributed architecture allows for scalability in large
installations through the use of additional Policy Servers and directory
servers. SiteMinder lets you configure how traffic is managed across these
replicated systems in a SiteMinder environment.
Load balancing distributes data traffic across many systems to avoid
overburdening a single system. Load balancing provides faster and more
efficient access to resources, such as policies or user directories.
Failover is a redundancy mode that lets an administrator specify a primary
and a set of backup systems. When the primary system fails, requests are
transferred to the backup systems until the primary recovers.
SiteMinder supports load balancing and failover between the following:

• Web Agents and Policy Servers
• Policy Servers and LDAP user directories
• Policy Servers and ODBC user databases (failover only)
You can select load balancing operation to distribute user requests directed
from the Web Agents to multiple Policy Servers, and from the Policy Server
to replicated LDAP user directories.
You can select failover operation to specify primary and backup Policy
Servers and user directories.

Note: For the Web Agents, you can select either load balancing or failover.

To specify how the Web Agent handles load balancing, refer to the
SiteMinder Agent Operations Guide. To configure load balancing for the
Policy Server, refer to the SiteMinder Policy Server Operations Guide.
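The two modes described above for the Web Agent to Policy Server connection, as an added Python example that is not part of the guide or the product: in failover mode requests go to the primary and move to a backup only while the primary is down, returning once it recovers; in load balancing mode requests are spread round-robin across the servers that are up. PolicyServerPool, its methods and the request labels are constructed assumptions.

```python
import itertools


class PolicyServerPool:
    """Chooses which Policy Server an agent sends a request to (hypothetical class)."""

    def __init__(self, servers, mode):
        if mode not in ("failover", "loadbalance"):
            raise ValueError("mode must be 'failover' or 'loadbalance'")
        self.servers = list(servers)       # in failover mode, index 0 is the primary
        self.mode = mode
        self.down = set()
        self._rr = itertools.cycle(self.servers)

    def mark_down(self, server):
        self.down.add(server)

    def mark_up(self, server):
        # Called when the agent detects that a server has recovered.
        self.down.discard(server)

    def choose(self):
        available = [s for s in self.servers if s not in self.down]
        if not available:
            raise RuntimeError("no Policy Server available")
        if self.mode == "failover":
            # Primary first; a backup is used only while the primary is down.
            return available[0]
        # Load balancing: round-robin over the servers that are up.
        for s in self._rr:
            if s not in self.down:
                return s

    def send(self, request, transport):
        """Send via the chosen server; on a connection failure mark it down and retry."""
        while True:
            server = self.choose()
            try:
                return server, transport(server, request)
            except ConnectionError:
                self.mark_down(server)


def demo():
    """Constructed scenario: the primary fails, traffic moves to a backup, then returns."""
    dead = {"ps1"}

    def transport(server, request):     # fake network call
        if server in dead:
            raise ConnectionError(server)
        return f"{server} handled {request}"

    fo = PolicyServerPool(["ps1", "ps2", "ps3"], "failover")
    first, _ = fo.send("IsProtected", transport)     # ps1 down, so ps2 answers
    dead.clear()
    fo.mark_up("ps1")                                # primary recovered
    second, _ = fo.send("IsAuthorized", transport)   # back to ps1

    lb = PolicyServerPool(["ps1", "ps2"], "loadbalance")
    order = [lb.send(i, transport)[0] for i in range(4)]
    return first, second, order
```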

Replicating the Policy Database
The SiteMinder policy database can be replicated using LDAP directory
replication or the replication schemes available for off-the-shelf ODBC
compatible databases such as Oracle and SQL Server. Replicating the policy
data store allows a SiteMinder installation to grow in terms of back-end
Policy Servers and consequently, additional supported Web Agents.

SiteMinder offers various options for its policy data storage. You can select
an ODBC-compliant database (such as Oracle or Microsoft SQL Server), or
you can choose to use an LDAP directory for policy data storage. Included
with SiteMinder are utilities you can use to export data from a policy store
and import data into another policy store.

SiteMinder Caching
SiteMinder provides comprehensive caching capabilities for the Web Agent
and the Policy Server. It caches policy store, resource, and user information,
which ensures that SiteMinder responds quickly to user requests. SiteMinder
caches can be configured to meet the needs of your organization whether the
user base is large or small.

Policy Store Cache
The Policy Server cache ensures efficient authorization performance by
caching policy data. This cache remains up to date across all Policy Servers
that share the same policy store. This cache can be configured to meet the
unique needs of your organization.

L2 Cache
L2 cache stores information about the relationship between policies and
resources. The L2 cache eliminates the need to repeatedly search for policy
matches to the same resource. This improves the authorization performance
because there is no need to search all the policies for a domain.

User Authorization Cache
SiteMinder has a user directory cache that improves response times and
throughput during authorizations. This cache is useful for environments
where user membership is known to be fairly static, with only infrequent
changes.
If this cache is enabled, SiteMinder stores the results of user-policy
evaluations, which helps the Policy Server reduce its response time each time
a user needs to be authorized. Response time improves because the Policy
Server does not have to access user directories over slow connections.

User Session Cache
The Web Agent stores user session information in cache, such as the
duration of the session and whether that user successfully accessed a
resource. A user session begins when SiteMinder authenticates the user. The
session ends when the user logs out, the maximum session or idle time limit
is reached, or the user is disabled. Caching user session information
improves the processing of user requests.

Resource Cache
The SiteMinder Web Agent stores information about every resource that a
user tried to access and what authorization information that user has for that
resource. This improves the response time for user requests because the Web
Agent does not have to contact the Policy Server for each resource request.

SiteMinder Developer Toolkit
The SiteMinder Developer’s Toolkit is an extensive set of client-side and
server-side Application Programming Interfaces (APIs) for developers to
extend the capabilities of SiteMinder based on their site’s environment.
SiteMinder provides the following client-side APIs:
• Agent API
A SiteMinder Agent is a program that enforces policies specified by the
SiteMinder Policy Server.
Custom Agents can be developed to protect resources that use protocols
other than HTTP, such as applications that use the RADIUS protocol. A
custom Agent developed using the Agent API with its own resource
types, action types, and response types can be supported by the
SiteMinder Policy Server. The Policy Server User Interface enables
administrators to configure, delete, and edit new Agent types, which
protect various types of resources.
• Policy Management API
The SiteMinder Policy Management API is used to manipulate the
policy objects within a SiteMinder installation. This can be used to
make environment-specific administrative interfaces.
SiteMinder supports the following server-side APIs:
• Authentication API
The Authentication API allows custom authentication mechanisms, for
example, special-purpose token cards, to be integrated with SiteMinder.

• Authorization API
The Authorization API allows you to modify access control policies to
fit into environments that require custom policy decisions.
• Event API
The SiteMinder Event API enables a developer to specify a custom
event handler for SiteMinder events.
• Tunnel Service API
The Tunnel Service API enables you to build a shared service library
that can communicate with a SiteMinder Agent and securely transfer
data.
• DMS Workflow API
The DMS Workflow API enables you to add simple pre- and post-
process workflow for DMS events.
The following diagram shows the APIs that SiteMinder supports.

[Figure: custom interfaces use the Policy Management API and custom Agents
(including the RADIUS client) use the Agent API to reach the SiteMinder
Policy Engine; the Event API, Authorization API, Authentication API, Tunnel
Service API and DMS Workflow API connect the Policy Engine to event,
policy, authentication, tunnel and workflow extensions.]

SiteMinder Examples
This example illustrates how SiteMinder secures resources and manages
users. SiteMinder is deployed by the fictitious Transpolar airline. The
resources that SiteMinder is protecting are accessible to Transpolar’s
employees as well as their external customers.

Note: Although the examples in this section illustrate concepts that apply to
any SiteMinder environment, the Transpolar resources reside on a
Web server protected by a Web Agent.

The Transpolar Site is organized as follows:

[Figure: Transpolar Site. The Transpolar Home Page (transpolar.com) links to
five areas: Mileage Program (transpolar.com/mileage), Special Offers
(transpolar.com/specials), Departures and Arrivals
(transpolar.com/depart-arrive), Inventory Manager (transpolar.com/inventory)
and Employee Bidding (transpolar.com/bidding). The areas are divided between
an External Web Site for customers and employees and an Internal Web Site
for employees only.]

The site is organized to provide an extranet for customers and employees
and an intranet for employees only through one access point,
transpolar.com. The different purposes and security needs of the extranet
and the intranet require that the Transpolar administrator configure different
policies for the different realms.
For example, the employee bidding information is highly confidential and
should only be accessible to employees who are pilots. This set of resources
requires greater security than the departure and arrival schedule, which is
available to anyone inside or outside the company.

The SiteMinder Web Agent is installed on the Web server, which protects
transpolar.com. The SiteMinder Policy Server is located on a second server
at a remote location from the Web server.

Example: The Transpolar Portal as an Extranet
The following steps explain the SiteMinder process flow when a registered
Transpolar customer wants to check their frequent flyer mileage.
The diagram below shows the SiteMinder installation and the flow of the
customer’s access request.
[Figure: Transpolar Extranet. A customer on the Internet passes through a
firewall to the Web Agent/Web Server with protected resources
(transpolar.com), which communicates with the Policy Server; the Policy
Server consults the User Directory and the Policy Store. The numbered
arrows 1 through 8 correspond to the steps below.]

SiteMinder processes the frequent flyer request as follows:

1. A registered customer opens their Web browser and enters the URL for
the external Transpolar Web site (www.transpolar.com).
The customer arrives at the Transpolar home page, where the main page
is displayed in the customer’s browser (see the following figure).
2. When the customer selects the Mileage Program link from the main
page, the Web Agent intercepts the request for access, and determines
whether the resource is protected.

3. The Web Agent checks its resource cache. If there is no information in
cache about this resource, the Web Agent then sends the request to the
Policy Server, asking if the resource is protected.
The Policy Server responds indicating that the resource is protected.
4. The Web Agent then challenges the user for their credentials. The
credentials request is a customized log-in form.
5. The user enters their name and password. These credentials are then
forwarded by the Web Agent back to the Policy Server for
authentication.
6. The Policy Server authenticates the customer, using the native user
directory, and sends the information back to the Web Agent.
7. After verifying the user’s identity, the Web Agent sends an authorization
request to the Policy Server. The Policy Server checks rules in the
policy store, where user entitlements are stored, and grants the user
access to the resource.
The Policy Server notifies the Web Agent that the user is authorized.
The Web Agent permits access.
8. The Web server delivers the desired document, through the Web Agent,
to the user’s browser.
The document contains customized responses, configured by an
administrator using the SiteMinder Policy Server User Interface. One
response informs the customer of their frequent flyer miles that they
have in their account, shown in the following diagram.

This response is configured to recalculate this number every second. To
do this, the Web Agent contacts the Policy Server each time the rule
associated with the response fires to ensure that the value is up to date.
As part of SiteMinder’s user registration feature, when the user first
registered for the frequent flyer program, they were asked how often
they travel during the year. This information was used to track which
customers were most likely to accumulate enough frequent flyer miles
to take advantage of an advertised upgrade.
In addition, if the administrator has enabled cookies, the Web Agent
stores a cookie in the user’s browser. The information in the cookies
enables single sign-on, if configured. Using single sign-on, the customer
can navigate to other links within Transpolar and to its affiliates without
having to re-authenticate.

Example: Disabling a User from the Transpolar Intranet
This example demonstrates how SiteMinder handles an unauthorized user.
The administrator revokes a user’s access privileges by disabling the user’s
account and clearing any cached user session and resource information using
the Policy Server User Interface.
The diagram below shows the flow of the employee’s access request.

[Figure: Transpolar Intranet. An employee on the LAN reaches the Web
Agent/Web Server with protected resources (transpolar.com), which
communicates with the Policy Server; the Policy Server consults the User
Directory and the Policy Store. The numbered arrows 1 through 6 correspond
to the steps below.]

1. The terminated employee tries to access the company’s intranet by
entering the URL for Transpolar. The employee arrives at the Transpolar
employee page.

2. When the employee selects the Employee Bidding link, the Web Agent
intercepts the request for access, and determines whether the resource is
protected.
Based on the information in the Agent’s resource cache, it determines
that the resource is protected.
3. The Web Agent then sends a request for the user’s credentials.
4. The employee enters their name and password. These credentials are
then forwarded by the Web Agent back to the Policy Server for
authentication.
The Policy Server checks the policy store and sees that the user account
is disabled.
5. The Policy Server sends a message back to the Web Agent that the user
is not authenticated, which in turn, triggers the Web Agent to deny
access.
6. The Web server delivers a document in the employee’s browser
informing the employee that they no longer have access privileges for
the Transpolar site.
In addition, an authentication reject event is recorded in the Policy
Server activity log. This event is also sent to a library developed using
the SiteMinder Event API, which provides information about the access
attempt to a monitoring application. The monitoring application sends
an email message to an administrator that an unauthorized user tried to
access resources.
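The two Transpolar walk-throughs above, as an added Python simulation that is not code from the guide or from SiteMinder: a Web Agent with a resource cache, a Policy Server backed by a user directory and a policy store, and a handler standing in for a library built on the Event API that reports authentication rejects to a monitor. All class and function names are hypothetical, and the users, groups and paths are constructed to match the example.

```python
class EventHandler:
    """Stand-in for a custom Event API library: records events and notifies a monitor."""

    def __init__(self, notify):
        self.records = []
        self.notify = notify          # e.g. a function that emails the administrator

    def emit(self, kind, username):
        self.records.append((kind, username))
        if kind == "AuthReject":
            self.notify(f"authentication rejected for {username}")


class PolicyServer:
    def __init__(self, user_directory, policy_store, events):
        # user_directory: name -> {"password", "groups", "disabled"} (constructed data)
        # policy_store: realm prefix -> set of groups entitled to that realm
        self.users = user_directory
        self.policies = policy_store
        self.events = events

    def _realm(self, resource):
        # Longest realm prefix covering the resource; None means unprotected.
        matches = [r for r in self.policies if resource.startswith(r)]
        return max(matches, key=len) if matches else None

    def is_protected(self, resource):
        return self._realm(resource) is not None

    def authenticate(self, username, password):
        rec = self.users.get(username)
        ok = rec is not None and not rec["disabled"] and rec["password"] == password
        if not ok:
            self.events.emit("AuthReject", username)   # also goes to the activity log
        return ok

    def authorize(self, username, resource):
        allowed = self.policies[self._realm(resource)]
        return bool(self.users[username]["groups"] & allowed)


class WebAgent:
    def __init__(self, policy_server):
        self.ps = policy_server
        self.resource_cache = {}      # resource -> is-protected answer (extranet step 3)

    def request(self, resource, credentials):
        protected = self.resource_cache.get(resource)
        if protected is None:         # cache miss: ask the Policy Server once
            protected = self.ps.is_protected(resource)
            self.resource_cache[resource] = protected
        if not protected:
            return "served"
        if credentials is None:
            return "challenge"        # extranet step 4: present the login form
        username, password = credentials
        if not self.ps.authenticate(username, password):
            return "denied"           # intranet step 5: not authenticated
        if not self.ps.authorize(username, resource):
            return "forbidden"        # authenticated but no entitlement for the realm
        return "served"               # extranet step 8


def demo():
    """Constructed walk-through: a customer, a non-pilot employee and a disabled account."""
    alerts = []
    events = EventHandler(alerts.append)
    users = {
        "flyer42": {"password": "pw-a", "groups": {"customers"}, "disabled": False},
        "expilot": {"password": "pw-b", "groups": {"pilots"}, "disabled": True},
    }
    store = {"/mileage": {"customers"}, "/bidding": {"pilots"}}
    agent = WebAgent(PolicyServer(users, store, events))
    outcomes = (
        agent.request("/depart-arrive/today", None),             # unprotected
        agent.request("/mileage/balance", None),                 # challenged
        agent.request("/mileage/balance", ("flyer42", "pw-a")),  # served
        agent.request("/bidding/routes", ("flyer42", "pw-a")),   # forbidden
        agent.request("/bidding/routes", ("expilot", "pw-b")),   # denied
    )
    return outcomes, agent.resource_cache, events.records, alerts
```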
