Transcript CA Single Sign-On Office Hours: A Live Chat (Jun 18th)

Document created by Chris Stallone (Employee) on Jun 18, 2015. Last modified by kristen.palazzolo on Dec 17, 2016.

Jeff :

No questions at this time

 

David Inglehart :

Is there a way to turn on word-wrap? It is really hard to follow long responses with the infinite line length.

 

Jim Lundell :

Have any dates been determined as to when R12.5x will be supported on Windows 2012?

 

David Inglehart :

I am asking my techs. They were supposed to be here, but alas, prod IAM issues.

 

 

Sid Mautte (CA) :

@David, have you tried to write an Active Response within SiteMinder or have you looked at SmWalker?

 

David Inglehart :

I have been told that it was not doable. Here is the scenario as I understand it:

 

David Inglehart :

So....we have multiple employees. Some work for company X, some for company Y. The SSO (i.e. letting them in) works, but what we need to happen is that Bob (X) should land at https://vendor/x and Charlie (Y) should land at https://vendor/y.

 

Herb Mehlhorn (CA) :

Hi Jim, I believe you are probably asking about Policy Server (today there are agents on 2012). The upcoming release will have 2012 R2 support for Policy Server, and we are in the process of generating our customer validation plan. If your organization would be interested in getting a drop of the code to do some testing with, please let your account rep know to give me your contact info. As for the GA timeline, we are done with development and working to burn down the remaining work, but GA is beyond the end of July, and how much beyond that is not fully defined.

 

David Inglehart :

(sorry for the slowness but I have other IM windows opened up with the team)

 

Tony Pham :

I heard from a third party that in one of the WA release versions, the WA now has the ability to cache AZ requests. Is that true?

 

Shahn Soomro (CA) :

@David...an easier way to direct the user to the correct landing page would be to set up OnAuthAccept responses to collect user information (assuming it is available in the authentication user store) and pass it to a simple ASP/JSP page that runs the logic of redirecting the user to the appropriate landing page based on the response data passed...

 

Jim Lundell :

@Herb Thanks!

 

Herb Mehlhorn (CA) :

@Tony. Do you mean turning off "isauthorized"?

 

Tony Pham :

Perhaps. Do you have info or a pointer that you can share?

 

Kristen Malzone (CA) :

We just posted a new event in the CA Security Community! RSVP for this webcast "What you need to know about OAuth and CA Single Sign-On" (happening July 7th): https://communities.ca.com/events/2098

 

Herb Mehlhorn (CA) :

@Tony, I can send you a quick snippet of what is involved.

 

Josh Coffman :

Is there any known way to log SM access to a file, but also insert the logs into the DB in real time?

 

Josh Coffman :

We have had issues logging directly to a DB, but we want to be able to perform more real-time security analysis.

 

Tony Pham :

Thanks. I would imagine the info is in the WA release notes. If you can give me the release version, I can take a look at it as well.

 

Herb Mehlhorn (CA) :

@Tony, we have had support for cached authz, but I think you may be interested in the turn off

 

Herb Mehlhorn (CA) :

@Tony ...."isauthorized"...sorry...pushed send too early

 

Tony Pham :

You know how today the WA would send an isauthorized request to the PS. My understanding is that this new feature would allow the WA to know via cache (or to turn off) this isauthorized request.

 

Tony Pham :

To know is better, as the WA would "see" this request before (based on the context root).

 

Tony Pham :

As AZ calls are usually high in number compared with validate or auth calls.

 

Ricardo Dos Santos :

When you have SiteMinder integrated with IdentityMinder and IdentityMinder has some endpoints, how do you resolve password services (like change password) and synchronize with all endpoints?

 

Tony Pham :

Or a feature that allows the WA to see if a request is to this context root and then just auto-authorize, even if that context root is protected.

 

Herb Mehlhorn (CA) :

@Josh, today there isn't a way to log simultaneously into two places. Just a thought around the "security analysis" part of your comment: there may be a way to use one of our 3rd-party partners for addressing this if you are rolling your own right now.

 

Shahn Soomro (CA) :

@Josh...here is the link to our partner IdentityLogix. They have a plugin for SiteMinder that allows custom analytics etc.: http://www.identitylogix.com/products/spylogix-suite-enterprise/spylogix-modules/spylogix-for-ca-siteminder

 

Josh Coffman :

@Herb, thank you! I will look into this.

 

Stephen McQuiggan (CA) :

@Tony – the web agent consists of two caches, the "resource cache" and the "user session cache"; their sizes are set in (2) ACO parameters. They help reduce the number of trips to the policy server.

 

Kristen Malzone (CA) :

CA Support Engineers post Tech Tips weekly for Single Sign-On customers. Check out the feed here: http://cainc.to/SSOtips

 

Tony Pham :

@Josh, you might want to look into Splunk as well. It's a log analytics tool that would take not only SM, but LDAP, web server access logs, application logs, network devices, so you can trace the user request end to end.

 

Tony Pham :

@Stephen, I'm aware of those two caches. Doesn't fit my need though. Will wait for the info that Herb is going to send me.

 

Shahn Soomro (CA) :

Thanks @Tony. @Josh, here is the link to the Splunk plugin: https://splunkbase.splunk.com/app/842/

 

Josh Coffman :

@Tony - Thanks, I have looked at Splunk a little bit and it looks good. I am just trying to identify all of the options before making a decision. I appreciate the input!

 

Stephen McQuiggan (CA) :

@Tony, is your need for the web agent to just process authentications and not process any AZ, so the only trip to the policy server is auth?

 

Tony Pham :

@Stephen, yes

 

Sid Mautte (CA) :

@Ricardo, password management when SiteMinder and Identity Manager are integrated needs to be managed in Identity Manager. It will then be able to properly populate the passwords to the managed endpoints.

 

Kristen Malzone (CA) :

15 minutes left! Get your last questions in now!

 

Josh Coffman :

@Tony, if you only want AU, can you not just protect the application login page and leave everything else unprotected with SiteMinder? This leaves AZ up to your application.

 

Herb Mehlhorn (CA) :

@all ...one thing I wanted to alert you to is an upcoming Ideation vote period we will announce on the community site...going to ask folks to "get their votes in", so to speak, so at the end of July we will take a snapshot of vote totals....FYI

 

Jim Marsen :

Hi, all. How do I determine the value for MaxThreads in the SM admin console? We are using 4-CPU VMs and sometimes have high ServerQueueLength values at peak time.

 

Tony Pham :

@Josh, that's an option. However, I don't think you can use that if you have a common WA name for all apps.

 

Tony Pham :

If you have that "AZ bypass" feature, you can use LocalConfig and have the parameter turned on/off locally.

 

Ricardo Dos Santos :

Thanks, but when the Password Services URL of Identity is indicated in SiteMinder instead of smpwservices.fcc, the redirection does not work.

 

Herb Mehlhorn (CA) :

@Tony, Will dig up the summary of the approach and provide out of band.

 

Kristen Malzone (CA) :

Regarding Herb's comment on Ideas, you can vote on or submit ideas here: http://cainc.to/xO8Po9

 

Stephen McQuiggan (CA) :

@Jim – there are a few factors that affect the number of threads. 1. The performance (latency) associated with the backend directory (user store). 2. The number of CPUs in the machine hosting the policy server. 3. Policy design, in terms of the number of directory searches (or writes) required to execute a login or authorization request.

 

Herb Mehlhorn (CA) :

@Kristen...thx. 

 

Kristen Malzone (CA) :

@Ricardo - please post this question to the CA Security Community under the CA Identity Suite category and someone from IDM support will respond. https://communities.ca.com/community/ca-security

 

Ricardo Dos Santos :

ok , Thanks

 

Ricardo Dos Santos :

Has anyone worked with SSO between SiteMinder and the workspace of Oracle BPM (Business Process Manager)?

 

Stephen McQuiggan (CA) :

@Jim - the best approach is to test in a lower environment with prod load, adjust threads, and monitor queue depths.

 

Jim Marsen :

how could I tell if the value was too high?

 

Josh Coffman :

@Sid - If we are not pushing passwords anywhere with IDM, but SM and IDM are integrated, is it still acceptable to use SiteMinder for password services?

 

Stephen McQuiggan (CA) :

@Jim - run stats and review the data provided. Having a "Waits" value that is very close to the "Msgs" value, coupled with a low "Misses" value, implies that there are enough threads to handle the incoming load, but there are not too many threads configured. A high "Misses" value would indicate that you may have too many threads configured. A large "Msgs" value coupled with a low "Waits" value and a low "Misses" value would imply that you may need to increase the number of worker threads.

 

Herb Mehlhorn (CA) :

@Ricardo,...that does tickle a memory of mine where we did some work with a customer on this combination, but I would have to do some deeper digging to find it, as it is not a regularly tested/certified combination.

 

Herb Mehlhorn (CA) :

@Ricardo,...trying to find the thread..

 

Sid Mautte (CA) :

@Josh, there are well-defined integrations for SiteMinder and Identity Manager. There are too many combinations to discuss here. At a high level, you would need to ensure you have not deployed the full integration between the two products if you are looking for a loose coupling. Please bring your full use case forward to the communities forum under Identity Manager for a fuller discussion.

 

Ricardo Dos Santos :

I understand. Can you send me some information about it later?

 

Kristen Malzone (CA) :

Ok - that's all the time we have for today! Thanks for joining this month's session of CA Single Sign-On Office Hours! The next session will be Thursday, July 16, 2015 at 10:00am EDT. We'll post the chat transcript from today's session to the CA Security Community here: https://communities.ca.com/community/ca-security

 

Tony Pham :

Thanks

 

Kristen Malzone (CA) :

We'll continue to answer the remaining questions..

 

Herb Mehlhorn (CA) :

@Ricardo..not immediately available. I will get your email and follow up.

 

Ricardo Dos Santos :

Thanks

 

Ricardo Dos Santos :

Can SiteMinder federate with a 3rd party using SAML2? I mean, log in to SiteMinder and, when the user requests a URL of the 3rd party, have SSO? In that case the 3rd party would be a Service Provider (SP) and SiteMinder the Identity Provider (IdP).

 

Herb Mehlhorn (CA) :

@Ricardo, yes, this is a standard supported capability.

 

Shahn Soomro (CA) :

@Ricardo, yes, SiteMinder supports both IdP and SP partnerships from the same installation.

 

Ricardo Dos Santos :

OK, thanks so much

 

Jim Marsen :

I'm not clear on Waits, Msgs and Misses - are these OS or SM stats? BTW, we're running Win2008R2.
