Symantec Access Management

  • 1.  Siteminder Open ID Connect Client Side

    Posted Jun 30, 2017 07:13 PM

    Has anyone in the community implemented an OpenID Connect client-side implementation with Siteminder / Single Sign-On? In other words, an external partner is the OpenID Connect Provider (OP) while the Siteminder / Single Sign-On based infrastructure on your side is the Relying Party (RP). On Siteminder, we can have an OAuth partnership (or) an OAuth authentication scheme configured.


    If yes, were you able to get Siteminder to read the claims from the ID token?

     

    Thanks

    Paul



  • 2.  Re: Siteminder Open ID Connect Client Side

    Broadcom Employee
    Posted Oct 01, 2017 06:23 PM

    Hi Paul

     

    We found that we needed to implement the userinfo callback to get the claims. We did at one stage try adding them to the access token, but that didn't seem to work (i.e. the encrypted token size did not increase). Adding the SMSESSION to the token did seem to work (at least the encrypted value became a lot longer).

     

    I added an entry to Jack's post, but here is the link to the setup we did to diagnose the support client issue:

     

    CA SSO OpenID Connect Provider - with Apache OpenID Client 

     

    Cheers - Mark

    ----
    Mark O'Donohue
    Snr Principal Support Engineer - Global Customer Success



  • 3.  Re: Siteminder Open ID Connect Client Side

    Posted Oct 03, 2017 01:46 AM

    Hi Mark.ODonohue

     

    Thanks for your reply. I looked at the example; this seems to be a case of Siteminder acting as an OpenID Connect Provider (OP) and Apache with the OIDC module acting as a Relying Party (RP). I am clear on this use case.

     

    However, in my original post, I was looking for any references for a different use case where we have an external partner acting as an OpenID Connect Provider (OP) and Siteminder-based infrastructure acting as the Relying Party (RP). In other words, an external partner sends out an ID Token and an Access Token into a Siteminder-based infrastructure. Can we have Siteminder consume both these tokens, or at least either of them, to generate an SMSESSION and send the user to an integrating application?



  • 4.  Re: Siteminder Open ID Connect Client Side
    Best Answer

    Posted Nov 13, 2017 05:27 PM

    A bit late here, but to confirm, CA SSO cannot act as an OpenID Connect relying party.

    This ER is currently under review:

     

    CA SSO full support for OpenID Connect