Symantec Access Management

Hi all,

I am implementing GoogleApps SP-initiated SSO with SiteMinder 12.52. I have SiteMinder 12.52 setup with Secure Proxy server 12.52 and Sunone Directory as User Store.

To implement SP initiated SSO, i have created Local IDP entity, Remote SP Entity, configured Partnership(SAML 2 IDP -> SP) and protected Authentication URL by creating Application under Polices in Siteminder AdminUI.

Authentication URL: http://<sps-hostname>/affwebservices/redirectjsp/redirect.jsp

In GoogleApps side i have given the URL's as below and uploaded the certificate, which was created in SiteMinder side.

Sign-in URL: https://<sps-hostname>/affwebservices/public/saml2sso

Sign-out URL: https://<sps-hostname>/affwebservices/public/saml2slo

Change Password URL: http://www;google.com

To test, SP initiated SSO,in browser i gave URL as, http://mail.google.com/a/<googleappsdomain>. I am receiving an login page from Google to enter the details, not from SiteMinder Authenticated prompt page. User has to authenticate from IDP side to enter the credentials and it has to redirect to google apps services.

I am newbie to SiteMinder federation. Please suggest me, what i am missing here to do the federated setup.

Thanks in advance.

Regards,

Karthick

Have you checked the "Run Books"?

I think this had a "Run Book" made.

found the link....

PLACEHOLDER - Federation Runbooks - CA Technologies

and there is one for google apps.

maybe that will help?

Hi JPerlmutter,

Thanks for your reply.

I tried to implement the SP initiated SSO using the Google Federation Runbook, which you have mentioned.

But when I am testing the SP initiated SSO using the http://mail.google.com/a/<googleappsdomain>, Google login page is appearing to get the credentials not from the Siteminder login page(from Sunone Directory).

I think, I have missed something to protect the Googleapps services for federation. What I am missing here?

Please suggest on this.

Thanks & Regards,

Karthick

Karthick,

I have nottried this one yet.

However, if Google Apps is the IdP, would it not be their login that is expected?

-Josh

Hi Josh,

I am trying to do SP initiated SSO and here Google is an Service provider. For the Runbook I came to know that, only service provider initiated works for GoogleApps.  .

If Google is an Service provider, I will give the URL as http://mail.google.com/a/<google_domainname> and will get the authentication prompt page from Siteminder Identity provider side to collect the credentials.

I think I am doing a wrong configuration on protecting the Authentication URL and protection of FWS application.

Can you please suggest me on protecting the FWS application?

Thanks & Regards,

Karthick

Karthick,

I'm pretty new to Federation myself.

If you're having issues and no one else has a suggestion by thursday, i'd say open a case and get help from the experts

Karthick,

I got googleapps to work. Basically, as you said its SP initiated SSO. So try to go to www.google.com/a/companydomain. Enter your email id that you are using for SSO and click Sign In (do not enter password). Next, you should be protecting your redirect.jsp file with an authentication scheme (form based, try basic first). So Google should kick you to your federation authentication URL and since you are protecting your redirect.jsp file, it will prompt for userid and password. In this form, you enter your company network credentials and that will kick you back to google apps.

Your authentication URL should be something like: https://federationwebserver/affwebservices/redirectjsp/redirect.jsp

Create a SiteMinder domain, create a realm with the federation web server web agent. In the resource you should have /affwebservices/redirectjsp/redirect.jsp. The rule is simple get + post for *. In the policy, add the rule and add the users you want to give access to.

Hi pbiwas,

Thanks for our suggestion.

I have protected the /affwebservices/redirectjsp/redirectjsp in Siteminder Identity provider side, which you have mentioned as Authentication URL.

When I test the Federation by providing the URL in browser, http://mail.google.com/a/ idmsimulator.com, I received the below error,

HTTP Status 403 - Request Forbidden. Transaction ID: 131ef2f5-b753824f-494fa897-cff38006-a0ad0f0a-1e72 failed .

This issue was resolved after applied the patch in JVM for unlimited cyptography with the Java Cryptography Extension (JCE) package. The below files are in the directory <JDK jre_home>\lib\security.

1. local_policy.jar

2. US_export_policy.jar.

After JVM is patched i have tested the federation login, it works fine.

Thanks & Regards,

Karthick Sugumaran

Hi karthick,

Good work. Yes, I faced that 403 error in the past and had to update the JCE package.