Symantec Access Management

  • 1.  EEM SSO using Siteminder for CA SDM

    Posted Apr 19, 2015 03:59 AM

    Hi all,

     

    My aim is to have SSO for EEM contacts. Let me explain my environment.

    My CA SDM server is located in the abc.com domain.

    EEM is configured with the xyz.com domain. I want these xyz.com people to have SSO when they access our CA SDM from their machines.

    I understood that this can be done by using CA Siteminder.

    So I installed CA Siteminder on a separate server and created a User directory in Siteminder pointing to the xyz.com Active Directory.

    I am able to view contacts of xyz.com people in Siteminder. Then I changed the User store configuration of EEM to point to the Siteminder User directory which I created.

    eemuserstore.png

    Now i am able to get xyz.com contacts in Manage Identities of EEM. Fine.

    Then, as per the doc below, I configured Siteminder:

    https://wiki.ca.com/display/eem1251/Integrating%20CA%20EEM%20with%20the%20SSO%20Server#

     

    After this, when I enable the option Enable SSO Server in EEM as below:

    ssoeem.png

    I am getting an error as below:

    errorsso.png

    Please help me with this. I appreciate it in advance.

     

    Thanks,

    Saran




  • 2.  Re: EEM SSO using Siteminder for CA SDM

    Broadcom Employee
    Posted Apr 22, 2015 08:12 AM

    Hello Saran,

    The details you provided above are mixing two solutions together. The SSO connector in EEM and the "use siteminder as user store" config are not to be used together. Please look back at the wiki page you referenced. It does not include using Siteminder as a user store. The wiki page also does not cover the second half of the solution, which involves installing the Siteminder Secure Proxy Server and creating proxy rules for redirection. Please note: the author of that wiki does not or no longer works for CA.

     

    Please open a new case for support to help you with this issue.



  • 3.  Re: EEM SSO using Siteminder for CA SDM

    Posted Apr 23, 2015 05:50 AM

    Hi Gregory,

     

    Thanks for your correct direction

     

    I followed the link you mentioned above.

    1. Created an agent and user directory to pull contacts from the xyz.com domain - Working fine, showing contacts

    2. In EEM, configured Reference from Siteminder and I'm able to get users of xyz.com in Manage Identities

    3. I changed web authentication for default Access type in CA SDM to EEM authentication and Allow external authentication

    From a client machine which is registered in xyz.com, if I log in with the Windows credentials of one of the users in xyz.com, open the CA SDM portal and log in, it does not automatically log in to CA SDM.

    But if I supply the username and password manually, it logs in.

     

    Can you please help me on how to get SSO for CA SDM from the above configuration?



  • 4.  Re: EEM SSO using Siteminder for CA SDM

    Broadcom Employee
    Posted Jul 14, 2015 05:40 PM

    Hi Sara,

    Point #3 would indeed have to be investigated by CA SDM support on whether what you are attempting is possible or even supported. As far as EEM support is concerned, you have accomplished #1 and #2 successfully which is as far as EEM Support is able to assist. I still recommend that you open a case with CA SDM support referencing this thread. They will ask for logs and verify if the integration you are attempting is possible.

     

    Greg



  • 5.  Re: EEM SSO using Siteminder for CA SDM

    Posted Feb 22, 2016 09:50 AM

    Hello to all,

    What is the implementation effort for this integration?

     

    Thanks In Advance

    Angeliki



  • 6.  Re: EEM SSO using Siteminder for CA SDM

    Posted May 09, 2016 05:29 PM

    I also have the same problem in my lab. Even worse, when I carried out the steps below:

     

     

    Navigate to Configure, EEM Server, SSO Server.

    Select Enable SSO Server.

    Complete The Following fields:

     

     

    The operation did not complete at all, causing a hang that required a restart of all "EEM" services.

    When "EEM" came back, the login page showed the error "EE_AUTHFAILED Authentication failed".

     

     

    The logs show the following error when I restart the service "EEM":

     

     

    INFO 05.09.2016 18:28:22.655 [0x000009f0] [eiam.server.poz.poz] Server::init: setting windows system time resolution [time: 1 (ms)]

    ERROR 05/09/2016 18:28:24.323 [0x000009f0] [eiam.server.siteminder.siteminderbridge] SiteMinderBridge::init: failed in initialization of the java util SiteMinder

    ERROR 09/05/2016 18:28:24.324 [0x000009f0] [eiam.server.poz.connectorfactory] UserStoreBuilder::createSMConnector: failed to create SM Connector [UserStore: SiteMinder, type: 3]

    ERROR 05/09/2016 18:28:24.324 [0x000009f0] [eiam.server.poz.userstoremanager] UserStoreManager::init: failed to create UserStore connector [UserStore: SiteMinder, type: 3]

    INFO 05.09.2016 18:28:24.324 [0x000009f0] [eiam.server.poz.userstoremanager] UserStoreManager::~UserStoreManager: terminated

    ERROR 05/09/2016 18:28:24.324 [0x000009f0] [eiam.server.poz.poz] Server::init: failed to create user store manager

    INFO 09.05.2016 18:28:24.325 [0x000009f0] [eiam.server.poz.poz] Server::~Server: terminated

    INFO 05.09.2016 18:28:24.326 [0x000009f0] [eiam.server.poz.poz] Poz::~Poz: terminated



  • 7.  Re: EEM SSO using Siteminder for CA SDM

    Posted May 19, 2016 11:29 AM

    In my case I can now authenticate to "EEM" again; it was necessary to change the agent name in "C:\Program Files\CA\SC\EmbeddedEntitlementsManager\config\server\server.xml"

     

    <userstores>
      <smstore name="SiteMinder">
        <map>Microsoft Active Directory</map>
        <host>192.168.40.10</host>
        <adminname>SiteMinder</adminname>
        <adminpassword>{MUNGE2}ODQHA01AXQE=</adminpassword>
        <authenticationport>44441</authenticationport>
        <accountingport>44441</accountingport>
        <authorizationport>44441</authorizationport>
        <maxconnection>5</maxconnection>
        <minconnection>1</minconnection>
        <stepconnection>1</stepconnection>
        <timeout>60000</timeout>
        <agentname>caeem-agent</agentname>
        <agentsecret>{MUNGE2}ODQHA01AXQE=</agentsecret>
        <authdirname>AD_Directory</authdirname>
        <azdirtype></azdirtype>
        <azdirname>AD_Directory</azdirname>
        <searchtimeout>0</searchtimeout>
        <domain></domain>
      </smstore>
    </userstores>

     

    ----

     

    However, I still get the error when integrating "EEM" with "SiteMinder"; the log follows (C:\Program Files\CA\SC\EmbeddedEntitlementsManager\logs\ipoz.log):

     

    <fidm xmlns="http://eiam.ca.com/server/config" enabled="true">
      <connector classname="com.ca.eiam.sso.SiteMinderConnector" version="1.0">
        <parameter name="AgentName" value="caeem-agent"/>
        <parameter name="ConfigurationPath" value="C:\Program Files\CA\webagent\win64\config\"/>
        <parameter name="DisableAuthenticateWithPassword" value="false"/>
        <parameter name="DisableSearch" value="false"/>
        <parameter name="DisableUserProfileByAuthToken" value="false"/>
        <parameter name="DisableUserProfileByIdentity" value="false"/>
        <parameter name="ResourcePath" value="/"/>
        <parameter name="UseGroupNameAsDn" value="false"/>
      </connector>
    </fidm>]

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] Exception[-900]: failed to initialize sso connector

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/SsoConnectorBridge.cpp:557] bool __cdecl eiam::server::sso::SsoConnectorBridge::init(const class eiam::core::String &,const class HashMap<class eiam::core::String,class eiam::core::String> &)

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/SsoConnectorBridge.cpp:651] class eiam::server::sso::SsoConnectorBridge *__cdecl eiam::server::sso::SsoConnectorBridge::createInstance(const class eiam::core::String &,const class HashMap<class eiam::core::String,class eiam::core::String> &)

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/FederatedIdentityManager.cpp:83] bool __cdecl eiam::server::poz::FederatedIdentityManager::init(const class eiam::server::config::Server *)

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/FederatedIdentityManager.cpp:114] class eiam::server::poz::FederatedIdentityManager *__cdecl eiam::server::poz::FederatedIdentityManager::createInstance(const class eiam::server::config::Server *)

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/Server.cpp:205] bool __cdecl eiam::server::poz::Server::init(const class eiam::server::config::Server *,class eiam::common::EventHandler *)

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/Server.cpp:270] class eiam::server::poz::Server *__cdecl eiam::server::poz::Server::createInstance(const class eiam::server::config::Server *,class eiam::common::EventHandler *)

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/Poz.cpp:234] bool __cdecl eiam::server::poz::Poz::startServer(class eiam::server::config::Server *)

    ERROR 2016-05-18 19:17:51,616 [0x00000804] [eiam.server.ipoz.sponsorinterfacev1] [src/Poz.cpp:760] bool __cdecl eiam::server::poz::Poz::modifyConfiguration(const class eiam::core::String &,const class eiam::core::String &,const class eiam::core::String &,const class eiam::core::String &)

    ERROR 2016-05-18 19:17:59,962 [0x0000082c] [eiam.server.ipoz.sponsorinterfacev1] SponsorInterfaceV1::pozConfigure: poz configure failed [operation: modify, category: fidm, data:



  • 8.  Re: EEM SSO using Siteminder for CA SDM
    Best Answer

    Broadcom Employee
    Posted Jul 26, 2018 03:26 AM

    I know this is a very old thread; I bumped into it while searching the forum for the same issue I am facing now.

    Finally, I fixed it and am putting it here for others to see.

     

    1) if you want to share the session with SSO (user logged into one sso integrated application, comes to eem application, and you want to accept SMSESSION) you need to configure SSO settings.

    The error you see above 

    I was receiving this error due to 2 issues - a. the webagent (AgentName) was not protecting the url  (ResourcePath) and b. SmHost.conf path needs to be relative to EEM installation directory. My EEM installation directory was C:\EEM and SmHost.conf file was in C:\EEM\bin\ so I had to put bin\SmHost.conf in configurationpath parameter.

     

    2) If you only want to use SSO Directory for authentication/authorization and do not want to share session, you can simply configure CA SSO as user store. Please note that this will mean that EEM integrated application will use CA SSO user store for authentication and authorization but will not be able to generate smsession for user to use it elsewhere.

     

    The documentation for this is confusing, so I had a few trials and errors to reach this conclusion.

     

    Finally, ITAM - even though integrated with CA EEM, will not be able to use CA SSO and SSO server. It can use only CA SSO as user store.
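
A check for the ConfigurationPath condition reported in the best answer, as an added example that is not part of the thread or of CA's tooling. It assumes the `<fidm>` layout posted earlier in the thread; `check_fidm`, `connector_params` and the `C:\EEM` installation directory are illustrative names. Whether the agent actually protects ResourcePath is policy server state and is not checked here.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

NS = {"c": "http://eiam.ca.com/server/config"}

# Constructed sample, trimmed from the <fidm> block posted in the thread.
SAMPLE_FIDM = r'''<fidm xmlns="http://eiam.ca.com/server/config" enabled="true">
  <connector classname="com.ca.eiam.sso.SiteMinderConnector" version="1.0">
    <parameter name="AgentName" value="caeem-agent"/>
    <parameter name="ConfigurationPath" value="C:\Program Files\CA\webagent\win64\config\"/>
    <parameter name="ResourcePath" value="/"/>
  </connector>
</fidm>'''


def connector_params(fidm_xml):
    """Return the SSO connector's <parameter> name/value pairs as a dict."""
    conn = ET.fromstring(fidm_xml).find("c:connector", NS)
    if conn is None:
        raise ValueError("no <connector> element under <fidm>")
    return {p.get("name"): p.get("value", "") for p in conn.findall("c:parameter", NS)}


def check_fidm(fidm_xml, eem_home, exists=os.path.exists):
    """Return a list of findings; an empty list means every check passed."""
    params = connector_params(fidm_xml)
    findings = [f"{name} is missing or empty"
                for name in ("AgentName", "ResourcePath", "ConfigurationPath")
                if not params.get(name)]
    raw = params.get("ConfigurationPath", "")
    if not raw:
        return findings
    path = PureWindowsPath(raw)  # Windows path rules, whatever OS runs the check
    if path.drive or path.root:
        findings.append(f"ConfigurationPath {raw!r} is absolute; expected a path "
                        "relative to the EEM installation directory")
    elif ".." in path.parts:
        findings.append(f"ConfigurationPath {raw!r} leaves the EEM installation directory")
    elif path.name.lower() != "smhost.conf":
        findings.append(f"ConfigurationPath {raw!r} does not name SmHost.conf")
    else:
        full = str(PureWindowsPath(eem_home) / path)
        if not exists(full):
            findings.append(f"{full} does not exist")
    return findings


if __name__ == "__main__":
    for finding in check_fidm(SAMPLE_FIDM, r"C:\EEM"):
        print("FINDING:", finding)
```

The `exists` argument defaults to the local filesystem; pass a different callable to check against a file listing collected from the EEM host.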