Symantec Access Management

  • 1.  How to implement partnership between ADFS and SSO (IdP)

    Posted Oct 31, 2018 06:19 AM

    Two kinds of users: employees of the customer (user1) and external users (user2).

    When user1 or user2 browses to the “Customer Portal” (CP), CP will redirect them to ADFS. ADFS will find out (Home Realm Discovery) whether this is an internal user (user1) or an external user (user2).

    • Internal users (user1) are authenticated by ADFS using (on-premise Customer internal) Active Directory.
    • External users (user2) are redirected by ADFS to CA SSO (formerly called SiteMinder). CA SSO presents a login page to user2 where he must enter his credentials; CA SSO will look up the user in the user store (LDAP). If found and the credentials are correct, user2 is authenticated.

     

    When CA SSO authenticates an external user (user2) it will return a valid (SAML) token to ADFS. ADFS accepts this token and in turn provides a valid (SAML) token to CP. When ADFS authenticates an internal user (user1) it will return a valid (SAML) token to CP as well.

     

    Questions:

    • How can this be achieved?
    • Should this be done by defining a partnership federation?

    There must be a kind of trust relation created between CA SSO and ADFS.

    Within CA SSO you can create the following partnership relations:

    • SAML2 IDP -> SP
    • SAML2 SP -> IDP
    • SAML1.1 Producer -> Consumer
    • SAML1.1 Consumer -> Producer
    • WSFED IP -> RP
    • WSFED RP -> IP
    • OAUTH Client -> Authz Server

    Which of the above is the correct partnership?

    In case of user2 CA SSO is the identity provider (IdP), so is ADFS the service provider?

    • Within SSO 12.8 we also have OpenID Connect. Can this be used for the use case above?


  • 2.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Oct 31, 2018 09:42 AM

    You are correct: CA SSO will be IdP / IP and ADFS will be SP / AP.

     

    We can use either one of the below, depending on what ADFS supports.

    SAML2 IDP -> SP

    or

    WSFED IP -> RP

     

    In the past I've used "WSFED IP -> RP".



  • 3.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Oct 31, 2018 09:56 AM

    Hubert, thanks for the quick reply. Do you have a runbook for the WSFED IP -> RP configuration with ADFS?

     

    Regards, Edwin Scheffer



  • 4.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Oct 31, 2018 10:25 AM

    Edwin Scheffer

     

    Here it is

     

    SAP Portal Services 



  • 5.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Nov 01, 2018 06:01 AM

    Thanks.

    Is this run book based on Web Agent Option pack? Or, can we use Access Gateway also?

    Where is affwebservices/public in this case?

     

    Regards, Edwin



  • 6.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Nov 01, 2018 08:44 AM

    This runbook is product agnostic (i.e. it is the same for WAOP and AG).

     

    <sps_home>/Tomcat/webapps/affwebservices.

     

    The URL remains the same (i.e. it is the same for WAOP and AG).



  • 7.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Nov 07, 2018 02:04 AM

    I’m new to Access Gateway so maybe you can help me to configure the Authentication URL properly.

     

    Access Gateway is installed on server SSD-GTW01.SSD-ONT.OTA.

    I created an ACO ssd-gtw01-agent object (which is a copy of object SPSDefaultSettings)

    The DefaultAgentName I used is AccessGatewayAgent.

     

    I think that the base URL in the Local Entity will be https://www.idp.company.nl

    So the Authentication URL I must specify in the SSO and SLO will be https://www.idp.company.nl/affwebservices/redirectjsp/redirect.jsp

     

    Within the CA SSO Admin UI I must define a realm for the Authentication URL. Is this realm protected by AccessGatewayAgent also?

    This agent is now only used for protecting the Access Gateway Admin UI (Windows Authentication).

     

    Also I need to know how to configure www.idp.company.nl within the proxyrules.xml.

     

    I hope you can help me on this also.



  • 8.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Nov 07, 2018 10:21 AM

    Scheffer

     

    Question: I think that the base URL in the Local Entity will be https://www.idp.company.nl, so the Authentication URL I must specify in the SSO and SLO will be https://www.idp.company.nl/affwebservices/redirectjsp/redirect.jsp

    Comment: The Authentication URL is correct. However, we need to protect /affwebservices/redirectjsp* using a realm / auth scheme / policy domain. I typically do this in one of two ways; either is fine: using the "FederationWebServices" policy domain, which is shipped OOB, or manually creating a new policy domain. The preferred way would be to use the "FederationWebServices" policy domain and add your Agent object to the agent group in the "FederationWebServices" policy domain. This way not just the Authentication URL but also all the necessary services are correctly protected / unprotected by the rules within the "FederationWebServices" policy domain.

    Question: Within the CA SSO Admin UI I must define a realm for the Authentication URL. Is this realm protected by AccessGatewayAgent also?

    Comment: Correct. Refer above.

    Question: Also I need to know how to configure www.idp.company.nl within the proxyrules.xml?

    Comment: My recommendation is to review your infrastructure and see what structure of proxy rules serves you best. Typically most start off with HOST HEADERS and then fork into further sub-conditions (e.g. URIs).

     

    Within the <CA_AG_HOME> install folder there is an examples folder which has multiple versions of sample proxyrules.xml using different conditions. That is a good starting point for an overview.

     

    Configure Proxy Rules Manually - CA Single Sign-On - 12.8 - CA Technologies Documentation 

     

    Proxy Rules Configuration - CA Single Sign-On - 12.8 - CA Technologies Documentation 

     

     

    Regards

    Hubert



  • 9.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Nov 16, 2018 03:19 AM

    Hi Hubert,

    Thanks again.

    I need some more info on your first answer:

     

    In FederationWebServicesAgentGroup I have added the AGAgent object (created by installation of AG)

    The shipped FederationWebServicesDomain contains the following realms: FederationWebServicesRealm and the public realm, with resource filters /affwebservices and /affwebservices/public.

    Should I create the new realm here for /affwebservices/redirectjsp? With a GET, POST rule and the authentication scheme we wanted, using the agent group FederationWebServicesAgentGroup to protect the resources there?

     

    Shipped are under Domain policies the following 3 policies

     

    FederationWSAssertionRetrievalServicePolicy

    FederationWSNotificationServicePolicy

    FederationWSSessionServicePolicy

     

    Can I use one of these? Or should I create a new one?

     

    Regards,

    Edwin



  • 10.  Re: How to implement partnership between ADFS and SSO (IdP)

    Posted Nov 16, 2018 10:08 AM

    Scheffer

     

    Question: Should I create the new realm here for /affwebservices/redirectjsp? With a GET, POST rule and the authentication scheme we wanted, using the agent group FederationWebServicesAgentGroup to protect the resources there?

    Suggestion: Correct.
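The two configuration points the thread settles on, the host-header-first proxyrules.xml for www.idp.company.nl (post 8) and the extra /affwebservices/redirectjsp realm inside FederationWebServicesDomain (posts 9 and 10), are easy to get subtly wrong: a URI can end up forwarded instead of served locally, or governed by a broader realm than intended, or by no realm at all when the gateway's agent is not in the domain's agent group. The following is an added, stand-alone check written for this page, not code from the product or from any poster. It embeds a constructed proxyrules.xml (host and URI conditions only, DOCTYPE omitted so it parses offline, hostnames and backend URLs hypothetical, the nete namespace URI assumed) and a constructed realm table (the two shipped realms plus the added one; the auth scheme names are illustrative), then resolves a request URL the way the proxy engine walks nested conditions and the way the policy server picks the realm with the longest matching resource filter.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"nete": "http://www.ca.com/"}  # namespace assumed; compare with the shipped examples

# Constructed proxyrules.xml. The product's file also carries a DOCTYPE line
# pointing at the shipped proxyrules.dtd; it is left out so this parses offline.
# www.idp.company.nl comes from the thread, the forward targets are hypothetical.
PROXYRULES_XML = """<?xml version="1.0"?>
<nete:proxyrules xmlns:nete="http://www.ca.com/">
  <nete:cond type="host">
    <nete:case value="www.idp.company.nl">
      <nete:cond type="uri" criteria="beginswith">
        <nete:case value="/affwebservices">
          <nete:local/>
        </nete:case>
        <nete:default>
          <nete:forward>http://portal-backend.company.nl$0</nete:forward>
        </nete:default>
      </nete:cond>
    </nete:case>
    <nete:default>
      <nete:forward>http://www.company.nl$0</nete:forward>
    </nete:default>
  </nete:cond>
</nete:proxyrules>
"""

# Constructed realm table for FederationWebServicesDomain:
# (realm name, resource filter, protected?, auth scheme). Scheme names are illustrative.
REALMS = [
    ("FederationWebServicesRealm", "/affwebservices", True, "Basic"),
    ("public", "/affwebservices/public", False, None),
    ("redirectjsp", "/affwebservices/redirectjsp", True, "HTML Form"),
]
# Agents whose requests this domain governs (AGAgent was added to the group in post 9).
FEDERATION_AGENT_GROUP = {"AGAgent"}


def _match(subject, value, criteria):
    """Match one nete:case value against the host or URI under test."""
    subject, value = subject.lower(), value.lower()
    return {
        "equals": subject == value,
        "beginswith": subject.startswith(value),
        "endswith": subject.endswith(value),
        "contains": value in subject,
    }[criteria]


def route(rules_xml, url):
    """Walk nested nete:cond / nete:case elements and return ("local", None)
    for requests served by the gateway's own servlet container, or
    ("forward", target) with $0 replaced by the request URI."""
    parts = urlsplit(url)
    host, uri = parts.hostname or "", parts.path or "/"
    node = ET.fromstring(rules_xml)
    cond = node.find("nete:cond", NS)
    while cond is not None:
        subject = host if cond.get("type") == "host" else uri
        criteria = cond.get("criteria", "equals")
        chosen = cond.find("nete:default", NS)
        for case in cond.findall("nete:case", NS):
            if _match(subject, case.get("value"), criteria):
                chosen = case
                break
        if chosen is None:
            raise ValueError("no case matched and no nete:default present")
        node, cond = chosen, chosen.find("nete:cond", NS)
    if node.find("nete:local", NS) is not None:
        return ("local", None)
    target = node.find("nete:forward", NS).text.strip()
    return ("forward", target.replace("$0", uri))


def governing_realm(uri, agent):
    """Longest matching resource filter wins when several realms match.
    An agent outside the domain's agent group is governed by none of them."""
    if agent not in FEDERATION_AGENT_GROUP:
        return None
    matches = [r for r in REALMS if uri.startswith(r[1])]
    return max(matches, key=lambda r: len(r[1])) if matches else None


def check(url, agent="AGAgent"):
    """Resolve one request against both the proxy rules and the realm table."""
    action, target = route(PROXYRULES_XML, url)
    realm = governing_realm(urlsplit(url).path, agent)
    return {
        "route": action,
        "target": target,
        "realm": realm[0] if realm else None,
        "protected": bool(realm and realm[2]),
        "auth_scheme": realm[3] if realm else None,
    }


if __name__ == "__main__":
    for u in ("https://www.idp.company.nl/affwebservices/redirectjsp/redirect.jsp",
              "https://www.idp.company.nl/affwebservices/public/example",  # placeholder path
              "https://www.idp.company.nl/portal/index.html",
              "https://other.company.nl/app"):
        print(u, check(u))
```

Run as-is, the Authentication URL resolves to the local container and to the added redirectjsp realm with its own scheme, the public prefix stays unprotected as the shipped domain intends, and non-federation paths on the IdP host are forwarded. Passing an agent name that is not in the group (for example the ACO copy from post 7 if only the installed AGAgent was added) returns no realm at all, which is the failure mode to watch for: the Authentication URL would then be reachable without the chosen authentication scheme unless some other policy domain covers it.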