This blog post describes how to integrate SiteMinder and ForgeRock. Bi-directional single sign-on between SiteMinder and ForgeRock is achieved, so that both environments can co-exist during a migration. Medium-sized to large businesses will find the ability for these two solutions to co-exist very useful: it reduces the burden on application and operations teams, provides flexibility in the application migration timeline, and has the least impact on end users.
Solution Description
A request carrying a valid SiteMinder session that reaches the ForgeRock environment results in the automatic creation of a ForgeRock session. Conversely, if the request reaches the ForgeRock environment first, a post-authentication plugin creates a SiteMinder session using a custom Authentication Scheme provided by ForgeRock. This Authentication Scheme uses the standard interfaces provided by SiteMinder. Hence, the ForgeRock-provided plugins ensure seamless single sign-on between the two environments; the end user does not really know which environment they are in.
Solution Components
• ForgeRock Access Management 6.5.2
• ForgeRock Identity Gateway 6.5.1
• CA Single Sign-On / SiteMinder Policy Server 12.80
• CA Single Sign-On SDK 12.80

Solution Overview
In the SiteMinder environment:
• ForgeRock Authentication Scheme: used by SiteMinder to validate a ForgeRock OpenAM token
• Sync App: a SiteMinder-protected resource used to receive the ForgeRock SSO token
In the ForgeRock environment:
• SiteMinder Authentication Module: used by OpenAM to verify a SiteMinder session
• Post Authentication Plugin: sends the OpenAM SSO token to SiteMinder upon successful authentication

1. The user requests access to an FR-protected application first
2. IG intercepts the request and redirects the browser to AM for authentication
3. AM authenticates the user and creates an FR SSO token
4. Post authentication, AM sends the FR SSO token to SiteMinder
5. SiteMinder creates an SMSESSION cookie if the FR SSO token is valid
6. SiteMinder sends the SMSESSION cookie back to AM
7. AM sends both the FR and SM cookies back to the user
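
Steps 4 to 7 of this flow, as an added Java example that is not code from the original post or from ForgeRock: an AM 6.5 post-authentication plugin (AMPostAuthProcessInterface) that presents the newly issued FR SSO token to the SM-protected Sync App and returns the resulting SMSESSION cookie to the browser. The Sync App URL, the request header carrying the token and the cookie domain are assumptions; how SiteMinder's ForgeRock Authentication Scheme reads the token is deployment-specific.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Map;
import java.util.logging.Logger;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;
/** Runs after AM issues the FR SSO token and obtains an SMSESSION cookie for the same user. */
public class SiteMinderSyncPostAuth implements AMPostAuthProcessInterface {
    private static final Logger LOG = Logger.getLogger(SiteMinderSyncPostAuth.class.getName());
    // The four deployment values below are assumptions, not taken from the original post.
    private static final String SYNC_APP_URL = "https://sm.example.com/syncapp/";
    private static final String TOKEN_HEADER = "X-OpenAM-Token";
    private static final String SM_COOKIE = "SMSESSION";
    private static final String SM_COOKIE_DOMAIN = ".example.com";
    @Override public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
            HttpServletResponse response, SSOToken ssoToken) throws AuthenticationException {
        String smSession = fetchSmSession(ssoToken.getTokenID().toString());
        if (smSession == null) {
            // Fail open on the bridge: the user keeps the AM session but gets no SM SSO.
            LOG.warning("No SMSESSION issued after AM login; alert on this to catch a broken bridge");
            return;
        }
        Cookie c = new Cookie(SM_COOKIE, smSession);  // same attributes SiteMinder itself would set
        c.setDomain(SM_COOKIE_DOMAIN); c.setPath("/"); c.setSecure(true); c.setHttpOnly(true);
        response.addCookie(c);  // the browser now carries both the FR and the SM cookie
    }
    /** Presents the AM token to the SM-protected Sync App over TLS; the ForgeRock Authentication Scheme
     *  validates it and on success the web agent answers 200 with Set-Cookie: SMSESSION=... Else null. */
    static String fetchSmSession(String amToken) {
        try {
            HttpURLConnection conn = (HttpURLConnection) new URL(SYNC_APP_URL).openConnection();
            conn.setRequestProperty(TOKEN_HEADER, amToken);
            conn.setInstanceFollowRedirects(false);  // an agent redirect means no session was issued
            if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) return null;
            for (int i = 0; ; i++) {  // index-based lookup: header names compared case-insensitively
                String key = conn.getHeaderFieldKey(i), value = conn.getHeaderField(i);
                if (key == null && value == null) return null;
                if ("Set-Cookie".equalsIgnoreCase(key) && value.startsWith(SM_COOKIE + "="))
                    return value.substring(SM_COOKIE.length() + 1).split(";", 2)[0];
            }
        } catch (IOException e) { LOG.warning("Sync App call failed: " + e.getMessage()); return null; }
    }
    @Override public void onLoginFailure(Map m, HttpServletRequest rq, HttpServletResponse rs) {}
    @Override public void onLogout(HttpServletRequest rq, HttpServletResponse rs, SSOToken t) {}
}
```

The class is registered under the realm's authentication post-processing classes in AM; the warning it logs when no SMSESSION comes back is the signal to monitor, since a silently broken bridge leaves users with AM sessions but no SM single sign-on.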

1. The user requests access to an SM-protected application first
2. SM creates an SM SSO token and sends it back to the user
3. The user requests access to an FR-protected application
4. The SM Auth Module configured in the AM authentication chain detects the existence of an SMSESSION cookie
5. The SM Auth Module validates the SMSESSION cookie with SiteMinder using the standard SM API
6. If the SMSESSION cookie is valid, authentication completes and AM creates an FR SSO token
7. AM sends both the FR and SM cookies back to the user
Conclusion
This blog post describes the technical details of co-existence between SiteMinder and ForgeRock. This type of solution can make your IAM modernization journey seamless. It supports the latest ForgeRock AM version, 6.5. Let Coreblox help catapult your business to the next generation of IAM platforms.