IDFConnect SSOCloud (SSORest) for CA SiteMinder:
A suite of products to provide a universal REST-based solution for SSO-enablement of Cloud-based applications. Now you can protect applications deployed on public Cloud infrastructure using SiteMinder exactly the same as your on-premise applications.
SSOCloud Product Suite Modules
The SSOCloud Product Suite is comprised of the following products:
SSORest provides a simple, HTTP-based RESTful interface to SiteMinder session functionality. It is used to provide easy session awareness and integration in a variety of use cases, such as rich browser engines (AJAX, Flex, HTML5), server-side integration such as J2EE or .Net applications, mobile clients or cloud-based applications.
- A set of simple RESTful web services which can be safely exposed on the Internet to provide session lifecycle awareness and management capabilities to rich browser or mobile applications.
- In addition to the Internet-facing web services, SSORest also exposes a separate set of services to be used within the boundaries of the enterprise to provide easy SiteMinder-to-application integration on the server side.
- SSORest employs a flexible infrastructure, using standards-based components and technologies.
- SSORest can be deployed in any J2EE servlet container (Tomcat, JBoss, WebLogic, WebSphere) running Java 6.0.
- SSORest uses JAXB and JAX-RS annotations and has been tested with Jersey 1.x and Apache CXF 2.x web service engines.
- SSORest supports plain text, JSON, and XML response payloads.
- It also supports the most current versions of SiteMinder, simplifying deployment of the solution. SSORest has been tested with SiteMinder 6 SP6, R12, and R12.5.
Value Add for CA/SiteMinder SSORest:
SSORest extends SiteMinder support to Web 2.0 technologies and enhances its protection of Web 2.0 applications.
- For example, an AJAX-based interface can query how much time the user has left in their session, and provide a pop-up dialog to warn the user near the end of their session, or to prompt the user to re-authenticate. These actions all occur with the AJAX app maintaining control – the browser is never “redirected” away from the application.
- SSORest also provides ‘internal-facing’ services which meet the needs of server-side applications needing a tight SSO integration.
- Demonstrating this point: IDF Connect's PingFederate SiteMinder Adapter uses SSORest to enable PingFederate to interface with SiteMinder without needing any SiteMinder libraries. The integration is entirely HTTP based via SSORest.
- SSORest is easy to deploy and easy to use.
Tomcat Agent for SSORest:
The Tomcat Agent for SSORest enables you to bring your Tomcat applications into your Single Sign-On and Authentication/Access Control solution. It directly integrates the Tomcat container with SiteMinder via SSORest, allowing you to define authentication and access policies in SiteMinder that are enforced within Tomcat. Your application can use J2EE native security in the Tomcat container — such as isUserInRole and getUserPrincipal — and the results will be based upon the identity authenticated by SiteMinder. Declarative security can also be used within your deployment descriptor, and whether a user meets your role definitions is determined by the SiteMinder identity.
The Tomcat Agent is implemented at the container, so it is automatically available to all applications deployed on the Tomcat server.
- Single Sign-On with many different web servers supported by SiteMinder
- Standalone SSORest agent plugs directly into the Tomcat container — no front-end web agent is required
- URL-based authorization
- Session management
- Various supported authentication schemes
- Native J2EE integration
JBoss Agent for SSORest:
The JBoss Agent for SSORest builds upon the functionality of the Tomcat Agent, and adds identity propagation into the JBoss EJB container. Your application can use all of the features of native J2EE security in both the Servlet container (isUserInRole and getUserPrincipal) and the EJB container (isCallerInRole and getCallerPrincipal), and the results will be based upon the identity authenticated by SiteMinder. You can further use declarative security within your web and EJB deployment descriptors, and when the server needs to determine if a user meets your role definitions, it will leverage the SiteMinder identity asserted by the JBoss agent. The JBoss Agent is implemented using the JBoss server security APIs, so it is automatically available to all applications deployed on the JBoss server.
Mac OS X Apache Agent for SSORest:
If you have Mac OS X servers integrated into your SiteMinder infrastructure, you have needed to implement additional infrastructure — such as reverse proxies — to integrate Apache HTTP Server on Mac OS X with CA SiteMinder. This is because CA does not offer out-of-the-box functionality for a SiteMinder Agent on Mac OS X server. With the Mac OS X Apache Agent for SSORest, you won’t need to deploy additional hardware and software to integrate your Mac OS X server in your SiteMinder infrastructure. The Mac OS X Apache Agent easily installs directly onto your Mac OS X servers to provide SSO with SiteMinder via SSORest.
- Seamless integration with your existing Single Sign-On infrastructure
- Ability to use Mac OS X servers directly as part of Single Sign-On infrastructure without any additional server infrastructure, e.g. without reverse proxy servers
- Plug-and-play functionality with your existing SiteMinder infrastructure
Servlet Filter Agent for SSORest:
The Servlet Filter Agent for SSORest is a standard Servlet 2.x or 3.0 filter implementation of our SSORest agent. It can be added to any Servlet-based Java web application. This agent is a single self-contained Java archive (jar) file which can be easily added to any application archive. It is especially useful when deploying on Cloud-based application platforms such as Amazon Beanstalk or VMware CloudFoundry, where the application is directly deployed to the cloud container (as opposed to a cloud-based server where you deploy your own container such as Tomcat or JBoss).
SSORest — Extending SiteMinder Support to Web 2.0 Technologies
CA SiteMinder is designed to support traditional synchronous Web applications, with a discrete request/response cycle prompted by the user through page interaction. The user navigates through the application by clicking links and receiving HTML responses. SiteMinder is well designed to provide security and authentication in this user-driven environment. However, Web 2.0 technologies introduce an additional layer of interaction, driven by the application itself.
SSORest provides SiteMinder session functionality in a simple, HTTP-based, RESTful interface. It is used to provide easy session awareness and integration in a variety of use cases, such as rich browser engines, server-side integration such as J2EE or .Net applications, mobile clients, or cloud-based applications. SSORest supports plain text, JSON, and XML payloads.
The IDFC SSORest application provides a set of services for creating, querying, and updating SSO sessions. These can be used by AJAX‐based applications, and other similar Web 2.0 technologies (Adobe Flex, Microsoft Silverlight), to keep track of the end user’s SiteMinder session, and react in an “application‐friendly” fashion to session events. Some examples would be:
- Determining if a user has been idle, and if so, providing a dialog that their session may expire due to inactivity
- Determining if a user’s session is approaching the maximum timeout, and if so, providing a dialog asking them if they wish to log in again
- If a user’s session has expired, providing a login dialog within the framework of the application, without redirecting the browser away
There are 10 separate web services exposed, divided into 2 groups: public and internal. The public resources are available from the Internet and can be invoked directly from AJAX components, while the internal‐facing resources are for system‐to‐system integration (i.e. to be invoked by server‐side applications).
SSORest presents SiteMinder session functionality with a simple HTTP-based RESTful interface, which safely supports AJAX, Adobe Flex, Microsoft Silverlight, and other browser-based rich content engines. SSORest comes with comprehensive documentation explaining how to deploy and use it.
IDFConnect’s SSORest leverages SiteMinder’s native clustering and failover capabilities. All components, including policy servers, Web agents, and the SSORest Web services can be deployed in a load-balanced and failover mode. Furthermore, SSORest does not store information locally, creating a flexible and user-friendly solution on a cloud-based platform.
- SiteMinder: Version 188.8.131.52 or higher
- Servlet Engines: J2EE 1.5 compliant servlet engines, such as Tomcat, JBoss, and WebLogic
- Operating Systems: Any that support Java 6.0 and a J2EE servlet engine