bcs tb der authentication

Upload: raju-singh

Post on 05-Apr-2018

  • 7/31/2019 BCS Tb der Authentication

    1/22

    1 Technical Brief

    ProxySG TechBrief: Configuring SiteMinder Authentication

    What is Netegrity SiteMinder authentication?

    Netegrity Corporation's SiteMinder provides a single sign-on solution for enterprises that have multiple intranet Web servers all requiring authentication. The Netegrity SiteMinder solution relies on agents and a central policy server to provide seamless authentication. User credentials are generally contained in the SMSESSION cookie that is set by the agent on the client side.

    How does Netegrity SiteMinder authentication work with the Blue Coat ProxySG?

    Authentication with Netegrity SiteMinder is supported with the ProxySG version 3.2. The Blue Coat ProxySG provides all configuration parameters to the agent. The agent then connects to the policy server and retrieves the appropriate configuration and validates a user's credentials. Additional attributes can be returned to the agent in order to be forwarded to other Web servers to provide single sign-on capability (e.g. HTTP_SM_USER header). The following diagram presents an overview of the communication process.

    A session cookie called SMSESSION, which contains the SiteMinder user credentials, is also set on the client side.

    How to implement Netegrity SiteMinder authentication

    There are five steps to implementing SiteMinder authentication services on the ProxySG:

    1. Create a Netegrity SiteMinder Realm on the ProxySG

    2. Install the BCAAA agent

    3. Configure the Netegrity SiteMinder Policy Server with the agent

    4. Enable Netegrity SiteMinder authentication through the Blue Coat Visual Policy Manager and create an authentication policy based on user and group identification

    5. Test the sequence policy

    [Figure: overview of the communication process. Labels: request; BCAAA Agent; Policy Server; TCP 16101; Authentication, Authorization, Accounting]

    Step 1 Create a Netegrity SiteMinder Realm

    Create a realm using the Blue Coat management console. Select the authentication option and then select the Netegrity SiteMinder tab.

    1. Click the New button. The Add Realm dialog is displayed. Type in SiteMinder as the Realm name.

    2. Specify the IP address of the agent and the agent name. The name has to match the configuration on the Netegrity SiteMinder policy server.

    Click Apply to save your changes.

    3. In the SiteMinder servers tab, specify the policy server(s) configuration parameters:

    You can specify multiple policy servers; a round-robin load-balancing or failover mechanism will be implemented.

    4. In the SiteMinder Server General tab, specify the protected resource name (this needs to strictly match the resource name configured on the policy server).

    Optionally, you can click on Add header Response header to forward any headers sent by the Policy Server to upstream servers.

    5. In the SiteMinder General tab, specify the Display name of the virtual URL.

    In a reverse proxy mode, the virtual URL needs to be in the same domain as the front-ended servers.

    Step 2 Install the BCAAA agent

    Download the BCAAA agent from http://download.bluecoat.com and install on a Windows platform. Follow the installer instructions.

    The default port is 16101.

    The BCAAA agent is now installed.

    Step 3 Configure the Netegrity SiteMinder Policy Server

    1. Create a new SiteMinder agent. It needs to be a 4.x agent, and the name of the agent needs to match the configuration on the ProxySG.

    The IP address is the IP address of the domain where the BCAAA agent is installed.

    Also, make sure to match the shared secret.

    2. Create a domain

    Add the authentication schemes.

    3. Create a REALM under the domain:

    Make sure the resource is protected and also that the resource filter matches the protected resource name in the configuration of the ProxySG.

    4. Create a rule under the REALM.

    You'll need to create 3 rules for GET, OnAuthAccept and OnAccessAccept.

    5. Create the Response objects

    You'll need to return at least the following variables:

    a. BCSI_USER

    b. BCSI_GROUPS

    c. BCSI_LOGINNAME

    Note: additional headers can be added to be forwarded to backend servers. The Attribute for BCSI_USERNAME needs to be whatever method they are using, whether it be UID, CN, or UserPrincipalName.

    6. Create a Policy
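
    Steps 1 and 3 require several values to agree between the ProxySG realm and the Policy Server objects. The following pre-flight check is an added example, not part of the original brief or any Blue Coat or Netegrity tooling; the dictionary keys, the sample values and the exact, case-sensitive comparison are assumptions.

```python
# Added example: keys and sample values are hypothetical, constructed for illustration.
REQUIRED_RULE_ACTIONS = {"GET", "OnAuthAccept", "OnAccessAccept"}
REQUIRED_RESPONSE_VARS = {"BCSI_USER", "BCSI_GROUPS", "BCSI_LOGINNAME"}


def preflight(proxysg, policy_server):
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems = []
    # Step 1 item 2 and Step 3 item 1: agent name and shared secret must match.
    # Exact, case-sensitive comparison is an assumption of this example.
    if proxysg["agent_name"] != policy_server["agent_name"]:
        problems.append("agent name mismatch")
    if proxysg["shared_secret"] != policy_server["shared_secret"]:
        problems.append("shared secret mismatch")  # never echo the secret itself
    if not policy_server["is_4x_agent"]:
        problems.append("agent is not a 4.x agent")
    # Step 1 item 4 and Step 3 item 3: resource must be protected and names must match.
    if not policy_server["resource_protected"]:
        problems.append("resource is not protected")
    if proxysg["protected_resource"] != policy_server["resource_filter"]:
        problems.append("protected resource name mismatch")
    # Step 3 items 4 and 5: the three rules and the three response variables.
    missing = REQUIRED_RULE_ACTIONS - set(policy_server["rule_actions"])
    if missing:
        problems.append("missing rules: " + ", ".join(sorted(missing)))
    missing = REQUIRED_RESPONSE_VARS - set(policy_server["response_vars"])
    if missing:
        problems.append("missing response variables: " + ", ".join(sorted(missing)))
    return problems


# Constructed sample input with four deliberate mistakes.
SAMPLE_PROXYSG = {"agent_name": "bcaaa-agent", "shared_secret": "example-secret",
                  "protected_resource": "/proxysg"}
SAMPLE_POLICY_SERVER = {
    "agent_name": "BCAAA-Agent",          # differs in case
    "shared_secret": "example-secret",
    "is_4x_agent": True,
    "resource_protected": True,
    "resource_filter": "/proxysg/",       # trailing slash breaks the strict match
    "rule_actions": ["GET", "OnAuthAccept"],
    "response_vars": ["BCSI_USER", "BCSI_GROUPS"],
}

if __name__ == "__main__":
    for problem in preflight(SAMPLE_PROXYSG, SAMPLE_POLICY_SERVER):
        print("FAIL:", problem)
```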

    Step 4 Install the authentication Policy using the VPM

    7. From the Blue Coat Visual Policy Manager, create a new Web authentication policy by selecting edit from the tool bar, and choosing Add Web Authentication Policy.

    8. Name the new authentication, Authentication Policy. Click OK.

    9. On the Action field, right click and click on Set, then New, then Authenticate.

    Select Origin-xx-redirect for forward proxy scenarios.

    Select Origin-xx for reverse proxy scenarios.

    10. Click on Install Policies to load Policy.

    Step 5 Test Netegrity SiteMinder authentication

    When you attempt to open up your browser, you should now receive a logon pop-up window requesting your user credentials.

    Successful authentication will display the requested Web site in the browser window.

    Conclusion

    In this TechBrief we have discussed how to quickly install and configure Netegrity SiteMinder authentication using the Blue Coat ProxySG. The first step is to create a Netegrity SiteMinder realm on the ProxySG and then install the Blue Coat Authentication and Authorization Agent (BCAAA). Next, you'll configure the Netegrity SiteMinder Policy Server with the agent. The last step is to configure SiteMinder authentication using the Visual Policy Manager on the ProxySG.

    Copyright 2004 Blue Coat Systems, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor transelectronic medium without the written consent of Blue Coat Systems, Inc. Specifications are subject to change without notice. Informationained in this document is believed to be accurate and reliable, however, Blue Coat Systems, Inc. assumes no responsibility for its use. Bluegistered trademark of Blue Coat Systems, Inc. in the U.S. and worldwide. All other trademarks mentioned in this document are the propertyective owners.

    Contact Blue Coat Systems 1 866 30BCOAT 408 220 2200 Direct 408 220 2250 Fax www.bluecoat.com