
Symantec™ Validation & ID Protection Service (VIP)

Integration Guide for CA SiteMinder®




The software described in this book is furnished under a license agreement and may be used only in
accordance with the terms of the agreement.

Last Updated: 12/7/12

Legal Notice

Copyright © 2012 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of
Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust, and
other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or
subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may
be trademarks of their respective owners. The product described in this document is distributed
under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No
part of this document may be reproduced in any form by any means without prior written
authorization of Symantec Corporation and its licensors, if any.

THIS DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE
DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY
INVALID, SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR
CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE
OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS
SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as
defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19
"Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. “Commercial
Computer Software and Commercial Computer Software Documentation”, as applicable, and any
successor regulations. Any use, modification, reproduction release, performance, display or
disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in
accordance with the terms of this Agreement.

This document may describe features and/or functionality not present in your software or your
service agreement. Contact your account representative to learn more about what is available with
this Symantec product.

Symantec Corporation
350 Ellis Street
Mountain View, CA 94043 USA

http://www.symantec.com
http://www.verisign.com/support/contact/index.html
Contents

Chapter 1 Introduction
    Partner Information
    Integration Overview
    Remote Access Integration Architecture
        Authentication Method: User Name – Password – Security Code

Chapter 2 Installation and Configuration
    Integration Summary
        Install and Configure VIP Enterprise Gateway
        Configure CA SiteMinder with VIP Enterprise Gateway
        Test an End User

Chapter 1
Introduction
This chapter includes the following topics:
• Partner Information
• Integration Overview
• Remote Access Integration Architecture

VIP Integration Guide for CA SiteMinder describes how to integrate CA SiteMinder with VIP Enterprise
Gateway to allow the User Name - Password - Security Code authentication method. In this authentication
method, VIP Enterprise Gateway does both the first and the second factor authentications.

Partner Information

Table 1-1 Partner Information

Partner Name    CA® Technologies
Product Name    CA SiteMinder®

Integration Overview

Table 1-2 Integration Overview

Authentication Methods Supported    User Name - Password - Security Code
Client Integration                  VIP Enterprise Gateway 8.x or higher



Remote Access Integration Architecture

Authentication Method: User Name – Password – Security Code


The following diagram illustrates how the User Name – Password – Security Code authentication method is
configured for CA SiteMinder and VIP Enterprise Gateway.

Figure 1-1 Authentication Process

1 The user accesses a resource protected by CA SiteMinder and sends a user name, password, and a
security code to the SiteMinder Web Agent/Policy Server.
2 CA SiteMinder sends the user name, password, and the security code to the validation server.
3 As the first part of the two-factor authentication process, Validation Service authenticates the user
name and the password against User Store (AD/LDAP).
4 As the second part of the two-factor authentication process, Validation Service authenticates the user
name and the security code with VIP Authentication Service.
5 After the successful authentication of the user name and the security code, Validation Service returns
an Access-Accept Authentication response to CA SiteMinder. Based on this response, the user is allowed
access to the CA SiteMinder protected resources.
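
The exchange in steps 2 and 5 is a RADIUS request and Access-Accept, protected by the RADIUS shared secret that is entered in the Secret field of the authentication scheme. The following is an added example (not Symantec or CA code) of RFC 2865 User-Password hiding and Response Authenticator checking on that hop; the user name, password, six-digit security code, and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2  # RADIUS packet codes (RFC 2865)
USER_NAME, USER_PASSWORD = 1, 2       # RADIUS attribute types (RFC 2865)

def hide_password(secret, request_auth, cleartext):
    """RFC 2865 sec. 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    size = max(16, len(cleartext) + (-len(cleartext) % 16))
    padded, out, prev = cleartext.ljust(size, b"\x00"), b"", request_auth
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out

def reveal_password(secret, request_auth, hidden):
    """Validation-server side: undo hide_password and strip the null padding."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(secret, ident, user, password_and_code):
    """Step 2: user name plus password+security code in one User-Password."""
    request_auth = os.urandom(16)  # fresh random Request Authenticator
    hidden = hide_password(secret, request_auth, password_and_code)
    attrs = b"".join(bytes([t, len(v) + 2]) + v
                     for t, v in ((USER_NAME, user), (USER_PASSWORD, hidden)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def build_response(secret, code, ident, request_auth, attrs=b""):
    """Step 5: the server signs its reply with MD5 over packet + secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def response_is_authentic(secret, response, request_auth):
    """Client side: recompute the Response Authenticator before trusting it."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return len(response) >= 20 and hmac.compare_digest(expected, response[4:20])

def demo(secret=b"constructed-secret"):  # constructed sample values throughout
    pkt, ra = build_access_request(secret, 7, b"jdoe", b"Passw0rd!" + b"123456")
    accept = build_response(secret, ACCESS_ACCEPT, 7, ra)
    return reveal_password(secret, ra, pkt[-16:]), response_is_authentic(secret, accept, ra)
```

Because the password and security code on this hop are protected only by MD5 keyed with the shared secret, use a long random secret and keep the SiteMinder-to-gateway path on a trusted network segment.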
Chapter 2
Installation and Configuration
This chapter includes the following topics:
• Integration Summary

Integration Summary
The following procedures describe how to configure CA SiteMinder for two-factor authentication through
VIP Enterprise Gateway.
• Step 1: Install and Configure VIP Enterprise Gateway
• Step 2: Configure CA SiteMinder with VIP Enterprise Gateway
• Step 3: Test an End User

Install and Configure VIP Enterprise Gateway


You must do the following:
• Install and configure VIP Enterprise Gateway.
• Add the Validation Server in the User Name - Password - Security Code mode.
• Configure the RADIUS-LDAP group mapping in the Validation Server.
  This mapping is optional: configure it only if you want to authorize the user
  according to the LDAP or User Store configuration.
For more information on these tasks, refer to the VIP Enterprise Gateway Installation and Configuration Guide.

Configure CA SiteMinder with VIP Enterprise Gateway


Complete the following procedures to configure CA SiteMinder:

Note: The screen examples within these procedures were captured from CA SiteMinder version 6.0 SP2.
Refer to the product documentation provided for your version of CA SiteMinder for specific screen
captures and procedures.

1 Install and configure the CA SiteMinder Web Agent on the appropriate Web server(s) that will provide
access to resources managed by CA SiteMinder.
2 Copy the XAuthRADIUS DLL to the <install dir>\bin directory of the CA SiteMinder Policy Server.
3 Within the CA SiteMinder Policy Server, create a Policy Domain. A policy domain is a logical grouping
of resources associated with one or more User Stores, Policy Domain administrator, and Realms.
4 Create the XAuthRADIUS Authentication Scheme (Figure 2-1). When a user attempts to access a
protected resource, CA SiteMinder uses the Authentication Scheme associated with the resource’s
realm to authenticate and identify the user.

Configure the XAuthRADIUS Authentication scheme for your implementation according to the vendor
instructions, with the following guidelines:
a In the Secret field, enter the RADIUS shared secret used for the VIP Validation server.
b In the Parameters field, include the IP address and the port of the VIP Enterprise Gateway
server, and the name of the user directory attribute.

Note: XAuthRADIUS is an optional solution that needs to be separately licensed in addition to the core
Policy Server.

Figure 2-1 Authentication scheme properties

5 Create a Realm (Figure 2-2), and set the Authentication scheme to XAuthRADIUS. A Realm is a cluster of
resources within a policy domain grouped together according to common security requirements. The
contents of a Realm are protected by Agents. When a user requests resources within a Realm, the
associated Agent handles authentication and authorization of the user.

Figure 2-2 Realm properties

6 Create a policy (Figure 2-3). Policies define how users interact with resources. The CA SiteMinder policy
allows you to associate different CA SiteMinder objects that identify users, resources, and actions
associated with the resources.

Figure 2-3 Policy properties

Policies are stored in policy domains. After you create the policy, you need to select users and groups
from the User Stores available in the policy domain.
7 Create rules with resources and associate the rules with the new policy (Figure 2-4). This configures CA
SiteMinder for strong two-factor authentication using VIP Enterprise Gateway.

Figure 2-4 Rules tab – Policy properties

Create rules within a Realm to protect various resources within that Realm. In this example
(Figure 2-5), the AccessMarketingDomain rule applies to all resources (files) in /marketing/. This rule is
triggered by the highlighted actions on any URL matching the Realm and the rule.

Figure 2-5 AccessMarketingDomain in rules properties



Test an End User


1 Test the integration by attempting to access the protected resource. You should be prompted for
authentication information (Figure 2-6).

Figure 2-6 Login screen

2 Enter the user name in the User name field and the password + security code in the Password field. Click OK.
After successful authentication, the user is allowed to access the resources protected by CA SiteMinder.