Configure SiteMinder for integration with PPM

Before you configure SiteMinder for use with PPM, make sure that the Policy Server is working correctly and that the User Directory to be used for PPM authentication is correctly configured. The SiteMinder Test Tool is useful for verifying that the installation is functioning correctly.

Configuring SiteMinder for PPM is the same as configuring any other type of protected resource in SiteMinder. Use the SiteMinder Policy Server User Interface to update the SiteMinder configuration entities as necessary. For both mixed and SSO modes, four standard SiteMinder configurations should exist: Host Configuration Object, User Directory, Policy Domain, and Policy.

To configure SiteMinder for integration with PPM, perform the following steps.

1. Create a new Web agent.

2. (Mixed mode only) If you plan to use mixed-mode authentication, then after you create a new Web agent, do the following:

   1. Make sure that the 4.x compatibility flag is set.

   2. Specify the name of the PPM Server, and a secret password.

   3. In the siteminder.conf file, set the following parameters:

      • Set the SM_AGENT_NAME parameter value to the PPM Server name.

      • Set the SM_SHARED_SECRET parameter value to the secret password you specified.

3. Create a new Web Agent Conf object.

4. Double-click the new Agent Conf Object to open the Properties window.

5. Add the new property value LogOffUri to /itg/web/knta/global/Logout.jsp.

   Note: PPM uses the LogoffUri property to log off users correctly when they log off of the PPM standard interface.

6. Create a realm for PPM to protect resource /itg/*, and specify the name of the agent you created in step 3 for this realm.

7. Configure and enable two rules for the realm (one to enable HTTP on GET, POST, PUT, and DELETE actions, and another to enable OnAuthAccept action as the authentication event) with the following settings:

   • Rule 1. Set the Name field to AllowHTTP, the Resource field to /itg/*, and the Action field to GET,POST,PUT, DELETE.

   • Rule 2. Set the Name field to OnAuthAccept, the Resource field to /itg/*, and the Action field to OnAuthAccept.

8. Specify URLs for the CookieDomain and CookieProvider parameters in the agent configuration object for the SiteMinder Web Agent that is to authenticate PPM Web requests.

   Note: Cookies are used to track session and idle timeouts.

   The format used to specify the value for CookieProvider depends upon the external Web server you use:

   • For Microsoft IIS, Sun ONE, and Sun Java System Web servers, use the following format.

   http://<Server_Domain>:<Port>/siteminderagent/SmMakeCookie.ccc

   represents the host name or IP address where your PPM instance is accessed.

   • For Apache, use the following format.

   http://<Server_Domain>:<Port>/SmMakeCookie.ccc

It is important to understand that PPM reads the information that SiteMinder automatically injects into the HTTP Request header.

PPM relies on the following user attributes:

• SM_USER. For an authenticated user, this parameter specifies the user distinguished name (DN). For an unauthenticated user, this is the user ID as specified by the user at logon.

• SM_SERVERSESSIONID. This parameter specifies the session ID of a user who has already authenticated, or the session ID that is to be assigned to the user upon successful authentication.

• SM_SERVERSESSIONSPEC. This parameter specifies the user's session ticket.