Profile: sitemindersecurity
What is SiteMinder/CA SSO
SiteMinder is an authentication system that acts as a proxy server between your users and your application server or web server. It detects whether a user is authenticated and, if not, requires the user to log in. If the user is authenticated, the request is let through to the application, and the credentials of the authenticated user are passed to the underlying application in an HTTP header. SiteMinder/CA SSO is a preauthentication scenario: the iGrafx Platform does not perform any authentication work itself and simply expects the user to be authenticated by the time the request reaches the application. In such a setup it is important to ensure that there is no way to access the iGrafx Platform without going through the SiteMinder proxy first.
How to set up SiteMinder security
Once your SiteMinder service is configured correctly and protects the application, make sure your users are available in the iGrafx Platform, set the sitemindersecurity authentication scheme as described in the article Configuring Authentication, and restart your application server. If a user who can authenticate with SiteMinder does not exist in the iGrafx Platform, that user will not be able to access the application.
Customizing the setup
By default, the HTTP header name for SiteMinder is SM_USER. The header name expected to contain this information on the iGrafx Platform can be changed by setting the following property in the igrafx.properties file in the base directory:
igrafx.usercentral.siteminder.requestheadername=SM_CUSTOM_NAME
This example would make the application expect the username in the HTTP header SM_CUSTOM_NAME instead of SM_USER.
SiteMinder and Desktop Client
If you use SiteMinder to authenticate your users, this will only work in the browser. The iGrafx Desktop Client has no means of communicating properly with the SiteMinder architecture.
For the iGrafx Desktop Client to be able to continue working, you will have to allow certain requests through your SiteMinder Application Server Agent (ASA). All HTTP requests made from the iGrafx Desktop Client will have the Flow-Client-Request HTTP header set to a non-empty value. You can use this to distinguish regular web-based requests from Client requests.
Another option is to allow requests from the client on a specific port to go through SiteMinder, but the security impact is slightly higher.
See also: https://communities.ca.com/thread/241721739
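The following Python code is an added example, not iGrafx or CA code. It shows the checks a filter in front of the application server could apply so that the identity header is only trusted on requests that actually came through SiteMinder. The function names, the list of proxy addresses, the sample values and the policy of stripping the identity header from Desktop Client requests are assumptions made for this illustration.

```python
import ipaddress

PROPERTY = "igrafx.usercentral.siteminder.requestheadername"  # key from this page
DEFAULT_HEADER = "SM_USER"                                     # default from this page
CLIENT_HEADER = "Flow-Client-Request"                          # set by the Desktop Client
# Constructed sample input: the address below is made up.
SAMPLE_PROPERTIES = "# igrafx.properties\n" + PROPERTY + "=SM_CUSTOM_NAME\n"
SAMPLE_PROXIES = ["10.0.0.5/32"]


def identity_header(properties_text):
    """Return the header name configured in igrafx.properties, or the default."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == PROPERTY and value.strip():
            return value.strip()
    return DEFAULT_HEADER


def canon(name):
    # Some servers fold '-' and '_' in header names, so compare them as equal.
    return name.replace("-", "_").upper()


def screen(peer_ip, headers, properties_text, proxy_nets):
    """Hypothetical guard in front of the application server (assumed policy).

    headers is a list of (name, value) pairs. Returns (action, headers) with
    action one of 'reject', 'forward-user' or 'forward-client'.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in ipaddress.ip_network(net) for net in proxy_nets):
        return "reject", []  # request did not come through the SiteMinder proxy
    id_name = canon(identity_header(properties_text))
    identities = [v for k, v in headers if canon(k) == id_name]
    is_client = any(canon(k) == canon(CLIENT_HEADER) and v.strip()
                    for k, v in headers)
    if is_client:
        # This path skipped the SiteMinder login, so an identity header on it
        # was not set by SiteMinder: drop it before forwarding.
        return "forward-client", [(k, v) for k, v in headers if canon(k) != id_name]
    if len(identities) == 1 and identities[0].strip():
        return "forward-user", headers
    return "reject", []  # identity header missing, empty or duplicated
```
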