SiteMinder is an authentication system that acts as a proxy server between your users and your application- or webserver. It detects if a user is authenticated and if not require the user to log in. If the user is authenticated, the user is let through to access the application and the credentials of the authenticated user are exposed to the underlying application through an HTTP header. SiteMinder/CA SSO is a preauthentication scenario in which the iGrafx Platform does not perform any authentication work and simply expects the user to be authenticated when the request reaches the application. It is important to ensure that in such a setup there is no way to access the iGrafx Platform without going through the SiteMinder proxy first.
How to set up SiteMinder security
Once your SiteMinder service is configured correctly and protects the application, make sure your users are available and simply set the sitemindersecurity authentication scheme as described in the article Configuring Authentication and restart your application server. If a user that can authenticate does not exist in the iGrafx Platform, he will not be able to access the application.
Customizing the setup
By default, the HTTP header name for SiteMinder is SM_USER. The header name expected to contain this information on the iGrafx Platform can be changed by setting the following property in the igrafx.properties file in the base directory:
This example would make the application expect the username in the HTTP header SM_CUSTOM_NAME instead of SM_USER
SiteMinder and Desktop Client
If you use Siteminder to authenticate your users this will only work in the browser. The iGrafx Desktop Client has no means of communicating properly with the SiteMinder architecture.
For the iGrafx Desktop Client to be able to continue working, you will have to allow certain requests through your SiteMinder Application Server Agent (ASA). All HTTP requests made from the iGrafx Desktop Client will have the Flow-Client-Request HTTP header set to a non-empty value. You can use this to distinguish regular web-based requests from Client requests.
Another option is to allow requests from the client on a specific port to go through SiteMinder, but the security impact is slightly higher.