SiteMinder Components
- A SiteMinder environment consists of two core component types:
– Policy Server
– Agents
o Web
o Radius
o Affiliate
o ApplicationServer
o Custom
• Netegrity Policy Server - Provides policy management, authentication, authorization, accounting, and health monitoring services.
• SiteMinder Agents - Integrated with a standard Web server or application server, SiteMinder Agents enable SiteMinder to manage access to Web applications and content according to predefined security policies. Other types of SiteMinder Agents allow SiteMinder to control access to non-Web entities. For example, a SiteMinder RADIUS Agent manages access to RADIUS devices, while a SiteMinder Affiliate Agent manages information passed to an affiliate's Web site from a portal site.
SiteMinder Databases
- A SiteMinder environment utilizes the following databases:
– Policy Store
– Accounting Logs
– Key Store
– Token Data
– Session Server
Depending on what features of SiteMinder you are using, one or more databases are required.
The policy store database stores policy objects. This database is required in your environment. The other databases are optional.
The key store stores the encryption keys used to implement single sign-on. You can use the policy store as the key store, in which case a separate database is not required.
Accounting logs store user and administrator access information.
The token database is used to support authentication via hardware tokens.
The session server database is used to support persistent sessions.
The diagram above illustrates a simple implementation of a Netegrity Policy Server in a SiteMinder environment that includes a single SiteMinder Web Agent.
To enforce access control, the Web Agent interacts with the Policy Server, where all authentication and authorization decisions actually take place. The Web Agent intercepts all user requests for resources and checks with the Policy Server whether the requested resource is protected. If the resource is unprotected, the request proceeds directly to the Web server. If the resource is protected, the Web Agent is informed which authentication method is required to access the requested resource. The Web Agent challenges the user for their credentials according to the authentication method. The user then responds with the appropriate credentials. The Web Agent passes these credentials back to the Policy Server, which uses them to authenticate the user against a user directory. If the user authenticates successfully, the next step is to determine if the user is authorized to access the resource. When the Policy Server determines that a user is authorized, the Web Agent allows the access request to proceed to the Web server.
The policy logic that determines what resources are protected, how they are protected, and who is authorized is represented by a set of policy objects stored in a policy store database.
The Policy Server can record user activity (who accessed what) in an accounting database.
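The request flow just described (is-protected check, challenge, authentication against a user directory, authorization, accounting record) as a small simulation. This is an added example written for these notes, not CA/Netegrity code: the class names, the layout of the policy objects, the scheme names and the sample users and resources are all constructed assumptions. It shows the division of labour the text stresses: the agent only intercepts and relays, while every decision and every accounting entry lives in the Policy Server.

```python
"""Simulation of the SiteMinder Web Agent / Policy Server access-control flow.
Constructed example, not product code: Realm, PolicyServer, WebAgent and the
sample directory below are assumptions made for illustration."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Realm:
    """One policy object from the policy store: which resources it covers,
    how they must be authenticated, and which groups are authorized."""
    resource_prefix: str
    auth_scheme: str          # illustrative scheme name, e.g. "basic" or "forms"
    allowed_groups: Set[str]


class PolicyServer:
    """Makes every authentication and authorization decision; the agent never does."""

    def __init__(self, policy_store: List[Realm],
                 user_directory: Dict[str, Tuple[str, Set[str]]]):
        self.policy_store = policy_store
        self.user_directory = user_directory      # constructed: user -> (password, groups)
        self.accounting_log: List[Tuple[str, str, str]] = []   # (who, what, outcome)

    def is_protected(self, resource: str) -> Optional[Realm]:
        """Return the most specific realm covering the resource, or None if unprotected."""
        matches = [r for r in self.policy_store if resource.startswith(r.resource_prefix)]
        return max(matches, key=lambda r: len(r.resource_prefix), default=None)

    def authenticate(self, username: str, password: str) -> bool:
        """Check credentials against the user directory (constant-time compare)."""
        entry = self.user_directory.get(username)
        if entry is None:
            return False
        return hmac.compare_digest(entry[0].encode(), password.encode())

    def authorize(self, username: str, realm: Realm) -> bool:
        """Authorization is a separate step after a successful authentication."""
        return bool(self.user_directory[username][1] & realm.allowed_groups)

    def record(self, username: str, resource: str, outcome: str) -> None:
        """Accounting: who accessed (or tried to access) what."""
        self.accounting_log.append((username, resource, outcome))


class WebAgent:
    """Intercepts each request and defers to the Policy Server for decisions."""

    def __init__(self, policy_server: PolicyServer):
        self.ps = policy_server

    def handle(self, resource: str,
               credentials: Optional[Tuple[str, str]] = None) -> str:
        realm = self.ps.is_protected(resource)
        if realm is None:
            return "PASS_THROUGH"                    # unprotected: straight to the web server
        if credentials is None:
            return "CHALLENGE:" + realm.auth_scheme  # ask the user for credentials
        username, password = credentials
        if not self.ps.authenticate(username, password):
            self.ps.record(username, resource, "auth-failed")
            return "DENY:authentication"
        if not self.ps.authorize(username, realm):
            self.ps.record(username, resource, "authz-failed")
            return "DENY:authorization"
        self.ps.record(username, resource, "allowed")
        return "ALLOW"                               # request proceeds to the web server


def build_demo() -> Tuple[WebAgent, PolicyServer]:
    """Constructed policy store and user directory for the walkthrough."""
    policy_store = [
        Realm("/intranet/", "basic", {"staff"}),
        Realm("/hr/", "forms", {"hr"}),
    ]
    user_directory = {
        "alice": ("alice-pw", {"staff", "hr"}),
        "bob": ("bob-pw", {"staff"}),
    }
    ps = PolicyServer(policy_store, user_directory)
    return WebAgent(ps), ps


if __name__ == "__main__":
    agent, ps = build_demo()
    for req in [("/index.html", None), ("/hr/payroll", None),
                ("/hr/payroll", ("alice", "alice-pw")),
                ("/hr/payroll", ("bob", "bob-pw")),
                ("/intranet/news", ("bob", "wrong"))]:
        print(req, "->", agent.handle(*req))
    print("accounting log:", ps.accounting_log)
```

Note that the agent returns a challenge naming the realm's scheme without ever seeing the policy objects themselves, and that every denied attempt still produces an accounting entry; when reviewing a real deployment, the accounting database is where you confirm that failed authentications and failed authorizations are being recorded, not just successful access.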