What’s New in SiteMinder 6.0?
- Single process policy server
- Policy server performance improvements
- Unattended installations
- Error Logging and Policy Profiler
- Agent to Policy Server Dynamic Load Balancing and Cluster-to-Cluster Failover
- Automated trusted host key rollover
- Global Policies, Rules, and Responses
- Impersonation
Single process policy server – The four policy server services, authentication, authorization, auditing, and administration, are delivered through a single, multi-threaded process. The resulting benefits include:
• Reduced system management
• More efficient use of OS resources, including threads and memory
Policy server performance improvements – The runtime performance of the Policy Server is improved in the following areas:
• Policy evaluation for very large policies
• IsProtected and IsAuthorized evaluations
• Scalability with large SMP machines
• Updates to the Policy Server's audit log facility, to perform bulk loads of audit log records to the audit log database
• Reduction of the time to start the Policy Server, through the use of bulk reads to the policy store
• Additional counters in the OneView performance monitor to facilitate tuning the Policy Server's runtime performance
Unattended installations – The Policy Server install is updated to support installation templates, so that site administrators can predefine the options and values for use during an installation. Once defined, the templates can be used during a reinstall or modified and used to automate other installations.
Error logging and profiling - The Policy Server's error logging and tracing is significantly revised, to facilitate maintenance and problem diagnosis.
• The Policy Server error (and informational) log is now separate from the tracing log.
• The Policy Server error log supports automatic rollover, based on a number of configurable criteria.
• The policy profiler (formerly "debug trace") provides a highly configurable tracing facility for diagnosing Policy Server problems. Fine-grained tracing can be configured across Policy Server components. The tracing output can be highly customized and filtered. Profiler settings can be saved and reused.
• Agent and Policy Server logs can be correlated via the use of a common transaction ID.
• The Web Agent error (and informational) log is also separate from the tracing log.
• The Web Agent provides a configurable tracing facility for diagnosing problems. The tracing output can be highly customized and filtered. Trace configuration settings can be saved and reused.
• Changes to the Policy Server error log and policy profiler automatically take effect and do not require a restart of the Policy Server.
Dynamic Load Balancing and Clusters - SiteMinder v6.0 introduces the concept of Policy Server "clusters" to provide for increased availability and ease of configuration. Once clusters are defined, an Agent can transparently fail over from one cluster of Policy Servers to another, when pre-configured failover criteria are met. Dynamic Agent to Policy Server load balancing provides for maximum system throughput, at the same time allowing for Policy Server clusters to be assembled from a heterogeneous mix of system hardware.
Automated trusted host key rollover - Administrators can define a centralized policy for the generation and automatic rollover of the shared secret (key) that is used to encrypt communication between trusted hosts and the Policy Server. A trusted host can obtain the new key without re-installation or restart.
Global Policies, Rules, and Responses - Rules and responses can be globally defined to apply to all domains protected by a particular agent or agent group. This can significantly reduce the configuration and maintenance costs of policies.
Impersonation - SiteMinder v6.0 provides a new authentication scheme for the development of impersonation style applications, such as those required by CSRs (Customer Service Representatives). Customers can set up access control policies to define who (CSRs) can impersonate whom (customers) to access specified resources. Full audit logging of all impersonation activity is supported.
What’s New in SiteMinder 6.0?
- SAML consumer support
- Web Services variables
- Logout reason code support
- API access to password attributes
- SAML producer policy management APIs
- Java Authentication and Authorization APIs
- Microsoft LDAP SDK support for Active Directory
SAML Consumer Support - To facilitate cross-enterprise federated security services, SiteMinder is able to consume a standard SAML assertion generated by SiteMinder or by a third party security solution. SiteMinder can handle a request from a browser with a standard SAML artifact by obtaining the SAML assertion for the artifact from the producing site. SiteMinder will then authenticate the user, by validating the SAML assertion, disambiguate the user, by mapping data in the SAML Assertion to a local user store entry, and issue a SiteMinder session cookie to the user.
Web Services Variables - SiteMinder v6.0 includes a new "Web Services Variable" type. The variables can be bound to SiteMinder policies to make authorization decisions, and be resolved through Web services calls to local or remote data sources. They can return their values with SiteMinder responses.
API access to password attributes - The C Policy Management API, Perl Policy Management API and DMS API are extended to support the setting and retrieval of a user's password state information (often referred to as the "Password Blob"). The password attributes in the password data blob include current login failure, last login timestamp, previous login timestamp, disabled timestamp, password history, last password change timestamp.
Logout reason code support - The SiteMinder v6.0 SDK provides specific reason codes for user logout scenarios, such as idle timeout, session time out, and user explicit log off. The appropriate logout reason code will be passed by the agent to the Policy Server and will be included in the corresponding event so that event providers may examine the reason code.
SAML producer policy management APIs - APIs to access and manage SAML producer objects.
Java Auth and AZ APIs - The APIs for developing custom authentication schemes and active policies/rules/responses are available in Java. Previously these APIs were available only in C.
Microsoft LDAP SDK support - SiteMinder 6.0 provides support for the Microsoft LDAP SDK, to leverage Microsoft Active Directory features for user stores.