Siteminder Authentication

The following steps occur when a user tries to access a protected resource on a web server configured to use SiteMinder authentication:
  1. The user requests a resource on the server, either through a web browser or from a program issuing an HTTP request.
  2. The request is received by the web server and intercepted by the SiteMinder Web Agent.
  3. The Web Agent determines whether the resource is protected and, if so, gathers the user's credentials and passes them to the Policy Server.
  4. The Policy Server authenticates the user and then verifies whether the authenticated user is authorized for the requested resource, based on the rules and policies held in the Policy Store.
  5. Once the user is authenticated and authorized, the Policy Server grants access to the protected resource.
In step 3, if no SiteMinder session exists, the user is redirected to a login page and prompted for credentials. After a successful authentication the Web Agent adds a session cookie to the response headers, which establishes the SiteMinder session. When that cookie is presented on subsequent requests, the Web Agent validates it and the user is sent on to the originally requested URL without being prompted again. The cookie is therefore the bearer token for the whole session and must be protected like any other session credential (served only over HTTPS, with the Secure and HttpOnly flags set). More detail is presented in Figure 1 below.


Figure 1 - SiteMinder Agent Integration.



Authentication and Authorization Events and Rules in SiteMinder

Authentication Events
Authentication events occur when a user accesses a resource protected by a rule that includes an On-Auth event. Unlike Web Agent actions or authorization events, authentication events always apply to the entire realm; an On-Auth rule cannot be scoped to only part of a realm.
Authentication events include the following:
  • On-Auth-Accept: Occurs if authentication was successful. This event may be used to redirect a user after a successful authentication.
  • On-Auth-Reject: Occurs if authentication failed for a user who is bound to a policy containing an On-Auth-Reject rule. This event may be used to redirect the user after a failed authentication.
  • On-Auth-Attempt: Occurs if the user was rejected because SiteMinder does not know the user (an unregistered user, for example, can be redirected to a registration page first).
  • On-Auth-Challenge: Occurs when a custom challenge-response authentication scheme is activated (for example, to prompt for a token code).
Authorization Events
Authorization events occur as SiteMinder verifies whether a user is authorized to access a resource. As a rule action, an authorization event causes the Policy Server to fire a rule at a particular point in the authorization process.
Authorization events include the following:
  • On-Access-Accept: Occurs when SiteMinder successfully authorizes a user to access the resource.
  • On-Access-Reject: Occurs when SiteMinder rejects a user because the user is not authorized to access the resource.
The four rules we configure are:
  1. Allow Access Rule: Get/Post action (a Web Agent action)
  2. Auth Attempt Rule: On-Auth-Attempt action
  3. Auth Reject Rule: On-Auth-Reject action
  4. Access Reject Rule: On-Access-Reject action

Event            | Condition                                                                       | Scenario
On-Auth-Accept   | User name correct, password correct                                             | Used to redirect a user after a successful authentication.
On-Auth-Reject   | User name correct, password wrong                                               | Used to redirect the user after a failed authentication.
On-Auth-Attempt  | User name unknown to SiteMinder (wrong user name and password)                   | Occurs because SiteMinder does not know this user (an unregistered user, for example, can be redirected to register first).
On-Access-Accept | Authenticated user is a member of the user group attached to the requested resource     | Used to redirect users who are authorized to access a resource.
On-Access-Reject | Authenticated user is not a member of the user group attached to the requested resource | Used to redirect users who are not authorized to access a resource.
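The following Python is an added example, not code from the original page and not SiteMinder's own implementation. It simulates both the Web Agent flow described in the five steps above (intercept, redirect to login when there is no session, set a session cookie, validate it on later requests) and the event model in the table (which On-Auth and On-Access event fires for which credentials, and where each configured rule redirects). Everything in it is an assumption made for the demo: the users, passwords, group, realm prefix, rule redirect targets and agent key are constructed data, the session cookie is an HMAC-signed token standing in for SiteMinder's encrypted SMSESSION cookie, and the TARGET check in the login handler is an open-redirect guard added here that the page does not describe.

```python
"""Simulation of a SiteMinder-style Web Agent and Policy Server (illustrative only).

Constructed demo data throughout; not CA/SiteMinder code. The session cookie is
an HMAC-signed token, not the real encrypted SMSESSION format.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from urllib.parse import quote

USER_STORE = {"alice": "correct horse", "bob": "battery staple"}  # constructed; plaintext for the demo only
GROUPS = {"finance": {"alice"}}                                   # constructed group -> members
REALM = {"prefix": "/finance/", "group": "finance"}               # constructed protected realm
AGENT_KEY = b"demo-agent-key"                                     # constructed; real agents get a per-agent key
SESSION_TTL = 3600

# Rule actions for the events, mirroring the page's four rules (redirect targets are assumptions).
RULES = {"On-Auth-Attempt": "/register", "On-Auth-Reject": "/login?error=1", "On-Access-Reject": "/forbidden"}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""
    events: list = field(default_factory=list)  # Policy Server events fired while handling the request


# ---- Policy Server side ---------------------------------------------------
def authenticate(username, password):
    """Authentication event for the supplied credentials (see the table above)."""
    if username not in USER_STORE:
        return "On-Auth-Attempt"                       # unknown user
    if not hmac.compare_digest(USER_STORE[username].encode(), password.encode()):
        return "On-Auth-Reject"                        # known user, wrong password
    return "On-Auth-Accept"


def authorize(username):
    """Authorization event: is the authenticated user in the realm's group?"""
    return "On-Access-Accept" if username in GROUPS[REALM["group"]] else "On-Access-Reject"


# ---- Web Agent side -------------------------------------------------------
def is_protected(path):
    return path.startswith(REALM["prefix"])


def mint_session(username):
    """Build the session cookie value: user|expiry|HMAC-SHA256 tag under the agent key."""
    payload = f"{username}|{int(time.time()) + SESSION_TTL}"
    tag = hmac.new(AGENT_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_session(cookie):
    """Return the username for a valid, unexpired cookie, else None."""
    parts = (cookie or "").split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    username, expires, tag = parts
    expected = hmac.new(AGENT_KEY, f"{username}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag) or int(expires) < time.time():
        return None                                    # forged, altered or expired cookie
    return username


def handle_request(path, cookies=None):
    """Steps 2-5: the agent intercepts the request and consults the Policy Server."""
    if not is_protected(path):
        return Response(200, body=f"served {path}")     # unprotected resource: pass straight through
    user = verify_session((cookies or {}).get("SMSESSION"))
    if user is None:                                   # no session: send to login, remembering the target
        return Response(302, {"Location": "/login?TARGET=" + quote(path, safe="")})
    event = authorize(user)
    if event == "On-Access-Reject":
        return Response(302, {"Location": RULES[event]}, events=[event])
    return Response(200, body=f"served {path} to {user}", events=[event])


def handle_login(username, password, target):
    """Login form POST: authenticate, fire the matching On-Auth event, set the session cookie."""
    event = authenticate(username, password)
    if event != "On-Auth-Accept":
        return Response(302, {"Location": RULES[event]}, events=[event])
    if not target.startswith("/") or target.startswith("//"):
        target = "/"                                   # assumption: refuse off-site TARGETs (open-redirect guard)
    return Response(302, {"Location": target, "Set-Cookie": "SMSESSION=" + mint_session(username)},
                    events=[event])
```

Walking through it: a request for /finance/report with no cookie gets a 302 to the login page carrying the encoded TARGET; logging in as alice fires On-Auth-Accept, sets SMSESSION and redirects back to the target; re-requesting with that cookie fires On-Access-Accept and is served. Logging in as bob (a valid user outside the finance group) succeeds at authentication but the next request fires On-Access-Reject and lands on /forbidden; an unknown user fires On-Auth-Attempt and is sent to /register, and a known user with the wrong password fires On-Auth-Reject. A cookie with the user name edited fails the HMAC check and is treated exactly like no session at all, which is the property a real agent must have for the cookie to be safe to use as the session's bearer token.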

1 comment:

  1. CA Siteminder Online Training
    Call Us-91-900-044-4287 21st Century Software Solutions Online Training
    21st Century SiteMinder Training Synopsis:
    Through a combination of presentations and hands-on lab work, the students will go through a complete SiteMinder implementation project, including installation, configuration, deploying agents, protecting applications, maintaining, and troubleshooting.
    Target Audience for Online CA SiteMinder Courses:
    http://www.21cssindia.com/courses/ca-siteminder-online-training-190.html