How to Integrate Identity Manager/Single Sign-On and avoid problems.


Article ID: 108573


Updated On:


CA Identity Manager CA Identity Governance CA Identity Portal CA Risk Analytics CA Secure Cloud SaaS - Arcot A-OK (WebFort) CLOUDMINDER ADVANCED AUTHENTICATION CA Secure Cloud SaaS - Advanced Authentication CA Secure Cloud SaaS - Identity Management CA Secure Cloud SaaS - Single Sign On


The integration of Identity Manager and Single Sign-On is a difficult undertaking with many manual steps.

This document provides the most comprehensive approach to integrating the two products, while providing steps to avoid the most common problems.


Identity Manager 14.x
Single Sign-On Policy Server 12.x


00. Backup IM databases / SM policy store using database tools/directory tools & XPSExport -xb (all) & -xa (env)

0. View IM database tables in the object store to capture/record current SMOID number for UserStores and IME. This will be used to validate that IM was updated with new SMOID #s. 

Capture IMCD (Corporate Directory) SMOID: 32-XXXXXXXX-XXXX-XXXX-XXXX-XXXXddb00000 
Capture IMPD ( Provisioning Directory) SMOID: 32-*********-XXXX-XXXX-XXXX-XXXXddb00000 

1. Configure the SiteMinder Policy Store for CA IdentityMinder. 

2. Import the CA IdentityMinder Schema into the Policy Store. 

2a. Install/Verify the CA Single Sign-On Extension

3. Create a SiteMinder 4.X agent object. 

4a.Export the CA IdentityMinder directories and environments, via the /immanage console

4b. Open the ENV_environment_roles.xml with NotePad++/TextPad;

search for object=""UNKNOWN"" to see if any issues will occur upon re-importing of this file.

These issues appear if there are missing custom java jar files. Replace missing java jar files; then re-export IME.

4c Shutdown all but one SM Policy Server (This is to prevent potential problems with replication race conditions)

4d Shutdown all but one IDM J2EE (Jboss/Weblogic/WebSphere) server running 

5. Delete all directory and environment definitions from the /immanage console

5a. Use XPSExplorer to check for objects of type IMSEnvironment, IMSDirectory or IMSAdditionalProperties. Delete any objects of these type manually.

5b. Run ""XPSweeper""

6. Enable the SiteMinder Policy Server Resource Adapter. 

7. Disable the native CA IdentityMinder Framework Authentication Filter. 

7.1 Run XPSExport -xa / -xb to keep a clean copy (on Policy Server that is still running.).

8. Restart the application server that is still running.

9. Configure a data source for SiteMinder.  (Only if using RDB user stores)

10. Import the directory definitions.

10a. Create a empty IME to make sure we can re-create objects 

11. Update and import environment definitions.
- manual import settings.xml (with NO custom components).
- restart J2EE (Jboss/Weblogic/WebSphere)
- manual create custom components: EventListener, WFParticipantResolver, LAH, restart J2EE (Jboss/Weblogic/WebSphere)

12. Restart the application server. [Restart only ONE server.] 

13. Install the web proxy server plug-in.

14. Associate the SiteMinder Agent with an CA IdentityMinder domain. 

15. Configure SiteMinder LogOffUrl Parameter. 

16. Restart all other application servers of the IM cluster. 

17. Restart all other SM Policy Servers 

18. Manually Rebuild IM Realms Objects/Update AuthSchema/Rules in SiteMinder to match prior state. Any object under default IME domain has been rebuilt with defaults. 

Additional Information