Query regarding Open ID connect with SiteMinder


Article ID: 210396



SITEMINDER CA Single Sign On Federation (SiteMinder)



When running Policy Server 12.7, one might ask whether Policy Server and
SiteMinder can handle token generation and management like a standard
OIDC server.




At first glance, yes indeed: SiteMinder can act as an OIDC Provider (1).

SiteMinder can produce access tokens too. Note that Policy Server and
CA Access Gateway (SPS) 12.7 are out of support as per our EOS-EOL

Finally, SiteMinder delivers the OpenID Authentication Scheme, which has
limited scope, as many providers are now deprecated (3).


Additional Information



  Use SiteMinder as OpenID Connect Provider

    You can use SiteMinder as an OpenID Connect Provider (OP) that uses
    the OpenID Connect 1.0 protocol. The protocol allows clients to verify
    the identity of users authenticated by the authorization server and to
    obtain basic profile information. You can configure SiteMinder to
    authenticate users and generate tokens for native and web applications
    in the following flows:

    - Authorization Code Flow that returns the tokens from Token
      Endpoint. Use Authorization Code Flow for Clients that can secure
      their communication with Authorization Server.

    - Implicit Flow that returns the tokens from Authorization
      Endpoint. Use Implicit Flow for Clients that are browser-based, use
      a scripting language, and are Single-Page Applications.




  Symantec SiteMinder Release and Support Lifecycle Dates

    | Product                                 | Release | Service Pack/Genlevel | End of Service (EOS) / End of Life (EOL) or Stabilization Date |
    |-----------------------------------------|---------|-----------------------|----------------------------------------------------------------|
    | Symantec SiteMinder (CA Single Sign-On) | 12.7    | 02                    | October 31, 2020 - EOS                                         |



  OpenID Authentication Scheme


    Note: Most of the providers (including Yahoo) listed in the default
    forms credential collector (FCC) have deprecated support for OpenID 1.1
    and OpenID 2.0. Before you use a provider, verify that OpenID is still
    supported by that provider. If a provider does not support OpenID,
    modify the FCC file to remove the provider.

    The OpenID authentication scheme lets users submit credentials through
    an OpenID provider. The OpenID provider authenticates the user and
    sends an authentication response to the Policy Server. The Policy
    Server verifies the response, completes the authentication process,
    and authorizes access to the resource.