How Delegated Authentication is used through the SAML2 IDP partnership in Siteminder
Any supported Siteminder Release
############## Delegated Authentication ###########
Below are the details for Delegated Authentication through the SAML2.0 IDP partnership in Siteminder:
**** How does the SAML2.0 IDP partnership delegated authentication work?
- Delegated authentication specifies whether third-party authentication is accomplished by passing an open-format cookie or a query string containing the user login ID and other information.
NOTE --> Do not use the query string method in a production environment. The query string redirection method is only for a testing environment as a proof of concept.
The query string option does not produce a FIPS-compliant partnership.
- The flow can be initiated at the Siteminder IDP partnership or at the third-party WAM.
For example:
1) The user triggers a Siteminder IDP-initiated SAML request through https://myexample.com/affwebservices/public/saml2sso?SPID=testfed
2) If there is no SMSESSION on the request, Siteminder calls the configured authentication method, in this case Delegated authentication, and redirects the user to the third-party WAM for authentication.
3) After successful authentication on the third-party WAM side, an open-format cookie is created by the third-party WAM with the cookie domain set to the Siteminder domain, followed by a redirect back to Siteminder.
NOTE : The open-format cookie can be created using the Siteminder Federation SDK or created manually.
4) Siteminder decodes the open-format cookie, extracts the user identity and performs a search in the user directory associated with the partnership. If the search is successful, the user is considered authenticated, a session is generated, and an assertion is generated on the Siteminder side and sent to the SP.
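To make the hand-off in steps 3 and 4 concrete, here is an added example (not Siteminder code, not from the Federation SDK) that models both sides of the exchange in Python: the third-party WAM side issues a cookie carrying the user identity and an expiry, and the IDP side verifies it, rejects stale or tampered values, and resolves the identity against the directory associated with the partnership. The cookie layout, the HMAC signing, the SHARED_SECRET value and the USER_DIRECTORY contents are all assumptions constructed for this example; Siteminder's real open-format cookie layout and its protection are defined in the Federation SDK documentation and are not reproduced here.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed placeholder: the IDP and the third-party WAM would share a
# configured secret; this value exists only for the example.
SHARED_SECRET = b"placeholder-shared-secret-for-example-only"

# Constructed stand-in for the user directory associated with the partnership.
USER_DIRECTORY = {
    "alice": {"mail": "alice@example.com"},
    "bob": {"mail": "bob@example.com"},
}


def _sign(payload: bytes) -> bytes:
    """HMAC-SHA256 over the payload (assumed protection, not Siteminder's)."""
    return hmac.new(SHARED_SECRET, payload, hashlib.sha256).digest()


def create_handoff_cookie(user_id: str, lifetime_s: int = 300, now=None) -> str:
    """Third-party WAM side (step 3): build the cookie value after a successful
    login. Hypothetical layout: base64url(JSON claims) + "." + base64url(HMAC)."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "iat": int(now), "exp": int(now) + lifetime_s}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return (base64.urlsafe_b64encode(payload).decode()
            + "." + base64.urlsafe_b64encode(_sign(payload)).decode())


def consume_handoff_cookie(cookie: str, now=None):
    """IDP side (step 4): verify the cookie, check expiry, and look up the user.
    Returns (ok, reason, user_id) so callers can log why a hand-off was refused."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, binascii.Error):
        return (False, "malformed", None)
    # Constant-time comparison so a forged cookie is rejected before any claim is trusted.
    if not hmac.compare_digest(sig, _sign(payload)):
        return (False, "bad_signature", None)
    try:
        claims = json.loads(payload)
    except ValueError:
        return (False, "malformed", None)
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return (False, "expired", None)
    uid = claims.get("uid")
    # The identity is only accepted if it resolves in the partnership's directory.
    if uid not in USER_DIRECTORY:
        return (False, "user_not_found", uid)
    return (True, "authenticated", uid)


if __name__ == "__main__":
    cookie = create_handoff_cookie("alice")
    print(consume_handoff_cookie(cookie))
```

The short lifetime and the directory lookup are the two checks a reviewer would expect on the IDP side: the cookie only bridges the redirect back from the third-party WAM, and an identity that the partnership's directory does not know must not produce a session or an assertion. Carrying the same login ID in a query string, the alternative the note above restricts to testing, would place it in URLs, browser history and server logs, which is why the cookie method is the one for production.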
**** Where can I find the details in Siteminder documents?
- Details about the Delegated Authentication can be found here -->
**** How to generate an open-format cookie using the Siteminder Federation SDK
NOTE : To use an SDK-created open-format cookie, the third party must install a SiteMinder Federation SDK. The SDK is a separately installed component from SiteMinder. The installation kit contains the documentation that describes how to use the SDK for delegated authentication.
- Follow the steps below from the 12.9 guide (not in the 12.8 guide, but the procedure is the same) on how to use the Siteminder SDK to generate the open-format cookie.