Can you, and how do you, protect Identity Manager 12.5 with Site Minder without fully integrating the two products?

Article ID: 49021

Products

DIRECTORY, CA Identity Manager, CA Identity Governance, CA Identity Portal, CA Risk Analytics, CA Secure Cloud SaaS - Arcot A-OK (WebFort), CLOUDMINDER ADVANCED AUTHENTICATION, CA Secure Cloud SaaS - Advanced Authentication, CA Secure Cloud SaaS - Identity Management, CA Secure Cloud SaaS - Single Sign On, SECURITY MISC CODES, SINGLE SIGN ON - LEGACY, CA Data Protection (DataMinder), CA User Activity Reporting

Issue/Introduction

Description:

It is possible to use Site Minder to protect Identity Manager without fully integrating the two products. It is, however, not recommended, because it opens a potential security hole. In short, you will need to ensure that Identity Manager's framework authentication is disabled, that Site Minder uses the same directory for authentication and authorization, and that Identity Manager's validation of the Site Minder header variables is disabled.

Solution:

Identity Manager 12.5 and 12.6 do not require Site Minder. Identity Manager can run standalone.

Full integration of Identity Manager with Site Minder offers a number of features. If you do not need them, you might still want to protect Identity Manager with Site Minder so that it shares single sign-on with other protected applications.

In order to do that you will need to:

  1. Disable Identity Manager's framework authentication. Set 'FrameworkAuthFilter' to 'false' in user_console.war\web-inf\web.xml. Identity Manager will then no longer attempt to authenticate the user itself; it expects the user to have already been authenticated by Site Minder.

  2. The Site Minder User Directory must be the same directory as Identity Manager's corporate store. In other words, Site Minder's directory mapping feature cannot be used when only protecting Identity Manager. The reason is that Identity Manager authorizes the user (to determine its admin roles) from the Site Minder header variables, which are populated from the authentication directory.

  3. Disable the ValidateSMHeadersWithPS variable. This variable is in iam_im.ear/policyserver.rar/META-INF/ra.xml. Set its value to 'false' (by default it is 'true'). This variable makes Identity Manager double-check with the Site Minder policy server that the HTTP header variables (such as user name, user DN, etc.) were indeed created by Site Minder. That check works through the tunnel agent configuration, which is not available in protection-only mode, so the variable must be set to 'false'. Please keep in mind that CA does not recommend bypassing this check. For that reason, it is not recommended to only protect Identity Manager with Site Minder without full integration.
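A small configuration audit, added here as an example and not part of CA's article or of the product, that reads the two settings from steps 1 and 3 and flags a deployment running with the header check bypassed. The element layout of web.xml (a context-param) and ra.xml (a JCA config-property) is assumed, so the lookup is written generically: it pairs a setting name with the next sibling element whose tag ends in "value".

```python
"""Audit Identity Manager config for the protection-only settings described above."""
import xml.etree.ElementTree as ET

# Constructed sample fragments; the real file layouts are an assumption, not copied from the product.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>FrameworkAuthFilter</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>"""

SAMPLE_RA_XML = """<connector>
  <resourceadapter>
    <config-property>
      <config-property-name>ValidateSMHeadersWithPS</config-property-name>
      <config-property-type>java.lang.Boolean</config-property-type>
      <config-property-value>false</config-property-value>
    </config-property>
  </resourceadapter>
</connector>"""


def find_setting(xml_text, name):
    """Return the lower-cased value paired with *name*, or None if the name is absent.

    The value is taken from the first later sibling whose tag ends in 'value', which
    covers both the <param-name>/<param-value> and <config-property-*> shapes.
    """
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        children = list(parent)
        for i, child in enumerate(children):
            if (child.text or "").strip() == name:
                for sib in children[i + 1:]:
                    if sib.tag.endswith("value"):
                        return (sib.text or "").strip().lower()
    return None


def audit(web_xml, ra_xml):
    """Report both settings plus findings a reviewer should act on."""
    fw = find_setting(web_xml, "FrameworkAuthFilter")
    validate = find_setting(ra_xml, "ValidateSMHeadersWithPS")
    findings = []
    if validate == "false":
        findings.append("ValidateSMHeadersWithPS=false: SM header variables are trusted "
                        "without confirmation from the policy server (not recommended by CA)")
    if fw == "false" and validate == "false":
        findings.append("protection-only mode: the application server must only be reachable "
                        "through the Site Minder web agent, since forged headers are not detected")
    return {"framework_auth": fw, "validate_headers": validate, "findings": findings}
```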

Environment

Release:
Component: IDMGR