ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Use of Secure Proxy Server to implement a Federation flow with SAML 2


Article ID: 97695


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) CA Single Sign-On


We need to configure an Initiate Single Sign-on from the IdP or SP between the last version of CA Single Sign On (12.7 as IDP) and the our actual infrastructure that use CA SiteMinder 12.52 sp1 (as SP). 

We'd like to know :

1. Is Web Agent Option Pack included in your license for CA SiteMinder
   12.52 ?

2. Is CA Access Gateway (SPS) included in your license for CA
   SiteMinder 12.52 ?

3. If it's mandatory/best practice install the SPS in a dedicated server
   or if it's possible install it on the same server of a Policy
   Server ?



Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP


At first glance, you should note that the latest version of CA Single
Sign-On (SiteMinder) is 12.8.

Here are the answers to your questions :

1. Quickly, to see if you have the license to download and use the Web
   Agent Option Pack and CA Access Gateway (SPS), you can try to
   download them :

   Web Agent Option Pack 12.52SP1CR08 :
   Solution Document: RS98380


   CA Access Gateway (SPS) 12.52SP1CR08 :

   Solution Document: RS98376

For 1. and 2., we suggest you to contact also our Custom Care service to verify your license and rights :

  Need help with the new CA Support Portal?  Ask us!

3. According to our documentation, you should run CA Access Gateway
   (SPS) as standalone only, without any other component on it.

   Product Limitations

   More, having the Policy Server on the same machine of the CA Access
   Gateway might bring security concerns. As per best practice, the
   Policy Server should be isolated from Internet Access as it holds
   the company security data.

The main advantage of using SPS, you'll have an all in one Federation
Component. SPS is also available to the latest version 12.8, and in
included Session Linker, and all the new functionalities of the
Federation Side as OpenID Connect and others.

Further readings :

Using CA Access Gateway as a Web Agent Replacement

Web Agent Option pack to SPS plans, approches