Siteminder portal implementation

Hi Portal Gurus,
We are in the process of implementing SiteMinder SSO with the SAP portal for EFP. I have configured it in such a way that when users first access the portal, it takes them to the SiteMinder logon page and authenticates them there; once authenticated, it takes them into the portal.
Once I configured SiteMinder on the portal, I cannot log in as administrator, as SiteMinder could not find the user administrator in the respective LDAP server. So how do we resolve this problem? This LDAP is being used by all portal servers (dev, quality, prod). If I create an ADMINISTRATOR user in LDAP, does it affect all the other portal servers? And what about sap*, if you want to log in to the portal with sap* as the emergency user?
If anybody has any idea how to resolve this problem?
Regards
Tag

Tag,
Since Siteminder is only configured to go against the LDAP Directory it can not authenticate users that are stored in the Portal Database UME.  
The only way that I know to get around this issue would be to remove siteminder authentication whenever you need to use one of those ids.
Hope it helps.
Keith

Similar Messages

  • Integrating portal/identity server with netegrity siteminder?

    Has anyone integrated identity server/portal server with Netegrity Siteminder for single sign on?
    Both products seem to support SAML and the Liberty Alliance project. Can a new auth module in the identity server just exchange the appropriate messages to create a single sign on token in netegrity and then validate the token on each request?

    We are running Identity Server 6.1 on Solaris.
    The logs are in /var/opt/SUNWam/debug/
    The most useful one is amAuth. You might also want to look at amAuthInternal, amSession, amAuthLDAP, and amAuthContext.
    If you are seeing these, checkout AMConfig.properties (in /opt/SUNWam/lib). It should have the log level set to warning or message for you to get all these logs. Here's the setting from my AMConfig.properties:
    com.iplanet.services.debug.level=warning
    PS Sorry for the unix paths, but hopefully they map closely to the windows directories.

  • SiteMinder integration with the internal and external facing portals

    Hi ,
    We are in the development phase for SiteMinder integration with the internal and external facing portals. The proposed dual authentication scheme requires both SiteMinder for the external facing portal (EFP) and LDAP for the internal portal. Is it possible?
    And is it possible to maintain two different LDAP directories, one for external users and one for internal users?
    If you maintain 2 different (external & internal) LDAP directories in the SiteMinder Policy Server, what about external users who do not exist in the portal data source?
    I would appreciate it if anyone can help me with my above query.
    Regards
    Tag

    Hey Tag,
    We do have a physical external Portal and a physical internal portal.  Both the external and internal are connected to 2 LDAP directories.
    For example the External Portal is connected to the Employee LDAP Directory and the Customer LDAP Directory.  The Internal Portal is connected to the US Employee LDAP Directory and the EMEA LDAP Directory.
    So each one of them is connected to 2 different LDAP Directories.
    I believe that the Siteminder Policy is set up such that the Internal portal has a policy and the External portal has a separate policy on the same Siteminder Server.  Then each of the Policies is configured to connect to the appropriate LDAP Directories.
    You have to maintain the LDAP Directory information in both the portal and Siteminder Policy Server.  It is required in the policy server so that it can authenticate the user and it is required in the Portal server so that it can authorize the user and display content based on their assigned roles.
    Hope that helps.
    Regards,
    Keith

  • Siteminder 6, Apache 2.0.4.2, Enterprise Portal 6- SP15, AIX

    Enterprise portal server front ended with apache reverse proxy server which hosts Siteminder web agent 6.0.  Enterprise portal server and backend SAP application servers all configured to use sap logon tickets.  Enterprise portal server "ticket" login module stack configured to accept "HeaderVariableLoginModule" as optional criteria.  We verified that Siteminder web agent is indeed sending "HTTP_LDAP_UID" (LDAP userid header variable).  However, Enterprise portal is not accepting header variable as authentication and still challenged for basic UID password authentication even through reverse proxy.  I will gladly provide screenshots as needed.  Has anyone made this setup work, we need your assistance.  Thanks in advance.

    Hi Sasha ,
    We have got this working.
    Follow the instructions in
    http://help.sap.com/saphelp_nw04/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm EXACTLY... particularly make sure you add them to the ticket template in the J2EE engine (not the SAPJ2EE template).
    Make absolutely sure the header variable is what you think it is (we used a perl script running in Apache to verify this, as Apache can append HTTP_... to the header or not depending on the level and OS). Do all that and it will work!
    Regards
    Daniel

  • Does anyone integrate siteminder with iPlanet Portal Server

    I am trying to integrate iPlanet and Siteminder using the secure access pack. Has anyone successfully integrated the two?

    yes,
    we did basic integration where the authentication will be done using siteminder. The trick is to protect the portal server web server and not the gateway. You also need to add a new authentication module for siteminder in the portal using ipsadmin. We are protecting the login html page only. We couldn't protect the desktop because it's built using servlets.

  • Can Oblix or Siteminder provide Portal authorization as well?

    In our implementation we have portal in the DMZ, which is protected by Oblix (which works very similar to Siteminder).  The LDAP (AD) is in the secure intranet, as is the Oblix policy server.  Using this scheme works ok for authentication with Oblix, so Oblix can pass userID to the portal in header variable.  I understand that once the portal receives UserID from Oblix (or Siteminder), the portal subsequently reads LDAP to find group membership information.
    Our security team is concerned about opening access to LDAP from the portal which is in the DMZ.  Is there a way to bypass LDAP connectivity altogether?  Can portal read group info from Oblix instead?  Can anyone point me to such a documentation?

    I have learnt that Portal does need to talk to AD (no getting around using just Oblix or Siteminder).  Whereas Oblix or Siteminder can be used for authentication, portal does need LDAP for authorization.  Otherwise authorization becomes very difficult.
    Let me know if anyone else has a different opinion.

  • SiteMinder Authentication with Portal

    Hi,
    We are implementing CA's SiteMinder Login Module for Portal Authentication. In the Login Modules configurations, if I assign
    SiteMinder Login Module - REQUISITE
    CreateTicket Login Module - REQUIRED
    we are able to authenticate through Site Minder Policy server.
    What I want is,
    if I use reverse proxy of SiteMinder; login through SiteMinder.
    If I use direct link of the portal; login through BasicPassword Login Module.
    I tried :
    SiteMinder Login Module - OPTIONAL
    CreateTicket Login Module - SUFFICIENT
    Basic Password Login Module - REQUISITE
    CreateTicket Login Module - OPTIONAL
    In this configuration, if I use SiteMinder authentication it is OK, but if I use the direct link to the portal it gives an error.
    I want to be sure whether the above configuration is OK or not.
    Thanks in advance
    Abdul.

    Hi Shobit,
    Check this link:
    Cookies Problem with 3 tiered SSO
    Thanks and Regards,
    Shyam.

  • Bea Portal 7.x and Siteminder integration

    Hi All,
    Does anyone know if the integration kit supplied by BEA for the above
    product versions which uses delegate realm solution, works with RDBMS Realm
    Any extra configuration to be done for it to work ?
    By default the examples are in LDAP v2 realms
    Thanks.
    Regards,
    Leonard.

    Yes, it saves a lot of grief, providing all servers are equally secure of
    course...
    On Mon, 8 Dec 2003 18:43:29 -0800, "Carl" <[email protected]> wrote:
    Very cool. How does it work under the covers? The two WLS domain talk with
    each other? So, the following would work:
    o We have a WLS 7 domain
    o The domain uses RDBMSRealm
    o We created a new WLS 8 domain
    o We set-up the trust
    o Now, we login in to app on 8 domain, and it checks the 7's realm?
    Not quite - 8 still needs its own realm. The subjects (users and groups)
    have to exist in both realms - 8 will just be taking 7's word for it that
    "fred" has been authenticated but will still need to check fred's group
    and/or role mappings.
    The same realm data needs to exist for both systems. In LDAP it would be
    easy enough to point them both at the same directory but for a database
    there is less control over the mappings - any differences between RDBMSRealm
    and 8's RDBMSAuthenticator (unless you want to run compatibility security)
    schemas might cause problems. I believe running the latter on both should
    work but in principle the schema could change in a later version of the
    product.
    >
    "Alex Thomas" <[email protected]> wrote in message
    news:[email protected]..
    See "Enabling Trust Between WebLogic Server Domains" section in
    http://e-docs.bea.com/wls/docs81/secmanage/domain.html#1140940
    This works between 7 and 8 (and, using the system account, on 6.1).
    cheers
    Alex
    On Fri, 5 Dec 2003 10:22:29 -0800, "Carl" <[email protected]> wrote:
    You can make the 7 domain trust the 8 domain so users don't have to log
    in
    twice, but you can't run the two versions in the same domain (not a great
    deal of benefit in doing so, once trust is sorted).
    How do we make 7 domain trust the 8 domain?

  • SSO to a Siteminder application

    Hi,
    I need to integrate a web application into the portal that uses siteminder for authentication. I have looked through all the available details and have not been able to find a solution to this problem.
    There is no possibility of either changing the external application or siteminder.
    Your help would be greatly appreciated.
    Regards,
    Vibhu

    Vibhu,
    How is your portal authentication done? Does that also uses SSO (Netegrity)?  One of my implementation I did use Netegrity to setup SSO (single sign on)for Portal. Authentication was done by Microsoft ADS.
    -NE
    www.sapecc.com

  • SSO for  non sap applications in EP on which siteminder sso is integrated

    Hi ,
    We have implemented Siteminder SSO on SAP PORTAL 6 SP16 for authentication. I would like to integrate a non-SAP application in the Portal. I could not find any documentation for setting up non-SAP applications in a portal on which Siteminder SSO external authentication is implemented.
    Can anybody help with getting a step-by-step document?
    Thanks
    Tag

    Hi ,
    We have implemented Siteminder SSO on SAP PORTAL 6 SP16 for authentication. I would like to integrate a non-SAP application in the Portal. I could not find any documentation for setting up non-SAP applications in a portal on which Siteminder SSO external authentication is implemented.
    Can anybody help with getting a step-by-step document?
    diff rewards to be given...
    Thanks
    Tag

  • Integrating WebLogic Server with CA SiteMinder Web Agent R6

    Hi I have searched on the topic of integrating WebLogic Server with the CA SiteMinder Web Agent R6 to provide single sign on services, and have been unable to find anything. Does anyone have any experience with this that could provide some tips, or could direct me to some documentation?

    It definitely can work. We have done the same thing in several installations. The question is "How secure does it need to be?" You will be using SM to do authentication. You will configure SSO to trust the SM header variable. If you really want to be secure you need to configure your boxes so that the http server on you SUSE box (for Portal) can only be accessed from the Reverse Proxy. If another machine can access it someone could spoof the header variable and log in as anyone they want.
    Hope this is helpful.
    Anton
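
An added example (not code from the thread, nor from SiteMinder, SAP or WebLogic) of the two checks raised in the posts above: confirming which spelling of the header variable actually reaches the backend, and honouring that header only when the connection comes from the reverse proxy. The proxy address, host name, user IDs and function names are constructed for illustration.

```python
import ipaddress

# Constructed values, not from the thread: the proxy address is a placeholder.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]
# Variable name as reported by the web agent in the thread above.
IDENTITY_VAR = "HTTP_LDAP_UID"


def _fold(name):
    """Upper-case and treat '-' and '_' alike, as CGI environments do."""
    return name.upper().replace("-", "_")


def cgi_name(header):
    """CGI (RFC 3875) variable name for a request header."""
    return "HTTP_" + _fold(header)


def matching_headers(headers, configured=IDENTITY_VAR):
    """Wire headers that are, or normalize to, the configured variable.

    Shows which spelling actually arrives (LDAP_UID vs HTTP_LDAP_UID) and
    catches look-alikes such as 'ldap-uid' that fold to the same name.
    """
    want = _fold(configured)
    return [(n, v) for n, v in headers
            if _fold(n) == want or cgi_name(n) == want]


def from_trusted_proxy(peer_ip):
    """True only if the TCP peer is one of the configured reverse proxies."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_identity(peer_ip, headers):
    """Return (user, reason); user is None unless the header can be trusted."""
    found = matching_headers(headers)
    if not found:
        return None, "no-identity-header"      # fall back to password login
    if not from_trusted_proxy(peer_ip):
        return None, "untrusted-peer"          # header did not come via the proxy
    values = {v.strip() for _, v in found}
    if len(values) != 1 or "" in values:
        return None, "ambiguous-identity"      # conflicting or empty copies
    return values.pop(), "ok"


# Constructed sample requests: (peer address, headers as received).
SAMPLES = {
    "via_proxy": ("10.0.0.5", [("Host", "portal.example.test"),
                               ("LDAP_UID", "jdoe")]),
    "direct": ("192.0.2.44", [("Host", "portal.example.test"),
                              ("HTTP_LDAP_UID", "administrator")]),
    "conflict": ("10.0.0.5", [("ldap-uid", "administrator"),
                              ("LDAP_UID", "jdoe")]),
    "no_header": ("10.0.0.5", [("Host", "portal.example.test")]),
}

if __name__ == "__main__":
    for label, (peer, hdrs) in SAMPLES.items():
        names = [n for n, _ in matching_headers(hdrs)]
        print(label, names, resolve_identity(peer, hdrs))
```

A check like this complements, and does not replace, restricting the portal's HTTP listener to the reverse proxy at the network level.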

  • SiteMinder Authentication Realm has NOT been correctly configured and...

    Hi All,
    When I set the realm (associated with the authentication provider) as UNPROTECTED, I see the following in my AUWebAgent.log (authentication web agent log):
    [31 Aug 2006 16:19:07,050] [main] [INFO] Configuration: Support for TP cookies is : ENABLED.
    [31 Aug 2006 16:19:07,050] [main] [INFO] Configuration: DefaultAgentName: bppttest.micron.com.
    [31 Aug 2006 16:19:07,051] [main] [INFO] Configuration: FilterDomainName: DISABLED
    [31 Aug 2006 16:19:07,051] [main] [DEBUG] Creating caches ..
    [31 Aug 2006 16:19:07,051] [main] [DEBUG] Configuration: No Cache Timeout specified. Default is 600 seconds
    [31 Aug 2006 16:19:07,051] [main] [DEBUG] Configuration: No Resource Cache Size specified. Default is: 0
    [31 Aug 2006 16:19:07,051] [main] [DEBUG] Configuration: No Authentication Cache Size specified. Default is: 0
    [31 Aug 2006 16:19:07,051] [main] [DEBUG] Configuration: No Authorization Cache size specified. Default is: 0
    [31 Aug 2006 16:19:07,051] [main] [DEBUG] Configuration: Auditing is DISABLED
    [31 Aug 2006 16:19:07,051] [main] [DEBUG] Configuration: Caching for anonymous users is DISABLED
    [31 Aug 2006 16:19:07,053] [main] [DEBUG] The SiteMinder Resource Manager is checking if resource "/smauthenticationrealm" is Protected.
    [31 Aug 2006 16:19:07,129] [main] [INFO] Resource "/smauthenticationrealm" is NOT Protected.
    [31 Aug 2006 16:19:07,129] [main] [ERROR] The SiteMinder Authentication Realm has NOT been correctly configured and is unavailable.
    Additional info:
    Using SiteMinder 5.5 on WebLogic 8.1 sp5
    When & if I set all my realms as protected then I am unable to startup my servers and get the following error:
    We are trying to set up (as in integrate SiteMinder with Savvion) SiteMinder v2 with weblogic 8.1 sp 5. We have appropriately included the references to various siteminder related jars as per Netegrity's ASA document. We aren't using any webserver, instead we would be using launching page (which would be a protected resource). The following is the installation, configuration, and testing information related to various siteminder components:
    SiteMinder Identity Asserter (IA) - installed, configured & tested successfully.
    SiteMinder Authentication Provider - installed, configured & test result -> Unsuccessful.
    SiteMinder Authorization provider - installed, configured & test result -> Unsuccessful.
    Has anyone seen anything similar to the following? My guess on the above is that it looks like it is trying initialise siteminder stuff every time we start each of the servers(admin, ejb and portal). Since the initialisation happens for the 1st time) when the admin server is started, an error is thrown complaining about not being to initialise when we start either portal or ejb after that. If this is true then is there a way around this problem?
    The Admin Server starts fine. But when we try to start either of the ejb or portal server, we get the following error:
    <Aug 16, 2006 4:03:01 PM MDT> <Critical> <WebLogicServer> <BEA-000364> <Server failed during initialization. Exception:weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.rmi.extensions.RemoteRuntimeException: Unexpected Exception - with nested exception:
    [java.rmi.MarshalException: failed to marshal invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String ;); nested exception is:
            java.io.NotSerializableException: com.netegrity.siteminder.weblogic.sspi.auth.a9]
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.rmi.extensions.RemoteRuntimeException: Unexpected Exception - with nested exception:
    [java.rmi.MarshalException: failed to marshal invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String ;); nested exception is:
            java.io.NotSerializableException: com.netegrity.siteminder.weblogic.sspi.auth.a9]
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:225)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:283)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java :581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm (SecurityServiceManagerDelegateImpl.java:700)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize (SecurityServiceManagerDelegateImpl.java:876)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:821)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:669)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:343)
    at weblogic.Server.main(Server.java:32)
    >
    <Aug 16, 2006 4:03:01 PM MDT> <Emergency> <WebLogicServer> <BEA-000342> <Unable to initialize the server: weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.rmi.extensions.RemoteRuntimeException: Unexpected Exception - with nested exception:
    [java.rmi.MarshalException : failed to marshal invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;); nested exception is:
            java.io.NotSerializableException: com.netegrity.siteminder.weblogic.sspi.auth.a9 ]>
    The WebLogic Server did not start up properly.
    weblogic.security.service.SecurityServiceRuntimeException: [Security:090371]Problem instantiating Authentication Provider weblogic.rmi.extensions.RemoteRuntimeException: Unexpected Exception - with nested exception:
    [java.rmi.MarshalException: failed to marshal invoke(Ljavax.management.ObjectName;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String ;); nested exception is:
            java.io.NotSerializableException: com.netegrity.siteminder.weblogic.sspi.auth.a9]
    at weblogic.security.service.PrincipalAuthenticator.initialize(PrincipalAuthenticator.java:225)
    at weblogic.security.service.PrincipalAuthenticator.<init>(PrincipalAuthenticator.java:283)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.doATN(SecurityServiceManagerDelegateImpl.java :581)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealm(SecurityServiceManagerDelegateImpl.java:420)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.loadRealm (SecurityServiceManagerDelegateImpl.java:700)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initializeRealms(SecurityServiceManagerDelegateImpl.java:733)
    at weblogic.security.service.SecurityServiceManagerDelegateImpl.initialize (SecurityServiceManagerDelegateImpl.java:876)
    at weblogic.security.service.SecurityServiceManager.initialize(SecurityServiceManager.java:734)
    at weblogic.t3.srvr.T3Srvr.initializeHere(T3Srvr.java:821)
    at weblogic.t3.srvr.T3Srvr.initialize(T3Srvr.java:669)
    at weblogic.t3.srvr.T3Srvr.run(T3Srvr.java:343)
    at weblogic.Server.main(Server.java:32)
    Reason: weblogic.security.service.SecurityServiceRuntimeException : [Security:090371]Problem instantiating Authentication Provider weblogic.rmi.extensions.RemoteRuntimeException: Unexpected Exception - with nested exception:
    [java.rmi.MarshalException: failed to marshal invoke(Ljavax.management.ObjectName ;Ljava.lang.String;[Ljava.lang.Object;[Ljava.lang.String;); nested exception is:
            java.io.NotSerializableException: com.netegrity.siteminder.weblogic.sspi.auth.a9]
    Any help would be appreciated.
    Regards,
    Prashant

    but it just says it cannot repair due to another program being installed.
    I'd like to have a closer look at that error message please.
    Generate the error message again. While the error message box is open, hold down the Alt key and hit the PrtSc key. Paste the screenshot into an image file (using a program like Paint), and save the file.
    Start a reply here and click the wee camera icon at the top of the reply window. Click "Choose file", browse to the image file, select the file and click "Open". Now click "Insert file" to insert the screenshot into the reply.

  • Netegrity - Portal 7 integration

    I have a requirement where the WLP 7 is behind a Netegrity SSO enabled IPlanet
    WebServer. Need to automatically log the users in to WLP 7.
    BEA Portal support mentioned CCE has developed a beta BEA supported integration
    between WLP 7.0 and Siteminder. This integration currently allow users who authenticate
    via Siteminder to also be authenticated in WLP 7.0.
    Do you know if this is available.

    From Peter Laird:
    Yes, the login framework can handle this. Attached is sample
    code on how to
    link Login Framework and Siteminder. It doesn't have instructions, but
    hopefully by reading the LF docs about "implicit" (perimeter)
    login they can
    piece the parts together.
    Regards,
    PJL
    "Joe Alex" <[email protected]> wrote in message
    news:3f58b67b$[email protected]..
    >
    I have a requirement where the WLP 7 is behind a Netegrity SSO enabled IPlanet
    WebServer. Need to automatically log the users in to WLP 7.
    BEA Portal support mentioned CCE has developed a beta BEA supported integration
    between WLP 7.0 and Siteminder. This integration currently allow users who authenticate
    via Siteminder to also be authenticated in WLP 7.0.
    Do you know if this is available.
    [nete_rdbms_loginFramework.zip]

  • Identifying the Portals based on the URL's

    HI All,
    We are planning to integrate Enterprise Portal with Site minder.
    There are two kinds of Portal users 1.Citizens 2. Doctors
    The idea is that when a citizen logs in, siteminder directs to a URL; based on this URL he will be able to see the Citizen desktop.
    Similarly, when a Doctor logs in to siteminder he will be directed to another URL and the Doctor desktop.
    Question is:
    Is it possible to point to different portal desktops based on the different URLs in siteminder? If so, how can we achieve this?
    Regards,
    Manohar

    Hi Haydn,
    Thanks for your quick reply,
    can we implement this practically if so how can we do that.
    where can i map a URL and a Master display rule.
    so i need two display rules for each one i have to set a URL alias, can we do this if so how can we do this.
    Regards,
    Manohar

  • Siteminder and KM Access

    Hello,
    We use Siteminder for authentication to our Portal.  When a user is sent a link to a document in KM they are prompted by Siteminder and then they are prompted again by KM. 
    Does anyone know how to remove the second prompt?
    If the user logs into the portal and navigates to the document through the KM Content navigation the second prompt is not displayed.
    Any ideas?
    Thanks,
    Keith

    Hi Keith,
    Perhaps, it can help you.
    /people/john.mittendorf/blog/2005/07/29/disabling-secondary-popup-when-accessing-office-2003-documents-through-km
    Patricio.
