Integrate CA Single Sign-On with CA Service Catalog

This article contains the following topics:
By default, CA Service Catalog uses CA EEM to authenticate requests. You can optionally use CA Single Sign-On to provide web-based single sign-on (SSO) and enhanced authentication to CA Service Catalog users.
CA SiteMinder is now known as CA Single Sign-On.
 
Options to Authenticate Users
This section explains the two possible authentication flows for authenticating CA Service Catalog users. The first authentication flow uses CA EEM alone. The second authentication flow uses CA EEM with CA Single Sign-On, enabling single sign-on and providing enhanced security.
Authentication Flow Using CA EEM
By default, CA Service Catalog uses CA EEM to authenticate users. In this example of the basic authentication flow, requests from CA Service Catalog users first pass through Tomcat. The requests then pass through the MDB, and end at your authentication server, for example, Active Directory. The following diagram illustrates the basic authentication flow with CA EEM and Active Directory:
CA Service Catalog Authentication Flow Using CA EEM
 
Authentication Flow Using CA Single Sign-On
In this authentication flow, requests from CA Service Catalog users go to CA Single Sign-On for authentication. If a request is authorized, the web server hosting CA Single Sign-On forwards it to the Tomcat instance of Catalog Component. Thus, in this flow, CA Single Sign-On validates the authentication requests from CA Service Catalog users. The following diagram illustrates the enhanced authentication flow with CA Single Sign-On:
CA Service Catalog Authentication Flow Using CA SiteMinder
Set Up Web Single Sign-on
To implement web-based single sign-on (SSO) and enhanced authentication for CA Service Catalog users, complete the following tasks:
  1. Install and configure CA Single Sign-On, including its Policy Server and CA Single Sign-On Web Agent.
    For more information, see your CA Single Sign-On documentation.
  2. Redirect the authentication requests from your web server to Tomcat. Here, your web server (such as Apache or Microsoft Internet Information Server [IIS]) has the CA Single Sign-On web agent installed.
    For more information, see your web server documentation.
  3. In the CA Single Sign-On Administration GUI, configure CA Single Sign-On to protect CA Service Catalog resources by performing the following tasks. For more information, see your CA Single Sign-On documentation.
    1. Open the policy server UI.
    2. Create an agent object for CA Service Catalog; do not check “support 4.x Agents”.
    3. Create an agent configuration object for the agent you just created.
    4. Create a host configuration object.
    5. Optionally, create an authentication scheme.
    6. Create a realm and a rule with the resource filter as usm/*.
    7. Create a CA Service Catalog domain and add the user directories, administrator, and realm to the domain.
    8. Create a policy and add the rule that you just created to the policy.
  4. In the Administration, Configuration section of the CA Service Catalog GUI, configure the single sign-on authentication parameters to match CA Single Sign-On.
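
Step 2 on an Apache web server, as an added example that is not taken from the CA documentation: a reverse-proxy fragment using mod_proxy that forwards the protected usm/ path to the Tomcat instance of Catalog Component. The Tomcat host name and port are placeholders, and the web agent's own directives from step 1 are assumed to be in place and are not shown.

```apache
# Added example, not CA's own configuration. Assumes Apache httpd 2.4 with
# the CA Single Sign-On web agent already installed on this server (step 1).
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Act only as a reverse proxy for the paths listed below, never as an
# open forward proxy.
ProxyRequests Off

# /usm corresponds to the usm/* resource filter of the realm created in
# step 3, so the web agent evaluates every request before it is forwarded.
# catalog-tomcat.example.internal:8080 is a placeholder for the Tomcat
# instance of Catalog Component.
<Location "/usm">
    # Forward the request to Tomcat.
    ProxyPass        "http://catalog-tomcat.example.internal:8080/usm"
    # Rewrite Location headers in Tomcat redirects so the browser keeps
    # talking to this web server instead of Tomcat.
    ProxyPassReverse "http://catalog-tomcat.example.internal:8080/usm"
</Location>
```

For the flow described above to hold, the Tomcat port should accept connections only from this web server, so that every request for usm/ passes the web agent first.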