CA Single Sign-On Integration

When sharing a User Store between Identity Manager and SiteMinder (CA SSO), the Password Services of each product maintains a User’s password history data in the same User attribute and encrypts the data using different keys. Enabling the Identity Manager integration with SiteMinder delegates all Password Services to SiteMinder, including reading and writing the password history of Users. Toggling the integration on or off can lead to lost password history due to the use of different encryption keys by each product.
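The failure mode in the note above, modeled as an added example (not CA code): two password services store history in one shared attribute under different keys, so whichever service is active after a toggle cannot read what the other wrote. The `PasswordService` class, the `passwordData` attribute name, the stdlib-only encrypt-then-MAC scheme, and the choice to treat unreadable history as empty are all assumptions for illustration.

```python
import hashlib, hmac, json, os

ATTR = "passwordData"  # hypothetical name for the shared user attribute

def _keystream(key, nonce, n):
    # SHA-256 in counter mode; stdlib-only stand-in for a real cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

class PasswordService:
    """Hypothetical model of one product's Password Services."""
    def __init__(self, master_key):
        # Separate encryption and MAC keys derived from the product's own key.
        self.enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()

    def write_history(self, user, hashes):
        nonce, pt = os.urandom(16), json.dumps(hashes).encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self.enc, nonce, len(pt))))
        tag = hmac.new(self.mac, nonce + ct, hashlib.sha256).digest()
        user[ATTR] = nonce + ct + tag

    def read_history(self, user):
        blob = user.get(ATTR, b"")
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        want = hmac.new(self.mac, nonce + ct, hashlib.sha256).digest()
        if len(blob) < 48 or not hmac.compare_digest(tag, want):
            return []  # assumption: unreadable history is treated as empty
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(self.enc, nonce, len(ct))))
        return json.loads(pt)

    def change_password(self, user, new_hash):
        history = self.read_history(user)
        if new_hash in history:
            return False  # reuse rejected
        self.write_history(user, history + [new_hash])
        return True

def toggle_demo():
    user = {}
    im, sso = PasswordService(os.urandom(32)), PasswordService(os.urandom(32))
    im.change_password(user, "hash-A")  # constructed values
    im.change_password(user, "hash-B")
    blocked = not im.change_password(user, "hash-A")   # history enforced
    seen_by_sso = sso.read_history(user)               # integration enabled
    reused = sso.change_password(user, "hash-A")       # overwrites the attribute
    seen_by_im = im.read_history(user)                 # integration disabled again
    return blocked, seen_by_sso, reused, seen_by_im
```

In this model the second service sees an empty history and accepts a previously used value, and its write replaces the first service's data, so the history stays unreadable after toggling back.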
When Identity Manager integrates with CA Single Sign-On (CA SSO, formerly known as CA SiteMinder), CA SSO adds the following functionality to an Identity Manager environment:
  • Advanced Authentication
    By default, Identity Manager includes native authentication for its environments. An administrator enters a valid user name and password to log in to an Identity Manager environment. The user name and password are authenticated against the user store that Identity Manager manages.
    When Identity Manager integrates with CA SSO, CA SSO basic authentication is used to protect the environment. When you create an Identity Manager environment, a policy domain and an authentication scheme are created in CA SSO to protect that environment. With this integration, you can also use CA SSO authentication to protect the Management Console.
  • Directory Mapping
    An administrator may manage users whose profiles exist in a different user store from the one that is used to authenticate the administrator. In that case, the Identity Manager administrator's login is authenticated against one directory, and a different directory is used to authorize whether the administrator can manage users.
    When Identity Manager integrates with CA SSO, you can configure an Identity Manager environment to use different directories for authentication and authorization.
  • Locale Preferences for a Localized Environment
    When Identity Manager integrates with CA SSO, you can define a locale preference for a user using an imlanguage HTTP header. In the CA SSO Policy Server, you set this header within a CA SSO response and specify a user attribute as the value of the header. The imlanguage header acts as the highest priority locale preference for a user.
    Note: For more information, see User Console Design.
How Resources are Protected
Advanced authentication requires you to use a CA SSO Policy Server in your implementation. The application server hosting the Identity Manager server is on a different operating environment from the Web Server. To provide forwarding services, the Web Server requires:
  • An application server vendor provided plug-in.
  • A CA SSO agent to protect the Identity Manager resources, such as the User Console, Self Registration, and the Forgotten Password feature.
The Web Agent controls the access of users who request Identity Manager resources. Once the users are authenticated and authorized, the Web Agent allows the Web Server to process the requests.
When the Web Server receives the request, the application server plug-in forwards it to the application server hosting the Identity Manager Server.
The Web Agent protects Identity Manager resources that are exposed to users and administrators.