Single Sign On Integration with SDL Tridion and CA Siteminder

In today’s world most of the products, be it a financial product like credit  card, media or electronics item,  do not come from just one vendor but from collaboration between different partner companies. All partners play  a unique role in marketing of such product and need access to related data.

Practically, it is not possible to provide access to all the partners to the Active Directory or LDAP and here comes SSO for the rescue which enables all the partners to use a common policy server to authenticate themselves.
SDL Tridion can be easily integrated with SSO servers like CA Siteminder and IBM Tivoli.

Following figures describes SSO flow till authentication.

Fig: Flow Chart of SSO Request

Installation & Configuration: Setting up SSO requires lots of configurationThe first step for configuring SSO for Tridion is installing Site Minder agent on CM server which intercepts all the request coming to Tridion CMS and authorize the user

The web agent interacts with Policy Server in order to authorize user based on the credential provided by user. Once authenticated, unique user id is set in header variable of each request which is then used by Tridion to identify the user if SSO is configured.
Authorization can be done at Tridion CMS security level where based on business requirement different access and permissions can be given to users on CMS items like publication etc.

Installing CA Siteminder agent on CMS server 

1. Execute ca-wa-12.5-cr02-win64.exe.
2. Follow the instructions according to installation wizard
3. In the Host Registration dialog box, select ‘Yes’ to register a host and click Next.
4. Complete the following fields in the Admin Registration dialog box, then click Next- Provide the required admin credentials
5. Admin User Name
6. Admin Password
7. Confirm Admin Password 
8. Enabled Shared Secret Rollover – Unchecked
9. In the Trusted Host Name and Configuration Object dialog box, enter webserver name as trusted host name. 
10. In the Policy Server IP Address dialog box enter the IP or  policy server VIP:
11. Choose FIPS Compatibility Mode (Default) and click Next.
12. Accept the default location of the host configuration file, SmHost.conf or click Choose to select a different location. Click Next.
13. In the Select Web server(s) dialog box, select the option for the Microsoft IIS 7.5 and click Next.
14. Select the virtual sites(SDL Tridion 2011) that need to be configured with this web agent and click Next.
15. Enter the ACO name <webserver>_agent_config and click Next:
16. In the WebAgent Enable Option, check the YES box and click Next.
17. In the Web Server Configuration Summary dialog box. Confirm that the configuration settings are correct, then click Install.
18. Click done when the installation is complete. The system restarts

Permission to user to modify encrypted configuration sections

1. Open command prompt and go to where PSTools is located
2. Run:    psexec -i -s cmd.exe
3. This should open another new command prompt window
4. In the new command prompt window, navigate to where aspnet_regiis is (should be in c:\Windows\Microsoft.Net\Framework64\v4.0.30319  
5. Run:   aspnet_regiis -pa "TridionRsaKeyContainer" "Domain\UserName"
6. Follow the same steps for user NT AUTHORITY\IUSR

Configuration Console:

Fig: SSO Configuration in CMS

Set header name which will be used to retrieve user name after authentication.

Some Useful links:

• http://docs.sdl.com/LiveContent/content/en-US/SDL%20Tridion%202011%20SP1%20full%20documentation-v1/GUID-407B4F89-B8D0-4799-A16B-147D89B044F6
• https://support.ca.com/cadocs/0/CA%20SiteMinder%20r6%200%20SP6-ENU/Bookshelf_Files/PDF/siteminder_wa_config_enu.pdf

Issues and Trouble shooting

In my previous experience with SSO the unique user GUID that is set by Siteminder in the header of response was not getting persisted and hence SSO was not working fine with Tridion. To resolve this issue one can try putting a custom HTTP Module in request pipeline and check if the GUID is getting persisted, and in case it is not you will have to explicitly set the header variable.

NOTE: One important point to take care of (especially in case you are making entries manually in web.config)  make sure that HTTP module entry in web.config for your custom http module comes after the entry of CA Siteminder.

<add name="CASiteMinderWebagentModule" preCondition="integratedMode,bitness64" />

<add name="customhttpmodule" type="<>, Version=1.1.0.0, Culture=neutral, PublicKeyToken=<>" />

Some point worth noting is that we were not able to run the Tridion Client applications like Template Builder and Content porting using SSO and hence it was explicitly set on windows authentication.