SiteMinder integration is here

You've been heard! Out-of-the-box SiteMinder integration is here.

Computer Associates' (CA) SiteMinder is a centralized web access management system that enables user authentication and single sign-on, policy-based authorization, identity federation, and auditing of access to Web applications and portals.

Liferay has out-of-the-box SiteMinder integration as of the recent Liferay 5.1.2 release. The integration is based on the CAS integration and only supports authenticating with screenName. It also knows how to properly terminate the SiteMinder session. SiteMinder is usually connected to LDAP, so this integration is also able to import users from LDAP.

You can enable it either through portal-ext.properties or the UI, just like with CAS or OpenSSO.

Enabling from portal-ext.properties:

    ##
    ## SiteMinder
    ##

    #
    # Set this to true to enable CA SiteMinder single sign on. If set to true,
    # then the property "auto.login.hooks" must contain a reference to the class
    # com.liferay.portal.security.auth.SiteMinderAutoLogin and the
    # "logout.events.post" must have a reference to
    # com.liferay.portal.events.SiteMinderLogoutAction for logout to work.
    #
    siteminder.auth.enabled=true

    #
    # A user may be authenticated from SiteMinder and not yet exist in the
    # portal. Set this to true to automatically import users from LDAP if they
    # do not exist in the portal.
    #
    siteminder.import.from.ldap=true

    #
    # Set this to the name of the user header that SiteMinder passes to the
    # portal.
    #
    siteminder.user.header=SM_USER

Enabling from Liferay UI:

[Screenshot: SiteMinder settings]

Very nice, Mika!
BTW, could you make a wiki article out of this entry? That way it's easier to find for people digging in the documentation and also becomes a place to extend the info when support for email is added.
I've added it here http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/CA+SiteMinder+Integration should merge it with http://www.liferay.com/web/guest/community/wiki/-/wiki/Main/Integration+with+Siteminder+SSO
Very nice! Thank you, Mika.
Sorry to be a latecomer to this post, but this is exactly what I'm working on now. I'm not sure if I understand how this is supposed to work. We are standing up SiteMinder and Liferay right now and I don't see how those three settings are enough to get it to work with SiteMinder. Can someone help me? What am I missing? I see no documentation on how to tell Liferay anything about the SiteMinder installation and policy servers, etc.
Sorry Geoff, I missed your comment somehow. Liferay does not do a deep integration with SiteMinder; we only do SSO. The way you set this up is that you have the SiteMinder agent sitting in front of Liferay, usually installed in Apache HTTPD. The agent takes care of connecting to policy servers and deciding whether the user is authenticated. The agent passes the request to Liferay, and Liferay checks if this user is authenticated by SiteMinder; if it is, it does autologin with that user. The user information is usually retrieved from LDAP.

Hope this helps.
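The deployment described in the reply above depends on the portal receiving the `siteminder.user.header` value only from the SiteMinder agent. The following is an added example, not Liferay's or CA's code, of the check an application-server-side gate would make before the header is used for auto-login. The agent address `10.0.0.5`, the class and method names, and the sample requests are assumptions constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

// Added example (not Liferay code): trust the SiteMinder user header only
// when the request was delivered by the host running the SiteMinder agent.
public class SiteMinderHeaderGate {

    // Value of siteminder.user.header in portal-ext.properties.
    static final String USER_HEADER = "SM_USER";

    // Assumption: address of the Apache HTTPD host running the agent.
    static final Set<String> TRUSTED_AGENTS = Set.of("10.0.0.5");

    enum Decision { AUTO_LOGIN, ANONYMOUS, REJECT }

    static Decision decide(String remoteAddr, Map<String, String> headers) {
        String user = null;
        for (Map.Entry<String, String> h : headers.entrySet()) {
            // HTTP header names are case-insensitive.
            if (USER_HEADER.equalsIgnoreCase(h.getKey())) {
                user = h.getValue();
            }
        }
        if (user == null || user.trim().isEmpty()) {
            return Decision.ANONYMOUS;  // no identity asserted: guest handling
        }
        if (!TRUSTED_AGENTS.contains(remoteAddr)) {
            return Decision.REJECT;     // header did not come through the agent
        }
        return Decision.AUTO_LOGIN;     // agent-authenticated screenName
    }

    public static void main(String[] args) {
        // Constructed sample requests: {remote address, SM_USER value or null}.
        String[][] samples = {
            {"10.0.0.5", "jdoe"},
            {"10.0.0.5", null},
            {"192.0.2.44", "jdoe"},
        };
        for (String[] s : samples) {
            Map<String, String> headers = new LinkedHashMap<>();
            headers.put("Host", "portal.example.com");
            if (s[1] != null) headers.put("sm_user", s[1]);
            System.out.printf("%-11s SM_USER=%-5s -> %s%n",
                    s[0], s[1], decide(s[0], headers));
        }
    }
}
```

The same decision is best backed by network rules that let only the agent host reach the application server's HTTP port.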
If I chose not to copy the user info from LDAP or if LDAP doesn't have the user's organization membership etc., how can I build the complete user's profile with all the portal info like his organization membership, Liferay role etc. I need this profile fully built/populated (just like the user logged in through the login portlet), because I want to display the user's content/portlets based on his organization and roles. Should I do this manually using the Liferay API?
I am new to Liferay and would like to know where the Agent is? Do we get this from CA or is it in Liferay?
The agent is part of SiteMinder.