If you use SiteMinder version 5.5 or higher to administer single sign-on authentication for multiple applications, Reflection for the Web can be integrated with your SiteMinder installation. This technical note describes the steps to install and configure SiteMinder and Reflection for the Web so that they will work together to provide user authentication.
Note: To integrate SiteMinder with Reflection for the Web 2011, see Technical Note 2591.
When Reflection for the Web and SiteMinder are configured to work together, users are authenticated using the single sign-on capability of SiteMinder. If preferred, you can configure additional authorization in Reflection for the Web to restrict access to sessions.
To integrate Reflection for the Web and SiteMinder, follow the steps in each of these sections:
Install SiteMinder, including the Policy Server and necessary web agents. Refer to the SiteMinder Installation Guides for detailed information about the policy server or the web agents.
Install Reflection for the Web management server. Automated installers are available for Windows, Solaris, HP-UX, and Linux systems. Follow the steps in the Reflection for the Web Installation Guide, which is available from these locations:
Reflection for the Web: http://support.attachmate.com/manuals/wthdocs.html
Reflection for the Web 2008: http://support.attachmate.com/manuals/rweb2008.html
Your next step is dependent on the operating system on which you installed Reflection for the Web.
If you used the automated installer for Solaris, Linux, or HP-UX or did a manual installation to any of these platforms or to AIX using tomcat.zip, continue with step 3. Set the Path to the SiteMinder Libraries.
Follow these steps if you used the Windows automated installer or did a manual installation on Windows using tomcat.zip.
You must set the path to the SiteMinder libraries if you performed a non-automated (manual) installation on Solaris, Linux, AIX, or HP-UX using tomcat.zip.
Follow the procedure for your operating system. Note: The examples use the default path to the jakarta folder.
The path to the SiteMinder libraries is set in the setenv.sh file, located in the <install path>/Reflection Server/jakarta-tomcat/bin directory.
# Set environment variables for SiteMinder integration
The path is already set when you install Reflection for the Web to a Windows platform. Continue with step 4. Configure SiteMinder.
Once the products are installed and the path to the SiteMinder libraries is set, you are ready to configure SiteMinder.
If you have SiteMinder version 6.x, you must create a new security realm for Reflection for the Web content.
Use the Administrative WebStation to configure authentication.
SiteMinder Agent Version: The configuration options differ according to the version you select, 4 or 5. Note: If you select 5, it applies to Agent versions 5 or higher.
Agent name: The name of the agent that is used by Reflection. This is the Name you noted in the SiteMinder Administration window under Agents in section 4. Configure SiteMinder.
Shared secret (Version 4 option): The secret used by the policy server to verify the agent. This is the shared secret you entered in the SiteMinder Administration window in section 4. Configure SiteMinder.
SiteMinder configuration file (Version 5 or higher option): Provide a full path to the SiteMinder host configuration file. This is typically SmHost.conf and resides in the installation directory of the standard SiteMinder web agent.
If no SiteMinder web agent is installed on the Reflection Management server, copy this from a machine running a standard web agent. Use the smreghost command from the SiteMinder Web Agent home's bin directory to do this:
smreghost.exe -i<Policy Server Address:[Port]> -u<Admin Name> -p<Admin Password>
-hn<Reflection Management Server Address> -hc<Host Config Object> -f<Host Config Path>
|Policy Server Address
||DNS name or IP address of the SiteMinder policy server
||Optional port number of the policy server
||Name of the administrative account on the policy server
||Password of the administrative account on the policy server
|Reflection Management Server Address
||DNS name or IP address of the Reflection Management server
|Host Config Object
||Name of the preconfigured host configuration object on the policy server
|Host Config Path
||Full path to the host configuration file to be created (typically SmHost.conf)
Policy server host: The IP address (preferred) or DNS name of the host on which the SiteMinder policy server is installed.
Authentication port: The default authentication port number for the policy server is 4442. If the default port was changed during the SiteMinder installation, check the port setting in the Policy Server Management Console and enter that port number here.
Note: To check the port number, open the Policy Server Management Console, click the Settings tab, and look for the Authentication port number under Agent Configuration. If other SiteMinder port numbers were changed from their defaults during setup, you must reset the corresponding port numbers in the Reflection for the Web PropertyDS.xml file, located in the ReflectionData folder.
After you enter the required information, click Next.
If you receive an error while configuring authentication, "Failed to initialize SiteMinder libraries," it may be due to a .dll version conflict. To resolve this issue, you must manually upgrade the smjavaagentapi.jar and smjavaagentapi.dll files. Locate these file in your SiteMinder installation, and copy them to the following Reflection locations:
<Tomcat installation home>/misc/siteminder/bin/<OS specific>/smjavaagentapi.dll
<RWeb webapp home>/WEB-INF/lib/smjavaagentapi.jar
Once the files have been copied, restart the Reflection for the Web Management Server.
Once SiteMinder authentication is configured, you can choose to restrict Reflection access to specific users. Follow these steps to configure your authorization preferences.
The methods are described in the following sections.
Allow authenticated users to access published sessions. This method grants access to Reflection using SiteMinder alone, and no additional authorization is performed when users access sessions.
Use LDAP to restrict access to sessions. Because this method uses both SiteMinder authentication and LDAP authorization, you have an additional layer of control over session access. To use SiteMinder authentication with LDAP authorization, the LDAP server that you configure in Reflection must be the same LDAP server used by SiteMinder.
If you did not select LDAP authorization, skip to step C.
If you selected LDAP authorization, you will see the Configure Reflection for your LDAP Server page. The LDAP server configured here must be the same LDAP server used with SiteMinder. (For more information, click Help.)
When all of the information is entered, click Next.
Use the tools in the Administrative WebStation to define and publish sessions.
If you selected LDAP authorization, search for users or groups and map the session to them. Click the Save Settings button in the Access Mapper.
Note: Users must first authenticate using SiteMinder before they can access Reflection for the Web sessions. The SiteMinder web agent downloads a cookie to each user's browser memory, which authenticates them for that browser session only.