All About Identity and Access Management

An open forum to share views about Identity Management, Access Management and Access Governance.

SiteMinder Best Practices

• Firewall Considerations – For a secure environment, placing the Web Server in the De-Militarized Zone (DMZ) behind a firewall is recommended. It is also recommended to place the application servers, database and SiteMinder Policy Servers behind a second firewall.

• Policy Store and Key Store considerations – For faster access to stored data, LDAP is advised as the policy and key store. However, Oracle and SQL Server databases are also highly scalable, powerful and secure.

• Storing User Profile Information – There are several advantages to using LDAP as the user information store compared to ODBC or Windows NT Domain. LDAP provides faster access to user information than ODBC data sources or a Windows NT Domain. If the schema needs to be extended to add additional attributes, a Windows NT Domain cannot be used. LDAP can be configured for load balancing and failover for better performance; with ODBC data sources you can only configure failover.

• Audit log storage – For better security, storing audit logs in an ODBC database is preferred.

• Replicating policy stores and configuring failover – To provide uninterrupted access to the policy store, it is recommended that the policy store be replicated onto a secondary server and the failover mechanism enabled using the Policy Server interface.

• Implementing Authentication Schemes – SiteMinder provides schemes such as Basic, Basic over SSL, Forms, Forms over SSL and X.509 certificates. For better grouping of resources, realms can be nested within other realms. Each nested realm shares the same Agent; however, a realm nested under another (parent) realm can have a higher protection level than its parent for stronger security. When the user accesses the parent realm, he is authenticated by a particular authentication scheme, say Basic. Later, when he accesses a resource protected by the child realm, he must authenticate again using a different scheme with a higher protection level, say the X.509 certificate scheme.

• Single Sign-On Considerations – The protection level rules need to be maintained such that when a user moves from one Web server to another in the same domain, the protection level of the resource on the second Web server must be equal to or lower than the protection level previously encountered; otherwise the user is challenged to authenticate again.
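The two points above (step-up between a parent and a nested realm, and SSO between Web servers in one domain) can be summarised as a single comparison of protection levels. The model below is an added illustration written for this post, not SiteMinder's own code; the realm names, scheme names, agent names and level numbers are constructed sample values, not product defaults.

```python
# Added illustration (not SiteMinder's own code): a small model of how
# protection levels drive step-up authentication across nested realms and
# single sign-on between Web servers. Realm names, scheme names, agent
# names and level numbers are constructed sample values, not product defaults.
from dataclasses import dataclass
from typing import Optional

@dataclass
class AuthScheme:
    name: str
    protection_level: int  # higher means a stronger scheme

@dataclass
class Realm:
    name: str
    agent: str
    scheme: AuthScheme
    parent: Optional["Realm"] = None

    def __post_init__(self) -> None:
        # A nested realm shares its parent's agent; it may use a stronger scheme.
        if self.parent is not None and self.agent != self.parent.agent:
            raise ValueError(f"{self.name}: nested realm must share parent agent")

@dataclass
class Session:
    user: str
    auth_level: int = 0  # highest level authenticated at so far in this session

def access(session: Session, realm: Realm) -> str:
    """Decide one request and update the session.

    SSO is honoured when the resource's protection level is equal to or
    lower than the level already reached; otherwise the user is challenged
    with the realm's scheme and the session level is raised to match it.
    """
    if realm.scheme.protection_level <= session.auth_level:
        return "sso"
    session.auth_level = realm.scheme.protection_level
    return f"reauthenticate:{realm.scheme.name}"

# Constructed sample configuration: a parent realm protected by Basic, a
# child realm that steps up to X.509 certificates, and a realm on a second
# Web server in the same domain that uses Basic at the parent's level.
BASIC = AuthScheme("Basic", 5)
X509 = AuthScheme("X509", 15)
PARENT = Realm("/app", "agent1", BASIC)
CHILD = Realm("/app/admin", "agent1", X509, parent=PARENT)
OTHER_SERVER = Realm("/reports", "agent2", BASIC)
```

Walking a session through PARENT, CHILD and then OTHER_SERVER shows one challenge for Basic, one step-up challenge for X509, and SSO for everything at or below the level already reached.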

• Clustering with Application Server Agents – If you do not use a shared file system, you must install the Application Server Agent on every server in the cluster. The Application Server Agent can support a multi-tier clustering architecture.

I hope these points prove helpful the next time you turn to SiteMinder.

Thanks...
