Configuring Authentication with a SiteMinder Server

You are here: Pulse Connect Secure > Pulse Connect Secure Administration Guide > Access Management Framework > Authentication and Directory Servers > Using a SiteMinder Server > Configuring the Back End SiteMinder > Configuring Authentication_9

You are here: Pulse Connect Secure > Access Management Framework > Authentication and Directory Servers > Using a SiteMinder Server > Configuring Authentication_9

Configuring Authentication with a SiteMinder Server

To configure authentication with SiteMinder server:

Select Authentication > Auth. Servers.
Select SiteMinder Server and click New Server.
Complete the configuration as described in Table 32.
Save the configuration.
After you have saved the configuration, the page that is redisplayed includes an Advanced tab.

Click the Advanced tab to display the configuration page.
Complete the configuration as described in Table 33.
Save the configuration.

Table 32: SiteMinder Server Settings

Settings	Guidelines
Name	Specify a name to identify the server within the system.
Policy Server	Specify name or IP address of the policy server.
Backup Server(s)	(Optional) Specify a comma-delimited list of backup policy servers.
Failover Mode?	Select one of the following failover mode options: Yes–The device uses the main policy server unless it fails. No–The device does the load balancing among all the specified policy servers.
Agent Name	Specify the agent name configured on the policy server.
Secret	Specify the shared secret configured on the policy server. The value is case sensitive.
Compatible with	Select a SiteMinder server version. 5.5 Policy Servers–Supports version 5.5 and version 6.0. This is the default. 6.0 Policy Servers–Supports only version 6.0 of the SiteMinder server API. 12.0 Policy Servers–Supports only version 12.0.
On logout, redirect to	Specify a URL to which users are redirected when they sign out of the device (optional). If you leave this field empty, users see the default sign-in page. The On logout, redirect to setting is included in the product release for backwards-compatibility. We strongly recommend that you use the customizable sign-in pages feature instead.
Protected Resource	Specify a default protected resource. If you do not create sign-in policies, the system uses this default URL to set the user’s protection level for the session. The system also uses this default URL if you select the Automatic Sign-In option. If your users are signing in to the “*” URL (default device sign-in page), enter any URL (“/ive-authentication” is the default) to set the protection level to the default value. If you do create sign-in policies, the device uses those sign-in policies instead of this default URL. You must enter a forward slash (/) at the beginning of the resource. For example, enter /local-authentication.
Resource Action	Displays the resource action configured on the back-end SiteMinder server.
Users authenticate using tokens or one-time passwords	Select this option if you want the device to prompt the user for a token instead of a password; that is, if users submit tokens or one-time use passwords to the device. For example, you can use this option to dynamically prompt for a password or token based on sign-in policies by configuring two instances of the same authentication server. You can use one instance for wireless users who have this option enabled and it prompts the user for a token, and another instance for wired users who have this option disabled and it prompts the user for a password. This feature is available only on Policy Secure.
Server Catalog	Use the Server Catalog button to display the Server Catalog in a new window. Add the SiteMinder user attributes (such as the cookiename) that you want to use for role mapping.
SMSESSION cookie settings
When sending cookies to the end-user’s browser	Specify the cookie domain for either the end user or the device. A cookie domain is a domain in which the user’s cookies are active. For example, the system sends cookies to the user’s browser in this domain. Multiple domains should use a leading period and be comma-separated. For example, .sales.myorg.com, .marketing.myorg.com. Domain names are case-sensitive. You cannot use wildcard characters. For example, if you define “.pulsesecure.net” the user must access the device as “http://ive.pulsesecure.net” to ensure that his SMSESSION cookie is sent back to the device.
	Select HTTPS to send cookies securely if other Web agents are set up to accept secure cookies, or HTTP to send cookies nonsecurely.
Cookie Domain and Protocol When the Cookie is Set on the Device	Enter the valid Internet domain for the cookie and where the browser of the user sends cookie contents. This cookie domain should be the same as the host domain. For example, .jnpr.net
	Select HTTPS to send cookies securely if other Web agents are set up to accept secure cookies, or HTTP to send cookies non-securely.
SiteMinder authentication settings
Automatic Sign In	Select this option to automatically sign in users with a valid SMSESSION cookie. Then, select the authentication realm to which the users are mapped. If you select this option, note that: If the protection level associated with a user’s SMSESSION cookie is different from the protection level of the realm, the protection level associated with the cookie is used. This option uses SMSESSION cookie, which is already present in the browser to enable single sign-on. This option provides a single sign-on experience for users. This option enables users to sign in using a standard Siteminder Web Agent that generates an SMSESSION cookie. When you select this option, you must also configure the following suboptions: To assign user roles, use this user authentication realm–Select an authentication realm for automatically signed-in users. The users are mapped to a role based on the role mapping rules defined in the selected realm. If Automatic Sign In fails, redirect to–Enter an alternative URL for users who sign in through the automatic sign-In mechanism. The users are redirected to the specified URL if the authentication fails and if there is no redirect response from the SiteMinder policy server. If you leave this field empty, users are prompted to sign back in.
Authenticate using custom agent	Select this option if you want to authenticate using the custom Web agent. Using this option, the system generates the SMSESSION cookie, just like any other Web agent configured within the organization.
Authenticate using HTML form post	Select this option if you want to post user credentials to a standard Web agent that you have already configured rather than contacting the SiteMinder policy server directly. If you select this option, the Web agent contacts the policy server to determine the appropriate sign-in page to display to the user. To configure the system to “act like a browser” that posts credentials to the standard Web agent, you must enter the following information. Target–Specify the target URL. Protocol–Specify the protocol for communication between the system and the specified Web agent. Select HTTP for non-secure communication. Select HTTPS for secure communication. Webagent–Specify the name of the Web agent to obtain SMSESSION cookies. An IP address is not allowed for this field. (Specifying the IP address as the Web agent prevents some browsers from accepting cookies.) Port– Specify the port for the protocol. Enter port 80 for HTTP or port 443 for HTTPS. Path–Specify the path of the Web agent’s sign-in page. The path must start with a backslash (/) character. In the Web agent sign-in page URL, the path appears after the Web agent. Parameters– Specify the post parameters to be sent when a user signs in. Common SiteMinder variables that you can use include _ _USER_ _, _ _PASS_ _, and _ _TARGET_ _. These variables are replaced by the username and password entered by the user on the Web agent’s sign-in page and by the value specified in the Target field. These are the default parameters for login.fcc—if you have made customizations, you may need to change these parameters.
Delegate authentication to a standard agent	Select this option to delegate authentication to a standard agent. When the user accesses the system sign-in page, the FCC URL associated with the protected resource’s authentication scheme is determined. The system redirects the user to that URL, setting the system sign-in URL as the target. After successfully authenticating with the standard agent, an SMSESSION cookie is set in the user’s browser and the user is redirected back. The system then automatically signs in the user and establishes a session. You must enable the Automatic Sign-In option to use this feature. If you enable this option and a user already has a valid SMSESSION cookie when trying to access a resource, the system tries to automatically sign in using the existing SMSESSION cookie. If the cookie is invalid, the SMSESSION cookie and corresponding system cookies are cleared and a “timeout” page is displayed. The system successfully delegates authentication when the user clicks the sign back in option. If you select this option, your authentication scheme must have an associated FCC URL.
SiteMinder authorization settings	This feature is available only on Connect Secure.
Authorize requests against SiteMinder policy server	Use SiteMinder policy server rules to authorize user Web resource requests. If you select this option, make sure that you create the appropriate rules in SiteMinder that start with the server name followed by a forward slash, such as: www.yahoo.com/, www.yahoo.com/*, and www.yahoo.com/r/f1.
If authorization fails, redirect to	Specify an alternative URL that users are redirected to if the device fails to authorize and no redirect response is received from the SiteMinder policy server. If you leave this field empty, users are prompted to sign back into the device. If you are using an authorization-only access policy , you must enter an alternative URL in this field regardless of whether the Authorize requests against SiteMinder policy server option is selected. Users are redirected to this URL when an access denied error occurs.
Resource for insufficient protection level	Specify a resource on the Web agent to which the users are redirected when they do not have the appropriate permissions.
Ignore authorization for files with extensions	Specify the file extensions corresponding to file types that do not require authorization. Enter the extensions of each file type that you want to ignore, separating each with a comma. For example, enter .gif, .jpeg, .jpg, .bmp to ignore various image types. You cannot use wildcard characters (such as , ., or .) to ignore a range of file types.
User Record Synchronization	This feature is available only on Connect Secure.
Enable User Record Synchronization	Select this option to retain the bookmarks and individual preferences regardless of which system you log in to.
Logical Auth Server Name	Specify a logical authentication server name.

Table 33: SiteMinder Advanced Configuration Options

Settings	Guidelines
Poll Interval (seconds)	Specify the interval at which the system polls the SiteMinder policy server to check for a new key.
Max. Connections	Control the maximum number of simultaneous connections that the system is allowed to make to the policy server. The default setting is 20.
Max. Requests/ Agent	Control the maximum number of requests that the policy server connection handles before the system ends the connection. If necessary, tune to increase performance. The default setting is 1000.
Idle Timeout (minutes)	Control the maximum number of minutes a connection to the policy server may remain idle (the connection is not handling requests) before the system ends the connection. The default setting of “none” indicates no time limit.
Authorize while Authenticating	Specify that the system should look up user attributes on the policy server immediately after authentication to determine if the user is truly authenticated. For example, if your SiteMinder server authenticates users based on an LDAP server setting, you can select this option to indicate that the system should authenticate users through the SiteMinder server and then authorize them through the LDAP server before granting them access. If the user fails authentication or authorization, the user is redirected to the page configured on the policy server.
Enable Session Grace Period	Eliminate the overhead of verifying a user’s SMSESSION cookie each time the user requests the same resource by indicating that the system should consider the cookie valid for a certain period of time. If you do not select this option, the system checks the user’s SMSESSION cookie on each request. Note that the value entered here does not affect session or idle timeout checking.
Validate cookie every N seconds (seconds)	Specify the time period for the system to eliminate the overhead of verifying a user’s SMSESSION cookie each time the user requests the same resource by indicating that the system should consider the cookie valid for a certain period of time.
Ignore Query Data	Specify that the system does not cache the query parameter in its URLs. Therefore, if a user requests the same resource as is specified in the cached URL, the request should not fail.
Accounting Port	Specify that the value entered in this field must match the accounting port value entered through the Policy Server Management Console in the Web UI. By default, this field matches the policy server’s default setting of 44441.
Authentication Port	Specify that the value entered in this field must match the authentication port value entered through the Policy Server Management Console. By default, this field matches the policy server’s default setting of 44442.
Authorization Port	Specifies that the value entered in this field must match the authorization port value entered through the Policy Server Management Console. By default, this field matches the policy server’s default setting of 44443.
Agent Configuration Settings
Overlook Session for Methods	Compare the request method to the methods listed in this parameter. If a match is found, Web Agent does not create a new or update an existing SMSESSION cookie, nor will it make any updates to the cookie provider for that request. You can enter multiple methods; use a comma to separate method names. If Overlook Session for Methods parameter is set but not Overlook Session for URLs, then all requests that match the methods defined in this parameter are processed (SMSESSION cookie creation/update is blocked). If both Overlook Session for Methods and Overlook Session for URLsparameters are set, both the method and the URL of the request are matched before proceeding. Then, all URLs with specified methods are processed (SMSESSION cookie creation/update is blocked).
Overlook Session for URLs	Compare the request URL to the URLs listed in this parameter. If a match is found, Web Agent does not create a new or update an existing SMSESSION cookie, nor will it make any updates to the cookie provider for that request. Specify a relative URL. For example: If the URL is http://fqdn.host/MyDocuments/index.html, enter /MyDocuments/index.html If Overlook Session for URLs is set but not Overlook Session for Methods, then all requests, regardless of the methods, matching the URLs defined in this parameter are processed (SMSESSION cookie creation/update is blocked). If both Overlook Session for Methods and Overlook Session for URLsparameters are defined, both the method and the URL of the request are matched before proceeding. Then, all URLs with specified methods are processed (SMSESSION cookie creation/update is blocked).
SiteMinder caching
Flush Cache	Select this option to delete the resource cache, which caches resource authorization information for 10 minutes.

	Technical Publications \| https://www.pulsesecure.net/techpubs/
	Forums \| https://forums.pulsesecure.net/
	Knowledge Base \| https://kb.pulsesecure.net/
	Report a Bug \| https://my.pulsesecure.net/members/redirect/?application=casecenter
	Technical Support \| https://www.pulsesecure.net/support/

	Pulse Connect Secure Administration Guide
	Pulse Connect Secure Supported Platforms Guide