Siteminder AEM Webserver Integration

kartheekd203042
Level 2

07-10-2017

Hi all,

Ours is a multi-tenant application and only one tenant needs Siteminder protection for a few content hierarchies.

Installed the siteminder web agent and configured the dispatcher with required siteminder modules.

While the site protection happens for the required paths and login is also working as expected with the client's corporate user directory, I see 2 major issues:

a) The siteminder agent is scanning ALL URLs for all the tenants though the configuration is there in the tenant-specific vhost. How can I restrict this to only one tenant's host?

b) We are using user-friendly URLs without having the /content/tenant path, but since the Siteminder agent processes an actual resource path, upon logging in the target URL is changed to /content/tenant/<path of the protected resource>

Please note that the LDAP access to validate credentials is not in our application scope and is on client directory.

The Siteminder web agent installed on the dispatcher takes care of communicating with policy servers and authentication hosted in a different network outside the AEM cloud (firewall ports have been opened, which is managed entirely by the client's network team).

In case anyone here has experienced these issues in your application, can you please let me know what has been done to resolve this, or any other inputs?

The version in use is AEM 6.1 SP2.

Jörg_Hoh
Employee

08-10-2017

Hi,

Regarding 1: If I understood you right, the siteminder agent is scanning all requests coming into that Apache instance, not only the ones which are hitting the vhost the agent is configured in. That looks like an issue with the siteminder agent and should be solved on the siteminder side. I don't see a way this can be solved on the httpd or dispatcher side.

Regarding 2: Also I don't see a chance to handle this outside of the siteminder agent. If you were able to limit the agent to a single vhost, this doesn't seem to be a problem any more; but obviously this is not possible (see 1).

I don't know if siteminder allows itself to be limited to a certain vhost. If you need to solve the issue only by means of httpd features and using dispatcher, you could set up a chain of webservers/proxies; in the first step you rewrite the path from short URLs ("/en.html") to long URLs ("/content/tenant1/en.html") and then forward it to a second instance; there the same vhosts exist as well, but in that httpd instance you configure siteminder as well. Then siteminder only sees "long" URLs and can handle them appropriately.

Jörg
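
The two-instance chain described in the reply above, sketched as an added example (not configuration posted by either participant). The host name `tenant1.example.com`, the loopback port `8081` and the `/content/tenant1` prefix are assumptions, and the SiteMinder agent's own directives are left out because the thread does not show them.

```apache
# ---------- Instance A: public-facing httpd, NO SiteMinder agent loaded ----------
# Needs mod_rewrite, mod_proxy and mod_proxy_http.
Listen 80

<VirtualHost *:80>
    ServerName tenant1.example.com          # assumed host name

    # Keep the original Host header so instance B selects the same vhost.
    ProxyPreserveHost On
    # Never act as a forward proxy.
    ProxyRequests Off

    RewriteEngine On

    # Requests that already carry the long path (for example a post-login
    # redirect back to the resource) are forwarded unchanged.
    RewriteCond %{REQUEST_URI} ^/content/tenant1/
    RewriteRule ^/(.*)$ http://127.0.0.1:8081/$1 [P,L]

    # Short URL -> long URL, e.g. /en.html -> /content/tenant1/en.html,
    # then hand the request to instance B.
    RewriteRule ^/(.*)$ http://127.0.0.1:8081/content/tenant1/$1 [P,L]
</VirtualHost>

# ---------- Instance B: separate httpd process with agent + dispatcher ----------
# Bound to loopback so it is reachable only through instance A.
Listen 127.0.0.1:8081

# The SiteMinder web agent module and the dispatcher module are loaded in
# THIS instance only (agent-specific directives omitted here).

<VirtualHost 127.0.0.1:8081>
    ServerName tenant1.example.com          # same vhost name as on instance A

    # The agent evaluates the request here and only ever sees long URLs,
    # so its protected-resource paths and post-login targets agree.
    <IfModule disp_apache2.c>
        SetHandler dispatcher-handler
    </IfModule>
</VirtualHost>
```

The two blocks belong to two separate httpd processes with their own configuration files; they are shown together only for comparison.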