Expand my Community achievements bar.

Adobe Summit 2025: AEM Session Recordings Are Live! Missed a session or want to revisit your favorites? Watch the latest recordings now.
Watch Now!

Mark Solution

This conversation has been locked due to inactivity. Please create a new post.

SOLVED

Siteminder AEM Webserver Integration

Avatar

Level 3
Level 3
10/7/17 6:30:22 AM

Hi all,

Ours is a multi-tenant application and only one tenant needs Siteminder protection for a few content hierarchies.

Installed the siteminder web agent and configured the dispatcher with required siteminder modules.

While the site protection happens for the required paths and login is also working as expected with the client's corporate user directory,I see 2 major issues

a)The siteminder agent is scanning ALL urls for all the tenants though the configuration is there in tenant-specific vhost.How can I restrict this to only one tenant's host?

b)We are using user-friendly URLs without having /content/tenant path but since the Siteminder agent processes an actual resource path,upon logging in the target url is changed to /content/tenant/<path of the protected resource>

Please note that the LDAP access to validate credentials is not in our application scope and is on client directory.

The Siteminder webagent installed on the dispatcher takes care of communicating with policy servers and authentication hosted in a different network outside the AEM cloud.(firewall ports have been opened which is managed entirely by the client's network team)

In case any one here experience these issues in your application,can you please let me know what has been done to resolve this or any other inputs?

Version using is AEM6.1 SP2

Views

1.5K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/8/17 12:03:32 PM

Hi,

Regarding 1: If I understood you right, the siteminder agent is scanning all requests coming into that Apache instance, not only the ones which are hitting the vhost the agent is configured in. That looks like an issue with the siteminder agent and should be solved on the siteminder side. I don't see a way how this can be solved on httpd or dispatcher side;

Regarding 2: Also I don't see a chance to handle this outside of the siteminder agent. If you were able to limit the agent to a single vhost, this doesn't seem to be a problem any more; but obviously this is not possible (see 1).

I don't know if siteminder allows to get limited to a certain vhost. If you need to solve the issue only by the means of httpd features and using dispatcher, you could setup a chain of webservers/proxies; in the first step you rewrite the path from short urls ("/en.html") to long urls ("/content/tenant1/en.html") and then forward it to a second instance; there the same vhosts exist as well, but in that httpd instance you configure the siteminder as well. Then siteminder only sees "long" URLs and can handle appropriatly.

Jörg

View solution in original post

Views

1.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
1 Reply

Avatar

Correct answer by
Employee Advisor
Employee Advisor
10/8/17 12:03:32 PM

Hi,

Regarding 1: If I understood you right, the siteminder agent is scanning all requests coming into that Apache instance, not only the ones which are hitting the vhost the agent is configured in. That looks like an issue with the siteminder agent and should be solved on the siteminder side. I don't see a way how this can be solved on httpd or dispatcher side;

Regarding 2: Also I don't see a chance to handle this outside of the siteminder agent. If you were able to limit the agent to a single vhost, this doesn't seem to be a problem any more; but obviously this is not possible (see 1).

I don't know if siteminder allows to get limited to a certain vhost. If you need to solve the issue only by the means of httpd features and using dispatcher, you could setup a chain of webservers/proxies; in the first step you rewrite the path from short urls ("/en.html") to long urls ("/content/tenant1/en.html") and then forward it to a second instance; there the same vhosts exist as well, but in that httpd instance you configure the siteminder as well. Then siteminder only sees "long" URLs and can handle appropriatly.

Jörg

Views

1.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
Related Conversations
Droits utilisateurs depuis Admin console : utilisateurs n'apparaissent pas dans AEM

Views

12

Likes

0

Replies

0
Feasible Way to Share Token Across All Publishers in AEM as a Cloud Service?

Views

89

Likes

0

Replies

3
Content transfer from AEM on-prem to 3rd party tool like azure

Views

63

Likes

0

Replies

1
Error cloneing the aem-guides-wknd repository

Views

67

Likes

0

Replies

1
Monitoring Copy-Paste Operations in AEM Toolbar

Views

126

Likes

0

Replies

2