Expand my Community achievements bar.

SOLVED

Siteminder AEM Webserver Integration

Avatar

Level 3

Hi all,

Ours is a multi-tenant application and only one tenant needs Siteminder protection for a few content hierarchies.

Installed the siteminder web agent and configured the dispatcher with required siteminder modules.

While the site protection happens for the required paths and login is also working as expected with the client's corporate user directory,I see 2 major issues

a)The siteminder agent is scanning ALL urls for all the tenants though the configuration is there in tenant-specific vhost.How can I restrict this to only one tenant's host?

b)We are using user-friendly URLs without having /content/tenant path but since the Siteminder agent processes an actual resource path,upon logging in the target url is changed to /content/tenant/<path of the protected resource>

Please note that the LDAP access to validate credentials is not in our application scope and is on client directory.

The Siteminder webagent installed on the dispatcher takes care of communicating with policy servers and authentication hosted in a different network outside the AEM cloud.(firewall ports have been opened which is managed entirely by the client's network team)

In case any one here experience these issues in your application,can you please let me know what has been done to resolve this or any other inputs?

Version using is AEM6.1 SP2

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

Hi,

Regarding 1: If I understood you right, the siteminder agent is scanning all requests coming into that Apache instance, not only the ones which are hitting the vhost the agent is configured in. That looks like an issue with the siteminder agent and should be solved on the siteminder side. I don't see a way how this can be solved on httpd or dispatcher side;

Regarding 2: Also I don't see a chance to handle this outside of the siteminder agent. If you were able to limit the agent to a single vhost, this doesn't seem to be a problem any more; but obviously this is not possible (see 1).

I don't know if siteminder allows to get limited to a certain vhost. If you need to solve the issue only by the means of httpd features and using dispatcher, you could setup a chain of webservers/proxies; in the first step you rewrite the path from short urls ("/en.html") to long urls ("/content/tenant1/en.html") and then forward it to a second instance; there the same vhosts exist as well, but in that httpd instance you configure the siteminder as well. Then siteminder only sees "long" URLs and can handle appropriatly.

Jörg

View solution in original post

1 Reply

Avatar

Correct answer by
Employee Advisor

Hi,

Regarding 1: If I understood you right, the siteminder agent is scanning all requests coming into that Apache instance, not only the ones which are hitting the vhost the agent is configured in. That looks like an issue with the siteminder agent and should be solved on the siteminder side. I don't see a way how this can be solved on httpd or dispatcher side;

Regarding 2: Also I don't see a chance to handle this outside of the siteminder agent. If you were able to limit the agent to a single vhost, this doesn't seem to be a problem any more; but obviously this is not possible (see 1).

I don't know if siteminder allows to get limited to a certain vhost. If you need to solve the issue only by the means of httpd features and using dispatcher, you could setup a chain of webservers/proxies; in the first step you rewrite the path from short urls ("/en.html") to long urls ("/content/tenant1/en.html") and then forward it to a second instance; there the same vhosts exist as well, but in that httpd instance you configure the siteminder as well. Then siteminder only sees "long" URLs and can handle appropriatly.

Jörg