| Siteminder Settings > Basic Settings tab |
|
Policy Server
|
Specifies the name or IP address of the SiteMinder policy
server.
|
Enter a name or IP address.
|
Backup Server(s)
|
Specifies a list of backup policy servers (optional).
|
Enter a comma-delimited list of backup policy servers
(optional).
|
Failover Mode?
|
Allows the Secure Access device to use the main policy
server unless it fails.
|
- Select Yes—Secure Access device uses the main policy server unless it fails.
- Select No—Secure Access device load balances among all the specified policy servers.
|
Agent Name
|
Specifies the SiteMinder agent name.
|
Enter an agent name.
Note:
Shared secret and agent name are case-sensitive.
|
Secret
|
Specifies the shared secret.
|
Enter a shared secret name.
Note:
Shared secret and agent name are case-sensitive.
|
Compatible with
|
Specifies a SiteMinder server version. Version 5.5 supports versions 5.5 and
6.0 of the SiteMinder server API. Version 6.0 supports only version 6.0.
The default value is 5.5 policy servers.
|
Select the server version from the drop-down list.
|
On logout, redirect to
|
Specifies a URL to which users are redirected when they
sign out of the Secure Access device (optional). If you leave this
field empty, users see the default Secure Access device sign-in page.
|
Enter a URL.
|
Protected Resource
|
Specifies a default protected resource. If you do not
create sign-in policies for SiteMinder, the Secure Access device uses
this default URL to set the user’s protection level for the
session. The Secure Access device also uses this default URL if you
select the Automatic Sign-In option.
|
Enter a URL.
Note:
You must enter a forward slash (/) at the beginning of
the resource (for example, enter “/ive-authentication”).
|
| Siteminder Settings > SMSESSION cookie settings tab |
Cookie Domain
|
Specifies the cookie domain of the Secure Access device.
|
Enter a URL for the cookie domain.
- Multiple domains should use a leading period and be comma
separated. For example: .sales.myorg.com, .marketing.myorg.com.
- Domain names are case-sensitive.
- You cannot use wildcard characters.
For example, if you define “.juniper.net”, the user must access the Secure Access device as “http://secure access device.juniper.net” to
ensure that the user’s SMSESSION cookie is sent back to the Secure Access
device.
|
IVE Cookie Domain
|
Specifies the internet domain(s) to which the Secure
Access device sends the SMSESSION cookie using the same guidelines
outlined for the Cookie Domain field.
|
Enter a URL.
|
Protocol
|
Specifies whether cookies are sent securely or non-securely.
|
Select the protocol from the drop-down list:
- HTTPS—Sends cookies securely if other Web agents are set up to accept secure cookies.
- HTTP—Sends cookies non-securely.
|
| Siteminder Settings > Authentication tab |
|
Automatic Sign-In
|
Allows users with a
valid SMSESSION to automatically sign in
to the Secure Access device.
|
Select the Automatic Sign-In option to enable this feature.
|
Automatic Sign In realm to use
|
Specifies an authentication realm for automatically signed-in
users. The Secure Access device maps the user to a role based on the
role mapping rules defined in the selected realm.
|
Select an authentication realm from the drop-down list.
|
If Automatic Sign In fails, redirect to
|
Specifies an alternate URL for users who sign into the
Secure Access device through the Automatic Sign-In mechanism. The
Secure Access device redirects users to the specified URL if the Secure
Access device fails to authenticate and no redirect response is received
from the SiteMinder policy server. If you leave this field empty,
users are prompted to sign back in to the Secure Access device.
Note:
Users who sign in through the sign-in page are always
redirected back to the Secure Access device sign-in page if authentication
fails.
|
Enter a URL.
|
Authentication Type
> Custom Agent
|
Authenticates using
the Secure Access device custom Web agent.
|
Select the Custom Agent option from the Authentication Type drop-down
list (Siteminder Settings > Authentication > Authentication Type > Custom Agent).
|
Authentication Type
> Form POST
|
Posts user credentials
to a standard Web agent that you have already configured rather than
contacting the SiteMinder policy server directly.
|
Select the Form POST option from the Authentication Type drop-down list
(Siteminder Settings > Authentication > Authentication Type > Form POST) to allow the Web agent to contact the policy server
to determine the appropriate sign-in page to display to the user.
|
Form POST Target
|
Specifies the target
URL.
Note:
The Form POST Target, Form POST Protocol, Form POST Webagent,
Form POST Port, Form POST Path, and Form POST Parameters fields are
displayed only when you select the Form POST option from the Authentication Type
drop-down list.
|
Enter the target URL.
|
Form POST Protocol
|
Allows you to specify
the protocol for communication between IVE and the specified Web agent.
Note:
This field is displayed only when you select the Form POST option from the Authentication Type drop-down
list.
|
Select the protocol
from the drop-down list:
- HTTP—For non secure communication.
- HTTPS—For secure communication.
|
Form POST Webagent
|
Specifies the name of
the Web agent from which the Secure Access device is to obtain SMSESSION
cookies.
Note:
This field is displayed only when you select the Form POST option from the Authentication Type drop-down
list.
|
Enter the name of the
web agent.
|
Form POST Port
|
Specifies the port for
the protocol.
Note:
This field is displayed only when you select the Form POST option from the Authentication Type drop-down
list.
|
Enter port 80 for HTTP or port 443 for
HTTPS.
|
Form POST Path
|
Specifies the path of
the sign-in page.
Note:
This field is displayed only when you select the Form POST option from the Authentication Type drop-down
list.
|
Enter the path of the
Web agent’s sign-in page.
Note:
The path must start with a forward slash (/) character. In
the Web agent sign-in page URL, the path appears after the Web agent.
|
Form POST Parameters
|
Specifies the post parameters
to be sent when a user signs in.
Note:
This field is displayed only when you select the Form POST option from the Authentication Type drop-down
list.
|
Enter the post parameters.
Common SiteMinder variables that you can use include __USER__, __PASS__, and
__TARGET__. These variables are replaced
by the username and password entered by the user on the Web agent’s
sign-in page and by the value specified in the Target field. These
are the default parameters for login.fcc; if you have made customizations,
you may need to change these parameters.
|
Authentication Type
> Delegate to a Standard Agent
|
Delegates authentication
to a standard agent. When the user accesses the Secure Access device
sign-in page, the Secure Access device determines the FCC URL associated
with the protected resource’s authentication scheme. The Secure
Access device redirects the user to that URL, setting the Secure Access
device sign-in URL as the target. After successfully authenticating
with the standard agent, an SMSESSION cookie is set in the user’s
browser and the user is redirected back to the Secure Access device.
The Secure Access device then automatically signs in the user and
establishes a Secure Access session.
|
Select Siteminder Settings > Authentication > Authentication Type > Delegate
to a Standard Agent option from the Authentication Type
drop-down list.
|
| Siteminder Settings > Authorization tab |
|
Authorize requests against SiteMinder policy server
|
Uses SiteMinder policy server rules to authorize user
Web resource requests. If you select this option, make sure that you
create the appropriate rules in SiteMinder that start with the server
name followed by a forward slash, such as: "www.yahoo.com/", "www.yahoo.com/*", and "www.yahoo.com/r/f1".
|
Select Siteminder Settings > Authorization > Authorize requests against SiteMinder policy server.
|
If authorization fails, redirect to
|
Specifies an alternative URL that users are redirected
to if the Secure Access device fails to authorize and no redirect
response is received from the SiteMinder policy server. If you leave
this field empty, users are prompted to sign back in to the Secure
Access device.
Note:
If you are using an authorization-only access policy,
you must enter an alternative URL in this field regardless of whether
the Authorize requests against SiteMinder policy server option is selected. Users are redirected to this URL when an access
denied error occurs. See “Defining authorization-only access
policies.”
|
Enter a URL.
|
Resource for insufficient protection level
|
Specifies a resource on the Web agent to which the Secure
Access device redirects users when they do not have the appropriate
permissions.
|
Enter a URL.
|
Ignore authorization for files with extensions
|
Specifies file extensions corresponding to file types
that do not require authorization.
|
Enter the extensions of each file type that you want
to ignore, separating each with a comma. For example, enter .gif, .jpeg, .jpg, .bmp to ignore various image types.
You cannot use wildcard characters (such as *, *.*, or .*) to ignore
a range of file types.
|
| Server Catalog > Expressions tab |
Name
|
Specifies a name for the user expression in the SiteMinder
user directory.
|
Enter a name.
|
Value
|
Specifies a value for the user expression in the SiteMinder
user directory.
|
Enter a value.
|
| Server Catalog > Attributes tab |
Name
|
Specifies the name of the user attribute cookie in the
SiteMinder user directory.
|
Enter a name.
|
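
The field rules stated in this table (leading slash on the Protected Resource and Form POST Path, Cookie Domain format, port per protocol, no wildcards in ignored extensions) can be checked before the values are entered. The following is an added example, not Juniper or SiteMinder code; the dictionary keys, the function names, and the sample values are assumptions made for illustration.

```python
# Added example: pre-flight checks for the field rules stated in the table above.
# The dict keys are hypothetical names for this sketch, not a device export format.

def split_list(value):
    """Split a comma-delimited field into trimmed, non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]

def host_in_cookie_domain(host, domains):
    """Case-sensitive match, following the note that domain names are case-sensitive."""
    return any(host.endswith(d) if d.startswith(".") else host == d for d in domains)

def lint(settings):
    findings = []
    for key in ("protected_resource", "form_post_path"):
        value = settings.get(key)
        if value is not None and not value.startswith("/"):
            findings.append(f"{key}: must begin with a forward slash (/)")
    domains = split_list(settings.get("cookie_domain", ""))
    for d in domains:
        if "*" in d:
            findings.append(f"cookie_domain: wildcard not allowed in {d!r}")
        elif len(domains) > 1 and not d.startswith("."):
            findings.append(f"cookie_domain: {d!r} needs a leading period")
    host = settings.get("device_hostname")
    if host and domains and not host_in_cookie_domain(host, domains):
        findings.append(f"cookie_domain: {host!r} is outside every listed domain")
    if settings.get("cookie_protocol") == "HTTP":
        findings.append("cookie_protocol: SMSESSION cookie is sent non-securely")
    proto, port = settings.get("form_post_protocol"), settings.get("form_post_port")
    if proto == "HTTP":
        findings.append("form_post_protocol: communication with the Web agent is non-secure")
    if proto and port is not None and port != {"HTTP": 80, "HTTPS": 443}.get(proto):
        findings.append(f"form_post_port: {port} does not match {proto}")
    for ext in split_list(settings.get("ignore_extensions", "")):
        if "*" in ext:
            findings.append(f"ignore_extensions: wildcard not allowed in {ext!r}")
    return findings

# Constructed sample values, not taken from any real deployment.
SAMPLE = {
    "protected_resource": "ive-authentication",
    "cookie_domain": ".sales.myorg.com, marketing.myorg.com, *.myorg.com",
    "device_hostname": "vpn.sales.myorg.com",
    "cookie_protocol": "HTTP",
    "form_post_protocol": "HTTPS", "form_post_port": 80,
    "form_post_path": "/forms/login.fcc",
    "ignore_extensions": ".gif, .jpeg, *.*",
}
```

Calling lint(SAMPLE) returns one finding per rule the constructed values break; a settings dictionary that follows every rule in the table returns an empty list.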