Introduction

SiteMinder is a platform for secure portal, extranet, and intranet management. It meets key authentication, authorization, and personalization requirements for building and managing secure Web sites. A SiteMinder installation consists of two main components: the SiteMinder Policy Server and the SiteMinder Agent. The Policy Server manages the access control policies established by an administrator. These policies define which resources are protected and which users or user groups are allowed access to resources. Using policies, an administrator can set time constraints on resource availability and IP address constraints on the client attempting access. The Policy Server runs on an NT or UNIX system and performs key security and portal management operations. To meet the security needs of each environment, the Policy Server supports a range of authentication methods and uses existing directory services to authenticate users. By supporting a wide range of authentication methods, the Policy Server provides flexibility and security for a diverse set of users. A SiteMinder Agent integrates with a Web server, a Web application server, or a custom application to enforce access control based on pre-defined policies.

Figure 1 illustrates a simple SiteMinder environment consisting of a single Policy Server and a single SiteMinder Web Agent.

Figure 1: SiteMinder system overview

In a Web implementation, a user requests a resource through a browser. The request is received by the Web server and intercepted by the SiteMinder Web Agent. The Web Agent determines whether the resource is protected and, if so, gathers the user’s credentials and passes them to the Policy Server. The Policy Server authenticates the user against the native user directories, then verifies whether the authenticated user is authorized for the requested resource based on the rules and policies held in the Policy Store. Once the user is authenticated and authorized, the Policy Server grants access to the protected resource and delivers the user's privilege and entitlement information.
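As an added illustration (not SiteMinder's own code or API), the following Python model walks through the flow just described: a policy store whose policies carry the resource, user-group, time-of-day and client-IP constraints mentioned above, the Web Agent's "is this resource protected?" check, and the Policy Server's authenticate-then-authorize decision. The user directory, policies and credentials are constructed sample data.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample directory standing in for the native user directory the
# Policy Server authenticates against (plaintext here only to keep the model short).
USER_DIRECTORY = {
    "alice": {"password": "correct horse", "groups": {"staff", "finance"}},
    "bob":   {"password": "hunter2",       "groups": {"staff"}},
}

@dataclass
class Policy:
    resource_prefix: str           # resources this policy protects
    allowed_groups: set            # user groups granted access
    hours: tuple = (0, 24)         # time constraint on resource availability
    networks: list = field(default_factory=lambda: ["0.0.0.0/0"])  # client IP constraint

# Constructed sample Policy Store.
POLICY_STORE = [
    Policy("/finance/", {"finance"}, hours=(8, 18), networks=["10.0.0.0/8"]),
    Policy("/intranet/", {"staff"}),
]

def find_policy(resource):
    """Web Agent step: return the policy protecting the resource, or None if unprotected."""
    return next((p for p in POLICY_STORE if resource.startswith(p.resource_prefix)), None)

def authenticate(user, password):
    """Policy Server step 1: check credentials against the directory (constant-time compare)."""
    entry = USER_DIRECTORY.get(user)
    return entry is not None and hmac.compare_digest(entry["password"], password)

def authorize(policy, user, client_ip, now):
    """Policy Server step 2: group membership, time window and client network must all hold."""
    groups = USER_DIRECTORY[user]["groups"]
    in_hours = policy.hours[0] <= now.hour < policy.hours[1]
    in_net = any(ip_address(client_ip) in ip_network(n) for n in policy.networks)
    return bool(groups & policy.allowed_groups) and in_hours and in_net

def handle_request(resource, user, password, client_ip, now):
    """End-to-end decision for one browser request, returning the agent's outcome."""
    policy = find_policy(resource)
    if policy is None:
        return "unprotected: served without credentials"
    if not authenticate(user, password):
        return "denied: authentication failed"
    if not authorize(policy, user, client_ip, now):
        return "denied: not authorized"
    entitlements = sorted(USER_DIRECTORY[user]["groups"] & policy.allowed_groups)
    return f"granted: entitlements={entitlements}"
```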

A failure in even a single step of this process could leave Web sites open to malicious attacks. It is therefore imperative that the SiteMinder environment be continuously monitored for security lapses. This is where eG Enterprise helps administrators.