Subject: RE: [saml-dev] SAML and Siteminder question


Title: RE: [saml-dev] SAML and Siteminder question

Yes, it is certainly _possible_. We do it now for one of our clients in a commercial application running under Windows NT/IIS 6 (so I can't give you the source code ;), and SiteMinder supports SAML 1.0 beginning with version 5.X or so.  Version 6.X has considerably better SAML support, however, FWIW.

In our case we hand-coded a generic SAML-based SSO to work with any SAML provider, including SiteMinder, without running any agents on the server. At least for SAML 1.x, using the "browser artifact" profile you'll find in the protocol docs, this is not terribly difficult code to write.  What I can tell you about SiteMinder in particular is that it does take a great deal of configuration on the SiteMinder side to get it to generate SAML assertions and the associated artifacts you need to get things going, and the folks who run your SiteMinder installation would have quite a bit of work to do, which in your case sounds like something you may have a tough time convincing them to take on unless they already have SAML enabled and running on their system.  Getting the _first_ SAML process going on SiteMinder is very expensive (it requires web servers and storage on the SiteMinder side); once that infrastructure is in place, it is easy to add additional protected resources that generate SAML assertions.

I would ask your SM admin if they already have Federated Services installed and running in their SiteMinder installation, and are already using it to do SAML with any other service providers.  If so, with a little code you can get things going.  If not, forget it... The $8K for the agent is much cheaper than getting a full-blown SAML setup going, if it's not already there.


-----Original Message-----
From: Nathan Given [mailto:nathan.given.lists@gmail.com]
Sent: Friday, September 09, 2005 7:59 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] SAML and Siteminder question

Hello All,

Disclaimer: I'm a newbie at all of this so please forgive me if I use the wrong language or don't describe things well.  Also, I'm not sure if this is the right place to post this... right now I just don't know where else to turn.

Short Summary:

My university uses Siteminder for their Single Sign-On solution.  I built a webapp for the university, and now the university IT people are telling me it is going to cost $8,000 to install an agent on the machine so that it will meet the SSO guidelines.

I don't have $8,000 and I was wondering if there was an open source/free way to get SSO to work.


Long Story:

Brigham Young University, BYU, has an intranet called "Route Y".
Students log in with their username and password, they get some cookies (including an SMSESSION cookie), and then they are on the protected part of the site.

Well, the portal of the protected part of the site contains a bunch of links, and the IT people would like to include the Bookexchange that I wrote in the list of links.

However, the bookexchange is running on a different server, and the IT people said that in order to get the link, it needs to follow the SSO requirements.  They then told me it would cost $8,000 to have an engineer come over and install an agent on the machine.

I told them I didn't have that money.  They told me that if I could figure out how to decrypt the SMSESSION cookie on my own then that would be fine.  You see, the bookexchange is running within the same domain as Route Y, and I have access to the SMSESSION cookie.  But I don't know how to decrypt it (I'm using ColdFusion).

I searched Google for "decrypt siteminder cookie" and I stumbled across SAML.  However, my brain hurts and I'm having a tough time wrapping my arms around all of this.

Is it possible to use SAML to get SSO to work with Siteminder?  Is there anyone that has implemented something like this?  Is there a "HOWTO" document somewhere?  (My problem right now is that I'm not a siteminder expert or a SAML expert, so the documents I do read don't make much sense to me because they assume I know about siteminder and/or saml).

Thanks!
--
Nathan

PS: Here is my server information:

Windows 2000 Server
IIS
Coldfusion 6.1

---------------------------------------------------------------------
To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org
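The agentless SAML 1.x browser/artifact exchange that the reply at the top of this message describes, worked through as an added example; this is not code from either poster, from OASIS, or from SiteMinder, and it is Python rather than ColdFusion. It stands in for both sides in one process: a "source site" (the role SiteMinder's Federated Services would play) that mints a type-1 artifact (type code 0x0001, a 20-byte SHA-1 SourceID, a 20-byte assertion handle) after login, and a "destination site" (the book exchange) that receives `SAMLart` and `TARGET`, sends a `samlp:Request` carrying `AssertionArtifact` to the source's artifact receiver, and then checks the returned assertion itself. The source URI, audience URL, two-minute artifact lifetime, subject name and the in-process `resolve()` call (in a real deployment a SOAP POST over HTTPS, typically with client authentication between the two sites) are all constructed assumptions, and XML signature verification of the response is left out, so treat this as the skeleton of the protocol rather than a drop-in relying party.

```python
import base64, hashlib, secrets
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
CM_ARTIFACT = "urn:oasis:names:tc:SAML:1.0:cm:artifact"
for prefix, ns in (("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, ns)
ARTIFACT_LIFETIME = timedelta(minutes=2)  # assumed value; the profile only requires artifacts to be short-lived

def _now(): return datetime.now(timezone.utc)
def _ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _hdr(kind):
    """Attributes shared by SAML 1.1 Assertion, Request and Response elements."""
    return {"MajorVersion": "1", "MinorVersion": "1", kind + "ID": "_" + secrets.token_hex(16),
            "IssueInstant": _ts(_now())}

def split_artifact(saml_art):
    """Type-1 artifact: TypeCode 0x0001 || SourceID (20 bytes) || AssertionHandle (20 bytes), base64-encoded."""
    raw = base64.b64decode(saml_art)
    if len(raw) != 42 or raw[:2] != b"\x00\x01":
        raise ValueError("unsupported artifact type")
    return raw[2:22], raw[22:]

class SourceSite:
    """Stand-in for the SiteMinder side: mints artifacts and answers resolution requests (no XML-DSig here)."""
    def __init__(self, source_uri, audience):
        self.issuer, self.audience = source_uri, audience
        self.source_id = hashlib.sha1(source_uri.encode()).digest()  # the 20-byte SourceID
        self._pending = {}  # AssertionHandle -> (assertion, expiry); every entry is single-use

    def issue_artifact(self, subject):
        """After the user authenticates: build the assertion, park it, hand back the artifact for the redirect."""
        now = _now()
        a = ET.Element(f"{{{SAML}}}Assertion", dict(_hdr("Assertion"), Issuer=self.issuer))
        cond = ET.SubElement(a, f"{{{SAML}}}Conditions", {"NotBefore": _ts(now - timedelta(seconds=30)),
                                                          "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
        arc = ET.SubElement(cond, f"{{{SAML}}}AudienceRestrictionCondition")
        ET.SubElement(arc, f"{{{SAML}}}Audience").text = self.audience
        stmt = ET.SubElement(a, f"{{{SAML}}}AuthenticationStatement", {
            "AuthenticationMethod": "urn:oasis:names:tc:SAML:1.0:am:password", "AuthenticationInstant": _ts(now)})
        subj = ET.SubElement(stmt, f"{{{SAML}}}Subject")
        ET.SubElement(subj, f"{{{SAML}}}NameIdentifier").text = subject
        sc = ET.SubElement(subj, f"{{{SAML}}}SubjectConfirmation")
        ET.SubElement(sc, f"{{{SAML}}}ConfirmationMethod").text = CM_ARTIFACT
        handle = secrets.token_bytes(20)
        self._pending[handle] = (a, now + ARTIFACT_LIFETIME)
        return base64.b64encode(b"\x00\x01" + self.source_id + handle).decode()

    def resolve(self, request_xml):
        """Artifact receiver: samlp:Request with AssertionArtifact -> samlp:Response carrying the Assertion."""
        req = ET.fromstring(request_xml)
        resp = ET.Element(f"{{{SAMLP}}}Response", dict(_hdr("Response"), InResponseTo=req.get("RequestID")))
        code = ET.SubElement(ET.SubElement(resp, f"{{{SAMLP}}}Status"), f"{{{SAMLP}}}StatusCode", Value="samlp:Success")
        for art in req.findall(f"{{{SAMLP}}}AssertionArtifact"):
            try:
                source_id, handle = split_artifact(art.text)
                # pop, not get: a replayed (or stolen and reused) artifact resolves to nothing the second time
                entry = self._pending.pop(handle, None) if source_id == self.source_id else None
            except ValueError:
                entry = None
            if entry is None or entry[1] < _now():
                code.set("Value", "samlp:Requester")
            else:
                resp.append(entry[0])
        return ET.tostring(resp)

class DestinationSite:
    """The relying party (the book exchange): no agent, just artifact resolution plus its own checks."""
    def __init__(self, audience, sources):
        self.audience = audience
        self.sources = {s.source_id: s for s in sources}  # SourceID -> artifact receiver (normally a URL table)

    def consume(self, saml_art, target):
        """Handle ?SAMLart=...&TARGET=...; returns (subject, target) for the caller to start a local session."""
        source_id, _ = split_artifact(saml_art)
        if source_id not in self.sources:
            raise ValueError("unknown SourceID")
        req = ET.Element(f"{{{SAMLP}}}Request", _hdr("Request"))
        ET.SubElement(req, f"{{{SAMLP}}}AssertionArtifact").text = saml_art
        # In a deployment this is a SOAP POST over HTTPS to the source's artifact receiver; in-process here.
        resp = ET.fromstring(self.sources[source_id].resolve(ET.tostring(req)))
        status = resp.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode").get("Value")
        a = resp.find(f"{{{SAML}}}Assertion")
        if resp.get("InResponseTo") != req.get("RequestID") or status != "samlp:Success" or a is None:
            raise ValueError("source site did not return an assertion for our request")
        return self._validate(a), target

    def _validate(self, a):
        """Checks the destination must make even after a successful resolution: window, audience, method."""
        cond = a.find(f"{{{SAML}}}Conditions")
        if not _parse(cond.get("NotBefore")) <= _now() < _parse(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if self.audience not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
            raise ValueError("assertion was not issued for this site")
        subj = a.find(f"{{{SAML}}}AuthenticationStatement/{{{SAML}}}Subject")
        if subj.findtext(f"{{{SAML}}}SubjectConfirmation/{{{SAML}}}ConfirmationMethod") != CM_ARTIFACT:
            raise ValueError("unexpected subject confirmation method")
        return subj.findtext(f"{{{SAML}}}NameIdentifier")
```

A run looks like `sso = SourceSite("https://sso.example.edu/siteminder", "https://books.example.edu/")`, `books = DestinationSite("https://books.example.edu/", [sso])`, `art = sso.issue_artifact("alice")`, then `books.consume(art, "/bookexchange/")`, which returns `("alice", "/bookexchange/")`; presenting the same artifact a second time fails at the source, and an artifact resolved by a site whose audience is not the one in the assertion fails at `_validate`. The two things the destination cannot delegate are the audience check (an assertion issued for another service provider must not log a user into this one) and the validity window; the single-use handle on the source side is what keeps a leaked artifact from being replayed.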
