RE: [saml-dev] SAML and Siteminder question

[<Michael.Mccormick@wellsfargo.com>]

Calling the SiteMinder API to decrypt smsession cookies would require
your IT folks give you a shared secret and configure your application to
act as a SiteMinder agent.  It would also weaken the overall security of
the university imho.  Don't go there.

It would be easier to just install the SiteMinder agent on your web
server yourself instead of paying your IT group $8K to do it for you.  A
SM agent is very easy to install, anyone with basic web server skills
can do it if you follow the instructions.  From a licensing perspective
there's usually no cost to add agents, but there is to add new users.

Michael McCormick
Lead Security Architect
"THESE OPINIONS ARE STRICTLY MY OWN AND NOT NECESSARILY THOSE OF WELLS
FARGO"
This message may contain confidential and/or privileged information.  If
you are not the addressee or authorized to receive this for the
addressee, you must not use, copy, disclose, or take any action based on
this message or any information herein.  If you have received this
message in error, please advise the sender immediately by reply e-mail
and delete this message.  Thank you for your cooperation.

-----Original Message-----
From: Nathan Given [mailto:nathan.given.lists@gmail.com] 
Sent: Friday, September 09, 2005 10:59 AM
To: saml-dev@lists.oasis-open.org
Subject: [saml-dev] SAML and Siteminder question

Hello All,

Disclaimer: I'm a newbie at all of this so please forgive me if I use
the wrong language or don't describe things well.  Also, I'm not sure if
this is the right place to post this... right now I just don't know
where else to turn.

Short Summary:

My university uses Siteminder for their Single Sign-On solution.  I
built a webapp for the university, and now the university IT people are
telling me it is going to cost $8,000 to install an agent on the machine
so that it will meet the SSO guidelines.

I don't have $8,000 and I was wondering if there was a open source/free
way to get SSO to work.


Long Story:

Brigham Young University, BYU, has an intranet called "Route Y". 
Students login with their username and password, they get some cookies
(including a SMSESSION cookie), and then they are on the protected part
of the site.

Well, the portal of the protected part of the site contains a bunch of
links, and the IT people would like to include the Bookexchange that I
wrote in the list of links.

However, the bookexchange is running on a different server, and the IT
people said that in order to get the link, it needs to follow the SSO
requirements.  They then told me it would cost $8,000 to have an
engineer come over and install an agent on the machine.

I told them I didn't have that money.  They told me that if I could
figure out how to decrypt the SMSESSION cookie on my own then that would
be fine.  You see, the bookexchange is running within the same domain as
route y, and I have access to the SMSESSION cookie.  But I don't know
how to decrypt it (I'm using ColdFusion).

I searched google, "decrypt siteminder cookie" and I stumbled across
SAML.  However, my brain hurts and I'm having a tough time wrapping my
arms around all of this.

Is it possible to use SAML to get SSO to work with Siteminder?  Is there
anyone that has implemented something like this?  Is there a "HOWTO"
document somewhere?  (My problem right now is that I'm not a siteminder
expert or a SAML expert, so the documents I do read don't make much
sense to me because they assume I know about siteminder and/or saml).

THanks!
--
Nathan

PS  Here is my server information:

Windows 2000 Server
IIS
Coldfusion 6.1

---------------------------------------------------------------------
To unsubscribe, e-mail: saml-dev-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: saml-dev-help@lists.oasis-open.org