A SiteMinder Agent is a software component that resides with the Web server or application server hosting the resource to be protected. It communicates with the Policy Server to enforce policies for user access to generic resources. There are several types of Agents that can be used with SiteMinder:
Web Agent
- The Web Agent intercepts all requests for resources (URLs) and determines whether SiteMinder protects the resource. If not, the request is passed through to the Web server for regular processing.
- The Web Agent interacts with the Policy Server to authenticate the user, and to determine if access to the specific resource should be allowed.
- The Web Agent also passes to the application (through the Web server) a “Response” that allows page content to be personalized to the needs and entitlements of each user.
- The Web Agent can also pass information to the Web application and redirect the user to specific Web pages with custom error messages.
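The request flow in the list above, as an added example: a simplified Python model, not SiteMinder code and not the Agent API. `PolicyServer`, `WebAgent`, `Realm`, the URL paths, the users and the response names are all hypothetical and constructed for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

def kdf(password: str) -> bytes:
    # Fixed salt only because this is a constructed demo user store.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000)

@dataclass
class Realm:                      # hypothetical protected-resource policy
    prefix: str                   # URL prefix the policy covers
    groups: set                   # groups allowed to access it
    responses: dict = field(default_factory=dict)  # attributes passed to the app

class PolicyServer:               # hypothetical stub, not the real Policy Server
    def __init__(self, realms, users):
        self.realms, self.users = realms, users

    def is_protected(self, url):
        hits = [r for r in self.realms if url.startswith(r.prefix)]
        return max(hits, key=lambda r: len(r.prefix)) if hits else None

    def authenticate(self, user, password):
        rec = self.users.get(user)
        return bool(rec) and hmac.compare_digest(rec["hash"], kdf(password))

    def authorize(self, user, realm):
        return bool(self.users[user]["groups"] & realm.groups)

class WebAgent:
    def __init__(self, policy_server, login_page, denied_page):
        self.ps, self.login_page, self.denied_page = policy_server, login_page, denied_page

    def handle(self, url, creds=None):
        realm = self.ps.is_protected(url)
        if realm is None:
            return ("PASS", url, {})                  # unprotected: regular processing
        if not creds or not self.ps.authenticate(*creds):
            return ("REDIRECT", self.login_page, {})  # no valid identity: fail closed
        if not self.ps.authorize(creds[0], realm):
            return ("REDIRECT", self.denied_page, {}) # custom error page
        return ("ALLOW", url, dict(realm.responses, USER=creds[0]))

# Constructed sample policy and users.
PS = PolicyServer(
    realms=[Realm("/hr/", {"hr"}, {"ROLE": "hr-staff"})],
    users={"alice": {"hash": kdf("correct horse"), "groups": {"hr"}},
           "bob": {"hash": kdf("battery staple"), "groups": {"sales"}}},
)
AGENT = WebAgent(PS, "/login.html", "/denied.html")
```

The order of checks matters: authorization is only evaluated for an authenticated user, and every failure on a protected URL ends in a redirect rather than a pass-through.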
Application Server Agent
- Application Server Agents provide more fine-grained access control for objects such as Servlets, JSPs and EJBs.
- The SiteMinder Application Server Agent (ASA) is a set of servlets that communicates with the SiteMinder Policy Server via the SiteMinder Agent API.
- These Agents are designed to protect resources hosted in an application server, such as servlets, JavaServer Pages, and EJB components.
- The SiteMinder Application Server Agent protects resources on Java application servers that follow the Java 2 Enterprise Edition standard. These resources can be Java servlets, JavaServer Pages (JSPs), and Enterprise JavaBeans (EJBs).
- When a user requests a resource from an application server, the Agent intercepts the request and determines whether the resource is protected by SiteMinder.
- The SiteMinder Application Server Agent consists of two components:
  - Java Servlet Agent: a collection of servlets that communicates with the Policy Server via the SiteMinder Agent API.
  - EJB Agent: a component that integrates with the application server and communicates with the Policy Server like the servlet Agent. The EJB Agent protects only EJBs.
- In the absence of an Application Server Agent, you can use a Web Agent to protect application server resources; however, the Application Server Agent can protect resources at a more fine-grained level than a Web Agent.
Differences Between SiteMinder Web Agents and Application Server Agents:
| SiteMinder Web Agent for HTTP Server | SiteMinder Application Server Agent for Application Servers |
| --- | --- |
| Will not protect WAS directly | Protects WAS directly |
| No support for WebSphere SSO | Bi-directional support for WebSphere SSO |
| No protection for EJB container and Web container | SiteMinder AppServer Agent protects WebSphere Web container and EJB container |
| No integration with WebSphere Application Server | Integrates with WebSphere Application Server Security Mechanism |
| Supportability is easy | Supporting WebSphere Application Server Agent is difficult when compared to the Web Agent |
| Security integration is loosely coupled between Web Server and Application Server | Provides tight security integration for WebSphere Application Server |
| Provides advanced authentication mechanisms: form based, certificate based, RSA token authentication, etc. | Provides basic authentication scheme only; needs another Web Server with SiteMinder Web Agent for advanced authentication schemes |
| No audit/logs are generated for WebSphere Application Server. Logs are generated only at IBM HTTP Server | Audit/logs are generated at WebSphere Application Server level |
| Easy to troubleshoot | Support and troubleshooting need a higher level of experience with SiteMinder Application Server Agent and WebSphere Application Server |
| No need to restart Application Server when changes are made to SiteMinder Web Agent; the Web Server needs a restart | Application Server needs a restart when changes are made to the SiteMinder Application Server Agent |
Custom agents together with the SiteMinder Policy Server can provide access control for a wide range of resources that extend beyond Web resources. The Agent API provided by SiteMinder enables creation of a custom Agent that can implement security for any type of resource.
A SiteMinder Affiliate Agent provides a seamless connection from a main portal to an affiliate site without requiring users to re-identify themselves or provide additional information about themselves. The affiliate site can determine that the user has been registered at the main portal and, optionally, that the user has an active SiteMinder session. Based on policies configured at the portal for the affiliate, information can be passed to the affiliate and set as cookies or header variables for applications at the affiliate Web server.
- Web Agents are SiteMinder Agents that operate with Web servers.
- Affiliate Agents are used for the Federation Security Services solution. Federation Security Services enables businesses to share security information across multiple domains.
- The EJB Agent and the Servlet Agent come under Application Server Agents, which secure WebLogic and WebSphere application server resources. The Application Server Agent integrates SiteMinder with the J2EE platform.
- The RADIUS (Remote Authentication Dial-In User Service) Agent is used for Network Access Control.
- The SiteMinder Web Agent is used for Web Access Control.