Vaibhav Tripathi

August 11, 2012

SiteMinder Web Agents and Application Server Agents

A SiteMinder Agent is a software component residing with the Web Server or Application Server hosting the resource to be protected and communicates with the Policy Server in order to enforce policies for user access to generic resources. There are several types of Agents that can be used with SiteMinder:

Web Agent

  • It intercepts all requests for resources (URLs), and determines whether SiteMinder protects a resource. If not, the request is passed through to the Web server for regular processing.
  • The Web Agent interacts with the Policy Server to authenticate the user, and to determine if access to the specific resource should be allowed.
  • The Web Agent also passes to the application (through the Web server) a “Response” that allows page content to be personalized to the needs and entitlements of each user.
  • The Web agent also passes any information to the web application and redirects the user to specific web pages with custom error messages.

Application Server Agent

  • Application Server Agents provide more fine-grained access control for objects such as Servlets, JSPs and EJBs.
  • SiteMinder Application Server Agents (ASA) is a set of servlets that communicate with the SiteMinder Policy Server via the SiteMinder Agent API.
  • These Agents are designed to protect resources hosted in an application server, such as servlets, JavaServer Pages, and EJB components.
  • The SiteMinder Application Server Agent protects resources on Java application servers that follow the Java 2 Enterprise Edition standard. These resources can be Java servlets, JavaServer Pages (JSPs), and Enterprise JavaBeans (EJBs).
  • When a user requests a resource from an application server, the Agent intercepts the request and determines whether the resource is protected by SiteMinder.
  • The SiteMinder Application Server Agent consists of two components:
    • Java Servlet Agent — a collection of servlets that communicates with the Policy Server via the SiteMinder Agent API.
    • EJB Agent — a component that integrates with the application server and communicates with the Policy Server like the servlet Agent. The EJB Agent protects only EJBs.
    • In the absence of an Application Server Agent, you can use a Web Agent to protect application server resources; however, the Application Server Agent can protect resources at a more fine-grained level than a Web Agent.

Differences Between SiteMinder Web Agents and Application Server Agents:

 SiteMinder Web Agent For HTTP Server                                                     SiteMinder Application Server Agent For Application Servers
Will not protect WAS directly Protects WAS directly
No support for WebSphere SSO Bi-directional support for WebSphere SSO
No protection for EJB container and Web container SiteMinder AppServer Agent protects WebSphere Web container and EJB container
No integration with WebSphere Application Server Integrates with WebSphere Application Server Security Mechanism
Supportability is easy Supporting WebSphere Application Server Agent is difficult when compared to the Web Agent
Security Integration is loosely coupled between Web Server and Application Server Provides tight security integration for WebSphere Application Server
Provides advanced Authentication mechanisms – Form based, Certificate based, RSA token authentication etc Provides basic Authentication scheme only
Provides advanced Authentication mechanisms – Form based, Certificate based, RSA token authentication etc Provides basic Authentication scheme only; Needs another Web Server with SiteMinder Web Agent for Advanced Authentication Schemes
No Audit/logs are generated for WebSphere Application Server. Logs are generated only at IBM HTTP Server Audit/Logs are generated at WebSphere Application Server level
Easy to troubleshoot Support and troubleshoot needs higher level of experience with SiteMinder Application Server Agent and WebSphere Application Server
No need to restart Application Server when changes are made to SiteMinder Web Agent; The Web Server needs a restart Application Server needs a restart when changes are made to the SiteMinder Application Server Agent

Custom Agents

Custom agents together with the SiteMinder Policy Server can provide access control for a wide range of resources that extend beyond Web resources. The Agent API provided by SiteMinder enables creation of a custom Agent that can implement security for any type of resource.

Affiliate Agents

A SiteMinder Affiliate Agent provides a seamless connection from a main portal to an affiliate site without requiring a user to re-identify or provide additional information about them. The affiliate site can determine that the user has been registered at the main portal, and optionally, that the user has an active SiteMinder session. Based on policies configured at the portal for the affiliate, information can be passed to the affiliate and set as cookies or header variables for applications at the affiliate Web server.


  1. Web Agents are SiteMinder Agents that operate with Web servers.
  2. Affiliate agents are used for Federation Security Services solution. Federation Security Services enables business to share security information across multiple domains.
  3. EJB agent and Servlet agent comes under Application server agents for securing WebLogic and WebSphere application server resources. The Application Server Agent integrates SiteMinder with the J2EE platform.
  4. RADIUS agent (Remote Authentication Dial-In User Service) is used for Network Access Control.
  5. Siteminder web agent is used for Web Access Control.
About these ads


  1. What are prequisites for Agent configuration? What are the objects required for agent configuration?

    Comment by chinna — September 14, 2012 @ 3:32 am | Reply

    • Before installing the Web Agent, you must have installed a Policy Server. Additionally, you must prepare and configure the Policy Server for the Web Agent Installation. To do this, you need to:
      1. Create a SiteMinder Administrator (optional)
      Note: The SiteMinder Super User has rights to install Web Agents, so you only need to perform this step if you want to create another user.
      2. Create a Host Configuration Object
      Edit the Host Configuration Object’s policyserver setting to configure it for a single or multiple policy servers.
      3. Create an Agent
      4. Create an Agent Configuration Object
      Edit the Agent Configuration Object to register the Agent name in either the DefaultAgentName or AgentName parameter.The Agent name must exactly match what is provided during ACO configuration.
      5. Create a web agent group (optional)

      Comment by Vaibhav — September 14, 2012 @ 4:42 pm | Reply

    • Thanks vaibhav..

      Comment by chinna — September 15, 2012 @ 4:55 pm | Reply

  2. how to move siteminder from one data center to another one, means bring back failover policy server in picture… how will you tackle replication between policy store ?

    Comment by chinna — September 15, 2012 @ 4:56 pm | Reply

  3. I’m new for IAM.

    Comment by chinna — September 15, 2012 @ 4:57 pm | Reply

  4. Hi Chinna,I have tried to answer your query in my new post.Please check

    Comment by Vaibhav — September 15, 2012 @ 7:35 pm | Reply

  5. Thanks vaibhav. i’m go through it . and get back to you

    Comment by chinna — September 16, 2012 @ 2:25 pm | Reply

  6. Hi vaibhav…i am new to siteminder…i have some basic doubts…how load balancing between multiple web agents happen….and can i install two or more web agents when i have multiple apache instances on single host…..hope u reply…thanks in advance.

    Comment by srujan — April 9, 2013 @ 7:40 pm | Reply

  7. for instance i have an application deployed in apache web server…and i have very heavy load which my web agent is unable to take…in this case can i install another apache and webagent on different physical server …..if i can install how to configure my sitminder in this case to protect my single application which resides on my first webserver…..if this case does not work then what i have to do to process huge number of requests….hope u understand my point….thanks in advance.

    Comment by srujan — April 9, 2013 @ 7:48 pm | Reply

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Create a free website or blog at


Get every new post delivered to your Inbox.

%d bloggers like this: