Source: CoreBlox Blog

Single Sign-On Between SiteMinder 12.8 & ForgeRock 6.5

This blog post describes how to integrate SiteMinder and ForgeRock. Bi-directional single sign-on between SiteMinder and ForgeRock is achieved, so that both environments can co-exist during migration. Medium to large businesses will find the ability for these two solutions to co-exist very useful. It reduces the burden on application and operations teams, providing flexibility during the application migration timeline, and it has the least impact on end users.

Solution Description

A request with a valid SiteMinder session to the ForgeRock environment results in the automatic creation of a ForgeRock session. Conversely, if the request comes to the ForgeRock environment first, a post-authentication plugin creates a SiteMinder session using a custom Authentication Scheme provided by ForgeRock. This Authentication Scheme uses the standard interfaces provided by SiteMinder. Hence, the ForgeRock-provided plugins ensure seamless single sign-on between the two environments. In fact, the end user doesn't really know which environment they are in.

Solution Components

• ForgeRock Access Management 6.5.2
• ForgeRock Identity Gateway 6.5.1
• CA Single Sign-On / SiteMinder Policy Server 12.80
• CA Single Sign-On SDK 12.80

Solution Overview

In the SiteMinder environment:
• ForgeRock Authentication Scheme: used by SiteMinder to validate the ForgeRock OpenAM token
• Sync App: a SiteMinder-protected resource used to receive the ForgeRock SSO token

In the ForgeRock environment:
• SiteMinder Authentication Module: used by OpenAM to verify the SiteMinder session
• Post Authentication Plugin: sends the OpenAM SSO token to SiteMinder upon successful authentication

User requests access to the FR-protected application first:
1. IG intercepts the request and redirects the browser to AM for authentication.
2. AM authenticates the user and creates an FR SSO token.
3. Post authentication, AM sends the FR SSO token to SiteMinder.
4. SiteMinder creates an SMSESSION cookie if the FR SSO token is valid.
5. SiteMinder sends the SMSESSION cookie back to AM.
6. AM sends both the FR and SM cookies back to the user.

User requests access to the SM-protected application first:
1. SM creates an SM SSO token and sends it back to the user.
2. The user requests access to the FR-protected application.
3. The SM Auth Module configured in the AM authentication chain detects the presence of an SMSESSION cookie.
4. The SM Auth Module validates the SMSESSION cookie with SiteMinder using the standard SM API.
5. If the SMSESSION cookie is valid, authentication completes and AM creates an FR SSO token.
6. AM sends both the FR and SM cookies back to the user.

Conclusion

This blog post describes the technical details of co-existence between SiteMinder and ForgeRock. This type of solution can help make your IAM modernization journey seamless. It supports the latest ForgeRock AM version 6.5. Let CoreBlox help catapult your business to the next generation of IAM platforms.
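To make the two flows above concrete, here is an added example (not CoreBlox, ForgeRock or Broadcom code) that models both environments in Python: a `SiteMinder` object standing in for the Policy Server, the ForgeRock Authentication Scheme and the Sync App, and a `ForgeRockAM` object standing in for AM, the SM Auth Module and the Post Authentication Plugin. Session tokens are constructed HMAC-signed strings rather than real SMSESSION or AM tokens, the user store is constructed, and the choices that an invalid SMSESSION is simply ignored (falling back to credential login) and that AM fails closed when the Sync App rejects the FR token are assumptions, not something the post states. The point it shows is that in either direction a session on one side is minted only after the other side has validated the presented token, so a tampered cookie yields no session on either side.

```python
import hashlib
import hmac
import secrets

# Constructed signing keys; each real product has its own key material.
FR_KEY = b"constructed-forgerock-signing-key"
SM_KEY = b"constructed-siteminder-signing-key"
FR_COOKIE = "iPlanetDirectoryPro"  # AM's default SSO cookie name
SM_COOKIE = "SMSESSION"


def _mint(key, user):
    """Constructed stand-in for a session token: user.nonce.hmac."""
    nonce = secrets.token_hex(8)
    sig = hmac.new(key, f"{user}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user}.{nonce}.{sig}"


def _verify(key, token):
    """Return the user named in the token if its HMAC checks out, else None."""
    try:
        user, nonce, sig = token.rsplit(".", 2)
    except ValueError:
        return None
    expected = hmac.new(key, f"{user}.{nonce}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(sig, expected) else None


class SiteMinder:
    """Policy Server + ForgeRock Authentication Scheme + Sync App (modelled)."""

    def __init__(self, users):
        self.users = users
        self.am = None  # wired after construction; each side calls the other

    def login(self, user, password):
        """Direct SM login (second flow, step 1): returns an SMSESSION value."""
        if self.users.get(user) != password:
            return None
        return _mint(SM_KEY, user)

    def validate_smsession(self, cookie):
        """Standard SM session check, as called by AM's SM Auth Module."""
        return _verify(SM_KEY, cookie)

    def sync_app(self, fr_token):
        """Sync App: the ForgeRock Authentication Scheme validates the FR token
        with AM and SM issues an SMSESSION only if it is valid (first flow, steps 3-5)."""
        user = self.am.validate_token(fr_token)
        return _mint(SM_KEY, user) if user else None


class ForgeRockAM:
    """AM 6.5 + SM Auth Module + Post Authentication Plugin (modelled)."""

    def __init__(self, users):
        self.users = users
        self.sm = None

    def validate_token(self, token):
        return _verify(FR_KEY, token)

    def login(self, cookies, user=None, password=None):
        """Authentication chain: SM Auth Module first, then credential login.
        Returns the cookie set sent back to the browser, or None."""
        if SM_COOKIE in cookies:
            sm_user = self.sm.validate_smsession(cookies[SM_COOKIE])
            if sm_user:  # second flow: a valid SMSESSION completes authentication
                return {FR_COOKIE: _mint(FR_KEY, sm_user), SM_COOKIE: cookies[SM_COOKIE]}
            # assumption: an invalid SMSESSION is ignored, never trusted
        if user is None or self.users.get(user) != password:
            return None
        fr_token = _mint(FR_KEY, user)
        # Post Authentication Plugin (first flow): push the FR token to the Sync App
        sm_cookie = self.sm.sync_app(fr_token)
        if sm_cookie is None:
            return None  # assumption: fail closed if SM rejects the token
        return {FR_COOKIE: fr_token, SM_COOKIE: sm_cookie}


def build_env():
    """Wire the two modelled environments together over a constructed user store."""
    users = {"alice": "pw-a", "bob": "pw-b"}
    sm, am = SiteMinder(users), ForgeRockAM(users)
    sm.am, am.sm = am, sm
    return am, sm


if __name__ == "__main__":
    am, sm = build_env()
    print("FR first:", am.login({}, "alice", "pw-a"))
    print("SM first:", am.login({SM_COOKIE: sm.login("bob", "pw-b")}))
```

Running the block prints the cookie pair produced by each flow. The two `_verify` calls are where a real deployment's security lives: AM must reject an SMSESSION that SiteMinder does not vouch for, and SiteMinder's Sync App must reject an FR token that AM does not vouch for, otherwise one environment becomes a way to mint sessions in the other.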
