[OpenAM] Integration of CA Identity Manager with OpenAM

Jari Ahonen jah at progress.com
Tue May 1 13:46:00 BST 2012

Hi Nick,

We have implemented SSO between OpenAM and CA SiteMinder and that took some custom development to get working as we wanted. The SiteMinder integration code that ships with OpenAM had some notable shortcomings in our deployment scenario (in other words it didn't work) so we decided to do some significant changes to the code.

To me it seems Identity Manager is quite a different thing than SiteMinder so I'm not sure how relevant the SiteMinder integration code might be with Identity Manager. From a quick glance at the document you linked to it would seem that the role of SiteMinder when used together with Identity Manager is somewhat analogous to having an OpenAM agent on the servlet container that runs Identity Manager. This is not really the same thing as integrating SiteMinder and OpenAM together as a cross-platform SSO system.
- Jari

-----Original Message-----
From: openam-bounces at forgerock.org [mailto:openam-bounces at forgerock.org] On Behalf Of Nick Belaevski
Sent: Sunday, April 29, 2012 1:09 AM
To: openam at forgerock.org
Subject: [OpenAM] Integration of CA Identity Manager with OpenAM

Hello all,

Does anybody have experience of integrating CA Identity Manager with 
OpenAM? To be sure about the context, below is the concrete explanation 
of what I am looking for. CA IdM has some advanced features that are 
available only when CA IdM is integrated with CA SiteMinder. And the 
goal is to provide such level of integration between IdM and OpenAM, 
that those features are supported, but without SiteMinder being used.

The list of advanced features:

- Advanced Authentication
- Access Roles and Tasks
- Directory Mapping
- Advanced Password Policies
- Skins for Different Sets of Users
- Locale Preferences for a Localized Environment

Detailed information is available in the CA IdM implementation guide: 

The most important features that we need are: Advanced Authentication 
and Advanced Password Policies in the first place; Access Roles and 
Tasks in the second.

Talking about integration efforts, here is my vision:

1) Advanced Authentication feature is pretty basic and involves 
enablement of SSO by developing an authentication module for IdM that will 
translate the OpenAM token into something that IdM understands. There is an 
example of such a module for SiteMinder in the OpenAM distribution. 
Hopefully, the IdM module won't be much more complicated.

2) Advanced Password Policies feature can be tricky. IdM uses a 
proprietary (AFAIK undocumented) format for the password field that includes 
not only password information, but additional data, such as passwords 
previously used and password expiration criteria. As the type of the password 
field is specified as binary in the CA documentation, I see this as an 
additional risk.

For this feature, it would be good to have the capability of managing those 
policies via the existing IdM UI.

3) Access Roles and Tasks feature. After discussion with local CA gurus, 
it appears that development of an IdM authorization policy store based on 
OpenAM entitlements would be the most straightforward way. But right 
now, this area is a complete terra incognita for me.

Thanks for reading this letter! Looking forward to any advice, thoughts and 
experience sharing (even negative experience) you could provide on the 
topic of CA IdM + OpenAM.

P.S. More information about CA IdM (both user guides and API docs) is 
available at 

Best regards,
   Nick Belaevski
