Authentication and Authorization Services

CA SiteMinder

SiteMinder is the new Web Access Management system used by the University of Illinois. This system provides the following Identity and Access Management functions:

  • Authentication (AuthN): Authentication, or logon, is the process by which users are challenged to prove their credentials to the system or application they are trying to access. This process can be as simple as providing a user ID and password, or it can use multi-factor authentication, such as certificates in addition to a user ID and password.
  • Authorization (AuthZ): Authorization is the process of ensuring that authenticated users have the right privileges (the minimum amount of access required to carry out their assigned duties) to access University resources. SiteMinder may leverage the following methods for authorization: LDAP/AD groups, different user stores and user attributes (data about users).
  • Single Sign-On (SSO): SSO is the process by which users are challenged to authenticate once and access multiple applications and systems without being challenged again during the same session.
  • Multi-factor Authentication: This process is the combination of more than one type of authentication. This type of authentication may include something you know combined with something you have. For instance, the something you know is your user ID/password and the something you have is a certificate or a code stored on your device. Although this feature is available in SiteMinder, it will not be used until later stages of the IAM project.
  • Federation: In the simplest terms, federation is the ability to leverage users' credentials from other institutions to access resources protected by SiteMinder and/or leverage University of Illinois credentials to access external resources. Currently the University of Illinois uses Shibboleth for federation, which will be integrated with SiteMinder authentication.

SITEMINDER INSTALLATION PROCESS
Required Items to Request an Agent Installation

To request a web agent installation, you will need to provide the following information:

  1. Name of department requesting the installation
  2. IP addresses of the server(s) being protected
  3. Host Name(s) of the servers
  4. URL(s) being protected
  5. Operating system of the web/application server being protected. Give the specific version of Windows, Linux, or UNIX, and specify whether it is 32-bit or 64-bit.
  6. Type of Web/Application server (Apache, Tomcat, IIS, etc.)

How to Request Agent Installation
To request an agent installation over the web, go to http://web.uillinois.edu/iam/siteminder/siteminder_requests.

To request an agent installation over email, send an email to siteminder@uillinois.edu. Please include the required items listed in the section above (Department, Server IP Addresses, OS Platform, etc.).

How Applications Use SiteMinder
When an application is protected by a SiteMinder agent, it will require the user to authenticate before accessing the protected application. SiteMinder will also identify the authenticated user to the protected application. This identification occurs by providing HTTP headers that can be read by the protected application.

The following is a list of standard headers that will be provided to all protected applications, as well as a supplemental list of headers that can be provided upon request to legacy Bluestem applications.
Standard HTTP Headers

  • SM_USER: jsmith
  • SM_USERDN: uid=jsmith,ou=Production, ou=People, dc=uillinois, dc=edu
  • DISPLAY_NAME1: John Smith
  • DISPLAY_NAME2: Smith, John
  • UIN: 111111111
  • LAST_NAME: Smith
  • FIRST_NAME: John
  • REMOTE_USER: jsmith

Supplemental Bluestem HTTP Headers (Available upon request)

  • BLUESTEM_ID: jsmith
  • BLUESTEM_USER: jsmith
  • DOMAIN: illinois.edu
  • AUTH_METHOD: AD
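
As an added example (not AITS or CA code), this is one way a protected Python application could turn the standard headers above into an identity object, rejecting the request when a required header is missing or when SM_USER, SM_USERDN and REMOTE_USER disagree. The function and class names are hypothetical, the user ID and UIN patterns are assumptions based on the sample values, and the code assumes the web server only passes these headers after the SiteMinder agent has set them.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional

REQUIRED = ("SM_USER", "SM_USERDN", "UIN")     # header names as listed on this page
USER_RE = re.compile(r"[a-z][a-z0-9_-]{0,31}")  # assumed user ID shape, not from the page
UIN_RE = re.compile(r"\d{9}")                   # assumed: nine digits, like the sample UIN

class IdentityError(Exception):
    """The agent-supplied headers are missing, malformed or inconsistent."""

@dataclass(frozen=True)
class Identity:
    user: str
    dn: str
    uin: str
    display_name: Optional[str]

def uid_from_dn(dn: str) -> Optional[str]:
    """Return the uid value of the first RDN, e.g. 'uid=jsmith,ou=...' -> 'jsmith'."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return value.strip() if attr.strip().lower() == "uid" and value.strip() else None

def identity_from_headers(headers: Mapping[str, str]) -> Identity:
    """Build an Identity from the headers, failing closed on any inconsistency."""
    h = {name.upper(): value.strip() for name, value in headers.items()}
    missing = [name for name in REQUIRED if not h.get(name)]
    if missing:
        raise IdentityError("missing headers: " + ", ".join(missing))
    user = h["SM_USER"]
    if not USER_RE.fullmatch(user):
        raise IdentityError("SM_USER has an unexpected format")
    if not UIN_RE.fullmatch(h["UIN"]):
        raise IdentityError("UIN has an unexpected format")
    if uid_from_dn(h["SM_USERDN"]) != user:
        raise IdentityError("SM_USERDN uid does not match SM_USER")
    if "REMOTE_USER" in h and h["REMOTE_USER"] != user:
        raise IdentityError("REMOTE_USER does not match SM_USER")
    return Identity(user, h["SM_USERDN"], h["UIN"], h.get("DISPLAY_NAME1"))

# Constructed request headers, using the sample values shown on this page.
SAMPLE = {
    "SM_USER": "jsmith",
    "SM_USERDN": "uid=jsmith,ou=Production, ou=People, dc=uillinois, dc=edu",
    "UIN": "111111111", "DISPLAY_NAME1": "John Smith", "REMOTE_USER": "jsmith",
}
```

How the header values reach the application (for example as CGI or WSGI variables) depends on the web server and framework, so the function takes a plain name-to-value mapping.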

For access problems, questions, or comments, contact the AITS Help Desk at 217-333-3102 (Urbana/Springfield) or 312-996-4806 (Chicago). You can also e-mail the AITS Service Desk at servicedeskaits@uillinois.edu.

Hours of Availability

This service is available to customers 24/7, excluding planned outages, maintenance windows and unavoidable events. Maintenance windows are used only when needed for planned changes that have gone through the AITS Change Control Process. In addition to the standard AITS maintenance windows, site-specific and service-specific changes may be coordinated with customers at non-standard times.

Standard maintenance windows are defined as:

  • 6 a.m. to 12 p.m. each Sunday, when application usage is at its lowest
  • After 5 p.m. every Tuesday and Thursday, unless business needs require a change during business hours
  • The second Wednesday of the month from 5 p.m. to 8 p.m. for patching Microsoft servers
  • 6 a.m. to 6 p.m. three Sundays a year for routine Solaris and Linux maintenance

Customer Responsibilities

  • Submit an appropriate work request or template to gain access to SiteMinder
  • Deploy and learn the SiteMinder service definition, messages, and APIs
  • Obtain access to the University’s ESB infrastructure
  • Develop and test applications that invoke SiteMinder
  • Participate in SiteMinder testing and maintenance events as needed

How Do We Charge?

This service is offered through the Work Request and ITPC Project request processes. For more information on requesting work or submitting a project, please see the ITPC Project Submissions page on the ITPC website. Currently, AITS does not charge for this service.