SAML Configuration Example: SiteMinder
This configuration example illustrates how to configure SiteMinder version of R12 SP3 CR5 as an IdP for the Zscaler service. If you are using SiteMinder r12.0 SP2 or the initial release of r12.0 SP3 (prior to CR1), download and deploy an assertion generator plug-in (AGP).
There are 3 considerations for deploying Zscaler with SiteMinder:
- You may not be able to use the default SiteMinder SAML portal URL. A critical piece of information (RelayState) is dropped from the URL and the functionality fails. This is resolved by using the “Redirect script”.
- There is a bug in SiteMinder where it provides the multiple values Group data in an invalid format/syntax that Zscaler cannot use. This is resolved by using the latest release/patches from SiteMinder and a special formatting function that was introduced in the latest release/patches (see SiteMinder support link above).
- Zscaler expects a POST Binding which is not the default for SiteMinder.
Ensure that you have the following before you start configuring SiteMinder:
- Zscaler – SiteMinder redirect JSP
There are several versions of this script but they all have the basic function of redirecting the request and appending the “RelayState”. Some scripts also include more error handling but therefore may require more customization/changes to match the specific environment.
The simplest version of the JSP is:
<% String msg = (String)request.getParameter("RelayState"); String redirectURL = "http://original.example.com/affwebservices/public/saml2sso?SPID=staging.zcaler.saml2&ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST&RelayState="+msg; response.sendRedirect(redirectURL); %>
Ensure that this file is included in the WAR file so that it is included in any reboot/reload/restart.
- Original SiteMinder URL of the SAML portal to which users are sent for authentication.
- Edit the Zscaler provided redirect script. Replace the URL in the “redirectURL” attribute with the original URL from SiteMinder. Leave all the additional variables in the string.
“&RelayState=”+msg;”. String redirectURL = “http://securenet.example.com/affwebservices/public/ saml2sso?SPID=staging.<cloudname>. saml2&ProtocolBinding=urn:oasis:names:tc:SAML: 2.0:bindings:HTTP-POST&RelayState="+msg;
- Save the JSP file.
- Deploy this file to the company website where the current SAML SSO URL is hosted.
Configure the SiteMinder SAML Service Provider Properties
The service requires the user name (BSmith@zscaler.com), given name (Bill Smith) and member-of-Groups (Browsing-group1, Browsing-Group2). The AD attributes will be samaccountname or email, givenname and memberOf. The key to handling Groups is to use the FMATTR function (shown in the following figure).
Configuring the Zscaler Service
When you configure the Zscaler service, go to Administration > Authentication > Authentication Settings, click Configure SAML, and enter the redirection script in the SAML Portal URL field. The other attributes must match those defined in the SiteMinder Service Provider Properties.
Ensure that you add the redirected URL to the bypass list in the PAC files; otherwise, authentication will fail. This is due to the browser trying to reach the authentication URL via the Zscaler service but the current user is not yet authorized to use the service so the request never passes through the Zscaler node.
If (dnsDomainIs(host, "securenet.com") ) return "DIRECT";