A relatively new offering from CA is the SiteMinder Agent for SharePoint 2010. I’ve had the “privilege” of working with this product, and while I’m impressed with its integration and what it does, be warned: you will need some patience and to be well versed in working on multiple web platforms.
I say this because the installation and configuration is a mashup of vanilla Apache, Tomcat, multiple different SSL tools, some proprietary CA configurations (that are not yet well documented), and all of the usual SharePoint tools (IIS/PowerShell/claims-based authentication).
From my own experience with SiteMinder, it is very much a Unix-targeted product. As such, it is not surprising that it relies on Unix’s web server heavy hitters, Apache and Tomcat. Tomcat is capable of running as an independent web server, or can have traffic routed to it from another web server such as Apache. In the case of the SiteMinder Agent, it is doing double duty, as it uses both modes.
For this reason, if you are a SharePoint administrator seeking to implement the SiteMinder agent, it’s time to get very familiar with these technologies as well. Important things to pay attention to if you are a straight IIS admin:
1) Configuration files are case sensitive. If in doubt, copy and paste your paths.
2) Paths may either require forward slashes where backslashes are usually used in Windows, or they may need to be escaped backslashes. This depends on which configuration file you’re editing, so pay attention.
3) Get comfortable with a command prompt and Notepad (I highly suggest choosing PowerShell over the vanilla command prompt for autocomplete goodness).
We decided to implement SSL, which doubled our complexity. Additional skills needed here:
1) Familiarity with the openssl command line tools. These will handle your certificates for the SiteMinder Apache httpd server.
2) Familiarity with Java’s keytool. This will handle your certificates for the Tomcat server.
3) Windows certificates, and SharePoint’s Trust store.
4) A good understanding of SSL/TLS, the handshake and client authentication for troubleshooting.
Quick note about #3: any SSL service that SharePoint is going to connect to must have the destination’s SSL certificate (or its CA) added to the SharePoint trust store. SharePoint does not use the Windows certificate store to trust remote servers. But you’ll still need to be comfortable working with the Windows certificate store in order to install SSL certificates and grant your IIS apps access to them; those certificates are how your servers identify themselves to remote machines. Why they moved the trust store within SharePoint while still requiring knowledge of the Windows certificate store for its own identification is beyond me.
Quick note about #4: out of the box, one of the services that comes with the Agent for SharePoint requires client SSL authentication. That is, any server (WFE) attempting to connect to the agent must submit its own SSL certificate, and the agent must trust it and complete the handshake with it. You can turn this off on the agent side, but it is an added level of security to prevent unauthorized access to your directory of users.
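The trust-store step above, as an added PowerShell example that is not from CA’s or Microsoft’s documentation: it pulls the certificate the agent’s HTTPS endpoint presents, saves a copy, registers it as a SharePoint trusted root authority, and then reads it back to confirm. The host name, port and authority name are placeholders for your environment; run it in an elevated shell on a WFE with the SharePoint snap-in available.

```powershell
# Added example: put the certificate presented by the SiteMinder agent's HTTPS
# endpoint into SharePoint's own trust store (not the Windows store).
# $AgentHost, $AgentPort and $AuthName are placeholders for your environment.
param(
    [string]$AgentHost = 'siteminder-agent.example.com',
    [int]$AgentPort    = 443,
    [string]$AuthName  = 'SiteMinder Agent for SharePoint'
)

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Open a TLS session only to retrieve the server certificate. The validation
# callback returns $true so the handshake completes for retrieval purposes;
# it does not trust anything on its own.
$tcp = New-Object System.Net.Sockets.TcpClient($AgentHost, $AgentPort)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false, { param($s, $cert, $chain, $errors) $true })
$ssl.AuthenticateAsClient($AgentHost)
$remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$tcp.Close()

# Keep a DER copy for the change record and for the Tomcat/keytool side.
$cerPath = Join-Path $env:TEMP ("{0}.cer" -f $AgentHost)
[System.IO.File]::WriteAllBytes($cerPath, $remote.Export('Cert'))
Write-Host ("Retrieved {0} (thumbprint {1}), saved to {2}" -f $remote.Subject, $remote.Thumbprint, $cerPath)

# Register once; re-running the script must not create duplicates.
$existing = Get-SPTrustedRootAuthority -Identity $AuthName -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    New-SPTrustedRootAuthority -Name $AuthName -Certificate $remote | Out-Null
}

# Read it back from the farm and compare thumbprints, so a stale entry
# (e.g. after the agent's certificate was renewed) is caught here, not later.
$trusted = Get-SPTrustedRootAuthority -Identity $AuthName
if ($trusted.Certificate.Thumbprint -ne $remote.Thumbprint) {
    Write-Warning ("Trust store holds thumbprint {0}, agent now presents {1}; remove and re-add '{2}'." -f
        $trusted.Certificate.Thumbprint, $remote.Thumbprint, $AuthName)
} else {
    Write-Host ("'{0}' is registered with the thumbprint the agent currently presents." -f $AuthName)
}
```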
At the end of the day, the CA SiteMinder Agent for SharePoint 2010 is not a small undertaking, so be sure you are familiar with the tools that will need to be used.