
I know SiteMinder does authentication. I have a scenario where, based on the user's associated groups, we need to direct the user to a specific site.

I have a.com, b.com, c.com. The user will be directed to one of these sites, based on the logged-in user's associated group.

I am suggesting that the team look for authorization software that can be integrated at the login SSO check, rather than doing this check on one of our default web application landing pages.

Any insights appreciated.

Thanks.

Sri
  • Simply put, for SSO authentication there's only one provider. But for authorization it depends. Authorization can be multi-level, e.g. you may want to implement resource based authorization which rather depends on the user-data than on a specific claim. A resource may look at different authorization providers, which means that claims don't have to be part of an access token. It's possible for the resource to request the authorization at an authorization provider when needed. –  Aug 25 '19 at 21:39
  • Also take a look at my answer [here](https://stackoverflow.com/questions/52079466/is-claims-based-authorization-appropriate-for-individual-resources/52100609#52100609). –  Aug 25 '19 at 21:40

1 Answer


There are ways SiteMinder (and other federation systems) can be extended to provide finer-grained authorization. In SiteMinder, you have the concept of ActivePolicy and ActiveRule which are handlers that can implement any kind of logic including calling out to an external authorization service. This is exactly what the Axiomatics Plugin for CA SSO does (disclaimer: I work at Axiomatics).

The plugin calls out from SiteMinder (CA SSO) to Axiomatics which is an attribute-based access control authorization engine. Axiomatics provides finer-grained decisions on more attributes than just the user identity.

Extend CA SSO with Axiomatics

David Brossard
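The group-to-site decision from the question, written as a standalone decision function that a login-time hook (such as the external authorization call-out the answer describes) could invoke. This is an added example, not part of the original posts and not SiteMinder or Axiomatics code; the group names, function names and the `^` delimiter are assumptions, and the group list is assumed to come from the SSO layer rather than from anything the browser can set.

```python
from typing import Iterable, List, Optional, Set

# Constructed policy: ordered, first match wins, so a user in several
# groups always lands on the same site. Group names are hypothetical.
GROUP_ROUTES = [
    ("finance", "https://a.com/"),
    ("engineering", "https://b.com/"),
    ("support", "https://c.com/"),
]


def parse_group_attribute(value: str, delimiter: str = "^") -> List[str]:
    """Split a multi-valued group attribute supplied by the SSO layer.

    The delimiter is an assumption; use whatever your SSO response uses.
    A comma is unsuitable because LDAP DNs contain commas.
    """
    return [part.strip() for part in value.split(delimiter) if part.strip()]


def normalize_groups(raw: Iterable[str]) -> Set[str]:
    """Reduce plain names or LDAP DNs (cn=finance,ou=...) to lowercase names."""
    names = set()
    for entry in raw:
        first_rdn = entry.strip().split(",", 1)[0]
        if "=" in first_rdn:
            attr, _, value = first_rdn.partition("=")
            if attr.strip().lower() != "cn":
                continue  # not a group entry we recognise
            first_rdn = value
        if first_rdn.strip():
            names.add(first_rdn.strip().lower())
    return names


def decide_site(groups: Iterable[str]) -> Optional[str]:
    """Return the landing URL, or None (deny by default) when no rule matches.

    Targets come only from GROUP_ROUTES, never from request parameters,
    so the decision cannot be turned into an open redirect.
    """
    member_of = normalize_groups(groups)
    for group, url in GROUP_ROUTES:
        if group in member_of:
            return url
    return None
```

A `None` result should lead to an access-denied page rather than a default site, so that users with no mapped group are not silently admitted somewhere.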