Your Source for Help with Single-Sign-On Solutions
SSO across disparate SiteMinder policy-store environments requires the following:
1. Same Encryption Key on all policy servers.
2. Same Agent and Session Keys or, better yet, same keystore, on all policy servers.
3. Same User Directory SiteMinder object names and same User DNs in all policy stores.
This case concerns the “key” side of the question, which should be satisfied as follows:
- Policy Store encryption keys must be the same. These are set at installation.
- Agent keys should be rolled statically on all policy servers – or, if some policy stores are not configured for agent key rollover per smconsole, then at least on all those that are configured for rollover. Rollover is set through the “Enable Agent Key Generation” checkbox on smconsole for each policy server.
Using the SiteMinder Administrative UI’s “SiteMinder Key Management” dialog, accessed through the “Tools” menu’s “Manage Keys” option:
In the Agent Key tab, type in and confirm the same “Static Key” on all policy servers, and click “Rollover Now.” Ensure that “Use static Agent key” is checked at the top of this tab.
Subsequently, in the Session Ticket Key tab, enter an identical string in the “Session Ticket Key” and “Confirm” fields under “Specify a Session Ticket Key” – identical across all policy servers – and click the “Rollover Now” button.
Last updated by Chad Northrup Oct. 8, 2009.
© 2010 Created by Core Blox.