SSO deployment architecture - 3 - 3.12

Data360 Analyze Server Help

Product type: Software
Portfolio: Verify
Product family: Data360
Product: Data360 Analyze
Version: 3.12
Language: English
Product name: Data360 Analyze
Title: Data360 Analyze Server Help
Copyright: 2023
First publish date: 2016

The recommended deployment architecture when integrating Data360 Analyze with CA Single Sign-On is as follows:

  • Data360 Analyze should be deployed on a machine that sits behind a firewall, which will control access to the application.
  • A SiteMinder Access Gateway (or SiteMinder Secure Proxy Server, if using an older version of SiteMinder) should be deployed in a DMZ, and firewall settings should restrict access to Data360 Analyze to the Gateway only.
  • Selecting Siteminder SSO as your Authentication Type (see Configuring external authentication) performs the necessary setup to allow Data360 Analyze to consume the SM_USER header.
  • It is recommended that you enable HTTPS access to Data360 Analyze (see Enabling HTTPS).

Note: Data360 Analyze has been developed and tested against CA Single Sign-On v12.6 using the SiteMinder Access Gateway method.

The following diagram shows the supported deployment architecture when integrating Data360 Analyze with CA Single Sign-On:

  1. User requests access to Data360 Analyze. Access is via the Gateway, for example, https://examplegateway.com.
  2. The Gateway checks for a user session based on any active cookies stored in the user's browser.
  3. If there is no active session, the Gateway requests the user's credentials and a login form is displayed to the user.
  4. The user enters their credentials and submits the form back to the Gateway.
  5. The Gateway sends an authentication request to the SiteMinder Policy Server.
  6. SiteMinder Policy Server communicates with the Policy Store to authenticate the user. Depending on the SiteMinder setup, it may be backed by a user directory, such as Active Directory.
  7. On completion of the authentication request, the Policy Server communicates back to the Access Gateway. If the user is not authenticated, the Gateway should prevent access to Data360 Analyze.
  8. If the user is authenticated, the Access Gateway requests the Data360 Analyze web application and passes the SM_USER header, which the Data360 Analyze application consumes. Depending on the configuration within Data360 Analyze, Data360 Analyze checks whether the user defined by the SM_USER header exists in the application.
     If the user does not exist, Data360 Analyze will create the user on demand and allow or deny access.
     If LDAP/AD integration is configured and the user does not exist in Data360 Analyze, Data360 Analyze will look up the user in LDAP/AD, then create the user on demand and allow access. If the user cannot be found in LDAP/AD, access is denied.
  9. If the user exists, access to Data360 Analyze is granted.
  10. Access to the Data360 Analyze application is served to the user.
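
The decision made in steps 8 and 9, modelled in Python as an added example (it is not Data360 Analyze or SiteMinder code). Because the SM_USER header is accepted as the user's identity, the example repeats the Gateway-only firewall rule as a source-address check before the header is read. The gateway address, the function name resolve_user and the create_on_demand flag are assumptions made for illustration.

```python
import ipaddress

# Constructed address standing in for the Access Gateway in the DMZ (assumption).
GATEWAY_ADDRS = {ipaddress.ip_address("10.0.1.10")}


def resolve_user(peer_ip, headers, local_users, ldap_users=None, create_on_demand=True):
    """Return (decision, user) for a request that reaches the backend.

    peer_ip: TCP source address of the connection, not a forwarded-for header.
    headers: request headers as a dict.
    local_users: set of users the application already knows (grows on create).
    ldap_users: set of directory users when LDAP/AD integration is on, else None.
    create_on_demand: hypothetical flag for the "allow or deny" outcome in step 8.
    """
    # Architecture rule: only the Gateway may reach the application, so only
    # the Gateway is allowed to assert an identity through SM_USER.
    try:
        if ipaddress.ip_address(peer_ip) not in GATEWAY_ADDRS:
            return ("deny", None)
    except ValueError:
        return ("deny", None)

    # HTTP header names are case-insensitive.
    user = next((v.strip() for k, v in headers.items() if k.lower() == "sm_user"), "")
    if not user:
        return ("deny", None)

    # Step 9: a known user is granted access.
    if user in local_users:
        return ("allow", user)

    # Step 8 with LDAP/AD integration: look the user up, then create on demand.
    if ldap_users is not None:
        if user not in ldap_users:
            return ("deny", None)
        local_users.add(user)
        return ("allow", user)

    # Step 8 without a directory: create on demand, then allow or deny.
    if create_on_demand:
        local_users.add(user)
        return ("allow", user)
    return ("deny", None)
```

A request arriving from any address other than the Gateway is denied regardless of the SM_USER value it carries, which is the property the firewall restriction provides.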

Applications can be integrated into CA Single Sign-On in a number of ways. Note that the following integration methods are not supported with Data360 Analyze:

  • Direct install of a SiteMinder WebAgent onto the Tomcat web container that is deployed during server installation.
  • Use of the SiteMinder SDK within Data360 Analyze, to directly integrate to a SiteMinder Policy Server.