How Siteminder Works ?

Web Server 12 If user is not authorized, the Web Site returns an Access Denied error 7 2 1 17 3 Web Agent 16 Web Site 6 8

Firewall

5 If page is not protected, the Web Agent allows the Web Site to process and return the page to the user

Policy Server 4 5 Site Minder 11 9 10 13 14 12

LDAP Server

Policy Info

15

User Info

Users Browser

1 User requests a web page 2 SiteMinder Web Agent intercepts the request 3 Web Agent asks the Policy Server Is Page Protected? 4 Policy Server checks for applicable Policy and Rule information 5 Protection information and Authentication method are returned. 6 Policy Server asks the Web Agent for the users credentials 7 Browser returns the credentials (e.g. user enters username/password) 8 Web Agent asks the Policy Server Is User Authenticated?

10 Credential information is returned and verified against credentials supplied 11 Policy Server checks the Policies and Rules to answer Is User Authorized? 12 Authorization information and Response requirements are returned 13 Policy Server polls user information to satisfy Response requirements 14 User data are returned 15 Policy Server tells Web Agent user is authorized and passes Response data 16 Web Agent allows Web Site to process users request and provides Response data 17 Web page is processed and returned to the user Note: Once the user is authenticated, steps 7-10 are not done

9 Policy Server checks the users credential against the one stored in LDAP server