SiteMinder Services

The Connected Services BC SiteMinder Service is a centralized, policy-driven enterprise solution that provides Single Sign-On (SSO) for thousands of B.C. government-managed web applications hosted both on-premises and in the cloud.

Service overview

Web access management ensures secure access to an organization’s applications and content published online. This involves:

• Authentication – Verifying the user’s identity
• Authorization – Confirming the user is permitted to access the content
• Content Restriction – Limiting visibility of sensitive information outside the organization

The current solution uses Broadcom’s SiteMinder Web Access Management in conjunction with internally developed Common Logon Pages (CLP). It also restricts content through SiteMinder Agents and federation protocols such as SAML.

How SiteMinder works

SiteMinder Policy Servers

Policy Servers are the central “brain” of Broadcom’s SiteMinder, acting as the Policy Decision Point (PDP). They:

• Handle authentication, authorization, and enforce security policies
• Communicate with SiteMinder Agents (Policy Enforcement Points)
• Access user data from directories like LDAP
• Support multiple authentication methods (passwords, tokens)
• Maintain session information for SSO
• Log security events

Core functions include:

• Centralized policy management
• Authentication and authorization
• Policy enforcement
• Session management (SSO)
• Policy store and key store

SiteMinder Federation Services

Federation Services enable secure, seamless access across organizations using protocols like SAML 1.x and 2.0. They allow users to log in once and access multiple federated and SiteMinder Web Agent protected applications. They: 

• Support internal enterprise and external partner integrations
• Use components such as the Secure Proxy Server (SPS) as a federation gateway

SiteMinder Web Agents

Web Agents are security modules installed on web servers that:

• Intercept user requests for web resources
• Communicate with Policy Servers to enforce security policies
• Authenticate and authorize users before granting access
• Pass user attributes (e.g., name, GUID, group membership) via HTTP headers for personalized SSO

Reverse Proxy for SiteMinder

The Reverse Proxy hosts SiteMinder Web Agents for hundreds of B.C. government applications. It acts as an intermediary between client browsers and backend servers, forwarding requests and responses securely.

Common Logon Pages (CLP)

CLP collects credentials when authentication is required and:

• Redirects users to an HTML form for username and password
• Validates credentials via SiteMinder Policy Server
• Supports IDIR and BCeID LDAP directories
• Handles special conditions (e.g., password expired)

Integrated Windows Authentication (NTLM Quiet Logon) provides seamless login for IDIR users already authenticated on B.C. government devices.

SiteMinder and MFA

SiteMinder does not natively support MFA. Instead, it integrates with Microsoft Entra to provide MFA for IDIR and guest accounts via SAML federation.

Note: BCeID does not currently support MFA.

Authentication flow

1. Web Agent intercepts request for a protected resource
2. SiteMinder redirects user to Microsoft Entra for authentication
3. If no Entra token exists, user logs in and completes MFA
4. Entra sends a SAML assertion to SiteMinder Federation Service
5. SiteMinder authorizes user and generates HTTP headers
6. User is redirected back to the original application

Ministries using SiteMinder

How to order

SiteMinder Services can be ordered through My Service Centre.

• For SiteMinder services, use the Plan Web Access Management form
• For Entra integrations, use the Identity Management Professional Services form