SiteMinder Services

Changes to Federated Services for SiteMinder

As part of the OCIO’s continuous improvement to our SiteMinder service offerings, the OCIO is replacing the legacy Federated Services for SiteMinder service offerings with the new highly available SiteMinder Access Gateway (SmAG) service.

The new SmAG service is using the Global Load Balancing service to provide high availability and load balancing between the Calgary and Kamloops data centres.

At this time, clients who manage their own SiteMinder Web Agents will not be impacted by this change.

Clients who utilize the Web Access Management (WAM) Team’s Reverse Proxy Services for SiteMinder will be contacted as part of the Reverse Proxy Service for SiteMinder upgrade project.

Information

Client applications that use the SiteMinder Federated Services (SAML integration) will not require configuration changes to consume the new SiteMinder Access Gateway Federated Service; however, clients will be responsible for testing their applications after migration.

Clients will be asked to test and validate their applications in 3 stages.

  1. Test and validate application functionality in the current environment.
  2. Edit the local hosts file on the client computer to point to one of two IP addresses.  The addresses will be for the F5 load balancers that manage the traffic for the site in each data centre.
  3. Test and validate application functionality after the DNS change or go-live of the upgraded SmAG production service.

All SiteMinder Clients are strongly encouraged to test their web applications in their current state and will have approximately two weeks to test and validate prior to the DNS change performed by the WAM Team. SiteMinder Clients who manage their application DNS name space will be responsible for making the DNS change on the day of cutover using the local hosts file prior to the DNS change performed by the WAM Team.

The WAM Team will provide a conference bridge during migration change windows to answer questions and assist with unforeseen issues. Technical and conference bridge details will be posted on this site once confirmed.

Please note that the Test and Production environments are migrated separately.  Application migrations have been completed for the Test environment, with the Production migrations scheduled for early June 2022.

Clients will be contacted in May to begin testing their Federation integrations with the upgraded SiteMinder Federation service.

Full instructions for editing your local hosts file for testing can be found on the WAM team’s SMInfo site here.

Changes to Reverse Proxy for SiteMinder Services

The Reverse Proxy for SiteMinder Service was built to host SiteMinder agents for client sites and web applications.  This allows clients to use the OCIO’s SiteMinder service to provide coarse-grained authentication and authorization for their web applications without having to manage SiteMinder agents themselves.

As part of the SiteMinder service upgrade, the Reverse Proxy service is being migrated from the current Solaris 10 servers running Apache 2.2 to Red Hat servers running Apache 2.4.

The upgraded service will now support SNI (Server Name Indication) as well as load balancing between data centres.

The migration of client sites from the legacy Reverse Proxy service will require that the DNS for each site be updated to use a new GSLB (Global Load Balancer) CNAME record.  Clients will be contacted to test their sites. Full instructions will be available for testing sites using a local hosts file, as well as instructions for updating DNS for clients who manage their own DNS.

The WAM team will work with clients to schedule DNS changes after their sites have been tested and verified, and will work with clients to resolve issues as they arise.  Where possible, the WAM team will make the DNS changes on behalf of the client for their sites. For clients who manage their own DNS, the WAM team will supply the CNAME entry via email. Instructions for updating a DNS entry to a CNAME record can be found here.

Application owners will receive emails from the WAM team with details on the sites that our records indicate they own.  Those emails will include a link to the testing instructions for editing local hosts files and the details on what needs to be tested.

The WAM team performs basic connectivity testing before asking application owners to test, but we rely on application owners to thoroughly test their applications to ensure full functionality in the upgraded Reverse Proxy environment.