none
Integrating CA Siteminder with Reporting Services 2008 R2

    Question

  • Hello there,

    For the past few days I have been searching for a way to integrate Reporting Services 2008 R2 with CA Siteminder. The results were not promising as SSRS 2008 doesn't use IIS anymore and CA Siteminder needs IIS for its ISAPI filters.

    I have found two possible scenarios in which it might work but not a lot of details about them:

    1. Integrate Reporting Services with Sharepoint and manage the CA Siteminder authentication through Siteminder. 

    2. Write a custom extension for Reporting Services and manage the Siteminder authentication through it.

    My question is, has any of you managed to integrate Siteminder with Reporting Services 2008? If so, can you give me some details about the process? 

    Thank you very much,

    Razvan


    Tuesday, March 20, 2012 10:50 AM

Answers

  • Razvan,

    I have integrated both SSRS 2005 and 2008 with CA SiteMinder. Both times I used option #2 that you listed. The custom security extension was easy to setup, just use the sample provided on CodePlex: http://msftrsprodsamples.codeplex.com/ and follow the help provided in this MSDN section: http://msdn.microsoft.com/en-us/library/ms155029.aspx. 

    The way that I made it all work together was to use the SiteMinder header variables as the "SSRS Roles" that are assigned to a given user. This variable was a multi-value variable that the code in the custom security extension would receive/parse and then pass as a new SSRS authentication cookie into SSRS. From there you can use the regular security built into SSRS on each report object so that users will only see the folders/reports that they are authorized to see. 

    I don't know if this solution will work in 2012 or not, but I do know that I had to re-code this solution when we upgraded from 2005 to 2008R2 because of the changes to SSRS. Not sure if there are enough change in 2012 that the same will need to be done there as well.

    I would love to provide you the code for this solution, but unfortunately I no longer work at the company I developed this solution at.



    Convert DTS to SSIS | Document SSIS | 30+ SSIS Tasks | Real-time SSIS Monitoring | Quick Starts | BI Blitz

    Wednesday, March 21, 2012 6:25 PM

All replies

  • Razvan,

    I have integrated both SSRS 2005 and 2008 with CA SiteMinder. Both times I used option #2 that you listed. The custom security extension was easy to setup, just use the sample provided on CodePlex: http://msftrsprodsamples.codeplex.com/ and follow the help provided in this MSDN section: http://msdn.microsoft.com/en-us/library/ms155029.aspx. 

    The way that I made it all work together was to use the SiteMinder header variables as the "SSRS Roles" that are assigned to a given user. This variable was a multi-value variable that the code in the custom security extension would receive/parse and then pass as a new SSRS authentication cookie into SSRS. From there you can use the regular security built into SSRS on each report object so that users will only see the folders/reports that they are authorized to see. 

    I don't know if this solution will work in 2012 or not, but I do know that I had to re-code this solution when we upgraded from 2005 to 2008R2 because of the changes to SSRS. Not sure if there are enough change in 2012 that the same will need to be done there as well.

    I would love to provide you the code for this solution, but unfortunately I no longer work at the company I developed this solution at.



    Convert DTS to SSIS | Document SSIS | 30+ SSIS Tasks | Real-time SSIS Monitoring | Quick Starts | BI Blitz

    Wednesday, March 21, 2012 6:25 PM
  • Hello Steve!

    Thank you for your quick reply. After giving me the above details, I must say that the second option does sound much easier and less time consuming than adding another layer to the solution (that is Sharepoint). If I do have one or two more questions, may I come back to you?

    Again, many thanks, marked as answer and upvoted!

    Wednesday, March 21, 2012 6:44 PM
  • Razvan,

    Glad to help, feel free to post any new questions and I will answer them the best that I can. 

    Steve



    Convert DTS to SSIS | Document SSIS | 30+ SSIS Tasks | Real-time SSIS Monitoring | Quick Starts | BI Blitz

    Wednesday, March 21, 2012 6:59 PM
  • Hi Razvan,

    Were you ever successful with implementing Siteminder on top of SSRS 2008?  I am being tasked with a similar project and would love some insight.

    Regards,

    Josh

    Wednesday, September 12, 2012 6:52 PM
  • Steve,

    I realize this post is a bit dated, but still very relevant with many of us...  With regards to SiteMinder integration with SSRS 2008R2, beyond simply checking for a valid SMSESSION token, how did you extract the "username"?  The SMSESSION token is encrypted, yet I understand that a SM_USER or similar value is embedded.

    To provide some background, I have a very common IIS box setup with SiteMinder.  There is an ASP.NET page that contains several SSRS report links.  I understand that I must implement the custom extension to recognize the SMSESSION token on SSRS--however, I don't have a clue on how to extract the UserName.  I suppose, I could whip up some encrypted value and hang it on the querystring on the report link and parse it with another extension...  but it would be subject to tampering.

    I'm probably thinking too hard and it's clouding common sense--but any tips or guidance would be appreciated Steve (or others)!!

    v/r

    BK

    Thursday, March 28, 2013 2:20 AM
  • BK,

    The way that we had it setup the SM_USER was passed in via the header, not embedded in the token. When it is in the header it will be in clear text, not sure if that is an issue for your setup or not, but since it was just the login we didn't care that it was passed in that way. We would also send in any of the roles that we had setup on the user via the headers as well, and then I could pass those through to SSRS and apply the same role names to the SSRS folders/reports to limit what each each user was able to see in SSRS. It turned out to be a pretty easy solution once we worked all of this out, it does require some custom work on both the SiteMinder and SSRS side to make it all work.

    Hope this helps!

    Steve



    Convert DTS to SSIS | Document SSIS | 30+ SSIS Tasks | Real-time SSIS Monitoring | Quick Starts | BI Blitz

    Thursday, March 28, 2013 1:24 PM
  • It does...  So, to summarize, upon access denied (if user direct links to a SSRS report), I go create an httpwebrequest to a protected area (let SiteMinder do its thing) on the primary site and grab theSMSESSION and SM_USER from the header.  If so, I'll work that angle.

    Thanks!
    BK

    Thursday, March 28, 2013 7:29 PM
  • Not totally sure about that particular setup, since I didn't have to worry about any re-directs or anything like that since SiteMinder was protecting the entire web region. Just passing on how I had it setup in the company I used to work for and I know that it worked there that way.

    Good luck

    Steve



    Convert DTS to SSIS | Document SSIS | 30+ SSIS Tasks | Real-time SSIS Monitoring | Quick Starts | BI Blitz

    Thursday, March 28, 2013 11:42 PM