Basic SAML 2.0 Partnership

One way to get started with Federation Manager is by configuring a partnership. This chapter describes how to set up a basic SAML 2.0 federation partnership: single sign-on using the SAML 2.0 POST profile. By starting with a basic configuration, you can complete the fewest steps needed to see how Federation Manager works.

Note: This partnership focuses on SAML 2.0; however, the overall process is the same for SAML 1.1. The configuration settings at each step of the partnership can differ depending on the SAML protocol.

The chapter also describes the configuration of additional features, such as digital signing and single logout, to reflect a real production environment. You can also add the Artifact binding to the configuration.

The sample network used in this chapter presupposes that Federation Manager is installed at both sites in the partnership. However, you can have Federation Manager at one site and a different SAML-compliant product at the other site and still engage in a partnership.

With Federation Manager at both sites, you have to understand the perspective from which you are configuring a partnership. To configure a complete partnership, you define a partnership definition at each site, one for each direction of communication from a given site. For example, if the local site is the Identity Provider (IdP), you configure the local IdP-to-remote SP partnership. This configuration is one partnership definition. To complete the partnership configuration, you configure the reciprocal local SP-to-remote IdP partnership at the SP site.

The partnership definition always distinguishes the local and remote entities. The local entity is the entity at the site from which you are configuring Federation Manager. It is not necessarily the same system on which Federation Manager is installed, but it is in the same domain. The remote entity is the entity at a partner that resides in a different domain from the one in which you are configuring Federation Manager.

The following process shows the steps for creating the basic Federation Manager partnership when Federation Manager is at both sites:

  1. Establish a user directory connection.
  2. Create the local and remote entities.
  3. Configure the local IdP-to-SP partnership definition at the IdP site.
  4. Configure the local SP-to-IdP partnership definition at the SP site.
  5. Activate the partnership.
  6. Test the partnership.

Copyright © 2010 CA. All rights reserved.