

Configure SAML 2.0 Support in Single Sign-On

The CA Performance Center administrator must set parameters for SAML authentication using the Single Sign-On Configuration Tool. Take these steps on all servers where a data source is installed whose users will authenticate using SAML 2.0.

Note: Multiple authentication schemes can be in use simultaneously. For example, users of a CA Network Flow Analysis data source can use LDAP to log in, while users of CA Infrastructure Management are using SAML 2.0.

Follow these steps:

  1. Log in to the server where CA Performance Center or a CA data source product is installed.

    Log in as root or with the 'sudo' command.

  2. Launch the Single Sign-On Configuration Tool by running the './SsoConfig' command in the following directory:

    [InstallationDirectory]/CA/PerformanceCenter

    You are prompted to select an option. The available options correspond to CA applications running on the local server.

  3. Use the following commands as needed while you are selecting settings:
  4. Enter the value that corresponds to the data source that you want to configure. For example, enter 1 to configure CA Performance Center.

    You are prompted to select an option.

  5. Enter 2 for SAML Authentication.

    You are prompted to specify the priority.

    The Priority parameter only applies to CA Performance Center.

  6. Enter one of the following options:
    1. Remote Value

    Refers to settings that only administrators can change. Such settings are propagated to all other CA products registered to this instance of CA Performance Center. Remote Value settings are only used if a corresponding Local Override value is not present.

    2. Local Override

    Refers to settings that can be changed for all products. If a Local Override value is present, it takes precedence over both the Remote Value and default settings.

    You are prompted to select a property to configure.

    To supply values for the SAML2 properties, enter u to update the value and then enter a new value.

  7. Enter 1 to select the 'Enable SAML2 Authentication' parameter.

    You are prompted to select an option.

  8. Enter u to change the value, and enter 1 to enable SAML 2.0 authentication.
  9. Enter 2 to set the 'Clone Default User Accounts' parameter.
    2. Clone Default User Accounts

    Defines the user account to which authorized SAML users are mapped. The role and product privileges that are associated with the user account you specify are applied to all users who successfully authenticate.

    Default: Blank.

    Example: Enter 'user' if you want all users to log in with user-level privileges.

    Note: An existing user account is required.

    The user accounts configured on the IdP are sent to CA Performance Center when the agreement is established. They appear in the User List on the Manage Users Admin page, where they can be edited.

  10. Enter 3 to enable security parameters.
    3. SAML2 Signature and Encryption Enabled

    Enables security and encryption for communications between CA Performance Center and the IdP.

    Default: Disabled

    You are prompted to choose an option.

  11. Enter u to change the value, and enter 1 to enable it.

    Note: This setting must match the setting on the IdP.

  12. Enter 4 to enable automatic reauthentication.
    4. SAML2 Auto-Reauthentication

    Specifies whether users are required to reauthenticate after a timeout period expires. Enable this parameter to allow the IdP to perform a passive reauthentication ('auto-reauthentication'), with no user interaction.

    The next parameter lets you set the duration of the timeout period.

    Default: Disabled.

  13. Enter u to change the value, and enter 1 to enable it.
  14. Enter 5 to set the reauthentication timeout period.
    5. Auto-Reauthentication Time Period

    Sets the length of time that passes before a passive reauthentication is performed. If the 'SAML2 Auto-Reauthentication' parameter is disabled, this parameter is ignored.

    Value: Must be less than the value for the 'IdP Session Timeout' parameter.

    Default: None.

  15. Enter u to change the value, and enter a new value.
  16. Enter 6 to set a timeout period for the session to the Identity Provider.
    6. IdP Session Timeout

    Sets the length of time that passes before the session established between CA Performance Center and the Identity Provider is closed automatically. For example, enter '10' to set a 10-minute timeout.

    The value must be greater than the value specified for the 'Auto-Reauthentication Time Period' parameter; otherwise, no session exists when the reauthentication is due to be performed. The value must also match the value set in the security properties file for the 'saml.idp.sessionTimeout' parameter. For more information, see Preparing the Security Properties File.

    Default: None.

  17. Enter u to change the value, and enter a new value.
  18. Enter b twice to go back to the initial prompt.
  19. Enter 6 to export the metadata file that establishes the agreement with the IdP.

    The metadata file supplies the identity provider with the parameters to use when authenticating users.

    You are asked to supply a directory path and filename.

  20. Enter the filename. For example, enter the following:

    /tmp/CAPCMetadata.xml

    The file is generated automatically, based on the settings you selected in the Configuration Tool.

    You see a printout of the XML if the export operation succeeds. If the operation fails, you see an error message.

  21. Enter q to quit.

    The Configuration Tool closes.
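The procedure above states several constraints that the Configuration Tool does not check for you: the Auto-Reauthentication Time Period must be less than the IdP Session Timeout, the IdP Session Timeout must equal 'saml.idp.sessionTimeout' in the security properties file, the Clone Default User Accounts value must name an existing account, and when 'SAML2 Signature and Encryption Enabled' is on the exported metadata has to carry the keys the IdP will use. The following script is an added example, not part of this documentation and not CA's own code, that applies those checks after the tool has been run. It assumes you transcribe the values you entered into a dict, that the security properties file uses Java 'key=value' lines, that the exported file is standard SAML 2.0 SP metadata (EntityDescriptor/SPSSODescriptor/KeyDescriptor elements), and that the list of existing accounts is taken from the Manage Users page; all sample values below are constructed.

```python
"""Post-configuration consistency check for the SAML 2.0 settings chosen in
the Single Sign-On Configuration Tool (added example; assumptions noted)."""
from typing import Dict, List, Optional, Set
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"  # standard SAML metadata namespace


def parse_properties(text: str) -> Dict[str, str]:
    """Parse Java-style 'key=value' lines; '#' and '!' start comment lines."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def metadata_key_uses(xml_text: str) -> Set[str]:
    """Return the set of KeyDescriptor 'use' values found in SP metadata.
    A KeyDescriptor without a 'use' attribute is valid for both purposes."""
    root = ET.fromstring(xml_text)
    uses: Set[str] = set()
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        uses.update([use] if use else ["signing", "encryption"])
    return uses


def check_saml_settings(settings: Dict, props: Dict[str, str],
                        existing_users: Set[str],
                        metadata_xml: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the settings are consistent.
    Keys of 'settings' mirror the tool's parameter names (assumed spelling)."""
    problems: List[str] = []
    if not settings.get("enable_saml2"):
        return problems  # the remaining parameters only matter when SAML2 is enabled

    clone = settings.get("clone_default_user_accounts", "")
    if not clone:
        problems.append("Clone Default User Accounts is blank; an existing account is required")
    elif clone not in existing_users:
        problems.append(f"Clone Default User Accounts names unknown account '{clone}'")

    idp_timeout = settings.get("idp_session_timeout")
    if idp_timeout is None:
        problems.append("IdP Session Timeout is not set")
    else:
        file_value = props.get("saml.idp.sessionTimeout")
        if file_value is None or int(file_value) != idp_timeout:
            problems.append(f"IdP Session Timeout {idp_timeout} does not match "
                            f"saml.idp.sessionTimeout={file_value} in the properties file")
        # The time period is ignored when auto-reauthentication is disabled.
        if settings.get("auto_reauthentication"):
            period = settings.get("auto_reauth_time_period")
            if period is None or period >= idp_timeout:
                problems.append(f"Auto-Reauthentication Time Period {period} must be less "
                                f"than IdP Session Timeout {idp_timeout}")

    if settings.get("signature_encryption_enabled") and metadata_xml is not None:
        uses = metadata_key_uses(metadata_xml)
        for needed in ("signing", "encryption"):
            if needed not in uses:
                problems.append(f'exported metadata has no KeyDescriptor use="{needed}"')
    return problems


# Constructed sample inputs (not values from a real installation).
PROPERTIES = "# constructed security properties excerpt\nsaml.idp.sessionTimeout=10\n"
GOOD_SETTINGS = {"enable_saml2": True, "clone_default_user_accounts": "user",
                 "signature_encryption_enabled": True, "auto_reauthentication": True,
                 "auto_reauth_time_period": 5, "idp_session_timeout": 10}
BAD_SETTINGS = {"enable_saml2": True, "clone_default_user_accounts": "",
                "signature_encryption_enabled": True, "auto_reauthentication": True,
                "auto_reauth_time_period": 10, "idp_session_timeout": 10}
_KEYS = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:KeyName>constructed-sig'
         '</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>'
         '<md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:KeyName>constructed-enc'
         '</ds:KeyName></ds:KeyInfo></md:KeyDescriptor>')
_TEMPLATE = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
             'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
             'entityID="https://capc.example.invalid/sp">'
             '<md:SPSSODescriptor protocolSupportEnumeration='
             '"urn:oasis:names:tc:SAML:2.0:protocol">{keys}</md:SPSSODescriptor>'
             '</md:EntityDescriptor>')
METADATA_OK = _TEMPLATE.format(keys=_KEYS)
METADATA_NO_KEYS = _TEMPLATE.format(keys="")


def run_demo() -> Dict[str, List[str]]:
    """Run both constructed cases and return their problem lists."""
    props = parse_properties(PROPERTIES)
    return {"good": check_saml_settings(GOOD_SETTINGS, props, {"user", "admin"}, METADATA_OK),
            "bad": check_saml_settings(BAD_SETTINGS, props, {"user"}, METADATA_NO_KEYS)}


if __name__ == "__main__":
    for name, problems in run_demo().items():
        print(name, "->", problems or "OK")
```

Run it once after step 17 with the values you entered and once more after step 20 against the exported file; the 'bad' case shows the four findings a misconfigured run produces (blank clone account, a reauthentication period not below the session timeout, and a metadata file with neither key).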