Single Sign-On Service › SSO Getting Started Guide › How to Connect a CA CloudMinder Tenant to an Office 365 Tenant › Overview › The CSP Admin Tasks to Connect a CA CloudMinder Tenant to an Office 365 Tenant › Create Federation Partnership

Create Federation Partnership

This section describes how a CSP Administrator creates the necessary federation partnership.

This step requires the following information:

• [appId]
• [baseUrl]
• [certificateAlias]
• [directoryPassword]
• [directoryPort]
• [tenantId]

This step provides the following information:

• [disambiguationId]
• [entityIdLocal]
• [entityIdRemote]
• [partnershipId]

User Directory

Create another User Directory for the Tenant that performs a lookup by UPN.

Follow these steps:

1. Log in to the CSP Console as CSP Administrator.
2. Navigate to Infrastructure, Directory, User Directories.
3. Create a new User Directory, with the following values:
   • Name: [tenantId] Tenant Directory (UPN)
   • Description: Alternate User Lookup
   • Namespace: LDAP:
   • Server: localhost:[directoryPort]
   • Use authenticated user’s security context: unchecked
   • Secure Connection: unchecked
   • Require Credentials: checked
   • Username: cn=dsaadmin,ou=[tenantId],ou=cam,o=ca
   • Password: [directoryPassword]
   • LDAP Search:
     • Root: ou=[tenantId], ou=cam, o=ca
     • Scope: Sub-Tree
     • Max Time: 30
     • Max Results: 0
   • LDAP User DN Lookup
     • Start: (&(camOffice365_UPN=
     • End: )(objectclass=top)(objectclass=camUser))
   • User Attributes:
     • Universal ID: uid
     • Disabled Flag: camEnabledState
     • Password: userPassword
     • Password Data: camPasswordData

Federation

Configure federation using this procedure.

Follow these steps:

1. Log in to the CSP Console as CSP Administrator.
2. Navigate to Federation, Partnership Federation, Entities, Create Entity.
3. Enter the following values:
   • Location: Local
   • Type: WSFED Identity Provider
   • SAML Token Type: SAML 1.1
   • Entity ID: [entityIdLocal]
   • Entity Name: [entityIdLocal]
   • Base URL: [baseUrl]
   • Disambiguation ID: [disambiguationId]
   • Sign-Out Confirm URL: [baseUrl]/affwebservices/public/signoutconfirmurl.jsp
   • Signing Private Key Alias: [certificateAlias]
   • Supported NameID Formats: Unspecified
   • Supported Assertion Attributes, Add Row:
     • UPN

       Attribute: UPN

       Namespace: http://schemas.xmlsoap.org/claims

     • ImmutableID

       Attribute: ImmutableID

       Namespace: http://schemas.microsoft.com/LiveID/Federation/2008/05

4. Confirm and Finish.
5. Navigate to Federation, Partnership Federation, Entities, Create Entity.
6. Enter the following values:
   • Location: Remote
   • Type: WSFED Resource Partner
   • SAML Token Type: SAML 1.1
   • Entity ID: urn:federation:MicrosoftOnline
   • Entity Name: [entityIdRemote]
   • Remote Security Token Consumer Service URL: https://login.microsoftonline.com
   • Remote Sign-Out URL: https://login.microsoftonline.com
   • Verification Certificate Alias: <blank>
   • Supported NameID Formats: Unspecified
7. Confirm and Finish.
8. Navigate to Federation, Partnership Federation, Partnerships, Create Partnership, WSFED IP -> RP.
9. Enter the following values:
   • Configure Partnership:
     • Partnership Name: [partnershipId]
     • Local Identity Provider: Select [entityIdLocal]
     • Remote Partner: Select [entityIdRemote]
     • Enable Metadata Exchange: checked
     • STS for WSFED Active Profile: checked
     • Legacy Name: <blank>
     • User Directories:

       [tenantId] Tenant Directory (UPN)

       [tenantId] Tenant Directory

   • Federation Users:
     • [tenantId] Tenant Directory: All Users in Directory
     • [tenantId] Tenant Directory (UPN): All Users in Directory
   • Assertion Configuration:
     • Name ID Format: Unspecified
     • Name ID Type: User Attribute
     • Value: camOffice365_UPN
     • Assertion Attributes

       UPN
       User Attribute
       camOffice365_UPN

       ImmutableID
       User Attribute

       camOffice365_ImmutableID

   • Single Sign-On and Sign-Out:
     • Authentication Mode: Delegated
     • Delegated Authentication Type: Cloud
     • Delegated Authentication URL: [baseUrl]/chs/login/[tenantId]/[appId]/
     • Audience: urn:federation:MicrosoftOnline
     • Security Token Consumer Service URL: https://login.microsoftonline.com
     • Enable Sign-Out: checked
     • Sign-Out Confirm URL: https://login.microsoftonline.com/login.srf?wa=wsignoutcleanup1.0&wreply=https%3A%2F%2Flogin.microsoftonline.com
     • Sign-Out URL: [baseUrl]/affwebservices/public/wsfeddispatcher
   • Signature
     • Signing Private Key Alias: [certificateAlias]
10. Confirm and Finish.
11. Activate the Partnership.

Persistent Session

Each realm where the user logs in must be enabled for persistent sessions.

Follow these steps:

1. Log in to the CSP Console as CSP Administrator.
2. Navigate to Policies, Domain, Realms.
3. Modify all realms where users login:
4. For example, for the basic Authentication the Realm: [tenant_chsforms_realm_es]
   • Session
     • Persistent Session: Persistent

Security Token Service

This step requires:

• [partnershipId]

A Security Token Service must be created on the Secure Proxy Server.

Follow these steps:

1. Login to the Secure Proxy Server Admin UI
2. Navigate to Web Services, Security Token Service, Add.
3. Enter the following values:
   • STS Name: [partnershipId]
   • STS Context: /[partnershipId]
   • Click OK and Save
4. Restart the Secure Proxy Server.