CA SiteMinder Federation has two deployment models:
Partnership Federation
Partnership federation is based on configuring partnerships between enterprises according to the federation standards. The partnership model does not require configuration of SiteMinder-specific objects, such as domains, realms, and policies. This model is recommended for new configurations using SiteMinder Federation.
Legacy Federation (formerly Federation Security Services)
Legacy federation is based on configuring SiteMinder objects, such as affiliate domains, authentication schemes, and policies, to protect federated resources. This model exists primarily for backward compatibility with older deployments.
Both deployment models provide user authentication data in the form of a SAML assertion. The entity that consumes the assertion uses it to identify the user. Upon successful authentication, the consuming entity makes the requested resources available, so the user experiences single sign-on without a second login.
Install the SiteMinder Policy Server, the Administrative UI, and the Web Agent Option Pack to use either model.
Note: Federation is separately licensed from SiteMinder.
Read the following sections for basic federation security concepts before implementing SiteMinder Federation.
SiteMinder supports the following federation specifications:
Security Assertion Markup Language (SAML)
The Security Assertion Markup Language (SAML) is a standard from the Organization for the Advancement of Structured Information Standards (OASIS). This industry standard defines an XML framework for exchanging authentication and authorization information.
SAML defines assertions as a means to pass security information about users between entities. SAML assertions are XML documents that contain information about a specific subject, such as a user. An assertion can contain several different internal statements about authentication, authorization, and attributes.
SAML defines two browser-based profiles that specify how SAML assertions are passed between partners to facilitate single sign-on.
The profiles are:
Artifact profile. The asserting party hands the browser a small artifact that references the assertion; the consuming site resolves the artifact into the assertion over a direct back-channel request to the asserting party.
POST profile. The asserting party returns the assertion itself, base64-encoded, in an HTML form that the browser submits to the consuming site.
Note: For SAML 2.0, the artifact and POST profiles are referred to as HTTP bindings (HTTP-Artifact and HTTP-POST).
For the SAML specifications and information about SAML profiles, see the Organization for the Advancement of Structured Information Standards (OASIS) website.
SiteMinder supports SAML 1.0, SAML 1.1, and SAML 2.0, using the artifact and POST profiles described above. The roles each version defines are listed in the table later in this section.
WS-Federation (legacy federation only)
Active Directory Federation Services (ADFS) is a web services-based solution from Microsoft for federated single sign-on (SSO). ADFS runs on a Windows server and accomplishes SSO by letting partners securely share user identity information and access rights across a secure network. ADFS extends SSO functionality to internet applications, letting users have a seamless web SSO interaction when they access the web-based applications of the organization.
ADFS uses the WS-Federation specification for communication. For the WS-* specifications, background documentation, and information about ADFS profiles, go to the Microsoft website.
Note: This profile is only available with SiteMinder Legacy Federation.
In a federated network, one entity generates SAML assertions. Each assertion contains information about a user whose identity is maintained locally at the site that generates it. The other entity uses the SAML assertion to authenticate the user and to establish a session for the user.
Depending on the protocol, these two entities are named differently, but the functions they serve are the same.
Protocol         | Generates assertions    | Consumes assertions
SAML 1.0 and 1.1 | Producer                | Consumer
SAML 2.0         | Identity Provider (IdP) | Service Provider (SP)
WS-Federation    | Account Partner (AP)    | Resource Partner (RP)
A single site can act as both the asserting party (producer/IdP/AP) and the relying party (consumer/SP/RP).
Note: The partnership federation model only supports SAML 1.1 and SAML 2.0.
Copyright © 2012 CA Technologies.
All rights reserved.