

Overview

Federated partnerships enable identity information to be flexible and portable. Partnership federation offers secure single sign-on and single logout across a network of trusted business partners.

SiteMinder partnership federation lets customers establish federated partnerships in a flexible way, together with or independent of a web access management system. Partnership federation offers an easy-to-deploy solution for standards-based federation. Using partnership federation, an organization can act as the asserting party or the relying party. The asserting party provides user authentication and assertion of identity. The relying party consumes a user identity to allow access to web resources and services.

Partnership federation supports the SAML 1.1 and SAML 2.0 protocols.

The following flow chart highlights the general process for configuring partnership federation.

[Figure: Flow chart of partnership federation configuration tasks]

Programmerless Federation

Programmerless federation is an HTTP-based approach for allowing the secure authentication, user disambiguation, inspection, and modification of SAML assertions. The advantage of programmerless federation is that applications can accomplish these tasks without having to use a language-specific SDK or other bindings.

Programmerless federation relies on HTTP/HTTPS requests and responses. These requests and responses are accessible through URLs and HTML-based protocols, exposed as web services built on the Representational State Transfer (REST) architectural style.

Any application that can issue HTTP requests, read HTTP responses, and parse XML can take advantage of the programmerless functionality.

An essential part of programmerless federation is its ability to secure the exchange of data. To secure data, SiteMinder uses an open-format cookie. The open-format cookie is a well-defined cookie format that supports strong encryption algorithms. The encrypted cookie secures the response between SiteMinder and the local or remote applications. This cookie can be written in any programming language that supports the same encryption and decryption algorithms that are supported by the open-format cookie, such as Perl or Ruby.

The following partnership federation features implement programmerless federation:

Delegated Authentication

Delegated authentication lets SiteMinder use a third-party web access management (WAM) system to perform the authentication of any user who requests a protected federated resource. The third-party WAM performs the authentication and then sends the federated user identity to SiteMinder.

HTTP/HTTPS requests and responses facilitate communication for delegated authentication.

Provisioning at the Relying Party

Provisioning is the process of creating client accounts with the necessary account rights and access privileges for accessing data and applications. Partnership federation provisioning can establish a new account for a user, or can populate an existing user account with information sent in a SAML assertion.

Remote provisioning is one of the SiteMinder provisioning methods. Remote provisioning uses an independent provisioning application to establish a user record. To pass assertion data, SiteMinder creates an encrypted cookie containing the data. This cookie is sent to the remote provisioning application, which is responsible for creating the user account.

HTTP/HTTPS requests and responses facilitate communication for provisioning.
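The encrypted cookie described in the Programmerless Federation section, and consumed by the remote provisioning application described above, can be modelled in Ruby, one of the languages the page names. The following is an added example, not SiteMinder code and not the documented open-format cookie layout: the field layout ("v1." plus base64 IV, ciphertext and tag), the AES-256-GCM choice, the claim names (nameid, email, role, iat, exp), and the ProvisioningApp class are all assumptions made for illustration. It shows the two halves of the exchange: the asserting side seals assertion attributes into a cookie under a shared key, and the provisioning side unseals it, rejects tampered or expired cookies, and creates or updates the local account record.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Hypothetical cookie layout (an assumption, not the SiteMinder open-format
# cookie specification):
#   "v1" . base64(iv) . base64(ciphertext) . base64(auth_tag)
# The payload is a JSON document encrypted with AES-256-GCM so that both
# confidentiality and integrity of the assertion data are protected.
module OpenFormatCookie
  VERSION = 'v1'
  CIPHER  = 'aes-256-gcm'

  # Asserting side: encrypt a hash of assertion attributes into a cookie value.
  # key is the 32-byte secret shared between SiteMinder and the application.
  def self.seal(attributes, key, ttl_seconds: 300, now: Time.now.to_i)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32

    payload = attributes.merge('iat' => now, 'exp' => now + ttl_seconds).to_json
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key
    iv = cipher.random_iv            # fresh 12-byte nonce per cookie
    cipher.auth_data = VERSION       # version string is authenticated, not encrypted
    ciphertext = cipher.update(payload) + cipher.final
    [VERSION, b64(iv), b64(ciphertext), b64(cipher.auth_tag)].join('.')
  end

  # Consuming side: decrypt and validate. Returns the attribute hash, or raises
  # if the cookie is malformed, tampered with, encrypted under another key, or expired.
  def self.unseal(cookie, key, now: Time.now.to_i)
    version, iv, ciphertext, tag = cookie.to_s.split('.', 4)
    raise ArgumentError, 'unsupported cookie version' unless version == VERSION
    raise ArgumentError, 'malformed cookie' if [iv, ciphertext, tag].any?(&:nil?)

    cipher = OpenSSL::Cipher.new(CIPHER).decrypt
    cipher.key = key
    cipher.iv = unb64(iv)
    cipher.auth_tag = unb64(tag)     # GCM verifies this tag in #final
    cipher.auth_data = version
    payload = JSON.parse(cipher.update(unb64(ciphertext)) + cipher.final)
    raise ArgumentError, 'cookie expired' if payload['exp'] < now

    payload
  end

  def self.b64(bytes)
    [bytes].pack('m0')
  end

  def self.unb64(text)
    text.unpack1('m0')               # strict decoding; raises on bad input
  end
end

# Hypothetical remote provisioning application: receives the cookie over
# HTTP/HTTPS, unseals it, and creates or updates the user record.
class ProvisioningApp
  attr_reader :accounts

  def initialize(key)
    @key = key
    @accounts = {}                   # stands in for the account store
  end

  # Returns the account record created or populated from the assertion data.
  def provision(cookie, now: Time.now.to_i)
    attrs = OpenFormatCookie.unseal(cookie, @key, now: now)
    uid = attrs.fetch('nameid')      # assumed subject identifier claim
    account = @accounts[uid] ||= { 'nameid' => uid, 'created' => now }
    account.merge!(attrs.slice('email', 'givenName', 'role'))
    account
  end
end

if $PROGRAM_NAME == __FILE__
  key = SecureRandom.random_bytes(32)                      # constructed shared key
  cookie = OpenFormatCookie.seal(
    { 'nameid' => 'jdoe', 'email' => 'jdoe@example.com', 'role' => 'employee' }, key
  )
  puts ProvisioningApp.new(key).provision(cookie).inspect
end
```

Note that the tag check in `unseal` is what lets the provisioning application trust the attributes without a signature on the HTTP body: a cookie that is altered in transit, or issued under a different key, fails in `cipher.final` before any account is touched, and the expiry check limits how long a captured cookie stays usable.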