No direct migration path from legacy federation to partnership federation exists. Reproducing your legacy federation configuration in the partnership federation model requires recreating the legacy entities and configuring partnerships.
Legacy and partnership objects do not share a one-to-one correspondence. In the legacy federation model, configuring federation involves the following tasks at each partner:
Asserting Party
Note: ADFS/WS-Federation is only supported with legacy federation. You cannot create WS-Federation objects in the partnership model.
Relying Party
In a partnership model, recreating a legacy configuration involves:
The following tables show the relationship between legacy federation components and partnership federation components.

Asserting party:

| Legacy Components | Partnership Components |
|---|---|
| SAML 1.1 Affiliate | SAML 1.1 Producer-to-Consumer partnership (partnership federation does not support SAML 1.0) |
| SAML 2.0 Service Provider | SAML2 IdP-to-SP partnership |

Relying party:

| Legacy Components | Partnership Components |
|---|---|
| Authentication Scheme: | SAML 1.1 Consumer-to-Producer partnership |
| Authentication Scheme: | SAML2 SP-to-IdP partnership |
If you plan to recreate your legacy federation objects in the partnership model, pay attention to the following settings:
(Affiliate/Service Provider Properties and SAML authentication scheme dialog for legacy federation). If SiteMinder is using the legacy federation configuration, confirm this check box is selected. If you recreate the legacy configuration in the partnership federation model with similar values for identity settings, such as source ID, clear this check box before activating the partnership federation object.
SiteMinder cannot work with a legacy configuration and a partnership configuration that use the same identity values; if both exist, a name collision occurs.
(SSO settings for partnership federation). Defines how the back channel is protected for HTTP-Artifact single sign-on. The legacy option indicates that SiteMinder protects the back channel. The partnership option indicates that the federation component within SiteMinder protects the back channel.
If you recreate your legacy federation configuration in the partnership federation model, you can keep using the legacy method of protecting the back channel. The legacy option lets the configuration keep the existing URL for the Assertion Retrieval Service (SAML 1.x) or the Artifact Resolution Service (SAML 2.0). When legacy is selected, SiteMinder accepts requests sent to that URL, so you do not have to modify it. If the artifact service URL comes from the legacy configuration but only the partnership option is selected for this setting, SiteMinder rejects the request.
Important! For the legacy federation option, enforce the policy that protects the artifact service. The artifact service is a component of the Federation Web Services. SiteMinder creates policies for Federation Web Services automatically. However, you are required to indicate which partnership is permitted access to the service that retrieves artifacts. For more information, refer to the Federation Manager Guide: Partnership Federation.
Options: Legacy, Partnership
Note: SiteMinder r12.5 ships with the Federation Security Services User Interface (FSS UI) and the Administrative UI. If you switch from the FSS UI to the Administrative UI for SiteMinder configuration, do not return to the FSS UI for any modifications to any configuration objects. Once you begin with the Administrative UI, continue to use the Administrative UI exclusively. If you return to the FSS UI after using the Administrative UI, objects in the policy store can impair the function of the SiteMinder Policy Server.
Copyright © 2012 CA Technologies.
All rights reserved.