

Configure WS-Federation Single Sign-on at the Resource Partner

You configure the WS-Federation single sign-on binding for authentication in the SSO section of the SAML Profiles page. You can also enforce single use assertion policy to prevent the replaying of a valid assertion in this section.

Part of the single sign-on configuration is defining the Redirect Mode setting. The Redirect Mode specifies how the Policy Server sends assertion attributes, if available, to the target application. You can send assertion attributes as HTTP Headers or HTTP cookies.

The HTTP headers and HTTP cookies have size restrictions that assertion attributes cannot exceed. The size restrictions are as follows:

To configure WS-Federation single sign-on

  1. Navigate to the authentication scheme for the Resource Partner you are configuring.
  2. Select WS-Federation Configuration, SAML Profiles. Click Modify first if you are modifying an existing scheme.

    The SAML Profiles dialog opens.

  3. Complete the fields in the SSO section.

    Click Help for the field descriptions.

  4. Click Submit.
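The single use assertion policy mentioned at the start of this section is a replay guard: once a Resource Partner has accepted an assertion, the same assertion must not be accepted again while it is still within its validity window. The following is an added example, not CA SiteMinder's own code, modelling that check in memory; assertion IDs, issuer names and timestamps are constructed, and a real deployment would back the store with shared storage (see the session and assertion store topic linked below) so that every Policy Server in a cluster sees the same consumed IDs.

```python
"""Single-use assertion enforcement modelled as a replay guard (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
import time


@dataclass
class Assertion:
    """Minimal view of a received assertion (constructed fields)."""
    assertion_id: str
    issuer: str
    not_on_or_after: float  # epoch seconds after which the assertion is no longer valid


@dataclass
class SingleUseAssertionStore:
    """Remembers consumed assertion IDs until the assertion itself expires.

    Entries are keyed by (issuer, assertion_id) so that two Identity Providers
    using the same ID scheme cannot collide, and they are kept for the whole
    validity window: evicting earlier would reopen the replay window.
    """
    seen: Dict[Tuple[str, str], float] = field(default_factory=dict)

    def _purge(self, now: float) -> None:
        # Drop IDs whose assertion can no longer be presented anyway.
        expired = [key for key, expiry in self.seen.items() if expiry <= now]
        for key in expired:
            del self.seen[key]

    def consume(self, assertion: Assertion, now: Optional[float] = None) -> Tuple[bool, str]:
        """Accept the assertion once; reject expired or previously seen ones."""
        now = time.time() if now is None else now
        self._purge(now)
        key = (assertion.issuer, assertion.assertion_id)
        if assertion.not_on_or_after <= now:
            return False, "expired"
        if key in self.seen:
            return False, "replay"
        self.seen[key] = assertion.not_on_or_after
        return True, "accepted"


if __name__ == "__main__":
    store = SingleUseAssertionStore()
    first = Assertion("_a1", "https://idp.example", not_on_or_after=1000.0)
    print(store.consume(first, now=900.0))  # first presentation is accepted
    print(store.consume(first, now=950.0))  # same assertion again is a replay
```

The expiry check runs before the replay lookup, so an expired assertion is rejected for the right reason even if it was never seen, and the purge keeps the store bounded by the assertion lifetime rather than growing with every sign-on.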

Implement WS-Federation Signout

Sign-out is the simultaneous termination of all user sessions for the browser that initiated the sign-out. Closing all user sessions prevents unauthorized users from gaining access to resources at the Resource Partner.

Sign-out does not necessarily end all sessions for a user. For example, a user with two browsers open can have two independent sessions. Only the session for the browser that initiates the sign-out is terminated at all federated sites for that session. The session in the other browser is still active.

The Policy Server performs sign-out using a signoutconfirmurl.jsp. This page resides on the Identity Provider system. An Identity Provider initiates a sign-out request on behalf of a user. The JSP sends the sign-out request to each site where the user signed on during a given browser session. The user is then signed out.

A user can initiate a sign-out request only at an Identity Provider. The request is triggered by clicking a link that points to the appropriate servlet. The sign-out confirmation page must be an unprotected resource at the Identity Provider site.

Note: The Policy Server only supports the WS-Federation Passive Request profile for sign-out.
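To make the per-browser-session scope of sign-out concrete, here is an added example that is not SiteMinder's signoutconfirmurl.jsp: it models an Identity Provider that records, for each browser session, every Resource Partner the user signed on to, and on sign-out builds one request per partner to that partner's configured Signout URL. It assumes the WS-Federation passive requestor profile's sign-out action (`wa=wsignout1.0`, optionally with a `wreply` return address) and applies the rule from the procedure below that a Signout URL must begin with `https://` or `http://`. Session IDs, user and partner names, and URLs are constructed.

```python
"""WS-Federation passive sign-out fan-out, scoped to one browser session (added example)."""
from typing import Dict, List, Optional
from urllib.parse import urlencode, urlsplit


def validate_signout_url(url: str) -> str:
    """Accept only absolute http:// or https:// URLs, as the configuration requires."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"Signout URL must begin with https:// or http://: {url!r}")
    return url


class IdentityProvider:
    """Tracks federated sign-ons per browser session and issues sign-out requests."""

    def __init__(self) -> None:
        # browser session id -> {"user": name, "partners": {partner name: signout url}}
        self._sessions: Dict[str, Dict] = {}

    def sign_on(self, session_id: str, user: str, partner: str, signout_url: str) -> None:
        """Record that this browser session signed on at a Resource Partner."""
        session = self._sessions.setdefault(session_id, {"user": user, "partners": {}})
        session["partners"][partner] = validate_signout_url(signout_url)

    def active_sessions(self, user: str) -> List[str]:
        """Browser sessions that still exist for the user."""
        return sorted(sid for sid, s in self._sessions.items() if s["user"] == user)

    def sign_out(self, session_id: str, wreply: Optional[str] = None) -> List[str]:
        """Terminate one browser session and return the sign-out URLs to send.

        Only partners reached from this session are contacted; the user's
        other browser sessions are untouched (constructed wa/wreply values
        follow the passive requestor profile).
        """
        session = self._sessions.pop(session_id, None)
        if session is None:
            return []
        requests = []
        for signout_url in session["partners"].values():
            params = {"wa": "wsignout1.0"}
            if wreply:
                params["wreply"] = wreply
            requests.append(f"{signout_url}?{urlencode(params)}")
        return requests


if __name__ == "__main__":
    idp = IdentityProvider()
    idp.sign_on("browser-A", "alice", "rp1", "https://rp1.example/siteminderfederation/signout")
    idp.sign_on("browser-B", "alice", "rp1", "https://rp1.example/siteminderfederation/signout")
    for url in idp.sign_out("browser-A"):
        print("GET", url)
    print("still active:", idp.active_sessions("alice"))  # browser-B remains
```

The example keeps the confirmation step out of the model: in the product, the user reaches sign-out by clicking a link at the Identity Provider, and the confirmation page has to be unprotected so the browser can load it regardless of which protected session is about to end.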

Enable Signout

To configure WS-Federation signout

  1. Navigate to the authentication scheme you want to modify.
  2. Select WS-Federation Configuration, SAML Profiles. Click Modify first if you are modifying an existing scheme.

    The SAML Profiles dialog opens.

  3. In the Signout section, select the Enable Signout check box.
  4. Enter a value for the Signout URL. The URL must begin with https:// or http://.
  5. Click OK.

More Information:

Storing User Session, Assertion, and Expiry Data