Federation Guides › Legacy Federation Guide › Use a Sample Configuration to Learn About Legacy Federation

Use a Sample Configuration to Learn About Legacy Federation

This section contains the following topics:

Manual CA SiteMinder®-to-CA SiteMinder® Deployment Overview

Confirm that Required Components are Installed

Sample Federation Network

Set Up the Identity Provider for the Sample Network

Set up the Service Provider for the Sample Network

Test SAML 2.0 Single Sign-on

Add Functionality to the Federation Deployment

Manual CA SiteMinder®-to-CA SiteMinder® Deployment Overview

You can accomplish a deployment manually. The manual deployment tasks begin with a simple configuration, single sign-on with POST binding. By starting with a basic configuration, you can complete the least number of steps to see how federation works.

After getting POST single sign-on to work, additional tasks, such as configuring the artifact binding, digital signing, and encryption are described. You can add these features to reflect a real production environment.

Important! The deployment exercise is only for SAML 2.0. These procedures do not apply to a SAML 1.x or WS-Federation configuration.

The manual deployment examples are different from the sample application deployment in the following ways:

The deployment that is described is set up across two systems, with a Policy Server and Web Agent on each system. The two systems represent the IdP and the SP.
Additional features are documented for the manual configuration that the sample application does not set up, including:
- Configuring SSL for the artifact back channel
- Adding an attribute to an assertion
- Digitally signing and verifying an assertion
- Encrypting and decrypting an assertion

The procedures throughout the manual deployment use sample data. To use data from your environment, specify entries for your Identity Provider and Service Provider configuration.

Confirm that Required Components are Installed

Federation requires that the following components are installed:

CA SiteMinder® Policy Server
Administrative UI
Web Agent
Web Agent Option Pack

This sample federation deployment example assumes that these components are installed and working.

Optionally, set up these features:

Enable a web or application server for SSL communication.
SSL is optional for securing communication across the back channel for HTTP-artfact single sign-on.
Set up a database to be enabled as a session store.
The session store is required for storing the assertion at the asserting party when using HTTP-Artifact binding. The session store is also required for single logout at either party.

For instructions on setting up a session store database, see the Policy Server Installation Guide. Enable the session store using the Policy Server Management Console. See the Policy Server Administration Guide for instructions.

Sample Federation Network

The sample websites in the CA SiteMinder® federated network are an Identity Provider named idp.demo, and a Service Provider named sp.demo. A business partnership is established between idp.demo and sp.demo.

The following illustration shows the sample federated network.

Figure shoing how legacy sample application can be deployed

Identity Provider Data for a Basic Configuration

IdP.demo is the Identity Provider. The following table contains sample data for the most basic SAML 2.0 POST single sign-on configuration.

Identity Provider Component	Sample Network
IdP Policy Server	Server: www.idp.demo:80 Server type: IIS Web Server
IdP policy store	IP Address: www.idp.demo:389 Storage: LDAP (Sun One Directory Server) Root DN: o=idp.demo Admin Username: cn=Directory Manager Password: federation
User store	Directory name: IdP LDAP Server: www.idp.demo:42088 Server Type: Sun One Directory Server (LDAP) User store: The LDAP directory contains the following users: user1 user2 userpassword: test mail: <user_name>@idp.demo Root: dc=idp,dc=demo Start: uid= End: ,ou=People,dc=idp,dc=demo
IdP Web Agent with Web Agent Option Pack	Server: www.idp.demo:80 Server Type: IIS Web Server Agent name: idp-webagent
Assertion Consumer Service URL	URL: http://www.sp.demo:81/affwebservices/ public/saml2assertionconsumer
Assertion Retrieval Service URL	URL: http://www.idp.demo:80/affwebservices/assertionretriever
Authentication URL	URL: http://www.idp.demo/siteminderagent/ redirectjsp/redirect.jsp

Identity Provider Data for an Advanced Configuration

The following table contains sample data for more advanced SAML 2.0 features, such as the artifact profile, signing and encrypting assertions.

Identity Provider Component	Sample Network
Session store	Server: www.idp.demo Database type: ODBC Database Source Information: SiteMinder Session Data Source User Name: admin Password: dbpassword
SSL-enabled server	Server: www.idp.demo:443 Server Type: IIS 6.0 Web The web server with the Web Agent Option Pack is SSL-enabled for artifact binding
Certificate of the Certificate Authority (CA)	Certificate of CA: docCA.crt DER-encoded Cert: docCA.der This CA signs the server-side certificate to enable SSL
Private key/certificate pair to sign SAML responses	Certificate: post-cert.crt Private key: post-pkey.der Password: fedsvcs
Certificate (public key) for encryption	Public key: sp-encrypt.crt
Attribute to include in assertion	Attribute: unspecified (default) Attribute Kind: User DN Variable Name: firstname Variable Value: givenname

Service Provider Data for a Basic Configuration

The Service Provider is SP.demo. The following table contains sample data for the most basic SAML 2.0 POST single sign-on configuration.

Service Provider Component	Sample Network
SP Policy Server	Server: www.sp.demo:80 Server type: IIS Web Server
SP policy store	IP Address: www.sp.demo:389 Storage: LDAP (Sun One Directory Server) Root DN: o=ca.com Admin Username: cn=Directory Manager Password: federation
User Store	Directory name: SP LDAP Server: www.sp.demo:32941 Server Type: LDAP (Sun One Directory Server) User store: The LDAP directory contains the following users: user1 user2 userpassword: customer mail: <user_name>@sp.demo Root: dc=sp,dc=demo Start: uid= End: ,ou=People,dc=sp,dc=demo
SP Web Agent and Web Agent Option Pack	Server: www.sp.demo:81 Server type: Sun ONE 6.1 Web Server Agent name: sp-webagent
Single Sign-on Service	SSO Service: http://www.idp.demo:80/affwebservices/public/saml2sso
Target Resource	Target Resource: http://www.sp.demo:81/ spsample/protected/target.jsp

Service Provider Data for an Advanced Configuration

The following table lists sample data for more advanced SAML 2.0 features, such as setting up the artifact profile, signing and encrypting assertions.

Service Provider Component	Sample Network
Artifact Resolution Service	Resolution Service: https://www.idp.demo:443/ affwebservices/saml2artifactresolution
Certificate of Certificate Authority	Certificate of CA: docCA.crt DER-encoded cert: docCA.der This CA signs the server-side certificate to enable SSL
Certificate (public key) Used to verify signature of SAML responses	Certificate: post-cert.crt
Private key/certificate pair Used for decryption and digital signing	Private key: sp-encrypt.der Public key: sp-encrypt.crt Password: fedsvcs Issuer DN: CN=Certificate Manager,OU=IAM,O=CA.COM Serial Number: 008D 8B6A D18C 46D8 5B

Service Provider Component

Sample Network

Artifact Resolution
Service

Resolution Service:

https://www.idp.demo:443/
affwebservices/saml2artifactresolution

Certificate of Certificate Authority

Certificate of CA: docCA.crt

DER-encoded cert: docCA.der

This CA signs the server-side certificate to enable SSL

Certificate (public key)

Used to verify signature of SAML responses

Certificate: post-cert.crt

Private key/certificate pair

Used for decryption and digital signing

Private key: sp-encrypt.der

Public key: sp-encrypt.crt

Password: fedsvcs

Issuer DN: CN=Certificate Manager,OU=IAM,O=CA.COM

Serial Number: 008D 8B6A D18C 46D8 5B