

Set up the Service Provider for the Sample Network

The following sections detail the tasks for deploying legacy federation at the Service Provider. The entries in each section reflect the sample data provided for a basic configuration.

Note: These procedures assume you have already installed the required components.

Set Up the SP User Store

At the SP, configure a user store and add user records for users that require assertions. When the assertion is presented during authentication, the Service Provider looks in the user store for the user record.

In this deployment, the Sun ONE LDAP user directory is the user store. Use the Sun ONE Server Console to add users to the directory.

To configure the user store

  1. Add the following users: user1 and user2.
  2. Fill in the attributes for user1 and user2 as follows:
    user1

    userpassword: customer

    mail: user1@sp.demo

    user2

    userpassword: customer

    mail: user2@sp.demo

    Important! The email address must be the same in the Identity Provider user store for the same users.

  3. Enable trace logging.
Point the Policy Server to the SP LDAP Policy Store

Establish the connection between the Policy Server and the LDAP policy store.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Select the Data tab.

    Complete the following fields:

    Databases

    Policy Store

    Storage

    LDAP

    LDAP IP Address

    sp.demo:389

    Root DN

    o=sp.demo

    Admin Username

    cn=Directory Manager

    Password

    federation

    Confirm Password

    federation

  3. Click OK.
  4. Set up the SP user store.
Enable Trace Logging for Federation Components at the SP

At the SP Policy Server, configure the SiteMinder Profiler to write federation component messages to the trace log, smtracedefault.log, so that you can examine them.

To enable logging

  1. Open the Policy Server Management Console.
  2. Click on the Profiler tab and customize the contents of the trace log. Be sure to include the Fed_Server component in the log to see the federation trace messages.

    Trace logging at the Policy Server is configured through the Policy Server Management Console.

  3. Install the SP Web Agent.
Configure the Web Server with the Web Agent Option Pack

The Web Agent Option Pack installs the Federation Web Services (FWS) application. Configure the FWS application for the sample deployment.

For FWS to work, do the following:

  1. Install the JDK for Federation Web Services
  2. Install and Configure ServletExec to Work with FWS at the SP
  3. Configure the AffWebServices.properties file
  4. Enable Web Agent Option Pack logging
  5. Test Federation Web Services
Install the JDK for Federation Web Services

The Web Agent Option Pack requires a JDK to run the Federation Web Services application. For the specific version required, go to the Technical Support site and search for the SiteMinder Platform Support Matrix for the release.

Install and Configure ServletExec to Work with FWS at the SP

For FWS to operate in this deployment, ServletExec is installed on a Sun ONE 6.1 web server.

Note: CA SiteMinder® 12.51 is shipped with a ServletExec license key file named ServletExec_AS_6_license_key.txt. If you do not have this license key, contact CA Technical Support. From this license file, copy the license key and enter it in the ServletExec License dialog of the ServletExec Administration Console. For instructions on licensing ServletExec, see the ServletExec documentation, available at the New Atlanta Communications website.

Apply the most current hot fixes for the supported version of ServletExec. The hot fixes are necessary for Federation Web Services to work with ServletExec. To obtain the hot fixes, go to the website for New Atlanta Communications.

To set up ServletExec

  1. Install ServletExec.

    For instructions, refer to New Atlanta Communications documentation.

  2. Open the ServletExec Administration Console.
  3. Under Web Applications, select manage.

    The Manage Web Applications dialog opens.

  4. Click Add a Web Application.
  5. Enter the following information:
    Application Name

    affwebservices

    URL Context Path

    /affwebservices/

    Location

    C:\program files\ca\webagent\affwebservices

    The location of affwebservices in your network can be different. Enter the correct location.

  6. Click Submit.
  7. Exit the ServletExec Console.
  8. Configure the AffWebServices.properties file.
Configure the FWS Properties File

The AffWebServices.properties file contains all the initialization parameters for Federation Web Services. Specify the location of the WebAgent.conf file in this file.

Follow these steps:

  1. On the SP system with the Web Agent Option Pack, go to the directory C:\Program Files\ca\webagent\affwebservices\WEB-INF\classes and open the AffWebServices.properties file.
  2. Set the AgentConfigLocation parameter to the location of the WebAgent.conf file. Setting a value for this parameter is mandatory.

    For this deployment, the web server hosting the FWS application at the Service Provider is a Sun ONE Web Server. So, the entry is:

    AgentConfigLocation=C:\\Sun\\WebServer6.1\\https-sp.demo\\config\\WebAgent.conf
    

    Note: Federation Web Services is a Java component and reads this file as a Java properties file, in which a backslash is an escape character: a single backslash before an ordinary character is dropped, so Windows paths must contain double backslashes. A trailing backslash continues the entry onto the next line, so specify this entry on one line.

  3. Save and close the file.
  4. Test Federation Web Services.
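The following is an added example for this page; it is not code from the CA SiteMinder documentation or product. It reproduces the escape rules that java.util.Properties applies when Federation Web Services loads AffWebServices.properties, so you can see what path the application actually ends up with for a single-backslash entry versus the double-backslash entry above. The two property snippets are constructed for the example; the path is the sample network's.

```python
# Added example for this page; it is not part of the CA SiteMinder
# documentation or product.  The two property snippets are constructed
# here to show what Federation Web Services (a Java application that
# reads AffWebServices.properties with java.util.Properties) ends up
# seeing for AgentConfigLocation.

WRONG_PROPERTIES = r"""
# Single backslashes: java.util.Properties treats the backslash as an escape
AgentConfigLocation=C:\Sun\WebServer6.1\https-sp.demo\config\WebAgent.conf
"""

RIGHT_PROPERTIES = r"""
# Doubled backslashes: each pair unescapes to one backslash
AgentConfigLocation=C:\\Sun\\WebServer6.1\\https-sp.demo\\config\\WebAgent.conf
"""


def java_properties_unescape(value: str) -> str:
    # Value escape rules of java.util.Properties.load(): \t \n \r \f map to
    # control characters, \uXXXX to a code point, and a backslash before
    # any other character is silently dropped (so C:\Sun loads as C:Sun).
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "\\":
            out.append(ch)
            i += 1
            continue
        i += 1
        if i >= len(value):
            break  # a lone trailing backslash is dropped
        esc = value[i]
        if esc == "u":
            out.append(chr(int(value[i + 1:i + 5], 16)))
            i += 5
        else:
            out.append({"t": "\t", "n": "\n", "r": "\r", "f": "\f"}.get(esc, esc))
            i += 1
    return "".join(out)


def load_properties(text: str) -> dict:
    # Minimal loader: key=value lines, '#'/'!' comments, and the Java rule
    # that an odd number of trailing backslashes continues the logical line
    # onto the next one (which is why the entry must stay on one line).
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line = pending + line
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        pending = ""
        key, _, value = line.partition("=")
        props[key.strip()] = java_properties_unescape(value.strip())
    return props


def agent_config_location(text: str) -> str:
    # The path Federation Web Services would actually try to open.
    return load_properties(text).get("AgentConfigLocation", "")


def looks_like_windows_path(path: str) -> bool:
    # Sanity check to run after editing the file: a usable Windows path
    # still has its drive separator and at least one directory separator.
    return len(path) > 2 and path[1] == ":" and "\\" in path


if __name__ == "__main__":
    for label, text in (("single", WRONG_PROPERTIES), ("double", RIGHT_PROPERTIES)):
        path = agent_config_location(text)
        print(f"{label} backslashes -> {path!r}  usable: {looks_like_windows_path(path)}")
```

Run the block and the single-backslash entry collapses to C:SunWebServer6.1https-sp.democonfigWebAgent.conf, a path that does not exist, which is the failure mode the note above guards against.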
Test Federation Web Services

After you have set up the Federation Web Services application, verify that it is operating properly.

Follow these steps:

  1. Open a web browser and enter the following link:
    http://fqhn:port_number/affwebservices/assertionretriever
    
    fqhn

    Defines the fully qualified host name.

    port_number

    Defines the port number of the server where the Web Agent and Web Agent Option Pack are installed.

    For this deployment, enter:

    http://www.sp.demo:81/affwebservices/assertionretriever
    

    If Federation Web Services is operating correctly, the following message appears:

    Assertion Retrieval Service has been successfully initialized.
    The requested servlet accepts only HTTP POST requests.
    

    This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you get a message that the Assertion Retrieval Service has failed. If Assertion Retrieval Service fails, examine the Federation Web Services log.

  2. Enable Web Agent Option Pack logging.
Enable Web Agent Option Pack Logging at the SP

At the SP, enable logging for the system with the Web Agent Option Pack so you can view the error log (affwebserv.log) and the trace log (FWSTrace.log).

To enable error and trace logging

  1. Open the LoggerConfig.properties file. This file can be found in the directory web_agent_home/affwebservices/WEB-INF/classes.
  2. Set the LoggingOn parameter to Y.
  3. Accept the default name and location for the LogFileName setting, which points to the affwebserv.log file.
  4. Set the TracingOn setting to Y.
  5. Accept the default name and location for the TraceFileName setting, which points to the FWSTrace.log file.

Logging is now enabled.

More Information:

Set up the LoggerConfig.properties File

Specify the User Store for the SP Policy Server

The SP user directory holds the user records that the Service Provider uses for authentication.

Configure a user directory in the Administrative UI. The directory, named SP LDAP, is the Sun ONE LDAP directory that contains the users user1 and user2.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, Directory, User Directories.
  3. Click Create User Directory.

    The User Directory dialog opens.

  4. Complete the following field:
    Name

    SP LDAP

  5. Complete the following fields in the Directory Setup section:
    Namespace

    LDAP

    Server

    www.sp.demo:32941

  6. Complete the following fields in the LDAP Search section:
    Root

    dc=sp,dc=demo

    Accept the defaults for the other values.

  7. Complete the following fields in the LDAP User DN Lookup section:
    Start

    uid=

    End

    ,ou=People,dc=sp,dc=demo

  8. Click View Contents to verify that you can view the contents of the directory.
  9. Click Submit.
Configure the SAML 2.0 Authentication Scheme at the SP

To authenticate users at the Service Provider, configure the SAML 2.0 authentication scheme. The assertion from the IdP provides the credentials for authentication.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, Authentication Scheme, Authentication Schemes.

    The Authentication Scheme dialog opens where you define the scheme common setup.

  3. Complete the following fields:

    Scheme Common Setup section:

    Name

    Partner IdP.demo Auth Scheme

    Authentication Scheme Type

    SAML 2.0 Template

    Protection Level

    5 (default)

  4. Click SAML 2.0 Configuration.

    The dialog opens where you specify the general settings and user disambiguation.

  5. Specify the following settings in the General section:
    SP ID

    sp.demo

    IdP ID

    idp.demo

    SAML Version

    2.0 (default)

    Skew Time

    30 (default)

    Note: The SP ID and IdP ID values must match the values at the IdP.

  6. In the User Disambiguation section, configure the following setting:
    LDAP

    Username=%s

  7. Click Next to move to the single sign-on settings.

More information:

Enable Signature Validation at the Service Provider

Configure HTTP-POST for Single Sign-on at the SP

For the authentication scheme, indicate the single sign-on binding to be used so the Service Provider knows how to communicate with the Identity Provider.

Follow these steps:

  1. In the SSO settings, complete the following fields:
    Redirect Mode

    302 Cookie Data (default)

    User is redirected through an HTTP 302 redirect with a session cookie, but no other data.

    SSO Service
    http://www.idp.demo:80/affwebservices/public/saml2sso
    
    Audience

    sp.demo

    This value must match the value at the Identity Provider.

    Target
    http://www.sp.demo:81/spsample/protected/target.jsp
    

    If you begin the Target with http, enter the full path to the resource. A CA SiteMinder® policy that uses the SAML 2.0 authentication scheme protects the target.

  2. Select the HTTP-POST in the Bindings section.
  3. Clear the check box labeled Enforce Single Use Policy.

    Disabling this option makes the sample network noncompliant with SAML 2.0: the Service Provider no longer records the IDs of assertions it has consumed, so an assertion captured in transit can be presented again until it expires. To enable the single use policy feature, set up a session store at the Service Provider.

  4. Click Next until you reach the Encryption & Signing step.
  5. Select Disable Signature Processing.

    Important! Disabling signing is intended only for debugging the initial single sign-on configuration. With signature processing disabled, the Service Provider accepts any well-formed assertion that names idp.demo as its issuer, whoever produced it. In a production environment, signature processing is a mandatory security requirement. At the SP, enable signature validation and set up the certificate data store to validate signatures.

  6. Click Next until you reach the last configuration step.
  7. Click Finish.

    The basic authentication scheme configuration is complete.

  8. Keep the Administrative UI open and go to Protect the Target Resource Using SAML 2.0 Authentication.
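The following is an added example, not CA SiteMinder code. It spells out the checks that the SAML 2.0 authentication scheme configured in the two procedures above (general settings, user disambiguation, single sign-on settings) applies to an incoming assertion, using the sample network's values: IdP ID idp.demo, SP ID and Audience sp.demo, Skew Time 30 seconds. Running it shows what the two debugging shortcuts cost: with Enforce Single Use Policy cleared the same assertion is accepted twice, and with signature processing disabled an unsigned assertion passes. The sample Response XML, the use of the user's mail address as the NameID, and the in-memory replay cache standing in for the session store are constructed for the example; real signature verification needs an XML-DSig library and is only represented by a presence check.

```python
# Added example for this page, not code from CA SiteMinder.  It spells out
# the checks the SAML 2.0 authentication scheme configured above applies to
# an incoming assertion, using the sample network's values (IdP ID
# idp.demo, SP ID / Audience sp.demo, Skew Time 30 s).  The sample Response
# XML, the use of the user's mail address as NameID, and the in-memory
# replay cache are constructed for the example.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_ID = "sp.demo"      # SP ID and Audience configured at the SP
IDP_ID = "idp.demo"    # IdP ID configured at the SP; must equal the IdP's Issuer
SKEW = timedelta(seconds=30)


def saml_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_response(assertion_id="_id-1", audience=SP_ID, issuer=IDP_ID, signed=False):
    # Constructed SAML Response.  An empty ds:Signature element stands in
    # for a real XML signature so that the presence check can be exercised.
    sig = '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"/>' if signed else ""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" Version="2.0" IssueInstant="2013-01-01T12:00:00Z">
  <saml:Assertion ID="{assertion_id}" Version="2.0" IssueInstant="2013-01-01T12:00:00Z">
    <saml:Issuer>{issuer}</saml:Issuer>{sig}
    <saml:Subject><saml:NameID>user1@sp.demo</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2013-01-01T12:00:00Z" NotOnOrAfter="2013-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def validate_assertion(xml_text, now, seen_ids, enforce_single_use=True, require_signature=True):
    """Return (True, name_id) if the assertion is accepted, else (False, reason).

    seen_ids plays the role of the SP session store that the single use
    policy needs: the IDs of assertions already consumed.
    """
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion in Response"
    # "Disable Signature Processing" corresponds to require_signature=False:
    # an unsigned or forged assertion passes this step untouched.  Verifying
    # the signature itself needs an XML-DSig library and is not shown here.
    if require_signature and assertion.find("ds:Signature", NS) is None:
        return False, "assertion is not signed"
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != IDP_ID:
        return False, f"unexpected issuer {issuer!r}"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions"
    not_before = saml_time(cond.get("NotBefore"))
    not_on_or_after = saml_time(cond.get("NotOnOrAfter"))
    # Skew Time widens the validity window by 30 s at both ends.
    if now + SKEW < not_before or now - SKEW >= not_on_or_after:
        return False, "assertion outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ID not in audiences:
        return False, f"audience {audiences} does not include {SP_ID}"
    assertion_id = assertion.get("ID")
    # Enforce Single Use Policy: the same assertion may be presented once.
    # With the box cleared, a captured assertion replays until it expires.
    if enforce_single_use:
        if assertion_id in seen_ids:
            return False, f"assertion {assertion_id} already used (replay)"
        seen_ids.add(assertion_id)
    # The NameID is the value that "Username=%s" disambiguation substitutes
    # into the LDAP lookup against the SP user store.
    return True, assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)


if __name__ == "__main__":
    now = saml_time("2013-01-01T12:01:00Z")
    cache = set()
    print(validate_assertion(sample_response(), now, cache, require_signature=False))
    print(validate_assertion(sample_response(), now, cache, require_signature=False))  # replay
    print(validate_assertion(sample_response(), now, set(), require_signature=True))   # unsigned
```

The three printed results are the accepted first use, the rejected replay, and the rejection of an unsigned assertion once signature processing is required again; pass enforce_single_use=False to see the replay accepted, which is the state the sample network is in after step 3.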

Protect the Target Resource at the SP

After you configure a SAML 2.0 authentication scheme, use this scheme in a policy that protects the target resource at Service Provider.

Follow these steps:

  1. Navigate to Infrastructure, Agent, Agents and create a Web Agent named sp-webagent. This Agent protects the server with the Web Agent Option Pack installed.
  2. Navigate to Policies, Domain, Domains.
  3. Create a policy domain with the following values:
    Name

    Domain for IdP.demo Visitors

    User Directory section

    Add the user directory that holds user1 and user2.

  4. Go to the Realms page and configure a persistent realm with the following values:
    Name

    SP Target Page Protection Realm

    Agent

    sp-webagent

    Resource Filter

    /spsample/protected/

    Defines the path, on the Service Provider web server, of the directory that holds the target resource (target.jsp). The realm filter combined with the rule resource must match the Target configured in the authentication scheme, /spsample/protected/target.jsp; a filter such as /spsample/protected.jsp does not match that path, and the target is then not protected by this policy.

    Default Resource Protection

    Protected

    Authentication Scheme

    Partner IdP.demo Auth Scheme

  5. To the realm, add a rule with the following values:
    Name

    SP Target Page Protection Rule

    Realm

    SP Target Page Protection Realm

    Resource

    *

    Action

    Web Agent actions

    Get

    Accept the defaults for all other fields.

  6. Go to the Policies page and create a policy with the following values:

    General page

    Name

    SP Target Page Protection Policy

    Users page

    For the SP LDAP directory, click Add Member. Add user1 so this user has access to the target.

    Rules page

    Add the SP Target Page Protection Rule

  7. Click Submit.

    The protection policy for the target resource is complete.

  8. Exit the Administrative UI.
  9. Use HTML Pages to test the federation set-up.
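The following is an added example, not CA SiteMinder code. It models how a realm's Resource Filter and a rule's Resource combine into the resource a Web Agent asks the Policy Server about, so that you can confirm before testing that the realm, rule and policy above actually cover the Target set in the authentication scheme and that only user1 gets through. The matching is a deliberately simplified model (the filter is a path prefix and * matches any run of characters); the realm, rule, policy, target URL and user names are the sample network's values.

```python
# Added example for this page, not code from CA SiteMinder.  It models how
# a realm's Resource Filter and a rule's Resource combine into the path a
# Web Agent checks, so you can confirm that the policy built above really
# covers the Target configured in the authentication scheme.  The matching
# rules are a simplified model (filter is a prefix, '*' matches any run of
# characters); the realm, rule, policy and users are the sample values.
import re
from urllib.parse import urlsplit

TARGET = "http://www.sp.demo:81/spsample/protected/target.jsp"

REALM = {
    "name": "SP Target Page Protection Realm",
    "agent": "sp-webagent",
    "resource_filter": "/spsample/protected/",
    "auth_scheme": "Partner IdP.demo Auth Scheme",
}
RULE = {"name": "SP Target Page Protection Rule", "resource": "*", "actions": {"GET"}}
POLICY = {
    "name": "SP Target Page Protection Policy",
    "users": {"user1"},          # user2 exists in SP LDAP but is not in the policy
    "rules": {RULE["name"]},
}


def effective_resource(resource_filter: str, rule_resource: str) -> str:
    # The realm filter and rule resource are concatenated into one pattern.
    return resource_filter + rule_resource


def resource_matches(resource_filter: str, rule_resource: str, path: str) -> bool:
    # Turn the combined pattern into an anchored regex where '*' is a wildcard.
    parts = effective_resource(resource_filter, rule_resource).split("*")
    pattern = "^" + ".*".join(re.escape(p) for p in parts) + "$"
    return re.match(pattern, path) is not None


def access_decision(url: str, method: str, user: str):
    """Return (decision, detail) for an authenticated user's request."""
    path = urlsplit(url).path
    if not resource_matches(REALM["resource_filter"], RULE["resource"], path):
        # No realm claims the resource, so the agent lets the request
        # through without any authentication at all.
        return "unprotected", f"{path} is outside realm filter {REALM['resource_filter']!r}"
    if method.upper() not in RULE["actions"]:
        return "no-rule", f"no rule grants {method} on {path}"
    if RULE["name"] not in POLICY["rules"] or user not in POLICY["users"]:
        return "deny", f"{user} is not a member of policy {POLICY['name']!r}"
    return "allow", f"{user} may {method} {path} after {REALM['auth_scheme']!r}"


def filter_covers_target(resource_filter: str, target_url: str = TARGET) -> bool:
    # Pre-flight check for the realm configuration against the scheme's Target.
    return resource_matches(resource_filter, RULE["resource"], urlsplit(target_url).path)


if __name__ == "__main__":
    for flt in ("/spsample/protected/", "/spsample/protected.jsp"):
        print(f"filter {flt!r} covers target: {filter_covers_target(flt)}")
    for user in ("user1", "user2"):
        print(user, access_decision(TARGET, "GET", user))
```

Run as is, the check reports that /spsample/protected/ covers the target while a filter of /spsample/protected.jsp does not, and that user1 is allowed and user2 denied, which is the behaviour to expect when testing with the sample pages.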