Federation Guides › Legacy Federation Guide › Configure a SAML 2.0 Identity Provider

Configure a SAML 2.0 Identity Provider

Prerequisites for an Asserting Partner(legacy)

To configure an asserting partner, verify the following conditions:

• The Policy Server is installed.
• One of the following options is installed:
  • The Web Agent and the Web Agent Option Pack. The Web Agent authenticates users and establishes a CA SiteMinder® session. The Option Pack provides the Federation Web Services application. Be sure to deploy the FWS application on the appropriate system in your network.
  • The SPS federation gateway has an embedded Web Agent and the Federation Web Services application on the embedded Tomcat web server.

  For more information, see the Web Agent Option Pack Guide.

• Private keys and certificates are imported for functions that require signing and decrypting messages.
• A relying partner is set up within the federated network.

How to Configure an Identity Provider

CA SiteMinder®, as an Identity Provider generates assertions for its business partners, the Service Providers. To establish a federated partnership, the Identity Provider needs information about each partner. Create a Service Provider object for each partner and define how the two entities communicate to pass assertions and to satisfy profiles, such as single sign-on.

To configure an Identity Provider

1. Create a Service Provider object.
2. Add the Service Provider to an affiliate domain.
3. Specify the general identifying information for the Service Provider.
4. Select users from a user store. The Identity Provider generates assertions for these users.
5. Specify the Name ID.
6. Configure a single sign-on (SSO) profile.

   You can save a Service Provider entity without configuring a complete SSO profile. However, you cannot pass an assertion to the Service Provider without completing the SSO configuration.

7. Configure signing and encryption for requests and responses.
8. Complete optional configuration tasks.

Tips:

• Certain parameter values at the Identity Provider and Service Provider must match for the configuration to work. A list of those parameters can be found in Configuration Settings that Must Use the Same Values.
• Use the correct URLs for the Federation Web Services servlets. A list of URLs can be found in Federation Web Services URLs Used in SiteMinder Configuration

Optional Configuration Tasks for Identifying a Service Provider

The following optional tasks are for identifying a Service Provider:

• Configure IP address restrictions to limit the addresses that are used to access Service Providers.
• Configure time restrictions for Service Provider operations.
• Enable enhanced client or proxy profile.
• Configure attributes for inclusion in assertions.
• Configure single logout (SLO).
• Configure the Identity Provider Discovery profile.
• Encrypt the Name ID in the assertion and/or the entire assertion.
• Sign the assertion and/or the entire assertion response.
• Sign the artifact resolve message and/or the artifact response.
• Customize a SAML assertion response using the Assertion Generator plug-in.

Navigating Legacy Federation Dialogs

The Administrative UI provides two ways to navigate to the legacy federation configuration dialogs.

You can navigate in one of two ways:

• Following a wizard to configure a new legacy federation object.

  When you create an object, a page displays with a configuration wizard. Follow the steps in the configuration wizard to create the object.

  

• Selecting tabs to modify an existing legacy federation object.

  When you modify an existing object, a page displays with a series of tabs. Modify the configuration from these tabs. These tabs are the same as the steps in the configuration wizard.

  

Add a SAML 2.0 Service Provider to an Affiliate Domain

To identify a Service Provider as an available consumer of CA SiteMinder®-generated assertions, add the Service Provider to an affiliate domain at the Identity Provider. You then define the configuration of the Service Provider so that the Identity Provider can issue assertions for it.

To add a Service Provider to an affiliate domain

1. Log in to the Administrative UI.
2. Click Federation, SAML Service Providers.
3. Click Create SAML Service Provider.

   The Create SAML Service Provider page appears.

4. Select an Affiliate Domain then click Next.

Configure the general settings.