Previous Topic: User Directory Configuration for FederationNext Topic: Grant Access to Federation Web Services


Creating Affiliate Domains

This section contains the following topics:

Affiliate Domain Overview

Configure an Affiliate Domain

Add Entities to an Affiliate Domain

Affiliate Domain Overview

An affiliate domain is a logical grouping of federated entities that are associated with one or more user directories.

The affiliate domain not only contains federated entities but it also defines which user directories are associated with the domain. To generate an assertion, CA SiteMinder® as an Identity Provider must have access to the user directory where a user record is defined. The Policy Server locates a user record by querying the user directories specified in the search order of the affiliate domain.

The search order is defined when you add user directory connections to an affiliate domain. You have the option of shifting the order of directories.

Affiliate domains require one or more administrator accounts that can modify the objects in the domain. System-level administrators can manage all objects in any domain; they have the permission Manage Affiliates. A system administrator that can grant control over a policy domain to other administrators has the permission Manage System and Domain Objects.

Configure an Affiliate Domain

You can add a domain object, select users who have access to resources at the consumer, Service Provider, or Resource Partner, and add associated entities.

To configure an affiliate domain

  1. In the Administrative UI, click Federation, Legacy Federation.
  2. Select Affiliate Domains.

    The Affiliate Domain page displays.

  3. Click Create Affiliate Domain.
  4. In the General settings, enter a name and a brief description for the affiliate domain.
  5. In the User Directories section, click Add/Remove.

    The Choose user directories dialog opens.

  6. Move the user directories that you want to associate with the domain from Available Members to Selected Members.

    Note: Specify the directories that store the records of users who you want to permit access to the affiliate resources.

  7. Click OK.

    The selected directories appear in the User Directories table.

    Note: If there are no existing directories, create a user directory by clicking Create. When you complete the required information, the directory you created appears in the User Directories table.

  8. Optionally, in the User Directories table, use the arrows on the right to adjust the order of directories the table. Use the arrows on the left of to edit the details of a directory.

    Note: The order that the directories appear is the order in which CA SiteMinder® searches to find user records, starting from the top of the list.

  9. Click Submit.

    The affiliate domain is created.

The next step is to add partners to the affiliate domain and configure CA SiteMinder® as the asserting party in the federated partnership.

Add Entities to an Affiliate Domain

Configure CA SiteMinder® to perform the role of the asserting party in the federated partnership. For CA SiteMinder® to act as the asserting party, add partners to an affiliate domain. When a partner sends an authentication request, CA SiteMinder® can generate an assertion in response.

You can add the following entities to an affiliate domain:

Note: These entities must have permission to access Federation Web Services at the asserting party.

For instructions on adding partners to an affiliate domain, see one of the following sections:

More information:

Configure a SAML 1.x Producer

Configure a SAML 2.0 Identity Provider

Configure a WS-Federation Account Partner