Federation Guides › Legacy Federation Guide › Configure a SAML 2.0 Service Provider › How To Protect Resources with a SAML 2.0 Authentication Scheme

How To Protect Resources with a SAML 2.0 Authentication Scheme

Protect target federation resources by configuring a CA SiteMinder® policy that uses the SAML 2.0 authentication scheme.

To protect a federation resource with a SAML authentication scheme:

1. Create a realm that uses the SAML authentication scheme. The realm is the collection of target resources that users request.

   Create a realm in one of the following ways:

   • Create a unique realm for each authentication scheme already configured.
   • Configure a single target realm that uses a custom authentication scheme to dispatch requests to the corresponding SAML authentication schemes. Configuring one realm with a single target for all Identity Providers simplifies configuration of realms for SAML authentication.
2. After you configure a realm, establish an associated rule and optionally, a response.
3. Group the realm, rule, and response into a policy that protects the target resource.

Important! Each target URL in the realm is also identified in an unsolicited response URL. An unsolicited response is sent from the Identity Provider to the Service Provider, without an initial request from the Service Provider. The unsolicited response contains the target. At the Identity Provider, an administrator must include this response in a link so the Identity Provider can redirect the user to the Service Provider.

Configure a Unique Realm for Each Authentication Scheme

The procedure for configuring a unique realm for each SAML or WS-Federation authentication scheme follows the standard instructions for creating realms.

Follow these steps:

1. Navigate to Policy, Domain, Domains.

   The page to create domains displays.

2. Click Create Domain.
3. Enter a domain name.
4. Add the user directory to the domain. This directory is the one that contains the users requesting access to federated resources.
5. Select the Realm tab and create a realm.
   • In the Agent field, select the Web Agent protecting the web server where the target resources reside.
   • Select the appropriate authentication scheme in the Authentication Scheme field.
6. Create a rule for the realm.

   As part of the rule, select an action (Get, Post, or Put) that allows you to control processing when users authenticate.

7. Select the Policies tab and configure a policy that protects the target federation resource. Associate the realm that you previously created with this policy.

A policy with a unique realm now protects the federated resources.

Configure a Single Target Realm for All Authentication Schemes

To simplify configuration of realms for authentication schemes, create a single target realm for multiple sites generating assertions.

To do this task, set up the following components:

• A single custom authentication scheme

  This custom scheme forwards requests to the corresponding SAML or WS-Federation authentication schemes that you already configured for each asserting party.

• A single realm with one target URL

Create Authentication Schemes for the Single Target Realm

To define a custom authentication scheme for a single target realm, you must:

• Configure the authentication schemes.
• Define a parameter in the custom scheme that tells the Policy Server which authentication schemes to apply to resource requests.

First, verify that there are configured SAML or WS-Federation authentication schemes. If not, configure these schemes that the custom scheme can reference.

To create the authentication scheme

1. Navigate to Infrastructure, Authentication, Authentication Schemes.

   The Create Authentication Scheme page appears.

2. Create one or more authentication schemes according to the procedures for the protocol you are using.
3. Click OK to exit.

More information:

SAML 1.x Authentication Schemes

WS-Federation Authentication Scheme Overview

How to Configure a SAML 2.0 Authentication Scheme

Create the Custom Authentication Scheme

A single target realm relies on a specific custom authentication scheme to work properly.

To configure a custom authentication scheme for a single target realm

1. Navigate to Infrastructure, Authentication, Authentication Schemes.

   The Create Authentication Scheme page appears.

2. Complete the fields as follows:

   Name

   Enter a descriptive name for the custom authentication scheme, such as SAML Custom Auth Scheme.

3. In the Scheme Common Setup section, complete the following fields:

   Authentication Scheme Type

   Custom Template

   Protection Level

   Accept the default of set a new level.

4. In the Scheme Setup section, complete the following fields:

   Library

   smauthsinglefed

   Secret

   Leave this field blank.

   Confirm Secret

   Leave this field blank.

   Parameter

   Specify one of the following parameters:

   • SCHEMESET=LIST; <saml-scheme1>;<saml_scheme2>

     Specifies the list of SAML authentication scheme names to use. If you configured an artifact scheme named artifact_producer1 and POST profile scheme named samlpost_producer2, you enter these schemes. For example:

     SCHEMESET=LIST;artifact_producer1;samlpost_producer2

   • SCHEMESET=SAML_ALL;

     Specifies all the configured schemes. The custom authentication scheme enumerates all the SAML authentication schemes and finds the one with the correct Provider Source ID for the request.

   • SCHEMESET=SAML_POST;

     Specifies all the SAML POST Profile schemes that you have configured. The custom authentication scheme enumerates the POST Profile schemes and finds the one with the correct Provider Source ID for the request.

   • SCHEMESET=SAML_ART;

     Specifies all the SAML artifact schemes that you have configured. The custom authentication scheme enumerates the artifact schemes and finds the one with the correct Provider Source ID for the request.

   • SCHEMESET=WSFED_PASSIVE;

     Specifies all the WS-Federation authentication schemes to find the one with the correct Account Partner ID.

   Enable this scheme for CA SiteMinder® Administrators

   Leave unchecked.

5. Click Submit.

The custom authentication scheme is complete.

Configure the Single Target Realm

After you configure the authentication schemes and associate them with a custom scheme, configure a single target realm for federation resources.

Follow these steps:

1. Navigate to Policies, Domain, Domains.
2. Modify the policy domain for the single target realm.
3. Select the Realms tab and click Create.

   The Create Realm dialog opens.

4. Enter the following values to create the single target realm:

   Name

   Enter a name for this single target realm.

5. Complete the following field in the Resource option:

   Agent

   Select the Web Agent protecting the web server with the target resources.

   Resource Filter

   Specify the location of the target resources. The location is where any user requesting a federated resource gets redirected.

   For example, /FederatedResources.

6. Select the Protected option in the Default Resource Protection section.
7. Select the previously configured custom authentication scheme in the Authentication Scheme field.

   For example, if the custom scheme was named Fed Custom Scheme, you would select this scheme.

8. Click OK.

The single target realm task is complete.

Configure the Rule for the Single Target Realm

After you configure the single target realm, configure a rule to protect the resources.

1. Navigate to the Modify page for the single target Realm.
2. Click Create in the Rules section.

   The Create Rule page appears.

3. Enter values for the fields on the rules page.
4. Click OK.

The single target realm configuration includes the new rule.

Create a Policy Using the Single Target Realm

Create a policy that references the single target realm. Remember that the single target realm uses the custom authentication scheme that directs requests to the appropriate SAML authentication scheme.

Note: This procedure assumes that you have already configured the domain, custom authentication scheme, single target realm and associated rule.

Follow these steps:

1. Navigate to the previously configured domain.
2. Select the Policies tab and click create.

   The Create Policy page opens.

3. Enter a name and a description of the policy in the General section.
4. Add users to the policy from the Users section.
5. Add the rule that you created for the single target realm from the Rules tab.

   The remaining tabs are optional.

6. Click OK.
7. Click Submit.

The policy task is complete. When a request triggers this policy, it relies on the single realm and associated authentication schemes to authenticate the user.