

Getting Started with a Simple Partnership

This section contains the following topics:

Basic SAML 2.0 Partnership

Sample Federation Network

Confirm that Required Components are Installed

Configure the IdP Partner

Configure the SP Partner

Activate the Partnership

Test the Partnership (POST Profile)

Enable Signature Processing

Add Single Logout

Set Up the Artifact Profile for SSO

Test the Partnership (Artifact SSO)

Basic SAML 2.0 Partnership

One way to get started with partnership federation is to configure a single partnership. This chapter describes how to set up a basic SAML 2.0 federation partnership: single sign-on using the SAML 2.0 POST profile. Starting with a basic configuration lets you see how partnership federation works with the fewest steps.

Note: This partnership focuses on SAML 2.0; however, the overall process is the same for SAML 1.1. The configuration settings at each step of the partnership can differ depending on the SAML protocol.

The chapter also describes the configuration of additional features, such as digital signing and single logout, that reflect a real production environment. You can also add the Artifact binding to the configuration.

The sample network used in this chapter presupposes that CA SiteMinder® is installed at both sites in the partnership. However, you can have CA SiteMinder® at one site and a different SAML-compliant product at the other site and still engage in a partnership.

With CA SiteMinder® at both sites, you have to understand the perspective from which you are configuring a partnership. To configure a complete partnership, you begin by defining a partnership definition at each site, one for each direction of communication from a given site. For example, if the local site is the Identity Provider (IdP), you configure the local IdP-to-remote SP partnership. This configuration is one partnership definition. To complete the partnership configuration, you configure the reciprocal local SP-to-remote IdP partnership at the local SP.

The partnership definition always distinguishes the local and remote entities. The local entity is the entity at the site from which you are configuring partnership federation. The local entity is not necessarily the system on which CA SiteMinder® is installed, but it is in the same domain. The remote entity is the entity at a partner that resides in a different domain from the one where you are configuring partnership federation.

The following process shows the steps for creating the basic partnership when CA SiteMinder® is at both sites:

  1. Establish a user directory connection.
  2. Protect the authentication URL to establish a session.
  3. Create the local and remote entities.
  4. Configure the local IdP-to-SP partnership definition at the IdP.
  5. Configure the local SP-to-IdP partnership definition at the SP.
  6. Activate the partnership.
  7. Test the partnership.

Sample Federation Network

The initial partnership that you are creating represents the following sample network. The URLs in the procedures and sample network are examples and do not resolve to any real site.

The Business Partners
SAML Profiles and Features

  SSO Service URL at the IdP:
    http://idp1.example.com:9090/affwebservices/public/saml2sso

  Assertion Consumer Service URL at the SP:
    http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer

Note: You need two systems with CA SiteMinder® installed to implement this sample network.

The following figure shows the sample partnership with CA SiteMinder® at both partners.

Figure: Sample SAML 2.0 Partnership Federation Network
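The sample network above fixes the two endpoints that the POST profile uses: the browser is sent to the SSO Service URL at the IdP, and the IdP returns a SAMLResponse form field that the browser posts to the Assertion Consumer Service URL at the SP. The following added example (not CA SiteMinder code, and not part of this chapter) shows the checks an SP performs on that posted response before it trusts it: the Destination and bearer Recipient must equal the SP's ACS URL, the Issuer must be the configured IdP, the Audience must be this SP, and the assertion must not have expired. The entity IDs, the build_response helper and the sample response it produces are constructed for the example; signature verification is deliberately left out, since the basic partnership in this chapter is unsigned and signing is added later under Enable Signature Processing.

```python
"""SP-side checks on a SAML 2.0 POST-profile Response.

Added example; not CA SiteMinder code. Entity IDs are hypothetical.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Endpoints taken from the sample network in this chapter.
IDP_SSO_URL = "http://idp1.example.com:9090/affwebservices/public/saml2sso"
SP_ACS_URL = "http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer"

# Entity IDs are assumptions for this example; the chapter does not name them.
IDP_ENTITY_ID = "http://idp1.example.com/idp"
SP_ENTITY_ID = "http://sp1.demo.com/sp"

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": SAMLP, "saml": SAML}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Fixed clock so the constructed sample is reproducible.
NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
EXPIRES_OK = NOW + timedelta(minutes=5)
EXPIRES_PAST = NOW - timedelta(minutes=5)


def build_response(destination, issuer, audience, not_on_or_after):
    """Build a constructed, unsigned SAML 2.0 Response and return the
    base64 string a browser would POST in the SAMLResponse form field."""
    expiry = not_on_or_after.strftime(TIME_FMT)
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2000-01-01T00:00:00Z" '
        f'Destination="{destination}">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2000-01-01T00:00:00Z">'
        f'<saml:Issuer>{issuer}</saml:Issuer>'
        '<saml:Subject><saml:NameID>user1</saml:NameID>'
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{expiry}"/>'
        '</saml:SubjectConfirmation></saml:Subject>'
        f'<saml:Conditions NotOnOrAfter="{expiry}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
        '</saml:AudienceRestriction></saml:Conditions>'
        '</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


def check_post_response(saml_response_b64, now, acs_url=SP_ACS_URL,
                        idp_entity_id=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID):
    """Return the list of validation failures; an empty list means accept."""
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP}}}Response":
        return ["not a samlp:Response"]
    # The IdP must have addressed the response to this SP's ACS URL.
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match ACS URL")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no assertion")
        return problems
    # Only the configured partner IdP may issue assertions for this partnership.
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != idp_entity_id:
        problems.append("issuer is not the configured IdP")
    # Bearer confirmation ties the assertion to the endpoint it was posted to.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("bearer Recipient does not match ACS URL")
    # The assertion must be meant for this SP and still be valid.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS)
    if audience != sp_entity_id:
        problems.append("audience is not this SP")
    conditions = assertion.find("saml:Conditions", NS)
    expiry = conditions.get("NotOnOrAfter") if conditions is not None else None
    if expiry is None or now >= datetime.strptime(expiry, TIME_FMT).replace(tzinfo=timezone.utc):
        problems.append("assertion has expired")
    return problems


def demo():
    """Run the checks over a valid, a misaddressed and an expired response."""
    good = build_response(SP_ACS_URL, IDP_ENTITY_ID, SP_ENTITY_ID, EXPIRES_OK)
    misaddressed = build_response(IDP_SSO_URL, IDP_ENTITY_ID, SP_ENTITY_ID, EXPIRES_OK)
    expired = build_response(SP_ACS_URL, IDP_ENTITY_ID, SP_ENTITY_ID, EXPIRES_PAST)
    return {
        "good": check_post_response(good, NOW),
        "misaddressed": check_post_response(misaddressed, NOW),
        "expired": check_post_response(expired, NOW),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'accepted'}")
```

The misaddressed case is the one to watch for when testing the partnership: a response whose Destination is the IdP's own SSO Service URL rather than the SP's ACS URL fails both the Destination and the bearer Recipient checks, which is exactly the symptom of an ACS URL typed incorrectly into the IdP-side partnership definition.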

Confirm that Required Components are Installed

To use partnership federation, the following components are required:

This simple partnership deployment example assumes that these components are installed and working.