The basic partnership began with HTTP-POST binding for single sign-on. However, your partnership can use the SAML 2.0 Artifact profile.
The configuration for the HTTP-Artifact binding is the same as the configuration for POST binding, until the SSO and SLO steps in the wizard.
This procedure shows you how to configure the HTTP-Artifact profile for SSO.
Follow these steps:
The Partnerships window displays.
Deactivation is required before editing.
The partnership wizard opens.
HTTP-Artifact
Partnership
Leave the remaining settings as is.
HTTP-Artifact
http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer
This URL is the same one used for the POST profile.
No Auth
Artifact binding is now configured at Idp1.
This procedure shows you how to configure the HTTP-Artifact profile for SSO.
Follow these steps:
The Partnerships window displays.
Deactivation is required before editing.
The partnership wizard opens.
HTTP-Artifact
Keep the same URL that was configured for HTTP-POST single sign-on.
1
http://idp1.example.com:9090/affwebservices/public/saml2ars
No Auth
The Application Integration step is where you specify the target resource and how CA SiteMinder® redirects the user to the target resource.
Follow these steps:
In this sample partnership, this target is:
http://spapp.demo.com:80/spsample/welcome.html
When each side of the partnership is operating, test single sign-on between the two partners.
When IdP1 receives the request, it generates the artifact. The artifact is then sent to the SP1.
After SP1 receives the artifact, it redirects the request back to IdP1. The IdP retrieves the assertion and returns it to SP1.
For testing purposes, create your own html page with a link that initiates single sign-on. You can initiate single sign-on from the IdP or SP. This example illustrates SP-initiated single sign-on.
Follow these steps:
<a href="http://sp1.demo.com:9091/affwebservices/public/
saml2authnrequest?ProviderID=idp1.example.com:9090&
ProtocolBinding=urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact>
Link for ARTIFACT Single Sign-on</a>
This link instructs the AuthnRequest Service to redirect the user to the specified Identity Provider to retrieve the user authentication context.
For this sample network, the target web server is http://spapp.demo:80.
The last step that is required to test single sign-on is to create a target resource.
Follow these steps:
<p>Welcome to SP1</p>
<p>Single Sign-on is successful</p>
For this sample network, the target web server is http://spapp.demo.com:80.
After you have set up the sample web pages, test single sign-on and verify that the partnership configuration is successful.
Follow these steps:
http://spapp.demo.com:80/spsample/testartifact.html
Note: The target web server is a different server than the one where CA SiteMinder® resides.
When entering the URL, a page is displayed with a link that reads Link to Test ARTIFACT Single Sign-on.
The user is redirected from the SP to the Identity Provider.
After the Identity Provider establishes a session, it directs the user back to the target resource at the Service Provider, which is welcome.html. You see the sample welcome page that you created at the SP. The displayed page lets you know single sign-on was successful.
Copyright © 2015 CA Technologies.
All rights reserved.
|
|