Previous Topic: Federation Profile for Single Sign-onNext Topic: Comparing Federation and Web Access Management for Single Sign-on


Federating with Each CA SiteMinder® Federation Model

The legacy federation or partnership federation model can establish a federated partnership between Financepro and BankLtd. Using federation, users move between each company as if they are one company.

Partnership Federation Model

Configure the partnership model in the Administrative UI, guided by a partnership wizard. The partnership objects focus on creating partnerships and identifying each side of the partnership to accomplish single sign-on.

These steps in the partnership wizard include:

  1. Configuring a Partnership

    Names the partnership and identifies the two entities that make up the partnership.

  2. Establishing the Federation Users/User Identification

    Identifies the users for which the asserting party generates assertions/tokens and the relying party authenticates.

  3. NameID and Attributes

    Determines how a federated identity is established and lets you add attributes to identify and customize the content of the assertion.

    Using the NameID and attributes, you can verify that the appropriate information is available to the application at the relying party. The NameID and Attributes step is where you configure account linking and identity mapping.

  4. SSO and SLO or Sign-out

    Defines the Single Sign-on binding, including the location of the service consuming assertions at the relying party. For SAML 2.0, you can configure more features, such as single logout (SLO), authentication context, Enhanced Client or Proxy (ECP) profile, and Identity Provider Discovery profile. For WS-Federation, you can configure sign-out.

  5. AuthnContext (SAML 2.0 only)

    Enables the Service Provider to obtain information about the authentication process to establish a level of confidence. This feature also enables the Identity Provider to include the authentication context in an assertion.

  6. Signature and Encryption

    Defines the signature and encryption options for secure exchange of data, including:

  7. Application Integration

    Enables you to configure redirection to the target application, lets you set up provisioning of user records, and define relying-party side attribute mapping. You can also set up redirects for failed user authentication.

Legacy Federation Model

The legacy federation model focuses on the domain, realm, rule, authentication schemes, and policy objects.

If CA SiteMinder® is the asserting party, the configuration steps include:

  1. Configuring an entity in an affiliate domain

    Names the partner for which the asserting party generates assertions.

  2. Establishing federation users

    Specifies the user directories for which the asserting party generates assertions and the relying party authenticates.

  3. Selecting profiles (SAML or WS-Federation) for transactions

    Determines how a federated identity is established. In the profiles configuration, you add attributes to identify and customize the content of the assertion.

    Using NameID and attributes, you can verify that the appropriate information is available to the application at the relying party. The profiles configuration is where you specify account linking and identity mapping.

    As part of the profiles, configure single sign-on. For SAML 2.0, you can configure more features, such as single logout (SLO), Enhanced Client or Proxy (ECP) profile, and Identity Provider Discovery profile. For WS-Federation, you can configure sign-out.

  4. Signature processing and encryption (SAML 2.0)

    Defines the signature options for secure exchange of assertions, authentication requests, and single logout requests and responses.

If CA SiteMinder® is the relying party, the configuration steps include:

  1. Setting up SAML and WS-Federation authentication schemes

    Enables you to configure redirection to the target application, lets you set up provisioning of user records, and define relying-party side attribute mapping.

  2. Configuring federation-specific settings included with the authentication scheme, such as single sign-on, single logout, sign-out, encryption, and decryption.
Federation Flow Diagram

Configure the components to establish successful federated partnerships. Most of these components are configurable using the Administrative UI.

The following flow chart highlights the general process for legacy federation and partnership federation.

Flow chart of federation configuration

See the following guides for detailed instructions on required components and configuration procedures:

Partnership federation

Partnership Federation Guide

Partnership Federation refers to partnership model of federation.

Legacy federation

Legacy Federation Guide

Legacy federation refers to the product known as Federation Security Services