The following sections detail the tasks for deploying legacy federation at the Service Provider. The entries in each section reflect the sample data provided for a basic configuration.
Note: These procedures assume you have already installed the required components.
At the SP, configure a user store and add user records for users that require assertions. When the assertion is presented during authentication, the Service Provider looks in the user store for the user record.
In this deployment, the Sun ONE LDAP user directory is the user store. Use the Sun ONE Server Console to add users to the directory.
To configure the user store, add the following user records:
user1
userpassword: customer
mail: user1@sp.demo
user2
userpassword: customer
mail: user2@sp.demo
Important! The email address must be the same in the Identity Provider user store for the same users.
Establish the connection between the Policy Server and the LDAP policy store.
Follow these steps:
Complete the following fields in the Policy Store section:
Storage: LDAP
LDAP server: sp.demo:389
Root DN: o=sp.demo
Admin username: cn=Directory Manager
Password: federation
Confirm password: federation
At the SP Policy Server, configure the SiteMinder Profiler to log federation components to the trace log, smtracedefault.log, and examine the trace messages.
To enable logging
Configure trace logging at the Policy Server using the Policy Server Management Console.
The Web Agent Option Pack installed the Federation Web Services (FWS) application. Configure the FWS application for the sample deployment.
For FWS to work, do the following:
The Web Agent Option Pack requires a JDK to run the Federation Web Services application. For the specific version required, go to the Technical Support site and search for the SiteMinder Platform Support Matrix for the release.
For FWS to operate in this deployment, ServletExec is installed on a Sun ONE 6.1 web server.
Note: CA SiteMinder® 12.52 SP1 is shipped with a ServletExec license key file named ServletExec_AS_6_license_key.txt. If you do not have this license key, contact CA Technical Support. From this license file, copy the license key and enter it in the ServletExec License dialog of the ServletExec Administration Console. For instructions on licensing ServletExec, see the ServletExec documentation, available at the New Atlanta Communications website.
Apply the most current hot fixes for the supported version of ServletExec. The hot fixes are necessary for Federation Web Services to work with ServletExec. To obtain the hot fixes, go to the website for New Atlanta Communications.
To set up ServletExec
For instructions, refer to New Atlanta Communications documentation.
The Manage Web Applications dialog opens. Enter the following values:
Application Name: affwebservices
URL Context Path: /affwebservices/
Location: C:\program files\ca\webagent\affwebservices
The location of affwebservices in your network can be different. Enter the correct location.
The AffWebServices.properties file contains all the initialization parameters for Federation Web Services. Specify the location of the WebAgent.conf file in this file.
Follow these steps:
For this deployment, the web server hosting the FWS application at the Service Provider is a Sun ONE Web Server. So, the path to the WebAgent.conf file is:
C:\\Sun\\WebServer6.1\\https-sp.demo\\config\\WebAgent.conf
Note: Federation Web Services is a Java component, so the Windows paths must contain double backslashes. Specify this entry on one line.
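As an added illustration (not code from the CA documentation), the following Python applies the escape rules that java.util.Properties uses when it loads a value, showing what Federation Web Services would see for the WebAgent.conf path written with single versus doubled backslashes; the sample path is constructed from this deployment's value.

```python
# Added example, not CA's code: applies the escape rules java.util.Properties
# uses when loading a value, to show why a Windows path written into
# AffWebServices.properties needs doubled backslashes.
KNOWN_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def load_properties_value(raw: str) -> str:
    """Decode a value as java.util.Properties.load does: backslash plus
    t/n/r/f is a control character, backslash plus uXXXX is a Unicode
    escape, and backslash plus anything else yields that character,
    so a lone backslash silently disappears."""
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch != "\\" or i + 1 >= len(raw):
            out.append(ch)
            i += 1
            continue
        nxt = raw[i + 1]
        if nxt == "u" and i + 5 < len(raw):
            try:
                out.append(chr(int(raw[i + 2:i + 6], 16)))
                i += 6
                continue
            except ValueError:
                pass  # malformed \u escape: Java throws; here it decodes as 'u'
        out.append(KNOWN_ESCAPES.get(nxt, nxt))
        i += 2
    return "".join(out)


def escape_windows_path(path: str) -> str:
    """Produce the form of a Windows path to write into the properties file."""
    return path.replace("\\", "\\\\")


# Constructed sample: the deployment's WebAgent.conf path as a native path.
NATIVE_PATH = r"C:\Sun\WebServer6.1\https-sp.demo\config\WebAgent.conf"


def demo() -> tuple:
    """Return (value Java sees from single backslashes, value from doubled)."""
    return (load_properties_value(NATIVE_PATH),
            load_properties_value(escape_windows_path(NATIVE_PATH)))


if __name__ == "__main__":
    single, doubled = demo()
    print("single backslashes  ->", single)
    print("doubled backslashes ->", doubled)
```

With single backslashes every path separator is consumed as an escape, so the file name collapses into one unusable token; a path containing \t or \n fragments would additionally gain control characters.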
After you have set up the Federation Web Services application, verify that it is operating properly.
Follow these steps:
http://fqhn:port_number/affwebservices/assertionretriever
fqhn: the fully qualified host name.
port_number: the port number of the server where the Web Agent and Web Agent Option Pack are installed.
For this deployment, enter:
http://www.sp.demo:81/affwebservices/assertionretriever
If Federation Web Services is operating correctly, the following message appears:
Assertion Retrieval Service has been successfully initialized. The requested servlet accepts only HTTP POST requests.
This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you get a message that the Assertion Retrieval Service has failed. If Assertion Retrieval Service fails, examine the Federation Web Services log.
At the SP, enable logging for the system with the Web Agent Option Pack so you can view the following logs:
Contains error logging messages.
To enable error and trace logging
Logging is now enabled.
The SP user directory consists of the user records that the Service Provider uses for authentication.
Configure a user directory in the Administrative UI. The directory, named SP LDAP, is the Sun ONE LDAP directory that contains the users user1 and user2.
Follow these steps:
Name: SP LDAP
Namespace: LDAP
Server: www.sp.demo:32941
Root: dc=sp,dc=demo
Accept the defaults for the other values.
Start: uid=
End: ,ou=People,dc=sp,dc=demo
To authenticate users at the Service Provider, configure the SAML 2.0 authentication scheme. The assertion from the IdP provides the credentials for authentication.
Follow these steps:
Scheme Common Setup section:
Name: Partner IDP.demo Auth Scheme
Authentication Scheme Type: SAML 2.0 Template
Protection Level: 5 (default)
The dialog where you specify the general and user disambiguation settings displays. Enter:
SP ID: sp.demo
IdP ID: idp.demo
SAML version: 2.0 (default)
Skew Time: 30 (default)
Note: The SP ID and IdP ID values must match the values at the IdP.
Search specification: Username=%s
For the authentication scheme, indicate the single sign-on binding to be used so the Service Provider knows how to communicate with the Identity Provider.
Follow these steps:
Single sign-on binding: 302 Cookie Data (default). The user is redirected through an HTTP 302 redirect with a session cookie, but no other data.
SSO Service URL: http://www.idp.demo:80/affwebservices/public/saml2sso
Audience: sp.demo. This value must match the value at the Identity Provider.
Target: http://www.sp.demo:81/spsample/protected/target.jsp
If you begin the Target with http, enter the full path to the resource. A CA SiteMinder® policy that uses the SAML 2.0 authentication scheme protects the target.
Disabling the single use policy option makes the sample network noncompliant with SAML 2.0. To enable the single use policy feature, set up a session store at the Service Provider.
Important! Disabling signing is intended only for debugging the initial single sign-on configuration. In a production environment, signature processing is a mandatory security requirement. At the SP, enable signature validation and set up the certificate data store to validate signatures.
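As an added example (not CA SiteMinder code), this Python sketch shows the check that a session-store-backed single use policy performs: each assertion ID is honoured once and rejected on repeat presentation or once its validity window plus the skew time has passed. The assertion IDs, NotOnOrAfter times and clock values are constructed; the in-memory dict stands in for the shared session store.

```python
# Added example, not CA SiteMinder code: the check a session-store-backed
# single use policy performs. An assertion ID is honoured once; a repeat
# presentation before it expires is treated as a replay and rejected.
import time
from typing import Dict, Optional


class SingleUseAssertionStore:
    """Remembers consumed assertion IDs until they can no longer be valid.
    A real SP keeps this in the shared session store so every Policy
    Server sees the same record; a per-process dict stands in here."""

    def __init__(self, skew_seconds: int = 30) -> None:
        self.skew_seconds = skew_seconds   # same role as the scheme's skew time
        self.seen: Dict[str, float] = {}   # assertion ID -> NotOnOrAfter (epoch)

    def accept(self, assertion_id: str, not_on_or_after: float,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        # Drop records that are past their window; such assertions are
        # rejected as expired anyway, so keeping them only grows the store.
        self.seen = {aid: exp for aid, exp in self.seen.items()
                     if exp + self.skew_seconds > now}
        if now >= not_on_or_after + self.skew_seconds:
            return False                   # expired assertion
        if assertion_id in self.seen:
            return False                   # already consumed: replay
        self.seen[assertion_id] = not_on_or_after
        return True


def demo() -> list:
    """Walk a constructed sequence of presentations; returns accept results."""
    store = SingleUseAssertionStore()
    t0 = 1_700_000_000.0                   # constructed 'now'
    return [
        store.accept("_a1", t0 + 300, now=t0),        # first use: accepted
        store.accept("_a1", t0 + 300, now=t0 + 5),    # replay: rejected
        store.accept("_a2", t0 + 300, now=t0 + 5),    # other assertion: accepted
        store.accept("_a1", t0 + 300, now=t0 + 400),  # past window: rejected
    ]


if __name__ == "__main__":
    print(demo())
```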
The basic authentication scheme configuration is complete.
After you configure a SAML 2.0 authentication scheme, use this scheme in a policy that protects the target resource at Service Provider.
Follow these steps:
Domain: Domain for IdP.demo Visitors
Add the user directory that holds user1 and user2.
Realm: SP Target Page Protection Realm
Agent: sp-webagent
Resource Filter: /spsample/protected.jsp. Defines the path to the target resource at the Service Provider web server.
Default Resource Protection: Protected
Authentication Scheme: Partner IdP.demo Auth Scheme
Rule: SP Target Page Protection Rule
Realm: SP Target Page Protection Realm
Resource: *
Action: Web Agent actions, Get
Accept the defaults for all other fields.
Policy, General page: SP Target Page Protection Policy
Users page: For the SP LDAP directory, click Add Member. Add user1 so this user has access to the target.
Rules page: Add the SP Target Page Protection Rule.
The protection policy for the target resource is complete.
Copyright © 2014 CA. All rights reserved.