

Configure the IdP Partner

The configuration process that follows is from the perspective of an administrator at IdP1. Therefore, IdP1 is the local IdP.

The following process establishes the IdP partner:

  1. Log in to the Administrative UI.
  2. Establish a user directory connection.
  3. Identify the IdP and SP entities.
  4. Create a SAML2 IdP->SP partnership.
  5. Follow the partnership wizard and configure the minimum required settings.
Establish a User Directory Connection at the IdP

Before you can establish a partnership, define a connection to a user directory. The IdP user directory consists of user records for which the Identity Provider generates assertions.

The following steps specify how to configure a user directory in the Administrative UI. The directory named IdP LDAP contains user1 and user2.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, Directory, User Directories.
  3. Click Create User Directory.

    The User Directory dialog opens.

  4. Complete the following fields:
    Name

    IdP LDAP

    NameSpace

    LDAP

    Server

    www.idp.demo:42088

  5. Complete the following field in the LDAP Settings section:
    Root

    dc=idp,dc=demo

    Accept the defaults for the other values.

    Complete the following fields in the LDAP User DN Lookup section:

    Start

    uid=

    End

    ,ou=People,dc=idp,dc=demo

  6. Click View Contents to verify you can view the contents of the directory.
  7. Click Submit.
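The Start and End strings of the LDAP User DN Lookup bracket the login name the user types, producing the DN that is bound against the directory. The following added example (not SiteMinder code; it does not show how the Policy Server itself assembles or escapes the DN) builds that DN from the page's values and applies RFC 4514 escaping to the login name, the check a defender expects before user input is spliced into a DN.

```python
# Added illustration: assemble "uid=<login>,ou=People,dc=idp,dc=demo" from the
# page's LDAP User DN Lookup fields, escaping the login name per RFC 4514 so a
# crafted login cannot add or alter RDNs. Not CA SiteMinder's own code.
START = "uid="                            # LDAP User DN Lookup: Start (from the page)
END = ",ou=People,dc=idp,dc=demo"         # LDAP User DN Lookup: End   (from the page)

# RFC 4514 section 2.4: these characters must be escaped anywhere in a value.
_MUST_ESCAPE = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _MUST_ESCAPE:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:            # leading '#' would be read as hex-encoded value
            out.append("\\#")
        elif ch == " " and i in (0, last):    # leading or trailing space is significant
            out.append("\\ ")
        elif ord(ch) < 0x20 or ch == "\x7f":  # control characters as \XX hex pairs
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(login: str, start: str = START, end: str = END) -> str:
    """Return the lookup DN for a login name, with the login escaped."""
    return start + escape_dn_value(login) + end
```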
Protect the Authentication URL to Establish a Session

A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, protect an authentication URL with a policy so that the user is presented with an authentication challenge. The user then logs in and a session is established.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Select Infrastructure, Agents, Create Agent.

    Create a web agent named Agent1.

  3. Select Policies, Domain, Domains, Create Domain.

    Create a policy domain for the authentication URL. Add the user directory that contains the users who get challenged.

  4. Select the users that must have access to the resources that are part of the policy domain.
  5. Select the Realms tab and define a realm for the policy domain with the following values:
    Agent

    Agent1

    Resource Filter

    /affwebservices/redirectjsp

    Default Resource Protection

    Protected

    Authentication Scheme

    Basic

    Persistent Session

    Select the Persistent check box in the Session section of the realm dialog if you use the HTTP-Artifact profile or need to store session information. Session information is required for features such as single logout and for an attribute authority.

  6. In the Rules section of the realm dialog, click Create Rule. Complete the fields with the following values:
    Resource

    /*

    The asterisk means that the rule applies to all resources in the realm.

    Allow/Deny and Enable/Disable

    Allow Access

    Enabled check box is selected.

    Action

    Web Agent actions

    Get, Post, Put

  7. Select the Policies tab and create a policy that includes the following components:

A policy now protects the authentication URL.

Configure the Partnership Entities

After you establish the user directory connection, identify both sides of the partnership. In the Administrative UI, each partner is referred to as an entity.

The following procedures tell you what values to provide for the local and remote entities. In a real network configuration, each side can create a local entity, export the local entity to a metadata file, then exchange files. Each side can then define the remote entity.

To create the local IdP

  1. Select Federation, Partnership Federation, Entities.
  2. Click Create Entity in the Federation Entity List.
  3. Make the following selections in the first step of the entity wizard, then click Next.
    Entity Location

    Local

    New Entity Type

    SAML2 IDP

  4. Complete the following fields in the second step of the wizard, then click Next.
    Entity ID

    idp1

    This value identifies the entity to the partner.

    Entity Name

    idp1

    This value identifies the entity object internally in the database. The partner is not aware of this value.

    Base URL

    http://idp1.example.com:9090

    Leave the other settings as they are.

    Note: The Entity Name can be the same value as the Entity ID. However, do not share the values with any other entity at the site.

  5. Review the settings in the last step and click Finish.

You return to the Entities window.

To create the SP Entity

  1. Begin at the Entities window.
  2. Click Create Entity in the Federation Entity List.

    The Create Entity dialog opens.

  3. Make the following selections in the first step of the entity wizard, then click Next.
    Entity Location

    Remote

    New Entity Type

    SAML2 SP

  4. Complete the fields in the second step of the wizard as follows, then click Next.
    Entity ID

    sp1

    This value identifies the entity to the partner.

    Entity Name

    sp1

    This value identifies the entity object internally in the database. The partner is not aware of this value.

    Assertion Consumer Service URLs
    Index

    0

    Binding

    HTTP-Post

    URL

    http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer

    Default

    Select the check box for the entry.

    Leave the other settings as they are.

  5. Review the settings in the last step and click Finish.

The remote SP entity is configured.

After the local and remote entity are configured, create a partnership.

Create the IdP-to-SP Partnership

After you create federation entities, follow the partnership wizard to configure the IdP -> SP partnership. The wizard begins with the basic partnership parameters.

Follow these steps:

  1. Select Federation, Partnership Federation, Partnerships.
  2. Click Create Partnership.
  3. Select SAML2 IdP -> SP.

    Selecting this option indicates that you are the local IdP.

    You come to the first step in the partnership wizard.

  4. Complete the fields with the following values:
    Partnership Name

    TestPartnership

    Local IDP ID

    idp1

    (selected from the pull-down list)

    Remote SP ID

    sp1

    (selected from the pull-down list)

    Base URL

    http://idp1.example.com:9090

    Skew Time (Seconds)

    Accept the default

  5. Move the IdP LDAP directory from the Available Directories list to the Selected Directories list.
  6. Click Next to go to the Federation User step.
Specify Federation Users for Assertion Generation

In the Federation Users dialog, select the users for which the IdP generates assertions.

Follow these steps:

  1. Accept the defaults.
  2. Click Next to continue.

By accepting the defaults, you indicate that CA SiteMinder® can generate assertions for all users in the user directory.

Add a Name ID to the Assertion

The Assertion Configuration step lets you specify the format and value of the NameID and the attributes that identify a user. These attributes are included in the assertion.

Note: NameID is always included in the assertion.

In this configuration, specify only the Name ID. Do not add any other attributes.

Follow these steps:

  1. From the Assertion Configuration step, enter values for the following fields:
    Name ID Format

    Unspecified

    Name ID Type

    Static

    Value

    GeorgeC

  2. Click Next to move on and set up single sign-on (SSO).
Set Up Single Sign-on at the IdP

To establish single sign-on between partners, configure the SSO settings.

Follow these steps:

  1. Begin at the SSO and SLO step in the partnership wizard.
  2. In the Authentication section, specify the following entries:
    Authentication Mode

    Local

    Authentication URL

    http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp

    In this example, webserver1 identifies the web server with the Web Agent Option Pack. The redirect.jsp file is included with the Web Agent Option Pack installed at the Identity Provider site.

    Important! Protect the Authentication URL with an access control policy.

    Configure AuthnContext

    Accept the default

    Authentication Class

    Accept the default

  3. In the SSO section, specify the following entries:
    SSO Binding

    HTTP-POST

    Assertion Consumer URL

    http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer

  4. Click Next to move to the Signature and Encryption step.
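The Assertion Configuration and SSO steps above fix what the IdP sends: a static NameID of GeorgeC in the Unspecified format, issued by idp1 for audience sp1, delivered to the SP's Assertion Consumer URL over the HTTP-POST binding. The following added example (not SiteMinder code, and not a claim about how the Policy Server builds its assertions) produces a SAML 2.0 Response with exactly those values, base64-encodes it as the SAMLResponse form field, and reads the NameID back as the SP would. The validity window is padded by a constructed 30-second skew allowance in place of the partnership's default Skew Time; assertion IDs and timestamps are generated here.

```python
# Added illustration of the Response/Assertion that this page's IdP settings
# describe. Values marked "from the page" are the page's; the rest is constructed.
import base64
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_P = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_A = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ET.register_namespace("samlp", NS_P)
ET.register_namespace("saml", NS_A)

ACS_URL = "http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer"  # from the page


def build_response(issuer="idp1", audience="sp1", acs_url=ACS_URL, name_id="GeorgeC",
                   skew_seconds=30, now=None) -> bytes:
    """Unsigned Response carrying one bearer Assertion, as configured on the page."""
    now = now or datetime.now(timezone.utc)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    resp = ET.Element(f"{{{NS_P}}}Response", ID="_" + secrets.token_hex(16), Version="2.0",
                      IssueInstant=fmt(now), Destination=acs_url)
    ET.SubElement(resp, f"{{{NS_A}}}Issuer").text = issuer
    status = ET.SubElement(resp, f"{{{NS_P}}}Status")
    ET.SubElement(status, f"{{{NS_P}}}StatusCode", Value="urn:oasis:names:tc:SAML:2.0:status:Success")
    a = ET.SubElement(resp, f"{{{NS_A}}}Assertion", ID="_" + secrets.token_hex(16),
                      Version="2.0", IssueInstant=fmt(now))
    ET.SubElement(a, f"{{{NS_A}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{NS_A}}}Subject")
    # Name ID Format "Unspecified", Type "Static", Value "GeorgeC" (from the page)
    ET.SubElement(subj, f"{{{NS_A}}}NameID", Format=NAMEID_UNSPECIFIED).text = name_id
    sc = ET.SubElement(subj, f"{{{NS_A}}}SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, f"{{{NS_A}}}SubjectConfirmationData", Recipient=acs_url,
                  NotOnOrAfter=fmt(now + timedelta(minutes=5)))
    # Validity window widened by a skew allowance (30 s is a constructed stand-in for Skew Time)
    cond = ET.SubElement(a, f"{{{NS_A}}}Conditions", NotBefore=fmt(now - timedelta(seconds=skew_seconds)),
                         NotOnOrAfter=fmt(now + timedelta(minutes=5, seconds=skew_seconds)))
    aud = ET.SubElement(cond, f"{{{NS_A}}}AudienceRestriction")
    ET.SubElement(aud, f"{{{NS_A}}}Audience").text = audience
    return ET.tostring(resp)  # no ds:Signature: the result of "Disable Signature Processing"


def post_binding_field(response_xml: bytes) -> str:
    """Value of the SAMLResponse form field for the HTTP-POST binding: base64 of the XML."""
    return base64.b64encode(response_xml).decode("ascii")


def name_id_of(response_xml: bytes):
    """Read back (Format, value) of the NameID, as the SP will see it."""
    el = ET.fromstring(response_xml).find(f".//{{{NS_A}}}NameID")
    return el.get("Format"), el.text
```

An SP that receives this unsigned Response has no way to tell it came from idp1, which is the reason the next step's note insists on signing in production.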
Disable Signature Processing

For the purposes of this simple partnership, disable signature processing. However, in a production environment, the Identity Provider must sign assertions.

Follow these steps:

  1. From the Signature and Encryption step, select Disable Signature Processing.
  2. Click Next to move to the next step.
Confirm the IdP-to-SP Partnership Settings

You have completed the partnership definition for one side of the federation partnership. Verify the settings.

Follow these steps:

  1. In the Confirm dialog, review the settings for the partnership.
  2. To modify a setting, click Modify in any of the sections.
  3. Click Finish when you are satisfied with the configuration.

The IdP side of the partnership is complete. Define the SP side of the partnership on a different system from the IdP system.