The configuration process that follows is from the perspective of an administrator at IdP1. Therefore, IdP1 is the local IdP.
The following process establishes the IdP partner:
Before you can establish a partnership, define a connection to a user directory. The IdP user directory consists of user records for which the Identity Provider generates assertions.
The following steps specify how to configure a user directory in the Administrative UI. The directory named IdP LDAP contains user1 and user2.
Follow these steps:
Open the User Directory dialog and enter the following values for the directory:
  IdP LDAP (the directory name)
  LDAP
  www.idp.demo:42088 (the directory server host and port)
  dc=idp,dc=demo (the search root)
Accept the defaults for the other values.
Complete the following fields in the LDAP User DN Lookup. The login name is inserted between the two values to form the user DN, so user1 resolves to uid=user1,ou=People,dc=idp,dc=demo:
  uid=
  ,ou=People,dc=idp,dc=demo
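As an added example (not CA SiteMinder code), the following Python shows how the two lookup values above combine with a login name to form the DN that is looked up, and why the login name must be escaped first: without RFC 4514 escaping, a name containing a comma would add RDN components and change which entry the lookup addresses. The prefix and suffix are the values from this page; user1 is the sample user the page mentions.

```python
# Added example, not CA SiteMinder code: builds the user DN from the LDAP User
# DN Lookup values on this page, escaping the login name per RFC 4514.
LOOKUP_START = "uid="                        # value from the page
LOOKUP_END = ",ou=People,dc=idp,dc=demo"     # value from the page

# Characters that must be backslash-escaped anywhere in an RDN value (RFC 4514).
_SPECIALS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")                       # NUL is hex-escaped
        elif ch in _SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                        # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")                        # leading hash
        else:
            out.append(ch)
    return "".join(out)


def build_user_dn(uid: str) -> str:
    """Return the DN for a login name, e.g. user1 -> uid=user1,ou=People,dc=idp,dc=demo."""
    if not uid:
        raise ValueError("empty user id")
    return LOOKUP_START + escape_dn_value(uid) + LOOKUP_END


if __name__ == "__main__":
    for name in ("user1", "user2", "x,ou=Admins"):
        print(name, "->", build_user_dn(name))
```

The escaping keeps a login name such as x,ou=Admins inside the uid RDN instead of letting it terminate that RDN early; the directory either finds no such user or rejects the DN, which is the outcome a defender wants.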
A user must have a session at the IdP Policy Server for the Policy Server to generate an assertion. To establish the session, protect an authentication URL with a policy so that the user is presented with an authentication challenge. The user then logs in and a session is established.
Follow these steps:
Create a web agent named Agent1.
Create a policy domain for the authentication URL. Add the user directory that contains the users who get challenged.
Create a realm in the domain with the following values:
  Agent1
  /affwebservices/redirectjsp
  Protected
  Basic
For the HTTP-Artifact profile, and whenever session information must be stored, select the Persistent check box in the Session section of the realm dialog. Session information is required for features such as single logout and for an attribute authority.
Create a rule for the realm with the following values:
  /*
  Allow Access
  Enabled check box is selected.
  Web Agent actions
  Get, Post, Put
The asterisk means that the rule applies to all resources in the realm.
A policy now protects the authentication URL.
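As an added example (not CA SiteMinder code), the following Python models the realm and rule just described so you can check which requests are challenged and which actions the rule grants. The agent, resource filter, rule resource and actions are the values from this page; the prefix matching and the three outcomes are a simplification of how the Policy Server evaluates a request, not its engine.

```python
# Added example, not CA SiteMinder code: a simplified model of the policy that
# protects the authentication URL, using the values from this page.
import fnmatch

POLICY = {
    "agent": "Agent1",                               # web agent that serves the realm
    "realm_filter": "/affwebservices/redirectjsp",   # realm resource filter
    "rule_resource": "/*",                           # the asterisk covers every resource in the realm
    "actions": {"GET", "POST", "PUT"},               # Web Agent actions granted by the rule
    "effect": "allow",                               # Allow Access
}


def evaluate(path: str, method: str, policy: dict = POLICY) -> str:
    """Classify a request to the agent's web server.

    'unprotected': the path is outside the realm, so no challenge is issued.
    'allow':       the realm challenges the user (Basic); once authenticated,
                   the rule grants the action and a session is established.
    'deny':        the realm is protected but no rule grants this action.
    Simplified prefix-matching model (assumption), not the Policy Server.
    """
    path = path.split("?", 1)[0]                     # query string is not part of the resource
    realm = policy["realm_filter"].rstrip("/")
    if path != realm and not path.startswith(realm + "/"):
        return "unprotected"
    relative = path[len(realm):] or "/"              # resource relative to the realm
    if not fnmatch.fnmatchcase(relative, policy["rule_resource"]):
        return "deny"
    if method.upper() not in policy["actions"]:
        return "deny"
    return policy["effect"]


if __name__ == "__main__":
    for req in [("/affwebservices/redirectjsp/redirect.jsp", "GET"),
                ("/affwebservices/redirectjsp/redirect.jsp", "DELETE"),
                ("/affwebservices/public/saml2sso", "GET")]:
        print(req, "->", evaluate(*req))
```

The point worth checking with such a model is the boundary of the realm: redirect.jsp is challenged, a method the rule does not list is refused even after authentication, and resources outside the realm are never challenged at all, so the session the assertion depends on is only created through the protected path.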
After you establish the user directory connection, identify both sides of the partnership. In the Administrative UI, each partner is referred to as an entity.
The following procedures tell you what values to provide for the local and remote entities. In a real network configuration, each side can create a local entity, export the local entity to a metadata file, then exchange files. Each side can then define the remote entity.
To create the local IdP entity, provide the following values in the Create Entity dialog:
  Local
  SAML2 IDP
  idp1 (the Entity ID; this value identifies the entity to the partner)
  idp1 (the Entity Name; this value identifies the entity object internally in the database, and the partner is not aware of it)
  http://idp1.example.com:9090
Leave the other settings as they are.
Note: The Entity Name can be the same value as the Entity ID. However, do not share the values with any other entity at the site.
You return to the Entities window.
To create the SP entity, open the Create Entity dialog and provide the following values:
  Remote
  SAML2 SP
  sp1 (the Entity ID; this value identifies the entity to the partner)
  sp1 (the Entity Name; this value identifies the entity object internally in the database, and the partner is not aware of it)
  0 (the assertion consumer service index)
  HTTP-Post (the binding)
  http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer (the assertion consumer service URL)
Select the check box for the entry.
Leave the other settings as they are.
The remote SP entity is configured.
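The entity exchange described above (each side exports its local entity to a metadata file and the other side defines the remote entity from it) as an added example, not CA SiteMinder code: the Python below builds the SAML 2.0 metadata a partner would export for the remote SP entity and parses a received file back into the values the IdP administrator enters. Element and attribute names are those of the SAML 2.0 metadata schema; the entity ID, binding, index and assertion consumer URL are the values from this page, and the allowed-host check is an assumption about what an administrator would verify.

```python
# Added example, not CA SiteMinder code: build and parse SP metadata for the
# remote entity on this page, accepting only endpoints on the agreed host.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)

SP_ENTITY_ID = "sp1"
SP_ACS_URL = "http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer"


def build_sp_metadata(entity_id: str, acs_url: str, index: int = 0) -> str:
    """Return an EntityDescriptor with one HTTP-POST AssertionConsumerService."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       {"protocolSupportEnumeration": SAML2_PROTOCOL})
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService",
                  {"Binding": HTTP_POST, "Location": acs_url,
                   "index": str(index), "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def parse_sp_metadata(xml_text: str, allowed_hosts: set) -> dict:
    """Extract entityID and ACS endpoints, refusing endpoints on unexpected hosts.

    A metadata file from a partner is untrusted input: confirm it came over a
    trusted channel (or is signed), use a hardened parser such as defusedxml in
    production, and accept only endpoints on the host:port the partner agreed
    on, because the ACS is where the IdP will post assertions.
    """
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("metadata root is not an EntityDescriptor")
    endpoints = []
    for acs in root.iter(f"{{{MD}}}AssertionConsumerService"):
        location = acs.attrib["Location"]
        parsed = urlparse(location)
        if parsed.scheme not in ("http", "https") or parsed.netloc not in allowed_hosts:
            raise ValueError(f"unexpected ACS endpoint: {location}")
        endpoints.append({"binding": acs.attrib["Binding"], "location": location,
                          "index": int(acs.attrib["index"])})
    if not endpoints:
        raise ValueError("no AssertionConsumerService in metadata")
    return {"entity_id": root.attrib["entityID"], "acs": endpoints}


if __name__ == "__main__":
    xml = build_sp_metadata(SP_ENTITY_ID, SP_ACS_URL)
    print(xml)
    print(parse_sp_metadata(xml, {"sp1.demo.com:9091"}))
```

The parsed result is exactly the set of values entered for the remote entity (entity ID sp1, index 0, HTTP-Post binding and the consumer URL), which is the check an administrator can run on a received file before typing those values in.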
After the local and remote entity are configured, create a partnership.
After you create the federation entities, follow the partnership wizard to configure the IdP -> SP partnership. The wizard begins with the basic partnership parameters.
Follow these steps:
Select the option to create an IdP -> SP partnership. Selecting this option indicates that you are the local IdP.
You come to the first step in the partnership wizard. Provide the following values:
  TestPartnership
  idp1 (selected from the pull-down list)
  sp1 (selected from the pull-down list)
  http://idp1.example.com:9090
  Accept the default
In the Federation Users dialog, select the users for which the IdP generates assertions.
Follow these steps:
Accept the defaults. By accepting the defaults, you indicate that CA SiteMinder® can generate assertions for all users in the user directory.
The Assertion Configuration step lets you specify the format and value of the NameID and the attributes that identify a user. These attributes are included in the assertion.
Note: NameID is always included in the assertion.
In this configuration, specify only the Name ID. Do not add any other attributes.
Follow these steps:
Configure the NameID with the following values:
  Unspecified (the NameID format)
  Static (the NameID value is a fixed string rather than a user attribute)
  GeorgeC (the static NameID value)
To establish single sign-on between partners, configure the SSO settings.
Follow these steps:
Provide the following SSO values:
  Local
  http://webserver1.example.com/affwebservices/redirectjsp/redirect.jsp (the Authentication URL)
In this example, webserver1 identifies the web server with the Web Agent Option Pack. The redirect.jsp file is included with the Web Agent Option Pack installed at the Identity Provider site.
Important! Protect the Authentication URL with an access control policy.
  Accept the default
  Accept the default
  HTTP-POST
  http://sp1.demo.com:9091/affwebservices/public/saml2assertionconsumer
For the purposes of this simple partnership, disable signature processing. In a production environment, however, the Identity Provider must sign assertions.
You have completed the partnership definition for one side of the federation partnership. Verify the settings before you continue.
The IdP side of the partnership is complete. Define the SP side of the partnership on a different system than the IdP system.
Copyright © 2014 CA.
All rights reserved.