The configuration process that follows is from the perspective of an administrator at the SP, in this example, SP1. Therefore, SP1 is the local SP.
The following process establishes the SP partner.
The SP user directory consists of user records for which the Service Provider uses for authentication. The following steps specify how to configure a user directory in the Administrative UI. The directory named SP LDAP contains users user1 and user2.
To configure a user directory
The User Directory dialog opens.
SP LDAP
LDAP
www.sp.demo:32941
dc=sp,dc=demo
Accept the defaults for the other values.
uid=
,ou=People,dc=sp,dc=demo
After you establish the user directory connection, identify the local and remote sides of the partnership. In the Administrative UI, each partner is referred to as an entity.
The following procedures tell you what values to provide for the local and remote entities. Typically, each side creates a local entity, exports the local entity to a metadata file, and then exchanges the files. Each side can then define the remote entity.
To create the local SP
Local
SAML2 SP
sp1
This value identifies the entity to the partner.
sp1
This value identifies the entity object internally in the database. The partner is not aware of this value.
http://sp1.demo.com:9091
Note: The entity ID and name must be the same as you specified for the remote SP entity at the Identity Provider.
You return to the Entities window. Configure the remote partner.
To create the remote IdP
Remote
SAML2 IDP
idp1
This value identifies the entity to the partner.
idp1
This value identifies the entity object internally in the database. The partner is not aware of this value.
Note: The entity ID and name must be the same as on the Identity Provider side.
SSO Service URL Group Section
HTTP-Redirect
http://idp1.example.com:9090/affwebservices/public/saml2sso
After the local entity and remote entity are configured, you can create a partnership.
After you have created the partnership entities, follow the partnership wizard to configure the SP-> IdP partnership.
Follow these steps:
You come to the first step in the partnership wizard.
DemoPartnership
sp1
idp1
http://sp1.demo.com:9091
Accept the default
Designate which attribute from the assertion identifies a user. CA SiteMinder® uses the identity attribute value to locate the user record in the user directory at the SP.
To specify the user identification attribute
uid=%s
This entry instructs CA SiteMinder® to replace the variable (%s) with the value of the Name ID attribute from the assertion. CA SiteMinder® then matches the value with the Name column in the sample users database. If a match is found, the user is disambiguated and allowed to access the target resource.
To establish single sign-on between partners, configure the SSO settings.
Follow these steps:
HTTP-Redirect
http://idp1.example.com:9090/affwebservices/public/saml2sso
Skip the Configure AuthnContext step.
For the purposes of this simple partnership, disable signature processing. However, in a production environment, the Identity Provider must sign assertions.
Follow these steps:
The Application Integration step is where you specify the target resource and how CA SiteMinder® redirects the user to the target resource.
Follow these steps:
In this sample partnership, this target is:
http://spapp.demo.com:80/spsample/welcome.html
You have completed the partnership for the local SP side of the federation partnership.
Follow these steps:
The SP side of the partnership is now configured.
Copyright © 2014 CA.
All rights reserved.
|
|