CA SiteMinder® Federation has two deployment models:
Partnership Federation
Partnership federation configures partnerships between enterprises according to federation standards. The partnership model does not require configuration of CA SiteMinder®-specific objects, such as domains, realms, and policies. This model is recommended for new configurations using CA SiteMinder® Federation.
Legacy Federation (formerly Federation Security Services).
Legacy federation is based on configuring CA SiteMinder® objects, such as affiliate domains, authentication schemes, and policies to protect federated resources. This model is primarily for backward compatibility with older deployments.
Both deployments provide user authentication data in the form of a SAML assertion. The entity that consumes the assertion uses the assertion to identify the user. Upon successful authentication, the consuming entity makes the requested resources available. The result is a seamless experience for the user.
Install the CA SiteMinder® Policy Server, the Administrative UI, and the Web Agent Option Pack to use either model.
Note: Federation is separately licensed from CA SiteMinder®.
CA SiteMinder® supports the following federation specifications:
Security Assertion Markup Language (SAML)
The Security Assertion Markup Language (SAML) is a standard from the Organization for the Advancement of Structured Information Standards (OASIS). This industry standard defines an XML framework for exchanging authentication and authorization information.
SAML defines assertions as a means to pass security information about users between entities. SAML assertions are XML documents that contain information about a specific subject, such as a user. An assertion can contain several different internal statements about authentication, authorization, and attributes.
SAML defines two browser-based profiles that specify how SAML assertions are passed between partners to facilitate single sign-on. The profiles are the browser/artifact profile and the browser/POST profile.
Note: For SAML 2.0, the artifact and POST profiles are referred to as HTTP bindings.
For SAML specifications and information about SAML profiles, refer to the Organization for the Advancement of Structured Information Standards (OASIS).
CA SiteMinder® supports the following SAML standards and profiles:
WS-Federation
Active Directory Federation Services (ADFS) is a web services-based solution from Microsoft for federated single sign-on (SSO). ADFS runs on a Windows server and accomplishes SSO by letting partners securely share user identity information and access rights across a secure network. ADFS extends SSO functionality to internet applications, letting users have a seamless web SSO interaction when they access the web-based applications of the organization.
ADFS uses the WS-Federation specification for communication. For WS specifications and background documentation, and information about ADFS profiles, go to the Microsoft website.
Entities in a Federated Network
In a federated network, one entity generates a SAML assertion or a WS-Federation token containing an assertion. Assertions contain information about a user whose identity is maintained locally at the site that generates them. The other entity uses the assertions to authenticate a user and to establish a session for the user.
Depending on the protocol, these two entities are named differently, but their functions are the same.
Protocol | Generates Assertions | Consumes Assertions
--- | --- | ---
SAML 1.0 and 1.1 | Producer | Consumer
SAML 2.0 | Identity Provider (IdP) | Service Provider (SP)
WS-Federation (Partnership) | Identity Provider (IP) | Resource Partner (RP)
WS-Federation (Legacy) | Account Partner (AP) | Resource Partner (RP)
A single site can be both the asserting party and the relying party.
Copyright © 2013 CA.
All rights reserved.