Previous Topic: Federation in Your EnterpriseNext Topic: Federation Use Cases and Solutions


CA SiteMinder® Federation Deployments

This section contains the following topics:

Federation Deployment Models

Federation Specifications

Entities in a Federated Network

Federation Deployment Models

CA CA SiteMinder® Federation has two deployment models:

Both deployments provide user authentication data in the form of a SAML assertion. The entity that consumes the assertion uses the assertion to identify the user. Upon successful authentication, the consuming entity makes the requested resources available. The result is a seamless experience for the user.

Install the CA SiteMinder® Policy Server, the Administrative UI, and the Web Agent Option Pack to use either model.

Note: Federation is separately licensed from CA SiteMinder®.

Federation Specifications

CA SiteMinder® supports the following federation specifications:

Security Assertion Markup Language (SAML)

The Security Assertion Markup Language (SAML) is a standard from the Organization for the Advancement of Structured Information Standards (OASIS). This industry standard defines an XML framework for exchanging authentication and authorization information.

SAML defines assertions as a means to pass security information about users between entities. SAML assertions are XML documents that contain information about a specific subject, such as a user. An assertion can contain several different internal statements about authentication, authorization, and attributes.

SAML defines two browser-based protocols that specify how SAML assertions are passed between partners to facilitate single sign-on.

The profiles are:

Note: For SAML 2.0, the artifact and POST profiles are referred to as HTTP bindings.

For SAML specifications and information about SAML profiles, refer to the Organization for the Advancement of Structured Information Standards (Oasis).

CA SiteMinder® supports the following SAML standards and profiles:

WS-Federation

Active Directory Federation Services (ADFS) is web services-based solution from Microsoft for federated single sign-on (SSO). ADFS runs on a Windows server and accomplishes SSO by letting partners securely share user identity information and access rights across a secure network. ADFS extends SSO functionality to internet applications, letting users have a seamless web SSO interaction when they access web-based applications of the organization.

ADFS uses the WS-Federation specification for communication. For WS specifications and background documentation, and information about ADFS profiles, go to the Microsoft website.

Entities in a Federated Network

In a federated network, one entity generates a SAML assertion or a WS-Federation token containing an assertion. Assertions contain information about a user whose identity is maintained locally at the site that generates them. The other entity uses the assertions to authenticate a user and to establish a session for the user.

Depending on the protocol, these two entities are named differently, but their functions are the same.

Protocol

Generates Assertions

Consumes Assertions

SAML 1.0 and 1.1

Producer

Consumer

SAML 2.0

Identity Provider (IdP)

Service Provider (SP)

WS-Federation (Partnership)

Identity Provider (IP)

Resource Partner (RP)

WS-Federation (Legacy)

Account Partner (AP)

Resource Partner (RP)

A single site can be the asserting party and the relying party.