Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a SAML 1.x Producer › Complete the General Settings for the Affiliate

Complete the General Settings for the Affiliate

Configure the general settings for the affiliate.

To provide general information about the affiliate

1. Begin at the General step in the configuration wizard.
2. Complete the following required fields in the General section.
   • Name
   • Password and Confirm Password
   • Authentication URL

     This URL must point to the redirect.jsp file -- for example:

     http://myserver.mysite.com/siteminderagent/redirectjsp/redirect.jsp

     myserver Identifies the web server with the Web Agent Option Pack or the SPS federation gateway.

     Note: Be sure to create a policy to protect the Authentication URL.

3. Select Enabled to activate the affiliate object.
4. (Optional) Select Use Secure URL.

   The Use Secure URL feature instructs the SSO Service to encrypt the SMPORTALURL query parameter that it appends to the Authentication URL before redirecting the user to establish a CA SiteMinder® session. Encrypting the SMPORTALURL protects it from modification by a malicious user.

   Note: If you select this check box, set the Authentication URL field to the following URL:

   http(s)://idp_server:port/affwebservices/secure/secureredirect.

   Click Help for more details about this field.

5. (Optional) Complete the fields in the Restrictions and Advanced sections.
6. Click Next.

Authenticate Users with No CA SiteMinder® Session (SAML 1.x)

When you add a consumer to an affiliate domain, you are required to set the Authentication URL field. The Authentication URL must point to the redirect.jsp file. The purpose of this URL is to establish a session at the producer.

The redirect.jsp file is installed at the producer where you install the Web Agent Option Pack or the SPS federation gateway. Protect the redirect.jsp file with a CA SiteMinder® policy so that users who request a protected resource are asked to authenticate. The Web Agent presents the challenge because the user does not have a CA SiteMinder® session.

After a user is authenticated and successfully accesses the redirect.jsp file, a session is established. The redirect.jsp file redirects the user back to the producer Web Agent. The Agent can process the request and can generate the SAML assertion.

The procedure for protecting the Authentication URL is the same in all of the following set-ups:

• Web Agent Option Pack that is installed on the same system as the Web Agent.
• Application server with a Web Agent installed on a web server proxy.
• Application server installed with an Application Server Agent.
• SPS federation gateway that is installed at the asserting party.

Configure a Policy to Protect the Authentication URL

To protect the Authentication URL

1. Log in to the Administrative UI.
2. Create Web Agents to bind to the realms that you define for the asserting party web server. Assign unique agent names for the web server and the FWS application or use the same agent name for both.
3. Create a policy domain for the users who are challenged when they try to access a consumer resource.
4. Select the users that must have access to the resources that are part of the policy domain.
5. Define a realm for the policy domain with the following values:

   Agent

   Agent for the asserting party web server

   Resource Filter

   Web Agents r6.x QMR 6, r12.0 SP2, r12.0 SP3 and SPS federation gateway enter:

   /siteminderagent/redirectjsp/

   The resource filter /siteminderagent/redirectjsp/ is an alias that the FWS application sets up automatically. The alias references include:

   • Web Agent:

     web_agent_home/affwebservices/redirectjsp

   • SPS federation gateway:

     sps_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp

   Persistent Session

   For the SAML artifact profile only, select the Persistent check box in the Session section of the realm dialog. If you do not configure a persistent session, the user cannot access consumer resources.

   For the remaining settings, accept the defaults or modify as needed.

6. Click OK to save the realm.
7. Create a rule for the realm. In the Resource field, accept the default value, the asterisk (*), to protect all resources for the realm.
8. Create a policy for the asserting party web server that includes the rule created in the previous step.
9. Complete the task Select Users for Which Assertions are Generated.

Configure Time Restrictions for SAML 1.x Consumers (optional)

You can specify time restrictions that restrict when a consumer resource is available. When you specify a time restriction, access to the consumer resources is available only during the period specified. If a user tries accessing a resource outside of the allowed time period, the producer does not generate a SAML assertion.

Note: Time restrictions are based on the system clock of the server on which the Policy Server is installed.

To specify a time restriction

1. Begin at the General settings.

   In the Restrictions section of the page, click Set in the Time.

   The Time Restriction page displays.

2. Complete the schedule. This schedule grid is identical to the Time Restriction grid for rule objects. For more information, see the Policy Server Configuration Guide.

   Note: Click Help for a description of fields, controls, and their respective requirements.

3. Click OK.

The time restriction schedule is set.

Configure IP Address Restrictions for SAML 1.x Consumers (optional)

You can specify an IP address, range addresses, or a subnet mask of the web server where the browser is running to access a consumer. If you specify IP addresses, the consumer only accepts users from the appropriate IP addresses.

To specify IP addresses

1. Begin at the General settings in the Administrative UI.

   In the Restrictions section of the page, click Add in the IP Address area.

   The IP Restrictions page appears.

2. Select the option for the type of IP address you are adding, then complete the associated fields for that address type.

   Note: If you do not know the IP address but you know the domain name, click the DNS Lookup button. This button opens the DNS Lookup page. Enter a fully qualified host name in the Host Name field and click OK.

   The options are:

   • Single Host--specifies a single IP address that hosts the browser. If you specify a single IP address, users can access the consumer only from the specified IP address.
   • Host Name--specifies a web server using its host name. If you specify a host name, the consumer is only accessible to users from the specified host.
   • Subnet Mask--specifies a subnet mask for a web server. If you specify a subnet mask, the Service Provider is only accessible to users from the specified subnet mask. If you select this button, the Add An Address and Subnet Mask dialog opens. Use the Left and Right arrow buttons, or click and drag the slider bar to select a subnet mask.
   • Range--specifies IP address range. If you specify a range of IP addresses, the consumer only permits users from one of the IP addresses in the range of addresses. Enter a starting (FROM) and ending (TO) addresses to determine the range.
3. Click OK to save your configuration.