

Configure General Information for the Service Provider Object

Select the General page to name the Service Provider and provide details such as the SP ID and IDP ID. In addition, you can configure IP address and time restrictions for accessing a Service Provider.

To configure the general settings

  1. Navigate to the General settings.
  2. Fill in values for the fields, noting the required fields.

    Note: Click Help for a description of fields, controls, and their respective requirements.

    Note: Pay particular attention to the following fields:

    Authentication URL

    This URL points to the redirect.jsp file. Protect the redirect.jsp file with a CA SiteMinder® policy. The policy triggers an authentication challenge to users who request a protected Service Provider resource but do not have a CA SiteMinder® session.

    Skew Time

    Specifies the maximum difference, in seconds, that is tolerated between the system clock at the Identity Provider and the system clock at the Service Provider. Skew Time is used for single sign-on and single logout. Keep the value small and synchronize both clocks (for example, with NTP): the skew is added to the validity window, so a large skew extends the period in which an intercepted assertion or logout request remains usable.

    For single sign-on, the value of the Skew Time and the single sign-on validity duration (Validity Duration field on the SSO tab) determine how long an assertion is valid. Review how the assertion validity is calculated to understand more about the skew time.

    For single logout, the values of the Skew Time and the SLO validity duration (Validity Duration field on the SLO tab) determine the total time that the single logout request is valid. Review how the single logout request validity is calculated to understand more about the skew time.
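The following Python example illustrates how the Skew Time and the SSO Validity Duration combine into an assertion validity window, and why a Service Provider whose clock drifts further than the skew rejects otherwise valid assertions. It is an added illustration, not code from CA SiteMinder® and not the product's documented calculation: the model it assumes (NotBefore pushed back by the skew, NotOnOrAfter pushed forward by the validity duration plus the skew) and the timestamps it uses are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed values for the example: an assertion issued at noon UTC,
# a 60-second SSO Validity Duration and a 30-second Skew Time.
ISSUE = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
VALIDITY_DURATION = 60
SKEW_TIME = 30


def assertion_window(issue_instant, validity_duration, skew_time):
    """Compute the (NotBefore, NotOnOrAfter) window the IdP places on an assertion.

    Assumed model (an illustration, not the product's documented formula):
    the skew is subtracted from NotBefore and added to NotOnOrAfter, so the
    window is validity_duration + 2 * skew_time seconds wide.
    """
    skew = timedelta(seconds=skew_time)
    not_before = issue_instant - skew
    not_on_or_after = issue_instant + timedelta(seconds=validity_duration) + skew
    return not_before, not_on_or_after


def window_seconds(validity_duration, skew_time):
    """Total time an assertion stays usable under the assumed model."""
    nb, noa = assertion_window(ISSUE, validity_duration, skew_time)
    return int((noa - nb).total_seconds())


def service_provider_accepts(sp_clock_now, not_before, not_on_or_after):
    """The Service Provider's check against its own clock.

    SAML conditions are half-open: NotBefore is inclusive, NotOnOrAfter exclusive.
    """
    return not_before <= sp_clock_now < not_on_or_after


def evaluate(issue_instant, validity_duration, skew_time, sp_clock_offset, transit_delay=0):
    """Simulate one assertion end to end.

    sp_clock_offset: seconds the SP clock is ahead of the IdP clock (negative: behind).
    transit_delay:   seconds between issuance and the SP evaluating the assertion.
    Returns (accepted, reason).
    """
    nb, noa = assertion_window(issue_instant, validity_duration, skew_time)
    sp_now = issue_instant + timedelta(seconds=transit_delay + sp_clock_offset)
    if sp_now < nb:
        return False, "SP clock is behind the IdP by more than the skew: NotBefore not reached"
    if sp_now >= noa:
        return False, "assertion expired at the SP: NotOnOrAfter passed"
    return True, "accepted"


if __name__ == "__main__":
    print("window width:", window_seconds(VALIDITY_DURATION, SKEW_TIME), "seconds")
    for offset, delay in [(-20, 0), (-90, 0), (100, 0), (0, 70), (0, 95)]:
        ok, why = evaluate(ISSUE, VALIDITY_DURATION, SKEW_TIME, offset, delay)
        print(f"SP offset {offset:+4d}s, delay {delay:3d}s -> {ok}: {why}")
```

The two rejections caused by clock offsets are the cases a skew setting exists to absorb; the rejection caused by transit delay is governed by the Validity Duration. Raising the skew fixes the first kind of failure, but the `window_seconds` value shows the cost: every second of skew adds two seconds to the replay window.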

More Information:

Configure IP Address Restrictions for Service Providers (optional)

Configure Time Restrictions for Service Provider Availability (optional)

Authenticate Users with No CA SiteMinder® Session

When you add a Service Provider to an affiliate domain, one of the parameters you are required to set is the Authentication URL parameter.

The Authentication URL points to the redirect.jsp file. This file is installed at the Identity Provider site where you install the Web Agent Option Pack or the SPS federation gateway. Protect the redirect.jsp file with a CA SiteMinder® policy. The policy triggers an authentication challenge to users who request a protected Service Provider resource but do not have a CA SiteMinder® session.

A CA SiteMinder® session is required for the following bindings:

After a user is authenticated and successfully accesses the redirect.jsp file, a session is established. The redirect.jsp file redirects the user back to the Identity Provider Web Agent or the SPS federation gateway. CA SiteMinder® then processes the request.

The procedure for protecting the Authentication URL is the same regardless of the following deployments:

Configure a Policy to Protect the Authentication URL

To protect the Authentication URL

  1. Log in to the Administrative UI.
  2. Create Web Agents to bind to the realms that you define for the asserting party web server. Assign unique agent names for the web server and the FWS application or use the same agent name for both.
  3. Create a policy domain for the users who are challenged when they try to access a consumer resource.
  4. Select the users that must have access to the resources that are part of the policy domain.
  5. Define a realm for the policy domain with the following values:
    Agent

    Agent for the asserting party web server

    Resource Filter

    For Web Agents r6.x QMR 6, r12.0 SP2, r12.0 SP3 and the SPS federation gateway, enter:

    /siteminderagent/redirectjsp/

    The resource filter /siteminderagent/redirectjsp/ is an alias that the FWS application sets up automatically. The alias maps to the following directory:

    • Web Agent:

      web_agent_home/affwebservices/redirectjsp

    • SPS federation gateway:

      sps_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp

    Persistent Session

    For the SAML artifact profile only, select the Persistent check box in the Session section of the realm dialog. The artifact profile stores the generated assertion in the session store until the Service Provider retrieves it, so a persistent session is required; if you do not configure one, the user cannot access consumer resources.

    For the remaining settings, accept the defaults or modify as needed.

  6. Click OK to save the realm.
  7. Create a rule for the realm. In the Resource field, accept the default value, the asterisk (*), to protect all resources for the realm.
  8. Create a policy for the asserting party web server that includes the rule created in the previous step.
  9. Complete the task Select Users for Which Assertions are Generated.
Configure Time Restrictions for Service Provider Availability (optional)

You can specify time restrictions for when a Service Provider resource is available. When you specify a time restriction, the resource can be accessed only during the specified period. If a user attempts to access a resource outside of the designated period, the Identity Provider does not generate a SAML assertion.

Note: Time restrictions are based on the system clock of the server on which the Policy Server is installed.

To specify a time restriction

  1. Begin at the General settings.

    In the Restrictions section of the page, click Set in the Time section.

    The Time Restriction page displays.

  2. Complete the schedule. This schedule grid is identical to the Time Restriction grid for rule objects. For more information, see the Policy Server Configuration Guide.
  3. Click OK.

The time restriction schedule is set.

Configure IP Address Restrictions for Service Providers (optional)

You can specify a single IP address, a range of addresses, or a subnet (address and mask) for the client machines on which the browser is running when users access a Service Provider. If IP addresses are specified for a Service Provider, only users whose requests originate from the specified addresses are accepted. The address that is checked is the client address as seen by CA SiteMinder®, so if requests arrive through a proxy or NAT device, that device's address is the one that must match.

To specify IP addresses

  1. Begin at the General settings.

    In the Restrictions section of the page, click Add in the IP Address area.

    The IP Restrictions page appears.

  2. Select the option for the type of IP address you are adding, then complete the associated fields for that address type.

    Note: If you do not know the IP address but you have a domain name for the address, click the DNS Lookup button. This button opens the DNS Lookup page. Enter a fully qualified host name in the Host Name field and click OK.

  3. Click OK to save your configuration.
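The following Python example shows the matching logic that the three restriction forms on the IP Restrictions page imply (a single address, an inclusive address range, and a subnet written with a mask), evaluated against constructed client addresses. It is an added illustration, not CA SiteMinder® code; the restriction list, the inclusive treatment of range endpoints, and the handling of a forwarded client address behind a trusted proxy are assumptions of the example.

```python
import ipaddress

# Constructed restriction list for one Service Provider object, one entry of
# each form the page describes. Range endpoints are treated as inclusive (assumed).
RESTRICTIONS = [
    ("single", "203.0.113.10"),
    ("range", "203.0.113.20", "203.0.113.30"),
    ("subnet", "198.51.100.0/255.255.255.0"),
]


def _matches(ip, restriction):
    """Test one parsed client address against one restriction entry."""
    kind = restriction[0]
    if kind == "single":
        return ip == ipaddress.ip_address(restriction[1])
    if kind == "range":
        low = ipaddress.ip_address(restriction[1])
        high = ipaddress.ip_address(restriction[2])
        # Addresses of different IP versions cannot be ordered; treat as no match.
        return ip.version == low.version == high.version and low <= ip <= high
    if kind == "subnet":
        # ip_network accepts both prefix (/24) and dotted-mask (/255.255.255.0) forms.
        return ip in ipaddress.ip_network(restriction[1], strict=False)
    raise ValueError(f"unknown restriction type: {kind!r}")


def ip_allowed(client_ip, restrictions):
    """Return True if client_ip satisfies the Service Provider's IP restrictions.

    An empty restriction list means no IP restriction is configured, so every
    address is accepted; otherwise the client must match at least one entry.
    """
    if not restrictions:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(_matches(ip, r) for r in restrictions)


def effective_client_ip(remote_addr, forwarded_for=None, trusted_proxies=()):
    """Pick the address the restriction is evaluated against (assumed policy).

    A forwarded address is honoured only when the direct peer is a proxy you
    control; otherwise any client could claim an allowed address in the header.
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if forwarded_for and ipaddress.ip_address(remote_addr) in trusted:
        # Left-most entry is the originating client as reported by the proxy chain.
        return forwarded_for.split(",")[0].strip()
    return remote_addr


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header or None)
    samples = [
        ("203.0.113.10", None),
        ("203.0.113.31", None),
        ("198.51.100.77", None),
        ("10.0.0.5", "203.0.113.25, 10.0.0.5"),   # via the trusted proxy
        ("192.0.2.1", "203.0.113.25"),            # spoofed header, untrusted peer
    ]
    for peer, xff in samples:
        ip = effective_client_ip(peer, xff, trusted_proxies=("10.0.0.5",))
        print(f"{peer:14s} xff={xff!s:24s} -> checks {ip:14s} allowed={ip_allowed(ip, RESTRICTIONS)}")
```

The last two sample requests are the practical point of the proxy caveat: the same forwarded address is accepted when it arrives from the trusted proxy and ignored when an untrusted peer supplies it directly.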
Identify a Proxy Server (optional)

If your network has a proxy server between the client and the system with Federation Web Services, specify the protocol and authority portions of the proxy server URL. The syntax is protocol:authority.

protocol

http: or https:

authority

//host.domain.com or //host.domain.com:port

Example: http://example.ca.com.

To identify a proxy server

  1. Begin at the General step of the configuration wizard.

    In the Advanced section of the page, enter the URL in the Server field.

  2. Click Submit.