Previous Topic: How To Protect a Target Resource with a WS-Federation Authentication SchemeNext Topic: Authorize Users with Attributes from an Assertion Query


Configure SAML 2.0 Affiliations

This section contains the following topics:

Affiliation Overview

Configure SAML 2.0 Affiliations

Affiliation Overview

A SAML affiliation is a group of SAML entities that share a name identifier for a single principal.

Service Providers and Identity Providers can belong to an affiliation. However, a single entity can belong to only one affiliation. Service Providers share the Name ID definition across the affiliation. Identity Providers share the user disambiguation properties across the affiliation.

Affiliations reduce the configuration that is required at each Service Provider. Additionally, using one name ID for a principal saves storage space at the Identity Provider.

CA SiteMinder® uses affiliations for the following functions:

Note: Configuring affiliations is optional.

Affiliations for Single Sign-On

In a single sign-on use case, the Service Provider sends a request for an assertion to an Identity Provider. The AuthnRequest contains an attribute that specifies an affiliation identifier.

When the Identity Provider receives the request, it takes the following actions:

Upon receiving the assertion, authentication takes place at the Service Provider.

Affiliations for Single Logout

When a Service Provider generates a logout request, it verifies whether the Identity Provider is a member of an affiliation. The Service Provider includes an attribute in the request, which it sets to the affiliation ID. The Identity Provider receives the request and verifies that the Service Provider belongs to the affiliation identified in the attribute.

The Identity Provider obtains the affiliation Name ID from the session store of the session store. When the Identity Provider issues logout request messages to all session participants, it includes the affiliation Name ID for the members of the affiliation.

Configure SAML 2.0 Affiliations

A SAML affiliation lets you add a SAML entity to a group so it can share a name identifier for a single principal. You can configure affiliations at either partner in a federated network.

For CA SiteMinder® acting as an Identity Provider, assign a name ID associated with an affiliation. The shared Name ID properties apply to all the Service Providers that belong to the affiliation.

For CA SiteMinder® acting as the Service Provider, the affiliation provides the user disambiguation process for authentication. When the Service Provider receives an assertion, it extracts the user identity information from the assertion. Based on the user disambiguation settings, the Service Provider compares the identity information against a local user directory to find the proper user record.

To create a SAML affiliation

  1. Navigate to Federation, Legacy Federation, SAML Affiliations.

    The Create SAML Affiliation page appears.

  2. Complete the necessary fields. Note the following information:

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. Click Submit.

A list of Service Providers that are members of the affiliation are displayed in the SAML Service Providers Associations section of the affiliate dialog. This list of Service Providers is a read-only list. To edit this list, modify the Service Provider object.

A list of SAML 2.0 authentication schemes that use an affiliation for user disambiguation is displayed in the SAML Authentication Scheme Associations section. This list of authentication schemes is a read-only list. To edit this list, modify the particular scheme.

Assign Affiliations at the Identity Provider

For the Identity Provider, the affiliation provides the Name ID in an assertion. Additionally, the Identity Provider includes an affiliation ID in the assertion. Select an affiliation when you configure a Service Provider object.

At runtime, the Identity Provider uses the NameID for the affiliation and disregards the Name ID configuration that is defined for the Service Provider object.

Follow these steps:

  1. Navigate to the Service Provider object you want to modify.
  2. Go to the Name IDs page.
  3. Select a SAML affiliation from the pull-down list.

    The affiliation must already be configured to be in the list.

Assign Affiliations at the Service Provider

For the Service Provider, an affiliation determines user information. Select an affiliation when you configure an authentication scheme at the Service Provider.

At runtime, the Service Provider relies on the user configuration from the affiliation. It disregards the user configuration in the authentication scheme.

Follow these steps:

  1. Navigate to the SAML 2.0 authentication scheme you want to modify.
  2. Go to the General page.
  3. In the User Disambiguation section, select a SAML affiliation from the pull-down list.

    The affiliation must already be configured to be in the list.