Previous Topic: Configure CA SiteMinder® as a WS-Federation Account PartnerNext Topic: Select Users for Which Assertions are Generated


Configure General Information for the Resource Partner Object

Select the General page to name the Resource Partner and provide details, such as the Resource Partner and Account Partner IDs. In addition, you can configure IP address and time restrictions for accessing a Service Provider.

To configure the general settings

  1. Navigate to the General settings.
  2. Fill in values for the fields, noting the required fields.

    Note: Click Help for a description of fields, controls, and their respective requirements.

    Note the following information about the Skew Time field.

    Skew Time

    Specifies the number of seconds subtracted from the current system time. This calculation accounts for Resource Partners with clocks that are not synchronized with the Account Partner.

    For single sign-on, the value of the skew time and the single sign-on validity duration determine how long an assertion is valid. Review how the assertion validity is calculated to understand more about the skew time.

  3. For debugging purposes only, you can temporarily disable all signature processing (both signing and verification of signatures) by selecting the Disable Signature Processing checkbox.

    Important! Signature processing is enabled by default because the WS-Federation Passive Requester profile for single sign-on requires it.

Authenticate Users with No CA SiteMinder® Session

When you add a Resource Partner to an affiliate domain, one of the parameters you are required to set is the Authentication URL parameter.

The Authentication URL points to the redirect.jsp file. This file is installed at the Account Partner site where you install the Web Agent Option Pack or the SPS federation gateway. Protect the redirect.jsp file with a CA SiteMinder® policy. The policy triggers an authentication challenge to users who request a protected Resource Partner resource but do not have a CA SiteMinder® session.

A CA SiteMinder® session is required for the following bindings:

After a user is authenticated and successfully accesses the redirect.jsp file, a session is established. The redirect.jsp file redirects the user back to the Account Partner Web Agent or the SPS federation gateway. CA SiteMinder® then processes the request.

The procedure for protecting the Authentication URL is the same regardless of the following deployments:

Configure a Policy to Protect the Authentication URL

To protect the Authentication URL

  1. Log in to the Administrative UI.
  2. Create Web Agents to bind to the realms that you define for the asserting party web server. Assign unique agent names for the web server and the FWS application or use the same agent name for both.
  3. Create a policy domain for the users who are challenged when they try to access a consumer resource.
  4. Select the users that must have access to the resources that are part of the policy domain.
  5. Define a realm for the policy domain with the following values:
    Agent

    Agent for the asserting party web server

    Resource Filter

    Web Agents r6.x QMR 6, r12.0 SP2, r12.0 SP3 and SPS federation gateway enter:

    /siteminderagent/redirectjsp/

    The resource filter /siteminderagent/redirectjsp/ is an alias that the FWS application sets up automatically. The alias references include:

    • Web Agent:

      web_agent_home/affwebservices/redirectjsp

    • SPS federation gateway:

      sps_home/secure-proxy/Tomcat/webapps/affwebservices/redirectjsp

    Persistent Session

    For the SAML artifact profile only, select the Persistent check box in the Session section of the realm dialog. If you do not configure a persistent session, the user cannot access consumer resources.

    For the remaining settings, accept the defaults or modify as needed.

  6. Click OK to save the realm.
  7. Create a rule for the realm. In the Resource field, accept the default value, the asterisk (*), to protect all resources for the realm.
  8. Create a policy for the asserting party web server that includes the rule created in the previous step.
  9. Complete the task Select Users for Which Assertions are Generated.
Assertion Validity for Single Sign-on

For single sign-on, the values of the Skew Time and the Validity Duration determine how CA SiteMinder® calculates the total time that an assertion is valid. CA SiteMinder® applies the skew time to the generation and consumption of assertions.

Note: In this description, the asserting party is the SAML 1.x Producer, SAML 2.0 Identity Provider, or WS-Federation Account Partner. The relying party is the SAML 1.x Consumer, the SAML 2.0 Service Provider, or the WS-Federation Resource Partner.

In the assertion document, the NotBefore and NotOnOrAfter values represent the beginning and end of the validity interval.

At the asserting party, CA SiteMinder® sets the assertion validity. The validity interval is the system time when the assertion is generated. CA SiteMinder® sets the IssueInstant value in the assertion using this time then subtracts the skew time value from the IssueInstant value. The resulting time is the NotBefore value.

NotBefore=IssueInstant - Skew Time

To determine the end of the validity interval, CA SiteMinder® adds the Validity Duration value and the skew time to the IssueInstant value. The resulting time becomes the NotOnOrAfter value.

NotOnOrAfter=Validity Duration + Skew Time + IssueInstant

Times are relative to GMT.

For example, an assertion is generated at the asserting party at 1:00 GMT. The skew time is 30 seconds and the validity duration is 60 seconds, making the assertion validity interval between 12:59:30 GMT and 1:01:30 GMT. This interval begins 30 seconds before the time the assertion was generated and ends 90 seconds afterward.

At the relying party, CA SiteMinder® performs the same calculations as it does at the asserting party to determine if the assertion it receives is valid.

Calculating Assertion Validity with CA SiteMinder® at Both Sides of the Partnership

If CA SiteMinder® is at both sides of a partnership, the assertion validity is the sum of the validity duration plus two times the skew time. The equation is:

Assertion Validity = 2 x Skew Time (asserting party) + Validity Duration+ 2 x Skew Time (relying party)

The initial part of the equation (2 x Skew Time + Validity Duration) represents the beginning and end of the validity window at the asserting party. The second part of the equation (2 x Skew Time) represents the skew time of the system clock at the relying party. You multiply by 2 because you are accounting for the NotBefore and the NotOnOrAfter ends of the validity window.

Note: For legacy federation, the Validity Duration is only set at the asserting party.

Example

Asserting Party

The values at the asserting party are as follows:

IssueInstant=5:00PM

Validity Duration=60 seconds

Skew Time = 60 seconds

NotBefore = 4:59PM

NotOnOrAfter=5:02PM

Relying Party

The relying party uses the NotBefore and NotOnOrAfter values from the assertion and applies its skew time to those values. This formula is how the relying party calculates new NotBefore and NotOnOrAfter values.

Skew Time = 180 seconds (3 minutes)

NotBefore = 4:56PM

NotOnOrAfter=5:05PM

Based on these values, the calculation for the total assertion validity window is:

120 seconds (2x60) + 60 seconds + 360 seconds (2x180) = 540 seconds (9 minutes).

Configure Time Restrictions for Resource Partner Availability (optional)

You can specify time restrictions for Resource Partner resource availability. When you specify a time restriction, access to the Resource Partner resources is only during the period specified. If a user tries accessing a resource outside of the designated period, the Account Partner does not generate a SAML assertion.

Note: Time restrictions are based on the system clock of the server on which the Policy Server is installed.

To specify a time restriction

  1. Begin at the General settings.

    In the Restrictions section of the page, click Set in the Time section.

    The Time Restriction page displays.

  2. Complete the schedule. This schedule grid is identical to the Time Restriction grid for rule objects. For more information, see the Policy Server Configuration Guide.
  3. Click OK.

The time restriction schedule is set.

Configure IP Address Restrictions for Resource Partners (optional)

You can specify an IP address, range addresses, or a subnet mask of the web server to access a Resource Partner. If IP addresses are specified for a Resource Partner, the Resource Partner only accepts users from the appropriate IP addresses.

To specify IP addresses

  1. Begin at the General settings.

    In the Restrictions section of the page, click Add in the IP Address area.

    The IP Restrictions page appears.

  2. Select the option for the type of IP address you are adding, then complete the associated fields for that address type.

    Note: If the IP address is unknown but you have a domain name for the address, click the DNS Lookup button. This button opens the DNS Lookup page. Enter a fully qualified host name in the Host Name field and click OK.

  3. Click OK to save your configuration.