Previous Topic: Overview of a CA SiteMinder® Federation SetupNext Topic: Set Up Relying Party Components


Set Up Asserting Party Components

The following illustration shows a SAML 1.x Producer, SAML 2.0 Identity Provider, or WS-Federation Account Partner setup.

Graphic showing a set of asserting party components

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

Install the Asserting Party Policy Server

The setup at the asserting party is as follows:

  1. Install the Policy Server.

    Note: For more information, see the Policy Server Installation Guide.

  2. Set up the session store and its database for artifact single sign-on only.

    Note: For more information, see the Policy Server Administration Guide.

    The session store is required only for artifact single sign-on because the session server stores an assertion before it is retrieved.

  3. Set up a policy store for use by the Policy Server.

    Note: For more information, see the Policy Server Installation Guide.

  4. Set up a user directory.

    Note: For more information, see the Policy Server Configuration Guide.

    This user directory must contain the users for which assertions are generated.

  5. (Optional) Enable error and trace logging for the Policy Server to see the communication between the asserting and relying parties.
Set up Affiliate Domains and Add Sites to these Domains

Before you set up Federation Web Services, you establish affiliate domains and add the sites that consume assertions to the affiliate domains. The affiliate domains identify the partners to the site generating the assertions.

At the asserting party

  1. Access the Administrative UI.
  2. Create an affiliate domain.
  3. Add a user store for users that the asserting party (producer, IdP, AP) generates assertions.
  4. Add an object for each relying party (consumer, SP, RP) to the affiliate domain.

    There must be a one-to-one correspondence between a relying party and each object added to the domain.

  5. After you add sites to an affiliate domain, verify that the Authentication URL is protected. This verification affirms that a user has a session at the asserting party before processing a request for a federated resource.

    To do this task:

    1. Create a policy domain.
    2. Protect the policy domain with the Web Agent. Use the Web Agent that is protecting the server with the Web Agent Option Pack.
    3. To this policy domain, add a realm, rule, and policy that protects the Authentication URL.

More Information:

Authenticate Users with No CA SiteMinder® Session (SAML 1.x)

Install a Web Agent or SPS Federation Gateway at the Asserting Party

The Web Agent is a required component in a CA SiteMinder® federation network. Install a Web Agent on a web server or install an SPS federation gateway, which has an embedded web agent.

At the asserting party, set up the following components:

  1. Install one of the following components:
  2. For artifact single sign-on, SSL-enable the web server with the Web Agent installed or the system with the SPS federation gateway.
Install an Application Server for the Web Agent Option Pack (Asserting Party)

If you are implementing legacy federation with a Web Agent and Web Agent Option Pack, install the Web Agent Option Pack. Install this component on a web or application server.

At the asserting party:

  1. Install one of the following servers to run Federation Web Services, the application that is installed with the Web Agent Option Pack.
  2. Deploy Federation Web Services on these systems.
  3. For artifact single sign-on, SSL-enable the web server where the Web Agent Option Pack is installed.

More Information:

Deploy Federation Web Services as a Web Application

Install the Asserting Party Web Agent Option Pack

The Web Agent Option Pack supplies the Federation Web Services application, which is a required component for CA SiteMinder® legacy federation.

At the asserting party:

  1. Install the Web Agent Option Pack.

    For instructions, see the Web Agent Option Pack Guide.

  2. Verify that you installed a JDK. The Web Agent Option Pack requires a JDK.

    For the supported JDK version, log on to the Technical Support site and search for the CA SiteMinder® Platform Support Matrix for the release.

Note: The SPS federation gateway can replace the Web Agent and Web Agent Option Pack to provide the Federation Web Services application functions. For information about installing and configuring the SPS federation gateway, see the Secure Proxy Server Administration Guide.

Configure Federation Web Services (Asserting Party)

The Federation Web Services application is installed on the server with the Web Agent Option Pack or the SPS federation gateway.

To configure Federation Web Services at the asserting party

  1. Configure one of the supported application servers to use the Web Agent Option Pack. Refer to the Web Agent Option Pack deployment instructions.

    On the SPS federation gateway, Federation Web Services is already deployed.

  2. Verify that the AgentConfigLocation parameter in the AffWebServices.properties file is set to the full path to the WebAgent.conf file. Be sure that the syntax is correct and the path appears on one line in the file.

    The AffWebServices.properties file contains the initialization parameters for Federation Web Services. This file is located in the one of the following directories:

    web_agent_home

    Represents the installed location of the Web Agent

    sps_home

    Represents the installed location of the SPS federation gateway

  3. Enable error and trace logging for the Federation Web Services application. Enable logging in the LoggerConfig.properties file. The logs enable you to see the communication between the asserting party and the relying party.
  4. Test Federation Web Services by opening a web browser and entering the following link:

    http://fqhn:port_number/affwebservices/assertionretriever

    fqhn

    Defines the fully qualified host name.

    port_number

    Defines the port number of the server where the Federation Web Services application is installed.

    For example:

    http://myhost.ca.com:81/affwebservices/assertionretriever

    If Federation Web Services is operating correctly, you see the following message:

    Assertion Retrieval Service has been successfully initialized.
    The requested servlet accepts only HTTP POST requests.
    

    This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you receive a message that the Assertion Retrieval Service has failed. If the test fails, look at the Federation Web Services log.

Allow Access to Federation Web Services (asserting party)

When you install the Policy Server, CA SiteMinder® creates policies for the Federation Web Services (FWS) application. The FWS application is installed with the Web Agent Option Pack. For a few federation features, the relying party needs permission to access the protected FWS service. Adding a relying partner to a policy is a task you do only at the asserting party.

For example, for HTTP-Artifact binding for single sign-on, a policy protects the service from which CA SiteMinder® retrieves an assertion. For CA SiteMinder® to retrieve the assertion for a specific relying partner, that partner must be added as a user to the policy that protects the service.

Grant access to specific FWS policies that apply to features configured for your federation partnership.

Enable the Signing of SAML Post Responses

Signing SAML POST responses is a SAML specification requirement. To sign SAML POST responses, add a private key and certificate to the certificate data store at the asserting party.

For instructions on importing keys and certificates into the data store, see the Policy Server Configuration Guide.

Create Links to Target Resources (optional)

Go to one of the following:

Initiate SAML 1.x Single Sign-On at the Producer

At the SAML 1.x producer, create pages that contain links which direct the user to the consumer site. Each link represents an intersite transfer URL. The user has to visit the intersite transfer URL, which sends a request to the producer-side Web Agent. The user is then redirected to a consumer site.

The link that the user selects at the producer must contain certain query parameters. These parameters are part of an HTTP GET request to the producer Web Agent.

For the SAML artifact profile, the syntax for the intersite transfer URL is:

http://producer_site/affwebservices/public/intersitetransfer?SMASSERTIONREF=
QUERY&NAME=affiliate_name&TARGET=http://consumer_site/target_url?query_parameter_name%3Dquery_parameter_value%26query_parameter_name%3Dquery_parameter_value&SMCONSUMERURL=http://consumer_site/affwebservices/public/samlcc&AUTHREQUIREMENT=2
producer_site

Specifies the server and port number of the system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

consumer_site

Specifies the server and port number of the system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

For the SAML POST profile, the syntax for the intersite transfer URL is:

http://producer_site/affwebservices/public/intersitetransfer?SMASSERTIONREF=
QUERY&NAME=affiliate_name&TARGET=http://consumer_site/target_url
producer_site

Specifies the server and port number of the system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

consumer_site
Specifies the server and port number of the system hosting the Web Agent Option Pack or the SPS federation gateway, depending on which components are installed in your federation network.

Note: The SAML POST profile does not use SMCONSUMERURL and AUTHREQUIREMENT parameters. However, if you include one of these parameters in the intersite transfer URL, include the other parameter.

More Information:

Creating Links to Consumer Resources for Single Sign-on

Initiate SAML 2.0 Single Sign-On at the Identity Provider

If a user visits the Identity Provider before going to the Service Provider (POST or artifact binding), initiate an unsolicited response at the Identity Provider. To initiate an unsolicited response, the Federation Web Service application and assertion generator accept an HTTP Get request with a query parameter. This query parameter indicates the Service Provider ID for which the IdP generates the response.

For SAML 2.0 artifact or post profile, the syntax for the link is:

http://IdP_server:port/affwebservices/public/saml2sso?SPID=SP_ID

idp_server:port

Identifies the web server and port hosting the Web Agent Option Pack or SPS federation gateway.

SP_ID

Service Provider ID value.

Add the ProtocolBinding query parameter to this link depending on which bindings are enabled.

Note: You do not need to HTTP-encode the query parameters.

You can also initiate single sign-on at the Service Provider.

More information:

Unsolicited Response Query Parameters Used by a SiteMinder IdP

Initiate WS-Federation Single Sign-on at the Account Partner

To initiate WS-Federation single sign-on, a user clicks on a page with a hard-coded HTML link. This HTML link directs the browser of the user to the single sign-on service at the Account Partner. The Account Partner then redirects the user to the Resource Partner.

The link that initiates single sign-on can be included at any site, but it must always first direct the user to the Account Partner.

The syntax for the link is:

https://AP:port/affwebservices/public/wsfedsso?wa=wsignin1.0&wtrealm=RP_ID

ap_server:port

Specifies the server and port number of the system at the Account Partner. The system is hosting the Web Agent Option Pack or the SPS federation gateway, depending on which component is installed in your federation network.

Note: You do not need to HTTP-encode the query parameters.