Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a SAML 2.0 Service Provider › How to Configure a SAML 2.0 Authentication Scheme

How to Configure a SAML 2.0 Authentication Scheme

Configuring CA SiteMinder® as a Service Provider requires the following tasks:

1. Complete the SAML 2.0 authentication scheme prerequisites.
2. Select the authentication scheme type.
3. Configure disambiguation to authenticate users.
4. Configure single sign-on.

Configure a SAML authentication scheme for each Identity Provider that is a federation partner and generates assertions. Bind each scheme to a realm. The realm consists of all the URLs of the target resources requested by users. Protect these resources with a CA SiteMinder® policy.

Tips:

• Certain parameter values at the Identity Provider and Service Provider must match for the configuration to work. A list of those parameters is available in Configuration Settings that Must Use the Same Values.
• Verify that you are using the correct URLs for the Federation Web Services servlets. The URLs are listed in Federation Web Services URLs Used in SiteMinder Configuration.

Optional Configuration Tasks for a Service Provider

The optional tasks for configuring CA SiteMinder® as a Service Provider are:

• Enable single logout.
• Enable encryption for Name IDs and/or assertions.
• Sign artifact resolve message.
• Require signed artifact response.
• Customize assertions using the Message Consumer Plug-in.

Navigating Legacy Federation Dialogs

The Administrative UI provides two ways to navigate to the legacy federation configuration dialogs.

You can navigate in one of two ways:

• Following a wizard to configure a new legacy federation object.

  When you create an object, a page displays with a configuration wizard. Follow the steps in the configuration wizard to create the object.

• Selecting tabs to modify an existing legacy federation object.

  When you modify an existing object, a page displays with a series of tabs. Modify the configuration from these tabs. These tabs are the same as the steps in the configuration wizard.

Select the Authentication Scheme Type

The Service Provider uses the identity information in the assertion to authorize access to protected federated resources. CA SiteMinder® employs a SAML authentication scheme for this process.

Before you can assign a SAML 2.0 authentication scheme to protect resources, configure the scheme.

Follow these steps:

1. Review the SAML 2.0 Authentication Scheme Prerequisites.
2. Log in to the Administrative UI.

   Navigate to Infrastructure, Authentication, Authentication Schemes.

   The Authentication Scheme page opens at the General settings.

3. Name the authentication scheme.
4. In the Authentication Scheme Type drop-down list, select SAML 2.0 Template. You can also select a protection level for this scheme.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   The contents of the Authentication Scheme dialog change to support the SAML 2.0 scheme.

5. In the Scheme Setup section, click SAML 2.0 Configuration to define the details of the authentication scheme.

   If you are configuring the scheme for the fist time, follow the configuration wizard to set up the authentication scheme.

Specify the General Information for the SAML 2.0 Auth Scheme

Identity the Service Provider and Identity Provider in the General settings for the SAML 2.0 authentication schemes.

Follow these steps:

1. From the main authentication scheme page, click SAML 2.0 Configuration.

   If you are modifying an existing scheme, click Modify then click SAML 2.0 Configuration.

   The detailed settings for the scheme display.

2. In the General settings, complete the required fields.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

3. Move on to the User Disambiguation section.