

Deploy Legacy Federation Using a Manual Configuration

This section contains the following topics:

Manual CA SiteMinder®-to-CA SiteMinder® Deployment Overview

Confirm that Required Components are Installed

Sample Federation Network

Set Up the Identity Provider for the Sample Network

Set up the Service Provider for the Sample Network

Test SAML 2.0 Single Sign-on

Add Functionality to the Federation Deployment

Manual CA SiteMinder®-to-CA SiteMinder® Deployment Overview

You can accomplish a deployment manually. The manual deployment tasks begin with a simple configuration, single sign-on with POST binding. By starting with a basic configuration, you can complete the least number of steps to see how CA SiteMinder® federation works.

After getting POST single sign-on to work, additional tasks, such as configuring the artifact binding, digital signing, and encryption are described. You can add these features to reflect a real production environment.

Important! The deployment exercise is only for SAML 2.0. These procedures do not apply to a SAML 1.x or WS-Federation configuration.

The manual deployment examples are different from the sample application deployment in the following ways:

Important! The procedures throughout the manual deployment use sample data. To use data from your environment, specify entries for your Identity Provider and Service Provider configuration.

Confirm that Required Components are Installed

Federation requires that the following components are installed:

This sample federation deployment example assumes that these components are installed and working.

Optionally, set up these features:

Sample Federation Network

The sample websites in the CA SiteMinder® federated network are an Identity Provider named idp.demo, and a Service Provider named sp.demo. A business partnership is established between idp.demo and sp.demo.

The following illustration shows the sample federated network.

Figure: the sample federated network, showing how the legacy sample application can be deployed.

Identity Provider Data for a Basic Configuration

IdP.demo is the Identity Provider. The following table contains sample data for the most basic SAML 2.0 POST single sign-on configuration.

Identity Provider Component / Sample Network

IdP Policy Server
    Server: www.idp.demo:80
    Server type: IIS Web Server

IdP policy store
    IP Address: www.idp.demo:389
    Storage: LDAP (Sun One Directory Server)
    Root DN: o=idp.demo
    Admin Username: cn=Directory Manager
    Password: federation

User store
    Directory name: IdP LDAP
    Server: www.idp.demo:42088
    Server Type: Sun One Directory Server (LDAP)
    User store: The LDAP directory contains the following users:
      •    user1
      •    user2
    userpassword: test
    mail: <user_name>@idp.demo
    Root: dc=idp,dc=demo
    Start: uid=
    End: ,ou=People,dc=idp,dc=demo

IdP Web Agent with Web Agent Option Pack
    Server: www.idp.demo:80
    Server Type: IIS Web Server
    Agent name: idp-webagent

Assertion Consumer Service URL
    URL: http://www.sp.demo:81/affwebservices/public/saml2assertionconsumer

Assertion Retrieval Service URL
    URL: http://www.idp.demo:80/affwebservices/assertionretriever

Authentication URL
    URL: http://www.idp.demo/siteminderagent/redirectjsp/redirect.jsp

Identity Provider Data for an Advanced Configuration

The following table contains sample data for more advanced SAML 2.0 features, such as the artifact profile, signing and encrypting assertions.

Identity Provider Component / Sample Network

Session store
    Server: www.idp.demo
    Database type: ODBC
    Database Source Information: SiteMinder Session Data Source
    User Name: admin
    Password: dbpassword

SSL-enabled server
    Server: www.idp.demo:443
    Server Type: IIS 6.0 Web
    The web server with the Web Agent Option Pack is SSL-enabled for artifact binding.

Certificate of the Certificate Authority (CA)
    Certificate of CA: docCA.crt
    DER-encoded Cert: docCA.der
    This CA signs the server-side certificate to enable SSL.

Private key/certificate pair to sign SAML responses
    Certificate: post-cert.crt
    Private key: post-pkey.der
    Password: fedsvcs

Certificate (public key) for encryption
    Public key: sp-encrypt.crt

Attribute to include in assertion
    Attribute: unspecified (default)
    Attribute Kind: User DN
    Variable Name: firstname
    Variable Value: givenname

Service Provider Data for a Basic Configuration

The Service Provider is SP.demo. The following table contains sample data for the most basic SAML 2.0 POST single sign-on configuration.

Service Provider Component / Sample Network

SP Policy Server
    Server: www.sp.demo:80
    Server type: IIS Web Server

SP policy store
    IP Address: www.sp.demo:389
    Storage: LDAP (Sun One Directory Server)
    Root DN: o=ca.com
    Admin Username: cn=Directory Manager
    Password: federation

User Store
    Directory name: SP LDAP
    Server: www.sp.demo:32941
    Server Type: LDAP (Sun One Directory Server)
    User store: The LDAP directory contains the following users:
      •    user1
      •    user2
    userpassword: customer
    mail: <user_name>@sp.demo
    Root: dc=sp,dc=demo
    Start: uid=
    End: ,ou=People,dc=sp,dc=demo

SP Web Agent and Web Agent Option Pack
    Server: www.sp.demo:81
    Server type: Sun ONE 6.1 Web Server
    Agent name: sp-webagent

Single Sign-on Service
    SSO Service: http://www.idp.demo:80/affwebservices/public/saml2sso

Target Resource
    Target Resource: http://www.sp.demo:81/spsample/protected/target.jsp

Service Provider Data for an Advanced Configuration

The following table lists sample data for more advanced SAML 2.0 features, such as setting up the artifact profile, signing and encrypting assertions.

Service Provider Component / Sample Network

Artifact Resolution Service
    Resolution Service: https://www.idp.demo:443/affwebservices/saml2artifactresolution

Certificate of Certificate Authority
    Certificate of CA: docCA.crt
    DER-encoded cert: docCA.der
    This CA signs the server-side certificate to enable SSL.

Certificate (public key)
    Used to verify the signature of SAML responses
    Certificate: post-cert.crt

Private key/certificate pair
    Used for decryption and digital signing
    Private key: sp-encrypt.der
    Public key: sp-encrypt.crt
    Password: fedsvcs
    Issuer DN: CN=Certificate Manager,OU=IAM,O=CA.COM
    Serial Number: 008D 8B6A D18C 46D8 5B

Set Up the Identity Provider for the Sample Network

The following sections detail the tasks for deploying legacy federation at the Identity Provider. The entries in each section reflect the sample data that is provided for a basic configuration.

Note: These procedures assume that you have already installed the required components.

Set Up the IdP User Store

At the Identity Provider, a user store with users defined is required. The Identity Provider can create assertions for these users. In this deployment, the user store is a Sun ONE LDAP user directory. The Sun ONE Server Console is used to add users to this user store.

To configure the user store

  1. Add the following users:
  2. Fill in the attributes for user1 and user2 as follows:
    user1

    userpassword: test

    mail: user1@idp.demo 

    user2

    userpassword: test

    mail: user2@idp.demo

    Important! The email address must be the same in the Service Provider user store for the same users.

  3. Enable trace logging.
Point the Policy Server to the IdP LDAP Policy Store

In this deployment, an LDAP policy store is used. Verify that the Policy Server is pointing to the LDAP policy store.

Note: The guide assumes that you know how to add users to the user store in your deployment.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Select the Data tab.
  3. Complete the following fields:
    Databases

    Policy Store

    Storage

    LDAP

    IP Address (LDAP directory)

    www.idp.demo:389

    Root DN

    o=idp.demo

    Admin Username

    cn=Directory Manager

    Password

    password

    Confirm Password

    password

  4. Click OK to save your changes and exit the console.
  5. Go to Set Up the IdP User Store.
Enable Policy Server Trace Logging at the IdP

At the Identity Provider, enable logging for the Policy Server. You can view the log file smtracedefault.log to examine trace messages about single sign-on and single log out. This log file is in the directory policy_server_home/siteminder/log.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Click on the Profiler tab and customize the contents of the trace log.

    Note: Include the Fed_Server component in the log to see the federation trace messages.

    You configure trace logging at the Policy Server using the Policy Server Management Console.

  3. Install the IdP Web Agent.
Configure the Web Server with the Web Agent Option Pack

Configure the Federation Web Services (FWS) application for the sample deployment.

To set up FWS, complete the following tasks:

  1. Install the JDK for Federation Web Services.
  2. Install and configure ServletExec to work with FWS at the IdP.
  3. Configure the FWS properties file at the IdP.
  4. Test Federation Web Services at the IdP.
  5. Enable Web Agent Option Pack logging at the IdP.

Install the JDK for Federation Web Services

The Web Agent Option Pack requires a JDK to run the Federation Web Services application.

For the correct JDK version, go to the Technical Support site and search for the CA SiteMinder® Platform Support Matrix for the release.

Install and Configure ServletExec to work with FWS at the IdP

For FWS to operate, you can install ServletExec or any supported application server. This sample network uses ServletExec on an IIS 6.0 Web Server.

Note: CA SiteMinder® 12.52 is shipped with a ServletExec license key file named ServletExec_AS_6_license_key.txt. If you do not have this license key, contact CA Technical Support. From this license file, copy the license key and enter it in the ServletExec License dialog of the ServletExec Administration Console. For instructions on licensing ServletExec, see ServletExec documentation, available at the New Atlanta Communication website.

Be sure to apply the most current hot fixes for the supported version of ServletExec you are using. The hot fixes are necessary for Federation Web Services to work with ServletExec. To obtain hot fixes, go to the website for New Atlanta Communication.

To set up ServletExec

  1. Install ServletExec. For more information, see the New Atlanta documentation.
  2. Open the ServletExec Administration Console.
  3. Under Web Applications, select manage.

    The Manage Web Applications dialog opens.

  4. Click Add a Web Application.
  5. Enter the following information:
    Application Name

    affwebservices

    URL Context Path

    /affwebservices/

    Location

    C:\program files\ca\webagent\affwebservices

    Note: The location of affwebservices in your setup can be different. Enter the correct location.

  6. Click Submit.
  7. Exit the ServletExec Console.
  8. Modify the directory security settings for the IIS default user account.

Important! The IIS user account must have proper rights for IIS to allow any plug-in to write to a file system. Therefore, for Federation Web Services to work with ServletExec, modify the directory security settings for the IIS default user account.

More Information:

Enable ServletExec to Write to the IIS File System

Configure the FWS Properties File at the IdP

Enable ServletExec to Write to the IIS File System

The IIS server user account must have proper rights for IIS to allow a plug-in to write to its file system. For ServletExec to write to the federation log files, the anonymous user account that is associated with ServletExec must have permissions to write to the file system.

Follow these steps:

  1. Open the IIS Internet Information Services Manager on the system where ServletExec is installed.
  2. Navigate to Web Sites, Default Web Site.

    The set of applications is displayed in the right pane.

  3. Select ServletExec and right-click Properties.
  4. Select the Directory Security tab in the Properties dialog.
  5. Click Edit in the Authentication and access control section.

    The Authentication Methods dialog opens.

  6. Set the controls as follows.
    1. Select Enable Anonymous Access.

      For anonymous access, enter the name and password of a user account that has permission to write to the Windows file system. To grant this right to a user account, see the Windows documentation. For example, you can use the IUSR Internet Guest account for anonymous access.

    2. Clear Basic authentication.
    3. Clear Integrated Windows authentication.
  7. If prompted, apply the security changes to all child components of the web server.
  8. Restart the web server.

The user account that is associated with ServletExec can now write to the IIS file system.

Follow these steps:

  1. Open Control Panel, Administrative Tools, Local Security Policy, Local Policies, User Rights Assignment.

    The Local Security Settings dialog displays.

  2. Double-click Act as part of the operating system.

    The Act as part of the operating system Properties dialog opens.

  3. Add the anonymous user account to the Local Security Setting dialog.
  4. Click OK.
  5. Exit from the control panel.
  6. Optionally, but strongly recommended: examine the Agent Configuration Object for the Web Agent that protects the IIS Web Server and verify that the SetRemoteUser parameter is set to yes, which prevents any anonymous user from writing to the file system.
Configure the FWS Properties File at the IdP

The affwebservices.properties file contains all the initialization parameters for Federation Web Services. Modify at least one of the settings in this file.

To modify the affwebservices.properties file

  1. On the IdP system with the Web Agent Option Pack, go to the directory C:\Program Files\ca\webagent\affwebservices\WEB-INF\classes
  2. Set the AgentConfigLocation parameter to the location of the WebAgent.conf file. This parameter must have a value.

    For this deployment, an IIS web server hosts the FWS application. So, the path to the WebAgent.conf file is:

    C:\\Program Files\\ca\\webagent\\bin\\IIS\\WebAgent.conf
    

    Note: Federation Web Services is a Java component, so the Windows paths must contain double backslashes. This format applies only to Windows.

    Verify that this path is entered on one line.

  3. Save and close the file.
  4. Test Federation Web Services at the IdP.
Test Federation Web Services at the IdP

After you set up Federation Web Services, verify that the application is operating correctly.

Follow these steps:

  1. Open a web browser and enter the following link:

    http://<fqhn>:<port_number>/affwebservices/assertionretriever

    fqhn

    Defines the fully qualified host name.

    port_number

    Defines the port number of the server where the Web Agent and Web Agent Option Pack are installed.

    For this deployment, enter:

    http://www.idp.demo:80/affwebservices/assertionretriever

    If Federation Web Services is operating correctly, the following message appears:

    Assertion Retrieval Service has been successfully initialized.
    
    The requested servlet accepts only HTTP POST requests.
    

    This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you get a message that the Assertion Retrieval Service has failed. If Assertion Retrieval Service fails, examine the Federation Web Services log.

  2. Enable Web Agent Option Pack Logging at the IdP.
Enable Web Agent Option Pack Logging at the IdP

At the IdP, enable logging for the system with the Web Agent Option Pack so that you can view the Federation Web Services error and trace logs.

Follow these steps:

  1. Configure the affwebservices.log by setting up the LoggerConfig.properties file.
  2. Configure FWS trace logging.
  3. Specify the User Store for the IdP Policy Server.

More Information:

Set up the LoggerConfig.properties File

Specify the User Store for the IdP Policy Server

The IdP user directory consists of user records for which the Identity Provider generates assertions.

The following steps specify how to configure a user directory in the Administrative UI. The directory, named IdP LDAP, is the Sun ONE LDAP directory that contains user1 and user2.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory, User Directories.
  3. Click Create User Directory.
  4. Complete the following fields:
    Name

    IdP LDAP

    NameSpace

    LDAP

    Server

    www.idp.demo:42088

  5. Complete the following field in the LDAP Settings section:
    Root

    dc=idp,dc=demo

    Accept the defaults for the other values.

    Complete the following field in the LDAP User DN Lookup:

    Start

    uid=

    End

    ,ou=People,dc=idp,dc=demo

  6. Click View Contents to verify you can view the contents of the directory.
  7. Click Submit.
  8. Set up an Affiliate Domain at the IdP.
Set up an Affiliate Domain at the IdP

To identify the Service Provider to the Identity Provider, create an affiliate domain and add a service provider object for sp.demo.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Federation, Legacy Federation, Affiliate Domains.
  3. Click Create Affiliate Domain.
  4. Complete the following fields:
    Name

    Federation Sample Partners

    Description

    Domain for sp.demo

  5. Leave this dialog open and add the user directory to the affiliate domain at the IdP.
Add the User Directory to the Affiliate Domain at the IdP

Associate a user directory with the affiliate domain.

Follow these steps:

  1. Complete the User Directory section in the Affiliate Domain dialog.
  2. Add the IdP LDAP directory.

    For your network, select the user store you set up at the IdP.

  3. Click OK.
  4. Go to Add the Service Provider to the Affiliate Domain at the IdP.
Add the Service Provider to the Affiliate Domain at the IdP

Add the Service Provider named sp.demo to the affiliate domain.

Follow these steps:

  1. In the Administrative UI, navigate to Federation, Legacy Federation, SAML Service Providers.
  2. Select Create SAML Service Provider.
  3. Follow the configuration wizard.
  4. Select Federation Sample Partners as the domain then click Next.
  5. Complete the following fields in the General step:
    Name

    sp.demo

    Description

    Service Provider

    SP ID

    sp.demo

    IdP ID

    idp.demo

    Skew Time (seconds)

    Accept the default

    Authentication URL

    http://www.idp.demo/siteminderagent/redirectjsp/redirect.jsp

    This redirect.jsp is included with the Web Agent Option Pack that is installed at the Identity Provider site. In this deployment, that server is www.idp.demo. If the user does not have a CA SiteMinder® session, the SSO service at the IdP redirects the user to the authentication URL to log in.

    After successful authentication, the redirect.jsp application redirects the user back to the SSO service for assertion generation. A CA SiteMinder® policy must protect this URL.

    Enabled

    Verify that this option is selected. By default, this option is selected.

  6. Keep the UI open and go to Select Users for which the IdP Generates Assertions.
Protect the Authentication URL (SAML 2.0)

You must protect the Authentication URL with a SiteMinder policy. Protecting the Authentication URL ensures that a user requesting a protected federated resource is presented with an authentication challenge if they do not have a SiteMinder session at the IdP.

Follow these steps:

  1. From Domains, create a policy domain called Authentication URL Protection Domain.
  2. Add the IdP LDAP user directory in the User Directories page.
  3. From the Authentication URL Protection domain, create a persistent realm with the following field entries:
    Name

    Authentication URL Protection Realm

    Agent

    Using the lookup button, select FSS web agent

    This is the Web Agent protecting the server with the Web Agent Option Pack.

    Resource Filter

    /siteminderagent/redirectjsp/redirect.jsp

    Accept the defaults for the other settings.

    Session tab

    Select Persistent Session

  4. From the Authentication URL Protection Realm, create a rule under the realm with the following field entries:
    Name

    Authentication URL Protection Rule

    Realm

    Authentication URL Protection Realm

    Resource

    *

    Web Agent actions

    Get

    Accept the defaults for the other settings.

  5. From the Authentication URL Protection domain, create a policy with the following entries:
    Name

    Authentication URL Protection Policy

    Users tab

    Add user1 from the IdP LDAP user directory

    Rules tab

    Add Authentication URL Protection Rule

    You now have a policy that protects the Authentication URL at the Identity Provider.

Select Users for which the IdP Generates Assertions

When you specify a Service Provider in an affiliate domain, include a list of users and groups for which the Assertion Generator generates SAML assertions. Add only users and groups from directories that are in an affiliate domain.

To select users for assertion generation

  1. Navigate to the Users step.
  2. In the User Directories section, select Add Members for the LDAP user directory previously configured.

    The Users/Groups dialog opens.

  3. Search for user1 and user2 by completing the following fields:
    Search type

    Attribute-value

    Attribute

    uid

    Value

    *

    These employees are listed in the IdP LDAP.

  4. Click OK.
  5. Go to the next step in the wizard to configure a Name ID for the assertion.
Configure a Name ID for the Assertion

The Name ID is a unique way of identifying a user in an assertion. The NameID that you enter in the Administrative UI is included in the assertion.

To configure name IDs

  1. Navigate to the Name IDs step.

    The Name IDs dialog displays.

  2. Complete the following fields:
    Name ID Format

    Email Address

    The email address format value means that the Name ID must use an email address in the user directory to identify the user.

    Name ID Type section

    User Attribute

    Name ID Fields—Attribute Name

    mail

  3. Keep the UI open and go to the next step in the wizard.
Configure POST Single Sign-on at the IdP

Specify the HTTP-POST as the SAML 2.0 binding for single sign-on.

Follow these steps:

  1. Navigate to the SAML Profiles step.
  2. Complete the following fields:
    Audience

    sp.demo

    AuthnContext Class Ref

    urn:oasis:names:tc:SAML:2.0:ac:classes:Password (default)

    Assertion Consumer Service

    http://www.sp.demo:81/affwebservices/public/saml2assertionconsumer

    Specifies the URL of the Assertion Consumer Service. For your network, the server you specify is the SP web server where the Web Agent Option Pack is installed.

    Authentication Level

    5 (default)

    Validity Duration Second(s)

    60 (default)

    In a test environment, if the following message appears in the Policy Server trace log, increase the Validity Duration value above 60.

    Assertion rejected(_b6717b8c00a5c32838208078738c05ce6237) -current time (Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time (Fri Sep 09 17:28:20 EDT 2005)

    HTTP-POST

    Select this check box

  3. Disregard the remaining fields.
  4. Go to the next step in the wizard.
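
The Validity Duration note above gives the trace message but not how to turn it into a number. The following script is an added example, not part of the product or of this guide: it parses that "Assertion rejected ... is after SessionNotOnOrAfter" message from smtracedefault.log, reports how many seconds late the assertion arrived, and suggests the smallest Validity Duration (rounded up to 10 s, a margin chosen here) that would have covered the observed lag. The sample trace line is constructed from the message quoted above; the timezone token is captured but deliberately not parsed, because strptime's %Z only understands the local zone names.

```python
import re
from datetime import datetime

# Constructed sample input, taken from the Policy Server trace message quoted in the text above
SAMPLE_TRACE_LINE = (
    "Assertion rejected(_b6717b8c00a5c32838208078738c05ce6237) -current time "
    "(Fri Sep 09 17:28:33 EDT 2005) is after SessionNotOnOrAfter time "
    "(Fri Sep 09 17:28:20 EDT 2005)"
)

DEFAULT_VALIDITY_SECONDS = 60  # Validity Duration default from the SAML Profiles step

# "Fri Sep 09 17:28:33 EDT 2005": weekday, month, day and clock time are parsed;
# the zone name is captured separately and only compared for consistency.
_REJECT_RE = re.compile(
    r"Assertion rejected\((?P<assertion_id>[^)]+)\)\s*-current time\s*"
    r"\((?P<now>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<now_tz>\w+) (?P<now_year>\d{4})\)\s*"
    r"is after SessionNotOnOrAfter time\s*"
    r"\((?P<limit>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<limit_tz>\w+) (?P<limit_year>\d{4})\)"
)
_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_rejection(line):
    """Parse one 'Assertion rejected ... SessionNotOnOrAfter' trace message.
    Returns a dict with the assertion ID, both timestamps and the lag in seconds,
    or None when the line is not such a message."""
    m = _REJECT_RE.search(line)
    if not m:
        return None
    if m["now_tz"] != m["limit_tz"]:
        raise ValueError("timestamps use different zones; normalise them before comparing")
    now = datetime.strptime(f"{m['now']} {m['now_year']}", _DATE_FMT)
    limit = datetime.strptime(f"{m['limit']} {m['limit_year']}", _DATE_FMT)
    return {
        "assertion_id": m["assertion_id"],
        "current_time": now,
        "not_on_or_after": limit,
        "seconds_late": int((now - limit).total_seconds()),
    }


def recommended_validity(seconds_late, current_validity=DEFAULT_VALIDITY_SECONDS, margin=10):
    """Smallest Validity Duration, rounded up to a multiple of 10 s, that would have
    accepted an assertion that arrived seconds_late after the current window closed."""
    needed = current_validity + seconds_late + margin
    return -(-needed // 10) * 10


def diagnose(lines):
    """Scan trace lines; return (assertion_id, seconds_late, recommended_validity) per rejection."""
    findings = []
    for line in lines:
        rej = parse_rejection(line)
        if rej and rej["seconds_late"] > 0:
            findings.append((rej["assertion_id"], rej["seconds_late"],
                             recommended_validity(rej["seconds_late"])))
    return findings


if __name__ == "__main__":
    for assertion_id, late, suggested in diagnose([SAMPLE_TRACE_LINE]):
        print(f"{assertion_id}: {late}s late; try Validity Duration >= {suggested}")
```

For the sample line the lag is 13 seconds, which the script turns into a suggested Validity Duration of 90. A lag like this in a lab is almost always clock drift between the IdP and SP hosts, so synchronising both clocks (NTP) is the fix to prefer over widening the window: every second added to Validity Duration is also a second longer that a captured assertion stays usable.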
Disable Signature Processing for the Basic Sample Deployment

In a production environment, signature processing to sign assertions is required. However, for the basic sample deployment, disable signature processing.

Important! Never disable signature processing in a SAML 2.0 production environment.

Follow these steps:

  1. Navigate to the Encryption & Signing step.
  2. In the Signature section of the page, select Disable Signature Processing.
  3. Click Next to move to the Attributes step in the wizard.
Complete the Service Provider Object Configuration

Attributes is the final step in Service Provider configuration. For a basic configuration, do not configure attributes. Instead, click Finish to complete the Service Provider configuration. The configuration is submitted. You have identified a Service Provider object for the Identity Provider.

Configure the Service Provider

After completing the configuration at the Identity Provider, you must set up the Service Provider.

Set up the Service Provider for the Sample Network

The following sections detail the tasks for deploying legacy federation at the Service Provider. The entries in each section reflect the sample data provided for a basic configuration.

Note: These procedures assume you have already installed the required components.

Set Up the SP User Store

At the SP, configure a user store and add user records for users that require assertions. When the assertion is presented during authentication, the Service Provider looks in the user store for the user record.

In this deployment, the Sun ONE LDAP user directory is the user store. Use the Sun ONE Server Console to add users to the directory.

To configure the user store

  1. Add the following users:
  2. Fill in the attributes for user1 and user2 as follows:
    user1

    userpassword: customer

    mail: user1@sp.demo

    user2

    userpassword: customer

    mail: user2@sp.demo

    Important! The email address must be the same in the Identity Provider user store for the same users.

  3. Enable trace logging.
Point the Policy Server to the SP LDAP Policy Store

Establish the connection between the Policy Server and the LDAP policy store.

Follow these steps:

  1. Open the Policy Server Management Console.
  2. Select the Data tab.

    Complete the following fields:

    Databases

    Policy Store

    Storage

    LDAP

    LDAP IP Address

    sp.demo:389

    Root DN

    o=sp.demo

    Admin Username

    cn=Directory Manager

    Password

    federation

    Confirm Password

    federation

  3. Click OK.
  4. Set up the SP user store.
Enable Trace Logging for Federation Components at the SP

At the SP Policy Server, configure the SiteMinder Profiler to log federation components to the trace log, smtracedefault.log and examine trace messages.

To enable logging

  1. Open the Policy Server Management Console.
  2. Click on the Profiler tab and customize the contents of the trace log. Be sure to include the Fed_Server component in the log to see the federation trace messages.

    Configure trace logging at the Policy Server using the Policy Server Management Console.

  3. Install the SP Web Agent.
Configure the Web Server with the Web Agent Option Pack

The Web Agent Option Pack installed the Federation Web Services (FWS) application. Configure the FWS application for the sample deployment.

For FWS to work, do the following

  1. Install the JDK for Federation Web Services
  2. Install and Configure ServletExec to Work with FWS at the SP
  3. Configure the AffWebServices.properties file
  4. Enable Web Agent Option Pack logging
  5. Test Federation Web Services
Install the JDK for Federation Web Services

The Web Agent Option Pack requires a JDK to run the Federation Web Services application. For the specific version required, go to the Technical Support site and search for the SiteMinder Platform Support Matrix for the release.

Install and Configure ServletExec to Work with FWS at the SP

For FWS to operate in this deployment, ServletExec is installed on a Sun ONE 6.1 web server.

Note: CA SiteMinder® 12.52 is shipped with a ServletExec license key file named ServletExec_AS_6_license_key.txt. If you do not have this license key, contact CA Technical Support. From this license file, copy the license key and enter it in the ServletExec License dialog of the ServletExec Administration Console. For instructions on licensing ServletExec, see ServletExec documentation, available at the New Atlanta Communication website.

Apply the most current hot fixes for the supported version of ServletExec. The hot fixes are necessary for Federation Web Services to work with ServletExec. To obtain the hot fixes, go to the website for New Atlanta Communications.

To set up ServletExec

  1. Install ServletExec.

    For instructions, refer to New Atlanta Communications documentation.

  2. Open the ServletExec Administration Console.
  3. Under Web Applications, select manage.

    The Manage Web Applications dialog opens.

  4. Click Add a Web Application.
  5. Enter the following information:
    Application Name

    affwebservices

    URL Context Path

    /affwebservices/

    Location

    C:\program files\ca\webagent\affwebservices

    The location of affwebservices in your network can be different. Enter the correct location.

  6. Click Submit.
  7. Exit the ServletExec Console.
  8. Configure the AffWebServices.properties file.
Configure the FWS Properties File

The AffWebServices.properties file contains all the initialization parameters for Federation Web Services. Specify the location of the WebAgent.conf file in this file.

Follow these steps:

  1. On the SP system with the Web Agent Option Pack, go to the directory C:\Program Files\ca\webagent\affwebservices\WEB-INF\classes
  2. Set the AgentConfigLocation parameter to the location of the WebAgent.conf file. Setting a value for this parameter is mandatory.

    For this deployment, the web server hosting the FWS application at the Service Provider is a Sun ONE Web Server. So, the path to the WebAgent.conf file is:

    C:\\Sun\\WebServer6.1\\https-sp.demo\\config\\WebAgent.conf
    

    Note: Federation Web Services is a Java component, so the Windows paths must contain double backslashes. Specify this entry on one line.

  3. Save and close the file.
  4. Test Federation Web Services.
Test Federation Web Services

After you have set up the Federation Web Services application, verify that it is operating properly.

Follow these steps:

  1. Open a web browser and enter the following link:
    http://<fqhn>:<port_number>/affwebservices/assertionretriever

    fqhn

    Defines the fully qualified host name.

    port_number

    Defines the port number of the server where the Web Agent and Web Agent Option Pack are installed.

    For this deployment, enter:

    http://www.sp.demo:81/affwebservices/assertionretriever
    

    If Federation Web Services is operating correctly, the following message appears:

    Assertion Retrieval Service has been successfully initialized.
    The requested servlet accepts only HTTP POST requests.
    

    This message indicates that Federation Web Services is listening for data activity. If Federation Web Services is not operating correctly, you get a message that the Assertion Retrieval Service has failed. If Assertion Retrieval Service fails, examine the Federation Web Services log.

  2. Enable Web Agent Option Pack logging.
Enable Web Agent Option Pack Logging at the SP

At the SP, enable logging for the system with the Web Agent Option Pack so that you can view the error log (affwebserv.log) and the trace log (FWSTrace.log).

To enable error and trace logging

  1. Open up the LoggerConfig.properties file. This file can be found in the directory web_agent_home/affwebservices/WEB-INF/classes.
  2. Set the LoggingOn parameter to Y.
  3. Accept the default name and location for the LogFileName setting, which points to the affwebserv.log file.
  4. Set the TracingOn setting to Y.
  5. Accept the default name and location for the TraceFileName setting, which points to the FWSTrace.log file.

Logging is now enabled.

More Information:

Set up the LoggerConfig.properties File

Specify the User Store for the SP Policy Server

The SP user directory consists of the user records that the Service Provider uses for authentication.

Configure a user directory in the Administrative UI. The directory, named SP LDAP, is the Sun ONE LDAP directory that contains the users user1 and user2.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Directory, User Directories.
  3. Click Create User Directory.
  4. Complete the following field:
    Name

    SP LDAP

  5. Complete the following fields in the Directory Setup section:
    Namespace

    LDAP

    Server

    www.sp.demo:32941

  6. Complete the following fields in the LDAP Search section:
    Root

    dc=sp,dc=demo

    Accept the defaults for the other values.

  7. Complete the following fields in the LDAP User DN Lookup section:
    Start

    uid=

    End

    ,ou=People,dc=sp,dc=demo

  8. Click View Contents to verify that you can view the contents of the directory.
  9. Click Submit.

Configure the SAML 2.0 Authentication Scheme at the SP

To authenticate users at the Service Provider, configure the SAML 2.0 authentication scheme. The assertion from the IdP provides the credentials for authentication.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Infrastructure, Authentication, Authentication Schemes.
  3. Complete the following fields:

    Scheme Common Setup section:

    Name

    Partner IDP.demo Auth Scheme

    Authentication Scheme Type

    SAML 2.0 Template

    Protection Level

    5 (default)

  4. Click SAML 2.0 Configuration.

    The dialog where you specify the general and user disambiguation settings appears.

  5. Specify the following settings in the General section:
    SP ID

    sp.demo

    IdP ID

    idp.demo

    SAML Version

    2.0 (default)

    Skew Time

    30 (default)

    Note: The SP ID and IdP ID values must match the values at the IdP.

  6. In the User Disambiguation section, configure the following setting:
    LDAP

    Username=%s

  7. Click Next to move to the single sign-on settings.
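The two LDAP settings above, the User DN Lookup Start/End strings in the SP user directory and the Username=%s string in the User Disambiguation section, both splice a value into LDAP syntax. The following added example (not CA SiteMinder code) shows how the DN and the search filter are assembled with the escaping that RFC 4514 and RFC 4515 require, so that a NameID such as `a,b` or `*` cannot change the meaning of the lookup. The Start, End, root and disambiguation strings are the ones from the procedure; that %s is replaced with the NameID from the IdP's assertion is an assumption of this example.

```python
"""Assemble the SP's LDAP user DN and disambiguation filter with proper escaping.

Added example, not CA SiteMinder code. DN_START, DN_END, SEARCH_ROOT and
DISAMBIGUATION are the values from the procedure; substituting the
assertion's NameID for %s is an assumption of this example.
"""

DN_START = "uid="                        # LDAP User DN Lookup: Start
DN_END = ",ou=People,dc=sp,dc=demo"      # LDAP User DN Lookup: End
SEARCH_ROOT = "dc=sp,dc=demo"            # LDAP Search: Root
DISAMBIGUATION = "Username=%s"           # User Disambiguation: LDAP


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)          # special characters anywhere
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")              # leading '#'
        elif ch == " " and i in (0, last):
            out.append("\\ ")              # leading or trailing space
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside a search filter (RFC 4515 section 3)."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_dn(username: str) -> str:
    """Start + escaped username + End, e.g. uid=user1,ou=People,dc=sp,dc=demo."""
    return DN_START + escape_dn_value(username) + DN_END


def disambiguation_filter(name_id: str) -> str:
    """The search filter run under SEARCH_ROOT for the NameID from the assertion."""
    attr, _, pattern = DISAMBIGUATION.partition("=")
    return "(" + attr + "=" + pattern.replace("%s", escape_filter_value(name_id)) + ")"


if __name__ == "__main__":
    for name in ("user1", "a,b", "*"):
        print(user_dn(name), "|", disambiguation_filter(name))
```

A NameID is data the IdP asserts, not data the SP typed in, so the escaping step is what keeps a crafted subject from widening the search (`*`) or from ending the DN early (`,`).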

More information:

Enable Signature Validation at the Service Provider

Configure HTTP-POST for Single Sign-on at the SP

For the authentication scheme, indicate the single sign-on binding to be used so the Service Provider knows how to communicate with the Identity Provider.

Follow these steps:

  1. In the SSO settings, complete the following fields:
    Redirect Mode

    302 Cookie Data (default)

    User is redirected through an HTTP 302 redirect with a session cookie, but no other data.

    SSO Service
    http://www.idp.demo:80/affwebservices/public/saml2sso
    
    Audience

    sp.demo

    This value must match the value at the Identity Provider.

    Target
    http://www.sp.demo:81/spsample/protected/target.jsp
    

    If you begin the Target with http, enter the full path to the resource. A CA SiteMinder® policy that uses the SAML 2.0 authentication scheme protects the target.

  2. Select HTTP-POST in the Bindings section.
  3. Clear the check box labeled Enforce Single Use Policy.

    Disabling this option makes the sample network noncompliant with SAML 2.0. To enable the use of the single use policy feature, set up a session store at the Service Provider.

  4. Click Next until you reach the Encryption & Signing step.
  5. Select Disable Signature Processing.

    Important! Disabling signing is intended only for debugging the initial single sign-on configuration. In a production environment, signature processing is a mandatory security requirement. At the SP, enable signature validation and set up the certificate data store to validate signatures.

  6. Click Next until you reach the last configuration step.
  7. Click Finish.

    The basic authentication scheme configuration is complete.

  8. Keep the Administrative UI open and go to Protect the Target Resource Using SAML 2.0 Authentication.
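The SSO settings above give the SP four things to check on every assertion before it trusts the subject: that the Issuer is the configured IdP ID, that the Audience names the SP, that the Conditions window is open once the 30-second Skew Time is applied, and (when the single use policy is enforced) that the assertion ID has not been seen before. The following added example (not CA SiteMinder code) carries those checks out over a constructed, unsigned assertion. The IdP ID, Audience and skew are the values from the procedure; the assertion itself and the in-memory set of seen IDs, which stands in for the session store the page says the single use policy needs, are assumptions of this example. Signature validation is deliberately outside it.

```python
"""SP-side checks on a SAML 2.0 assertion: issuer, audience, validity window
with clock skew, and single use.

Added example, not CA SiteMinder code. IDP_ID, AUDIENCE and SKEW come from the
settings above; the sample assertion is constructed and unsigned, and the
'seen_ids' set stands in for a session store.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ID = "idp.demo"                  # IdP ID in the authentication scheme
AUDIENCE = "sp.demo"                 # Audience in the SSO settings
SKEW = timedelta(seconds=30)         # Skew Time (default 30)

# Constructed sample assertion: minimal, unsigned, valid for five minutes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>idp.demo</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>sp.demo</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_utc(text: str) -> datetime:
    """Parse a SAML timestamp of the form 2024-01-01T12:00:00Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_assertion(xml_text, now, seen_ids, enforce_single_use=True):
    """Return the rejection reasons; an empty list means the assertion is accepted.

    seen_ids is mutated: an accepted assertion's ID is recorded so a replay
    of the same assertion is refused while single use is enforced.
    """
    root = ET.fromstring(xml_text)
    reasons = []
    if root.findtext("saml:Issuer", namespaces=NS) != IDP_ID:
        reasons.append("issuer is not the configured IdP ID")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        # The skew widens the window on both sides to absorb clock drift.
        if nb and now < parse_utc(nb) - SKEW:
            reasons.append("assertion not yet valid (beyond skew)")
        if noa and now >= parse_utc(noa) + SKEW:
            reasons.append("assertion expired (beyond skew)")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if AUDIENCE not in audiences:
            reasons.append("audience does not include the SP")
    if enforce_single_use:
        assertion_id = root.get("ID")
        if assertion_id in seen_ids:
            reasons.append("assertion ID already used (replay)")
        elif not reasons:
            seen_ids.add(assertion_id)
    return reasons


if __name__ == "__main__":
    seen = set()
    now = parse_utc("2024-01-01T12:03:00Z")
    print("first use:", validate_assertion(SAMPLE_ASSERTION, now, seen))
    print("replay:   ", validate_assertion(SAMPLE_ASSERTION, now, seen))
```

With Enforce Single Use Policy cleared, as step 3 above does, the replay branch never runs and the second presentation of the same assertion is accepted; that is the gap the session store closes.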

Protect the Target Resource at the SP

After you configure a SAML 2.0 authentication scheme, use this scheme in a policy that protects the target resource at the Service Provider.

Follow these steps:

  1. Navigate to Infrastructure, Agent, Agents and create a Web Agent named sp-webagent. This Agent protects the server with the Web Agent Option Pack installed.
  2. Navigate to Policies, Domain, Domains.
  3. Create a policy domain with the following values:
    Name

    Domain for IdP.demo Visitors

    User Directory section

    Add the user directory that holds user1 and user2.

  4. Go to the Realms page and configure a persistent realm with the following values:
    Name

    SP Target Page Protection Realm

    Agent

    sp-webagent

    Resource Filter

    /spsample/protected.jsp

    Defines the path to the target resource at the Service Provider web server.

    Default Resource Protection

    Protected

    Authentication Scheme

    Partner IdP.demo Auth Scheme

  5. To the realm, add a rule with the following values:
    Name

    SP Target Page Protection Rule

    Realm

    SP Target Page Protection Realm

    Resource

    *

    Action

    Web Agent actions

    Get

    Accept the defaults for all other fields.

  6. Go to the Policies page and create a policy with the following values:

    General page

    Name

    SP Target Page Protection Policy

    Users page

    For the SP LDAP directory, click Add Member. Add user1 so this user has access to the target.

    Rules page

    Add the SP Target Page Protection Rule

  7. Click Submit.

    The protection policy for the target resource is complete.

  8. Exit the Administrative UI.
  9. Use HTML Pages to test the federation set-up.

Test SAML 2.0 Single Sign-on

To test single sign-on in a CA SiteMinder®-to-CA SiteMinder® network, use the web pages included with the sample application. You must have previously run the sample application script to access the web pages. If you do not run the sample application, use your own web pages to test single sign-on.

The sample application web pages are located in the following two folders.

policy_server_home/samples/federation/content/idpsample
policy_server_home/samples/federation/content/spsample

policy_server_home

Specifies the installed location of the CA SiteMinder® Policy Server.

Important! If you have run the sample application, the idpsample and spsample folders are automatically copied into the document root directory of your web server.

If you use your own HTML page to test SP-initiated single sign-on, the HTML page must contain a hard-coded link to the AuthnRequest service. For this deployment, the sample link for POST binding is:

http://www.sp.demo:81/affwebservices/public/saml2authnrequest?ProviderID=idp.demo

The AuthnRequest Service redirects the user to the Identity Provider specified in the link to retrieve the authentication context of the user. After the Identity Provider authenticates the user and establishes a session, it directs the user back to the target resource at the Service Provider.

Note: The ProviderID in the AuthnRequest link must match the IdP ID field value specified in the SAML authentication scheme at the SP. The IdP ID field is on the Scheme Setup tab of the Authentication Scheme Properties dialog.

After you run the sample application, test single sign-on.

To test federated single sign-on

  1. Open up a browser.
  2. Enter the URL for the web page that has links to trigger single sign-on.

    The following figure is the IdP.demo home page:

    Graphic showing an Idp Demo Page

    The following illustration is the SP.demo home page:

    Graphic showing a Demo site

  3. Click on the SAML2 POST profile link.

    The following login challenge appears:

    Graphic showing a logon prompt page

  4. Using the login of an existing user in your user store, enter the user credentials. For example, if user1 is a user in the user store, enter the credentials for this user.

    If single sign-on is successful, the following welcome page appears:

    Graphic showing the Welcome Page for a demo site

  5. After you test single sign-on, you can Add Functionality to the Federation Deployment.