Previous Topic: Partnership Federation GuideNext Topic: Prerequisites for Partnership Federation


Partnership Federation Introduction

This section contains the following topics:

Overview

Programmerless Federation

Intended Audience

Terminology Used in this Guide

Navigating the Partnership Federation Dialogs

Overview

Federated partnerships enable identity information to be flexible and portable. Partnership federation offers secure single sign-on and single logout across a network of trusted business partners.

CA SiteMinder® partnership federation lets customers establish federated partnerships in a flexible way, together with or independent of a web access management system. Partnership federation offers an easy-to-deploy solution for standards-based federation. Using partnership federation, an organization can act as the asserting party or the relying party. The asserting party provides user authentication and assertion of identity. The relying party consumes a user identity to allow access to web resources and services.

Partnership federation supports the following profiles:

The following flow chart highlights the general process for configuring partnership federation.

Flow chart of partnership federation configuration tasks

Programmerless Federation

Programmerless federation is an HTTP-based approach for allowing the secure authentication, user disambiguation, inspection, and modification of SAML assertions. The advantage of programmerless federation is that applications can accomplish these tasks without having to use a language-specific SDK or other bindings.

Programmerless federation relies on HTTP/HTTPS requests and responses. These requests and responses are accessible through URLs and HTML-based protocols using web services that are an implementation of Representational State Transfer (REST) system architecture.

Any application can issue HTTP requests, read HTTP responses, and can parse XML to take advantage of the programmerless functionality.

An essential part of programmerless federation is its ability to secure the exchange of data. To secure data, CA SiteMinder® uses an open-format cookie. The open-format cookie is a well-defined cookie format that supports strong encryption algorithms. The encrypted cookie secures the response between CA SiteMinder® and the local or remote applications. This cookie can be written in any programming language that supports the same encryption and decryption algorithms that are supported by the open-format cookie, such as Perl or Ruby.

The following partnership federation features implement programmerless federation:

Delegated Authentication

Delegated authentication lets CA SiteMinder® use a third-party web access management (WAM) system to perform the authentication of any user who requests a protected federated resource. The third-party WAM performs the authentication and then sends the federated user identity to CA SiteMinder®.

HTTP/HTTPS requests and responses facilitate communication for provisioning.

Provisioning at the Relying Party

Provisioning is the process of creating client accounts with the necessary account rights and access privileges for accessing data and applications. Partnership federation provisioning can establish a new account for a user, or can populate an existing user account with information sent in a SAML assertion.

Remote provisioning is one of the CA SiteMinder® provisioning methods. Remote provisioning uses an independent provisioning application to establish a user record. To pass assertion data, CA SiteMinder® creates an encrypted cookie containing the data. This cookie is sent to the remote provisioning application, which is responsible for creating the user account.

HTTP/HTTPS requests and responses facilitate communication for provisioning.

Intended Audience

This guide assumes that you understand the following concepts:

Terminology Used in this Guide

In addition to standard federated SAML and WS-Federation binding and profile terminology, the following terms are used in this guide:

Partner Entity Terms

This guide uses the terms asserting party and relying party to identify sides of a federated relationship.

The party that generates assertions is referred to as the asserting party. The asserting party can be:

The party that consumes assertions for authentication purposes is referred to as the relying party. The relying party can be:

A site can be act as an asserting party (producer/IdP/IP) and a relying party (consumer/SP/RP).

Open Format Cookie

A cookie that contains user identity information. The open-format cookie can be encrypted using FIPS or non-FIPS compatible algorithms, depending on how you generate it. You can create an open-format cookie using a CA SiteMinder® Federation SDK or you can create it manually using any programming language that supports UTF-8 encoding.

If you require a FIPS-encrypted open-format cookie, use an SDK to create the cookie and to read the cookie. The CA SiteMinder® Federation Java SDK can encrypt the cookie using a FIPS-compliant (AES) algorithm or a non-FIPS (PBE) algorithm. The CA SiteMinder® Federation .NET SDK can encrypt the cookie using only a FIPS-compatible algorithm.

Unified Expression Language

The Unified Expression Language (UEL) is a special Java expression syntax primarily for Java web applications. You can use the UEL for embedding expressions into web pages. For partnership federation, the UEL is the language you must use to define mappings between assertion attributes and application attributes at the relying party.

Navigating the Partnership Federation Dialogs

The Administrative UI provides configuration wizards to create and modify partnership federation objects. Follow the steps in the configuration wizard to navigate through the configuration steps for an object.