

Configure the SP Partner

The configuration process that follows is from the perspective of an administrator at the SP, in this example, SP1. Therefore, SP1 is the local SP.

The following process establishes the SP partner.

  1. Log in to the Administrative UI.
  2. Establish a user directory connection.
  3. Identify the IdP and SP entities.
  4. Create a SAML2 SP->IdP partnership.
  5. Follow the partnership wizard and configure the minimum required settings.

Establish a User Directory Connection at the SP

The SP user directory consists of the user records that the Service Provider uses for authentication. The following steps specify how to configure a user directory in the Administrative UI. The directory named SP LDAP contains the users user1 and user2.

To configure a user directory

  1. Log in to the Administrative UI.
  2. Select Infrastructure, Directory, User Directories.
  3. Click Create User Directory.

    The User Directory dialog opens.

  4. Complete the following field:
    Name

    SP LDAP

  5. Complete the following fields in the Directory Setup section:
    Namespace

    LDAP

    Server

    www.sp.demo:32941

  6. Complete the following fields in the LDAP Search section:
    Root

    dc=sp,dc=demo

    Accept the defaults for the other values.

  7. Complete the following fields in the LDAP User DN Lookup section:
    Start

    uid=

    End

    ,ou=People,dc=sp,dc=demo

  8. Click View Contents to verify that you can view the contents of the directory.
  9. Click Submit.

Identify the Partnership Entities

After you establish the user directory connection, identify the local and remote sides of the partnership. In the Administrative UI, each partner is referred to as an entity.

The following procedures tell you what values to provide for the local and remote entities. Typically, each side creates a local entity, exports the local entity to a metadata file, and then exchanges the files. Each side can then define the remote entity.

To create the local SP

  1. Select Federation, Partnership Federation, Entities.
  2. Click Create Entity.
  3. Make the following selections in the first step of the entity wizard, then click Next.
    Entity Location

    Local

    New Entity Type

    SAML2 SP

  4. Complete the fields in the second step as follows, then click Next.
    Entity ID

    sp1

    This value identifies the entity to the partner.

    Entity Name

    sp1

    This value identifies the entity object internally in the database. The partner is not aware of this value.

    Base URL

    http://sp1.demo.com:9091

    Note: The entity ID and name must be the same as you specified for the remote SP entity at the Identity Provider.

  5. Review the settings and click Finish.

You return to the Entities window. Configure the remote partner.

To create the remote IdP

  1. Begin at the Entities window.
  2. Click Create Entity.
  3. Make the following selections in the first step of the entity wizard, then click Next.
    Entity Location

    Remote

    New Entity Type

    SAML2 IDP

  4. Complete the fields in the second step of the wizard as follows:
    Entity ID

    idp1

    This value identifies the entity to the partner.

    Entity Name

    idp1

    This value identifies the entity object internally in the database. The partner is not aware of this value.

    Note: The entity ID and name must be the same as on the Identity Provider side.

    SSO Service URL Group Section

    Binding

    HTTP-Redirect

    URL

    http://idp1.example.com:9090/affwebservices/public/saml2sso

  5. Review the settings and click Finish.

After the local entity and remote entity are configured, you can create a partnership.


Create the SP-to-IdP Partnership

After you have created the partnership entities, follow the partnership wizard to configure the SP->IdP partnership.

Follow these steps:

  1. Select Federation, Partnership Federation, Partnerships.
  2. Click Create Partnership.
  3. Select SAML2 SP->IdP.

    You come to the first step in the partnership wizard.

  4. Complete the fields with the following values:
    Partnership Name

    DemoPartnership

    Local SP ID

    sp1

    Remote IDP ID

    idp1

    Base URL

    http://sp1.demo.com:9091

    Skew Time (Seconds)

    Accept the default

  5. Move the SP LDAP directory from Available Directories to the Selected Directories.
  6. Click Next to go to the User Identification step.

Specify the User Identification Attribute

Designate which attribute from the assertion identifies a user. CA SiteMinder® uses the identity attribute value to locate the user record in the user directory at the SP.

To specify the user identification attribute

  1. Go to the User Identification step.
  2. In the Choose Identity Attribute from Assertion section, accept the default, Use Name ID.
  3. In the Map Identity Attribute to User Directories section, specify the following entry:
    LDAP Search Specification

    uid=%s

    This entry instructs CA SiteMinder® to replace the variable (%s) with the value of the Name ID attribute from the assertion. CA SiteMinder® then matches the value with the Name column in the sample users database. If a match is found, the user is disambiguated and allowed to access the target resource.

  4. In the Federated Users section, accept the defaults. All users in the user directory are considered federated users.
  5. Click Next to configure single sign-on.
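The following is an added example, not SiteMinder code, showing what the LDAP User DN Lookup start/end strings and the User Identification step do with the Name ID from the assertion: the Name ID replaces %s in the search specification uid=%s and is wrapped by the start string uid= and the end string ,ou=People,dc=sp,dc=demo to form a DN. The assertion fragment is constructed for the example, and the escaping functions are a general safeguard (RFC 4515 for filters, RFC 4514 for DNs) so that the substituted value is always treated as a literal, not part of the syntax.

```python
# Added example (not SiteMinder code): what the User Identification step does
# with the Name ID, using the LDAP search specification and DN lookup start/end
# strings from this page. Escaping keeps the Name ID a literal in both places.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SEARCH_SPEC = "uid=%s"
DN_START, DN_END = "uid=", ",ou=People,dc=sp,dc=demo"

# Constructed sample assertion fragment; only the Subject matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>idp1</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
</saml:Assertion>"""

def name_id_from_assertion(xml_text: str) -> str:
    """Return the Subject/NameID text, the default identity attribute (Use Name ID)."""
    root = ET.fromstring(xml_text)
    value = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not value:
        raise ValueError("assertion has no Subject/NameID")
    return value.strip()

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the Name ID is a literal value inside the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)

def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping of an attribute value placed between DN start and end."""
    escaped = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if escaped.startswith("#") or escaped.startswith(" "):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped

def ldap_search_filter(name_id: str) -> str:
    """Replace %s in the search specification with the escaped Name ID."""
    return "(" + SEARCH_SPEC.replace("%s", escape_filter_value(name_id)) + ")"

def user_dn(name_id: str) -> str:
    """Build the DN the way the LDAP User DN Lookup start/end strings do."""
    return DN_START + escape_dn_value(name_id) + DN_END

if __name__ == "__main__":
    nid = name_id_from_assertion(SAMPLE_ASSERTION)
    print(ldap_search_filter(nid))  # (uid=user1)
    print(user_dn(nid))             # uid=user1,ou=People,dc=sp,dc=demo
```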

Configure Single Sign-on at the SP

To establish single sign-on between partners, configure the SSO settings.

Follow these steps:

  1. Begin at the SSO and SLO step.
  2. Select HTTP-POST for the SSO Profile.
  3. Specify the following values in the Remote SSO Service URLs section:
    Binding

    HTTP-Redirect

    URL

    http://idp1.example.com:9090/affwebservices/public/saml2sso

  4. Click Next until you reach the Signature and Encryption step.

    Skip the Configure AuthnContext step.

Disable Signature Processing

For the purposes of this simple partnership, disable signature processing, which means the SP accepts assertions without verifying a signature. However, in a production environment, the Identity Provider must sign assertions and the SP must verify them.

Follow these steps:

  1. From the Signature and Encryption step, select Disable Signature Processing.
  2. Click Next to move to the next step.
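The following is an added example, not SiteMinder code, of the acceptance checks an SP applies to an assertion before user identification, using the entity IDs from this page (remote IdP idp1, local SP sp1) and the Skew Time setting from the partnership wizard. The sample assertion is constructed and unsigned; the require_signature flag models the Disable Signature Processing choice, and the example only checks that a Signature element is present, since cryptographic verification needs an XML-DSig library.

```python
# Added example (not SiteMinder code): SP-side acceptance checks for a SAML2
# assertion. Entity IDs idp1/sp1 and the skew tolerance come from this page;
# the signature check is presence-only, not cryptographic verification.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: unsigned assertion from idp1 for sp1, valid for 5 minutes.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>idp1</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>sp1</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, now_utc, skew_seconds=30, require_signature=True,
                    local_sp_id="sp1", remote_idp_id="idp1"):
    """Return a list of reasons to reject; an empty list means accept."""
    root = ET.fromstring(xml_text)
    now, skew, problems = _ts(now_utc), timedelta(seconds=skew_seconds), []
    if root.findtext("saml:Issuer", namespaces=NS) != remote_idp_id:
        problems.append("issuer is not the configured remote IdP")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if local_sp_id not in audiences:
        problems.append("local SP is not in AudienceRestriction")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        # Skew widens the validity window in both directions by skew_seconds.
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + skew < _ts(nb):
            problems.append("assertion not yet valid")
        if na and now - skew >= _ts(na):
            problems.append("assertion expired")
    # With signature processing disabled (require_signature=False), an unsigned
    # assertion is accepted; this is what the demo setting permits.
    if require_signature and root.find("ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    return problems
```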

Specify the Target at the SP

The Application Integration step is where you specify the target resource and how CA SiteMinder® redirects the user to the target resource.

Follow these steps:

  1. Select No Data for the Redirect Mode field.
  2. Specify the target resource at the SP in the Target field.

    In this sample partnership, this target is:

    http://spapp.demo.com:80/spsample/welcome.html

  3. Ignore the remaining sections of the dialog.
  4. Click Next to move to the Confirm step.

Confirm the SP Partner Settings

You have completed the partnership for the local SP side of the federation partnership.

Follow these steps:

  1. In the Confirm dialog, review the settings for the SP partner.
  2. To modify a setting, click Modify in the appropriate section.
  3. Click Finish when you are satisfied with the configuration.

The SP side of the partnership is now configured.