To specify how assertions are delivered to a relying party, configure single sign-on at the asserting party.
The procedure that follows offers the basic steps to enable single sign-on. Details about all the configurable features in the sign-on dialog are described in subsequent topics and in the Administrative UI help.
Follow these steps:
Single Sign-On
SSO and SLO
Single Sign-on and Sign-Out
Any values that are defined during the creation or import of the remote relying party are filled in.
Note: Click Help for a description of fields, controls, and their respective requirements.
http://webserver1.example.com/siteminderagent/redirectjsp/redirect.jsp
In this example, webserver1 identifies the web server with the Web Agent Option Pack. The redirect.jsp file is included with the Web Agent Option Pack installed at the Identity Provider site.
Important! Protect the Authentication URL with an access control policy. For the policy, configure an authentication scheme, realm, and rule. To add session store attributes to the assertion, enable the Persist Authentication Session Variables check box, which is a setting in the authentication scheme.
The SSO Validity Duration and the Skew Time determine when the assertion is valid. To understand how these settings work together, read the information about assertion validity.
For SAML 2.0, you can configure these features:
Note: Click Help for a description of fields, controls, and their respective requirements.
Your partner must supply this URL to you.
Partnership federation lets you define the authentication mode for federated single sign-on.
Local authentication primarily happens at the local federation system. For local authentication, you can select Basic or Forms as the authentication schemes. These options are the only two methods available locally.
You can also select local for the authentication mode when an external third party authenticates a user. When the third party passes back the user information, the user information gets stored in the session store for later use in assertions.
Delegated authentication forwards the authentication task to a third-part web access management (WAM) system. The method by which the third party authenticates a user depends on the authentication schemes the third party supports. After the third-party WAM authenticates the user, it sends the federated user identity back to CA SiteMinder®.
For HTTP-Artifact single sign-on, you can select the legacy option for the Artifact Protection Type field. The legacy option indicates that you are using the legacy method of protecting the back channel to the artifact service at the asserting party.
To implement the legacy method of protection:
Follow these steps: to add a web agent to an agent group
The Agent Groups dialog opens.
Follow these steps: to enforce the policy that protects the retrieval service
A list of available domain policies displays.
FederationWSAssertionRetrievalServicePolicy
SAML2FWSArtifactResolutionServicePolicy
Note: The supplied policies are default policies. You can use any policy that you created to protect the artifact service.
The federation custom user stores display in the User Directories section.
FederationWSCustomUserStore
SAML2FederationCustomUserStore
Examples:
The partnership for HTTP-Artifact single sign-on now allows the access to the artifact service so the relying party can retrieve the assertion.
Copyright © 2013 CA.
All rights reserved.
|
|