

Creating a Legacy Federation Configuration in the Partnership Model

No direct migration path from legacy federation to partnership federation exists. Reproducing your legacy federation configuration in the partnership federation model requires recreating the legacy entities and configuring partnerships.

Legacy and partnership objects do not share a one-to-one correspondence. In the legacy federation model, what you configure at each partner depends on the role that partner plays:

Asserting party

Relying party

In the partnership model, the same roles are configured as partnerships. The following tables show the relationship between legacy federation components and partnership federation components.

Legacy Components (Asserting Party)        Partnership Components (Asserting Party)
SAML 1.1 Affiliate                         SAML 1.1 Producer-to-Consumer partnership
                                           (Note: Partnership federation does not support SAML 1.0.)
SAML 2.0 Service Provider                  SAML2 IdP-to-SP partnership
WSFED Resource Partner                     WSFED IP-to-RP partnership

Legacy Components (Relying Party)                       Partnership Components (Relying Party)
Authentication Scheme: SAML Artifact or POST Template   SAML 1.1 Consumer-to-Producer partnership
Authentication Scheme: SAML 2.0 Template                SAML2 SP-to-IdP partnership
Authentication Scheme: WS-Federation Template           WSFED RP-to-IP partnership

If you plan to recreate your legacy federation objects in the partnership model, pay attention to the following settings:

Active

(Affiliate/Service Provider Properties and the SAML authentication scheme dialog for legacy federation). If you keep using the legacy federation configuration, confirm that this check box is selected. If you recreate the legacy configuration in the partnership federation model with the same identity settings, such as the source ID, clear this check box on the legacy object before activating the partnership federation object.

CA SiteMinder® cannot work with a legacy and a partnership configuration that use the same identity values; a name collision occurs.
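As an added example of why the Active check box matters (this is illustrative Python, not CA SiteMinder code or anything from its documentation): the script below decodes SAML 1.1 and SAML 2.0 artifacts, derives the SourceID from an issuer URI, and resolves an incoming artifact against a set of configurations. With a legacy affiliate and its partnership replacement both active under the same issuer, resolution is ambiguous; clearing Active on the legacy object makes it unambiguous. The issuer URIs, object names and the PartnerConfig model are assumptions made for illustration; only the artifact layouts (type 0x0001 and type 0x0004) and the SHA-1 SourceID derivation follow the SAML bindings.

```python
"""
Added example (not CA SiteMinder code). Decodes SAML artifacts, derives the
SourceID the way the SAML 1.1 binding prescribes (SHA-1 of the issuer URI;
SAML 2.0 permits the same derivation), and shows that two active configurations
sharing one SourceID cannot be told apart when an artifact arrives.
Issuer URIs and configuration names are made up.
"""
import base64
import hashlib
import os
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SAML11_TYPE = 0x0001  # SAML 1.1 artifact: TypeCode(2) || SourceID(20) || AssertionHandle(20)
SAML20_TYPE = 0x0004  # SAML 2.0 artifact: TypeCode(2) || EndpointIndex(2) || SourceID(20) || MessageHandle(20)


def source_id(issuer: str) -> bytes:
    """20-byte SourceID: SHA-1 of the issuer URI (the value a 'source ID' identity setting carries)."""
    return hashlib.sha1(issuer.encode("utf-8")).digest()


def make_artifact(issuer: str, saml2: bool = False, endpoint_index: int = 0,
                  handle: Optional[bytes] = None) -> str:
    """Build a base64 artifact for the given issuer; the handle is random unless supplied."""
    handle = handle if handle is not None else os.urandom(20)
    if len(handle) != 20:
        raise ValueError("handle must be 20 bytes")
    if saml2:
        raw = SAML20_TYPE.to_bytes(2, "big") + endpoint_index.to_bytes(2, "big") + source_id(issuer) + handle
    else:
        raw = SAML11_TYPE.to_bytes(2, "big") + source_id(issuer) + handle
    return base64.b64encode(raw).decode("ascii")


@dataclass(frozen=True)
class Artifact:
    type_code: int
    endpoint_index: Optional[int]  # only present in SAML 2.0 type-4 artifacts
    source_id: bytes
    handle: bytes


def parse_artifact(artifact: str) -> Artifact:
    """Decode a type 0x0001 or 0x0004 artifact; anything else is rejected."""
    raw = base64.b64decode(artifact, validate=True)
    type_code = int.from_bytes(raw[:2], "big")
    if type_code == SAML11_TYPE and len(raw) == 42:
        return Artifact(type_code, None, raw[2:22], raw[22:42])
    if type_code == SAML20_TYPE and len(raw) == 44:
        return Artifact(type_code, int.from_bytes(raw[2:4], "big"), raw[4:24], raw[24:44])
    raise ValueError("unsupported artifact type 0x%04x or wrong length %d" % (type_code, len(raw)))


@dataclass(frozen=True)
class PartnerConfig:
    name: str      # made-up object name
    model: str     # "legacy" or "partnership"
    issuer: str    # identity setting from which the source ID is derived
    active: bool   # the Active check box


def active_by_source_id(configs: Iterable[PartnerConfig]) -> Dict[bytes, List[PartnerConfig]]:
    """Index every active configuration by SourceID; inactive ones never take part in resolution."""
    index: Dict[bytes, List[PartnerConfig]] = {}
    for cfg in configs:
        if cfg.active:
            index.setdefault(source_id(cfg.issuer), []).append(cfg)
    return index


def resolve(artifact: str, configs: Iterable[PartnerConfig]) -> PartnerConfig:
    """Return the single active configuration that owns the artifact's SourceID."""
    art = parse_artifact(artifact)
    owners = active_by_source_id(configs).get(art.source_id, [])
    if not owners:
        raise LookupError("no active configuration for this SourceID")
    if len(owners) > 1:
        names = ", ".join("%s (%s)" % (c.name, c.model) for c in owners)
        raise LookupError("SourceID collision between: " + names)
    return owners[0]


def collision_demo():
    """Constructed scenario: a legacy affiliate and its partnership replacement share an issuer."""
    issuer = "https://producer.example.com/saml"  # made-up issuer URI
    legacy = PartnerConfig("producer-affiliate", "legacy", issuer, active=True)
    partnership = PartnerConfig("producer-to-consumer", "partnership", issuer, active=True)
    art = make_artifact(issuer)  # SAML 1.1 artifact from that producer
    try:
        resolve(art, [legacy, partnership])
        collided = False
    except LookupError:
        collided = True
    # Clear Active on the legacy object, as the guide instructs, and resolve again.
    legacy_off = PartnerConfig(legacy.name, legacy.model, legacy.issuer, active=False)
    owner = resolve(art, [legacy_off, partnership])
    return collided, owner.name


if __name__ == "__main__":
    print(collision_demo())  # (True, 'producer-to-consumer')
```

The resolver deliberately refuses to pick one owner when two active configurations map to the same SourceID, because there is no information in the artifact that could distinguish them; that is the collision the guide warns about, and deactivating the legacy object is what removes it.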

Artifact Protection Type

(SSO settings for partnership federation). Defines how the back channel is protected for HTTP-Artifact single sign-on.

If you recreate your legacy federation configuration in the partnership federation model, use the Legacy method of protecting the back channel. The Legacy option lets the configuration keep using the existing URL for the Assertion Retrieval Service (SAML 1.x) or Artifact Resolution Service (SAML 2.0).

When Legacy is selected, CA SiteMinder® accepts artifact requests sent to the legacy artifact service URL, so you do not have to modify the URL. If the artifact service URL comes from the legacy configuration but only the Partnership option is selected for this setting, CA SiteMinder® rejects the request.

Important! If you select the Legacy option, enforce the policy that protects the artifact service. The artifact service is a component of the Federation Web Services. The software creates the policies for Federation Web Services automatically, but you must indicate which partnership is permitted to access the service that retrieves artifacts. For more information, refer to the Partnership Federation Guide.

Options: Legacy, Partnership

Note: CA SiteMinder® 12.52 ships with both the Federation Security Services User Interface (FSS UI) and the Administrative UI. If you switch from the FSS UI to the Administrative UI for configuration, do not return to the FSS UI to modify any configuration object. Once you begin with the Administrative UI, continue to use the Administrative UI exclusively. Returning to the FSS UI after using the Administrative UI can leave objects in the policy store in a state that impairs the function of the Policy Server.