No direct migration path from legacy federation to partnership federation exists. Reproducing your legacy federation configuration in the partnership federation model requires recreating the legacy entities and configuring partnerships.
Legacy and partnership objects do not share a one-to-one correspondence. In the legacy federation model, configuring federation involves the following tasks at each partner:
Asserting party
Relying party
In a partnership model, recreating a legacy configuration involves:
The following tables shows the relationship between legacy federation components and partnership federation components.
Legacy Components |
Partnership Components |
---|---|
SAML 1.1 Affiliate |
SAML 1.1 Producer-to-Consumer partnership partnership federation does not support SAML 1.0. |
SAML 2.0 Service Provider |
SAML2 IdP-to-SP partnership |
WSFED Resource Partner |
WSFED IP-to-RP partnership |
Legacy Components |
Partnership Components |
Authentication Scheme: |
SAML 1.1 Consumer-to-Producer partnership |
Authentication Scheme: |
SAML2 SP-to-IdP partnership |
Authentication Scheme: |
WSFED RP-to-IP partnership |
If you plan to recreate your legacy federation objects in the partnership model, pay attention to the following settings:
(Affiliate/Service Provider Properties and SAML authentication scheme dialog for legacy federation). If you use the legacy federation configuration, confirm that this check box is selected. If you recreate the legacy configuration in the partnership federation model with similar values for identity settings, such as source ID, clear this check box before activating the partnership federation object.
CA SiteMinder® cannot work with a legacy and partnership configuration that use the same identity values or a name collision occurs.
(SSO settings for partnership federation). Defines how the back channel is protected for HTTP-Artifact single sign-on.
If you recreate your legacy federation configuration in the partnership federation model, use the legacy method of protecting the back channel. The legacy option lets the configuration use the existing URL for the Assertion Retrieval Service (SAML 1.x) or Artifact Resolution Service (SAML 2.0).
By selecting legacy as the option, CA SiteMinder® accepts the request. You do not have to modify the URL. If the artifact service URL is from the legacy configuration but only the partnership option is selected for this setting, CA SiteMinder® rejects the request.
Important! For the legacy federation option, enforce the policy that protects the artifact service. The artifact service is a component of the Federation Web Services. The software creates policies for Federation Web Services automatically. However, you are required to indicate which partnership is permitted access to the service that retrieves artifacts. For more information, refer to the Partnership Federation Guide.
Options: Legacy, Partnership
Note: CA SiteMinder® 12.52 ships with the Federation Security Services User Interface (FSS UI) and the Administrative UI. If you switch from the FSS UI to the Administrative UI for configuration, do not return to the FSS UI for any modifications to any configuration objects. Once you begin with the Administrative UI, continue to use the Administrative UI exclusively. If you return to the FSS UI after using the Administrative UI, objects in the policy store can impair the function of the Policy Server.
Copyright © 2013 CA.
All rights reserved.
|
|