Federation Guides › Partnership Federation Guide › Single Sign-on Configuration › Single Sign-on to Office 365 › Enable the Assertion Generator Plug-in › Verify the STS Setup Requirements

Verify the STS Setup Requirements

Before you deploy STS on CA SiteMinder® SPS, complete the following requirements:

• Install and configure CA SiteMinder® SPS.

  Note: Two or more secure proxy server systems behind a load balancer are recommended, but it is not required.

• Obtain the partnership name from the administrator of the CA SiteMinder® Federation system. Specify this name in the STS Context setting when you deploy STS.
• Enable SSL on CA SiteMinder® SPS.
• Verify that traffic originating from Office 365 can reach the on-premise CA SiteMinder® SPS with STS.
• The secure proxy server system with STS must be reachable by internal traffic and by external traffic from outside the enterprise firewall. Forwarding external traffic can require that you install a proxy in the DMZ. Configure the proxy so it can forward traffic from outside the firewall to the STS.

Configure the JVM to Use the JSafeJCE Security Provider

To enable encryption, configure the JVM that is running the CA SiteMinder® SPS so it uses the JSafeJCE Security Provider.

Follow these steps:

1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files package for the Java version you are using from the Oracle website.
2. Navigate to the following location:

   Windows

   JVM_HOME\lib\security
   

   UNIX

   JVM_HOME/lib/security
   

   JVM_HOME

   Defines the location where Java Runtime Environment (JRE) is installed in JDK of your installation.

3. Patch the following files with the files from the JCE Unlimited Strength Jurisdiction Policy Files package:
   • local_policy.jar
   • US_export_policy.jar
4. Open the java.security file.
5. Add the following line in the List of Providers section JSafeJCE is added as the second security provider:

   security.provider.2=com.rsa.jsafe.provider.JsafeJCE
   

6. Increment the order of preference of the other security providers by 1.
7. Add the following line at the end of the existing security providers list. This line sets the initial FIPS mode of JSafeJCE:

   com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE
   

8. Save the changes.

The following example shows the List of Providers section of the java.security file after you configure the JVM:

security.provider.1=sun.security.provider.Sun
security.provider.2=com.rsa.jsafe.provider.JsafeJCE
security.provider.3=sun.security.rsa.SunRsaSign
security.provider.4=com.sun.net.ssl.internal.ssl.Provider
security.provider.5=com.sun.crypto.provider.SunJCE
security.provider.6=sun.security.jgss.SunProvider
security.provider.7=com.sun.security.sasl.Provider
security.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRI
security.provider.9=sun.security.smartcardio.SunPCSC
security.provider.10=sun.security.mscapi.SunMSCAPI
com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE

Deploy STS

To support the WS-Federation Active Requester Profile, deploy STS on CA SiteMinder® SPS.

Follow these steps:

1. Open the SPS Administrative UI.
2. Navigate to Web Services, Security Token Service.
3. Click Add.
4. Complete the following fields:

   STS Name

   Defines the name of the STS web service. Enter the partnership name that is defined in the Administrative UI.

   STS Context

   Defines the STS context path. Specify the name of the WS-Federation partnership that is defined in the Administrative UI. Enter the value using the syntax /partnership_name.

   Example: /Office365Cloud

5. Click OK and click Save.
6. Restart the system.
7. Test single sign-on to Office 365.

Test and Troubleshoot SSO to Office 365 (Active Requestor Profile)

Test SSO

Verify the WS-Federation configuration and the STS deployment by signing in to Lync or Outlook.

Follow these steps:

1. Log in to Lync or Outlook on the system in your enterprise.
2. Confirm that you get logged in and that you can use the application as if it were installed locally.

Troubleshooting SSO Issues

For WS-Federation partnerships and connectivity issues, use the following methods of investigation:

• Use the WS-Fed Passive Requester profile and verify single sign-on with Microsoft online.

  From a web browser, go to http://portal.microsoftonline.com or Microsoft exchange online. Try logging in with enterprise credentials. If you can successfully log in from the browser but not from the enterprise client, check the setup of the on-premise STS.

• Review what Office 365 knows about CA SiteMinder® as a federation partner and what it knows about federation users. To examine the state of partnerships and users, run the following Microsoft Powershell commands:

  Get-MsolDomainFederationSettings

  Shows the information Microsoft has about your domain, that is, your enterprise. Review the settings and confirm whether they are accurate. Incorrect information can be a cause of federated communications problems.

  Get-MsolUser

  Shows the information Microsoft has about a particular user. Review the user settings and confirm whether they are accurate. Incorrect information can be a cause of federated communications problems.

• Validate the connectivity between your enterprise and Microsoft using Microsoft Remote Connectivity Analyzer. This tool lets you identify connectivity problems with Outlook, Lync, and Office 365. Locate this tool at https://www.testexchangeconnectivity.com/.

For any problems with the STS component, use the following logs and files:

• Review STS logs to verify that STS is operating, and whether there are authentication failures. Check the logs at secure-proxy_install_dir/proxy-engine/logs/partnership_name.log.

  Look for a message that says the STS initialization is complete. This message indicates that STS is running.

• Configure the log settings in the agent-log4j.xml configuration file. Set the log level for all categories to DEBUG so the system records the most detailed information in the partnership_name.log. The agent-log4j.xml file resides in the following directory:

  secure-proxy_install_dir/proxy-engine/conf/sts-config/partnership_name/config/

  Also, set the Checkpoint logger setting, <category name="com.ca.CheckPointLogger," to a priority value of "INFO." This setting writes checkpoint log messages for authentication activities and assertion generation. Checkpoint log messages are descriptive messages with codes that reflect the operation of the STS component.

  The section Federation Trace Logging describes checkpoint messages.

• Examine the WSDL file and confirm that the on-premise STS is responsive. Open a browser and go to http://sts.company.com/partnership_name?wsdl. The string sts.company.com is a place holder for the STS URL. You can find the STS URL in the WS-Federation partnership that is configured in the Administrative UI.