Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a SAML 1.x Consumer

Configure CA SiteMinder® as a SAML 1.x Consumer

This section contains the following topics:

Prerequisites for a CA SiteMinder® Relying Partner

How To Configure CA SiteMinder® as a SAML 1.x Consumer

SAML 1.x Authentication Schemes

SAML 1.x Authentication Scheme Prerequisites

Configure SAML 1.x Artifact Authentication

Configure SAML 1.x POST Profile Authentication

Customize Assertion Processing with the Message Consumer Plug-in

Redirect Users After Failed SAML 1.x Authentication Atempts

Supply SAML Attributes as HTTP Headers

Enable Client Certificate Authentication for the Back Channel (optional)

How To Protect a Resource with a SAML 1.x Authentication Scheme

Prerequisites for a CA SiteMinder® Relying Partner

For CA SiteMinder® to serve as the relying partner, complete following tasks:

• Install the Policy Server.
• Install one of the following components:
  • The Web Agent and the Web Agent Option Pack. The Web Agent authenticates users and establishes a CA SiteMinder® session. The Option Pack provides the Federation Web Services application. Be sure to deploy the FWS application on the appropriate system in your network.
  • The SPS federation gateway, which has an embedded Web Agent and has the Federation Web Services application on the embedded Tomcat web server.

  For more information, see the Web Agent Option Pack Guide.

• Private keys and certificates are imported for functions that require verification and encrypting of messages.
• An asserting partner is set up within the federated network.

How To Configure CA SiteMinder® as a SAML 1.x Consumer

Configuring CA SiteMinder® as SAML 1.x consumer requires the following tasks:

1. Complete the SAML 1.x authentication scheme prerequisites.
2. Select the authentication scheme type and assign it a name.
3. Specify the namespace for users being authenticated with the SAML 1.x authentication scheme.
4. Select the single sign-on profile that this consumer supports (artifact or POST).
5. Configure a SAML authentication scheme for each Producer that is a federation partner and generates assertions. Bind each scheme to a realm. The realm must contain the target URLs for federated resources. Protect these resources with a CA SiteMinder® policy.

Tips:

• Certain parameter values at the Producer and Consumer must match for the configuration to work. A list of those parameters is available in Configuration Settings that Must Use the Same Values.
• Verify that you are using the correct URLs for the Federation Web Services servlets. The URLs are listed in Federation Web Services URLs Used in SiteMinder Configuration.

Optional Tasks to Configure a CA SiteMinder® Consumer

The following tasks are optional for configuring CA SiteMinder® as a consumer:

• Customize assertions using the message consumer plug-in.
• Redirect failed authentication attempts.

Navigating Legacy Federation Dialogs

The Administrative UI provides two ways to navigate to the legacy federation configuration dialogs.

You can navigate in one of two ways:

• Following a wizard to configure a new legacy federation object.

  When you create an object, a page displays with a configuration wizard. Follow the steps in the configuration wizard to create the object.

• Selecting tabs to modify an existing legacy federation object.

  When you modify an existing object, a page displays with a series of tabs. Modify the configuration from these tabs. These tabs are the same as the steps in the configuration wizard.