Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a SAML 1.x Consumer › How To Protect a Resource with a SAML 1.x Authentication Scheme

How To Protect a Resource with a SAML 1.x Authentication Scheme

Protect target federation resources by configuring a CA SiteMinder® policy that uses the SAML 1.x authentication scheme.

Follow these steps:

1. Create a realm that uses the SAML authentication scheme. The realm is the collection of target resources.

   You can create a realm in the following ways:

   • Create a unique realm for each authentication scheme already configured.
   • Configure a single target realm that uses a custom authentication scheme to dispatch requests to the corresponding SAML authentication schemes. Configuring one realm with a single target for all producers simplifies configuration of realms for SAML authentication.
2. Configure an associated rule and optionally, a response.
3. Group the realm, rule, and response into a policy that protects the target resource.

Important! Each target URL in the realm is also identified in an intersite transfer URL. The intersite transfer URL redirects a user from the producer to the consumer. You specify this URL in the URL TARGET variable. At the producer site, an administrator includes this URL in a link that redirects the user to the consumer.

Configure a Unique Realm for Each Authentication Scheme

The procedure for configuring a unique realm for each SAML or WS-Federation authentication scheme follows the standard instructions for creating realms.

Follow these steps:

1. Navigate to Policy, Domain, Domains.

   The page to create domains displays.

2. Click Create Domain.
3. Enter a domain name.
4. Add the user directory to the domain. This directory is the one that contains the users requesting access to federated resources.
5. Select the Realm tab and create a realm.

   Note:

   • In the Agent field, select the Web Agent protecting the web server where the target resources reside.
   • Select the appropriate authentication scheme in the Authentication Scheme field.
6. Create a rule for the realm.

   As part of the rule, select an action (Get, Post, or Put) that allows you to control processing when users authenticate.

7. Select the Policies tab and configure a policy that protects the target federation resource. Associate the realm that you previously created with this policy.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

A policy with a unique realm now protects the federated resources.

Configure a Single Target Realm for All Authentication Schemes

To simplify configuration of realms for authentication schemes, create a single target realm for multiple sites generating assertions.

To do this task, set up the following components:

• A single custom authentication scheme

  This custom scheme forwards requests to the corresponding SAML or WS-Federation authentication schemes that you already configured for each asserting party.

• A single realm with one target URL

Create Authentication Schemes for the Single Target Realm

To define a custom authentication scheme for a single target realm, you must:

• Configure the authentication schemes.
• Define a parameter in the custom scheme that tells the Policy Server which authentication schemes to apply to resource requests.

First, verify that there are configured SAML or WS-Federation authentication schemes. If not, configure these schemes that the custom scheme can reference.

To create the authentication scheme

1. Navigate to Infrastructure, Authentication, Authentication Schemes.

   The Create Authentication Scheme page appears.

2. Create one or more authentication schemes according to the procedures for the protocol you are using.
3. Click OK to exit.

More information:

SAML 1.x Authentication Schemes

WS-Federation Authentication Scheme Overview

How to Configure a SAML 2.0 Authentication Scheme

Create the Custom Authentication Scheme

A single target realm relies on a specific custom authentication scheme to work properly.

To configure a custom authentication scheme for a single target realm

1. Navigate to Infrastructure, Authentication, Authentication Schemes.

   The Create Authentication Scheme page appears.

2. Complete the fields as follows:

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Name

   Enter a descriptive name for the custom authentication scheme, such as SAML Custom Auth Scheme.

3. In the Scheme Common Setup section, complete the following fields:

   Authentication Scheme Type

   Custom Template

   Protection Level

   Accept the default of set a new level.

4. In the Scheme Setup section, complete the following fields:

   Library

   smauthsinglefed

   Secret

   Leave this field blank.

   Confirm Secret

   Leave this field blank.

   Parameter

   Specify one of the following parameters:

   • SCHEMESET=LIST; <saml-scheme1>;<saml_scheme2>

     Specifies the list of SAML authentication scheme names to use. If you configured an artifact scheme named artifact_producer1 and POST profile scheme named samlpost_producer2, you enter these schemes. For example:

     SCHEMESET=LIST;artifact_producer1;samlpost_producer2

   • SCHEMESET=SAML_ALL;

     Specifies all the configured schemes. The custom authentication scheme enumerates all the SAML authentication schemes and finds the one with the correct Provider Source ID for the request.

   • SCHEMESET=SAML_POST;

     Specifies all the SAML POST Profile schemes that you have configured. The custom authentication scheme enumerates the POST Profile schemes and finds the one with the correct Provider Source ID for the request.

   • SCHEMESET=SAML_ART;

     Specifies all the SAML artifact schemes that you have configured. The custom authentication scheme enumerates the artifact schemes and finds the one with the correct Provider Source ID for the request.

   • SCHEMESET=WSFED_PASSIVE;

     Specifies all the WS-Federation authentication schemes to find the one with the correct Account Partner ID.

   Enable this scheme for CA SiteMinder® Administrators

   Leave unchecked.

5. Click Submit.

The custom authentication scheme is complete.

Configure the Single Target Realm

After you configure the authentication schemes and associate them with a custom scheme, configure a single target realm for federation resources.

To create the single target realm

1. Navigate to Policies, Domain, Domains.
2. Modify the policy domain for the single target realm.
3. Select the Realms tab and click Create.

   The Create Realm dialog opens.

4. Enter the following values to create the single target realm:

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Name

   Enter a name for this single target realm.

5. Complete the following field in the Resource option:

   Agent

   Select the Web Agent protecting the web server with the target resources.

   Resource Filter

   Specify the location of the target resources. The location is where any user requesting a federated resource gets redirected.

   For example, /FederatedResources.

6. Select the Protected option in the Default Resource Protection section.
7. Select the previously configured custom authentication scheme in the Authentication Scheme field.

   For example, if the custom scheme was named Fed Custom Scheme, you would select this scheme.

8. Click OK.

The single target realm task is complete.

Configure the Rule for the Single Target Realm

After you configure the single target realm, configure a rule to protect the resources.

1. Navigate to the Modify page for the single target Realm.
2. Click Create in the Rules section.

   The Create Rule page appears.

3. Enter values for the fields on the rules page.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

4. Click OK.

The single target realm configuration includes the new rule.

Create a Policy Using the Single Target Realm

Create a policy that references the single target realm. Remember that the single target realm uses the custom authentication scheme that directs requests to the appropriate SAML authentication scheme.

Note: This procedure assumes that you have already configured the domain, custom authentication scheme, single target realm and associated rule.

Follow these steps:

1. Navigate to the previously configured domain.
2. Select the Policies tab and click create.

   The Create Policy page opens.

3. Enter a name and a description of the policy in the General section.
4. Add users to the policy from the Users section.
5. Add the rule that you created for the single target realm from the Rules tab.

   The remaining tabs are optional.

6. Click OK.
7. Click Submit.

The policy task is complete. When a request triggers this policy, it relies on the single realm and associated authentication schemes to authenticate the user.