

Configure CA SiteMinder® as a SAML 2.0 Identity Provider

This section contains the following topics:

Prerequisites for a CA SiteMinder® Asserting Partner

How to Configure a CA SiteMinder® Identity Provider

Add a SAML 2.0 Service Provider to an Affiliate Domain

Configure General Information for the Service Provider Object

Select Users for Which Assertions are Generated

Specify a Name ID for a SAML 2.0 Assertion

Customize a SAML Assertion Response (optional)

Configure Single Sign-on for SAML 2.0

Grant Access to the Service for Assertion Retrieval (Artifact SSO)

Configure the Authentication Scheme that Protects the Artifact Service

Initiate Single Sign-on from the IdP or SP

Configure Attributes for Assertions (optional)

Configure Single Logout (optional)

Configure Identity Provider Discovery at the IdP

Validate Signed AuthnRequests and SLO Requests/Responses

Encrypt a NameID and an Assertion

Request Processing with a Proxy Server at the IdP

Prerequisites for a CA SiteMinder® Asserting Partner

For CA SiteMinder® to serve as the asserting partner, verify the following conditions:

How to Configure a CA SiteMinder® Identity Provider

CA SiteMinder®, acting as an Identity Provider, generates assertions for its business partners, the Service Providers. To establish a federated partnership, the Identity Provider needs information about each partner (its entity ID, the endpoints that consume assertions, the Name ID format it expects, and its signing and encryption requirements). Create a Service Provider object for each partner and define how the two entities communicate to pass assertions and to satisfy profiles, such as single sign-on.

To configure a CA SiteMinder® Identity Provider

  1. Create a Service Provider object.
  2. Add the Service Provider to an affiliate domain.
  3. Specify the general identifying information for the Service Provider.
  4. Select users from a user store. The Identity Provider generates assertions for these users.
  5. Specify the Name ID.
  6. Configure a single sign-on (SSO) profile.

    You can save a Service Provider entity without configuring a complete SSO profile. However, you cannot pass an assertion to the Service Provider without completing the SSO configuration.

  7. Configure signing and encryption for requests and responses.
  8. Complete optional configuration tasks.
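Most of the values entered in steps 3 and 5 through 7 (entity ID, Assertion Consumer Service endpoints, Name ID format, whether the partner signs its AuthnRequests, and the certificate needed to encrypt a NameID or assertion) come from the partner's SAML 2.0 metadata. The following Python script is an added example, not part of the CA SiteMinder documentation or product: it pulls those values out of SP metadata and lists the gaps an administrator should clear before the SSO and signing/encryption settings are completed. The metadata, entity ID, URLs and certificate placeholder it uses are constructed for illustration, and the function names are the author's own.

```python
"""Extract, from a Service Provider's SAML 2.0 metadata, the values an Identity
Provider needs when it creates a Service Provider object, and flag anything
that would prevent a complete SSO or signing/encryption configuration.

Added example; not CA SiteMinder code. All identifiers below are hypothetical.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata for a hypothetical partner; the certificate
# body is a placeholder, not a real X.509 certificate.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sp.example.test/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs"/>
    <md:AssertionConsumerService index="1"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.test/saml/acs-artifact"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text):
    """Return the SP values that feed the IdP's Service Provider object."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this entity is not a Service Provider")

    acs = [
        {
            "index": int(e.get("index", "0")),
            "default": e.get("isDefault", "false").lower() == "true",
            # keep only the short binding name, e.g. HTTP-POST or HTTP-Artifact
            "binding": e.get("Binding", "").rsplit(":", 1)[-1],
            "location": e.get("Location"),
        }
        for e in sp.findall("md:AssertionConsumerService", NS)
    ]
    # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
    enc_certs = [
        c.text.strip()
        for k in sp.findall("md:KeyDescriptor", NS)
        if k.get("use") in (None, "encryption")
        for c in k.findall(".//ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "acs": acs,
        "slo": [e.get("Location") for e in sp.findall("md:SingleLogoutService", NS)],
        "nameid_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS)],
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "want_assertions_signed": sp.get("WantAssertionsSigned", "false").lower() == "true",
        "encryption_certs": enc_certs,
    }


def default_acs(info):
    """The ACS endpoint to deliver assertions to when a request names none:
    the one marked isDefault, otherwise the lowest index."""
    flagged = [a for a in info["acs"] if a["default"]]
    pool = flagged or sorted(info["acs"], key=lambda a: a["index"])
    return pool[0] if pool else None


def check_sp(info):
    """Findings to clear before completing the SSO and signing/encryption steps."""
    findings = []
    if not info["entity_id"]:
        findings.append("missing entityID")
    if not info["acs"]:
        findings.append("no AssertionConsumerService endpoint")
    for a in info["acs"]:
        if not (a["location"] or "").startswith("https://"):
            findings.append("ACS endpoint not https: %s" % a["location"])
    if not info["authn_requests_signed"]:
        findings.append("SP does not sign AuthnRequests; signed-request validation cannot be required")
    if not info["encryption_certs"]:
        findings.append("no encryption certificate; NameID/assertion encryption is not possible")
    if not info["want_assertions_signed"]:
        findings.append("SP does not declare WantAssertionsSigned; confirm it verifies signatures")
    return findings


if __name__ == "__main__":
    info = parse_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", info["entity_id"])
    print("default ACS:", default_acs(info))
    print("findings:", check_sp(info) or "none")
```

Partner metadata is untrusted input: obtain it over TLS or out of band, verify any signature on it before relying on the certificates it carries, and parse it with a hardened parser (for example defusedxml) rather than the standard library when the file comes from outside the organization.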

Tips:

Optional Configuration Tasks for Identifying a Service Provider

The following optional tasks are for identifying a Service Provider:

Navigating Legacy Federation Dialogs

The Administrative UI provides two ways to navigate to the legacy federation configuration dialogs.

You can navigate in one of two ways:

Add a SAML 2.0 Service Provider to an Affiliate Domain

To identify a Service Provider as an available consumer of CA SiteMinder®-generated assertions, add the Service Provider to an affiliate domain at the Identity Provider. You then define the configuration of the Service Provider so that the Identity Provider can issue assertions for it.

Follow these steps:

  1. Log in to the Administrative UI.
  2. Click Federation, Legacy Federation, SAML Service Providers.
  3. Click Create SAML Service Provider.
  4. Select an Affiliate Domain, then click Next.

Configure the general settings.