Federation Guides › Legacy Federation Guide › Configure CA SiteMinder® as a WS-Federation Account Partner

Configure CA SiteMinder® as a WS-Federation Account Partner

This section contains the following topics:

Prerequisites for a CA SiteMinder® Asserting Partner

How To Configure a CA SiteMinder® Account Partner

Add a Resource Partner to an Affiliate Domain

Configure General Information for the Resource Partner Object

Select Users for Which Assertions are Generated

Configure a Name ID for a WS-Federation Assertion

Configure Single Sign-on for WS-Federation

Customize a SAML Assertion Response (optional)

Configure Signout for WS-Federation

Configure Attributes for WS-Federation Assertions (optional)

Prerequisites for a CA SiteMinder® Asserting Partner

For CA SiteMinder® to serve as the asserting partner, verify the following conditions:

• The Policy Server is installed.
• One of the following options is installed:
  • The Web Agent and the Web Agent Option Pack. The Web Agent authenticates users and establishes a CA SiteMinder® session. The Option Pack provides the Federation Web Services application. Be sure to deploy the FWS application on the appropriate system in your network.
  • The SPS federation gateway has an embedded Web Agent and the Federation Web Services application on the embedded Tomcat web server.

  For more information, see the Web Agent Option Pack Guide.

• Private keys and certificates are imported for functions that require signing and decrypting messages.
• A relying partner is set up within the federated network.

How To Configure a CA SiteMinder® Account Partner

CA SiteMinder®, as an Account Partner generates assertions for its business partners, the Resource Partners. To establish a federated partnership, the Account Partner needs information about each Resource Partner. Create a Resource Partner object for each partner. Define how the two entities communicate to pass assertions and to satisfy profiles, such as single sign-on.

To configure CA SiteMinder® to act as an Account Partner

1. Create a Resource Partner object.
2. Add the Resource Partner to the affiliate domain.
3. Specify the general identifying information for the Resource Partner.
4. Select users from a user store. The Account Partner generates assertions for the users you select.
5. Specify the Name ID to include in the assertion.
6. Configure the single sign-on profile.

   You can save a Resource Partner entity without configuring a complete SSO profile. However, you cannot pass an assertion to the Resource Partner without configuring SSO.

7. Complete optional configuration tasks.

Tips:

• Certain parameter values at the Account Partner and the Resource Partner must match for the configuration to work. A list of those parameters can be found in Configuration Settings that Must Use the Same Values.
• Use the correct URLs for the Federation Web Services servlets. A list of URLs can be found in Federation Web Services URLs Used in SiteMinder Configuration

Optional Configuration Tasks for a CA SiteMinder® Account Partner

The optional tasks for configuring a Resource Partner include:

• Configure single sign-on restrictions:
  • Configure time restrictions for Resource Partners.
  • Set IP address restrictions to limit the addresses that are used to access Resource Partners.
• Configure attributes for inclusion in assertions.
• Configure sign out.
• Customize a SAML response using the Assertion Generator plug-in.

Navigating Legacy Federation Dialogs

The Administrative UI provides two ways to navigate to the legacy federation configuration dialogs.

You can navigate in one of two ways:

• Following a wizard to configure a new legacy federation object.

  When you create an object, a page displays with a configuration wizard. Follow the steps in the configuration wizard to create the object.

• Selecting tabs to modify an existing legacy federation object.

  When you modify an existing object, a page displays with a series of tabs. Modify the configuration from these tabs. These tabs are the same as the steps in the configuration wizard.

Add a Resource Partner to an Affiliate Domain

To identify a Resource Partner as an available consumer of assertions, add the Resource Partner to an affiliate domain at the Account Partner. You then configure the Resource Partner so that the Account Partner can issue security token response messages containing assertions.

To add a Resource Partner to an affiliate domain

1. Navigate to Federation, Legacy Federation, Resource Partners.
2. Click Create Resource Partner.

   The Create Resource Partner page appears.

3. Select an affiliate domain, then click Next.

   The General page appears.

4. Fill in the fields at the top of the dialog.

   Note: Click Help for a description of fields, controls, and their respective requirements.

5. Select Enabled so the Account Partner can recognize the configured Resource Partner.