

How To Protect a Target Resource with a WS-Federation Authentication Scheme

Protect target federation resources by configuring a CA SiteMinder® policy that uses the WS-Federation authentication scheme.

Follow these steps:

  1. Create a realm that uses the WS-Federation authentication scheme. The realm is the collection of target resources.

    You can create a realm in the following ways:

  2. Configure an associated rule and optionally, a response.
  3. Group the realm, rule, and response into a policy that protects the target resource.

Important! Each target URL in the realm is also identified in an unsolicited response URL. An unsolicited response is sent from the Account Partner to the Resource Partner, without an initial request from the Resource Partner. The target is included in this response. At the Account Partner, an administrator includes this response in a link. The link redirects the user to the Resource Partner.

Configure a Unique Realm for Each Authentication Scheme

The procedure for configuring a unique realm for each SAML or WS-Federation authentication scheme follows the standard instructions for creating realms.

Follow these steps:

  1. Navigate to Policy, Domain, Domains.

    The page to create domains displays.

  2. Click Create Domain.
  3. Enter a domain name.
  4. Add the user directory to the domain. This directory is the one that contains the users requesting access to federated resources.
  5. Select the Realm tab and create a realm.

    Note:

  6. Create a rule for the realm.

    As part of the rule, select an action (Get, Post, or Put) that allows you to control processing when users authenticate.

  7. Select the Policies tab and configure a policy that protects the target federation resource. Associate the realm that you previously created with this policy.

Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

A policy with a unique realm now protects the federated resources.

Configure a Single Target Realm for All Authentication Schemes

To simplify configuration of realms for authentication schemes, create a single target realm for multiple sites generating assertions.

To do this task, set up the following components:

Create Authentication Schemes for the Single Target Realm

To define a custom authentication scheme for a single target realm, you must:

First, verify that there are configured SAML or WS-Federation authentication schemes. If not, configure these schemes so that the custom scheme can reference them.

To create the authentication scheme

  1. Navigate to Infrastructure, Authentication, Authentication Schemes.

    The Create Authentication Scheme page appears.

  2. Create one or more authentication schemes according to the procedures for the protocol you are using.
  3. Click OK to exit.

More information:

SAML 1.x Authentication Schemes

WS-Federation Authentication Scheme Overview

How to Configure a SAML 2.0 Authentication Scheme

Create the Custom Authentication Scheme

A single target realm relies on a specific custom authentication scheme to work properly.

To configure a custom authentication scheme for a single target realm

  1. Navigate to Infrastructure, Authentication, Authentication Schemes.

    The Create Authentication Scheme page appears.

  2. Complete the fields as follows:

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

    Name

    Enter a descriptive name for the custom authentication scheme, such as SAML Custom Auth Scheme.

  3. In the Scheme Common Setup section, complete the following fields:
    Authentication Scheme Type

    Custom Template

    Protection Level

    Accept the default or set a new level.

  4. In the Scheme Setup section, complete the following fields:
    Library

    smauthsinglefed

    Secret

    Leave this field blank.

    Confirm Secret

    Leave this field blank.

    Parameter

    Specify one of the following parameters:

    • SCHEMESET=LIST;<saml_scheme1>;<saml_scheme2>

      Specifies the list of SAML authentication scheme names to use. If you configured an artifact scheme named artifact_producer1 and POST profile scheme named samlpost_producer2, you enter these schemes. For example:

      SCHEMESET=LIST;artifact_producer1;samlpost_producer2

    • SCHEMESET=SAML_ALL;

      Specifies all the configured schemes. The custom authentication scheme enumerates all the SAML authentication schemes and finds the one with the correct Provider Source ID for the request.

    • SCHEMESET=SAML_POST;

      Specifies all the SAML POST Profile schemes that you have configured. The custom authentication scheme enumerates the POST Profile schemes and finds the one with the correct Provider Source ID for the request.

    • SCHEMESET=SAML_ART;

      Specifies all the SAML artifact schemes that you have configured. The custom authentication scheme enumerates the artifact schemes and finds the one with the correct Provider Source ID for the request.

    • SCHEMESET=WSFED_PASSIVE;

      Specifies all the WS-Federation authentication schemes to find the one with the correct Account Partner ID.

    Enable this scheme for CA SiteMinder® Administrators

    Leave unchecked.

  5. Click Submit.

The custom authentication scheme is complete.
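
Before submitting the Parameter value, it helps to see exactly which schemes it brings into scope for the single target realm. The following is an added example, not CA SiteMinder code: it parses a SCHEMESET string in the syntax shown above and resolves it against an inventory of configured schemes. The inventory, the type labels, the name wsfed_partner3, and the exact-match treatment of whitespace are assumptions of the example.

```python
# Added example: sanity check for the Parameter field of the custom scheme.
# CONFIGURED is constructed sample data; the type labels are this example's own.
CONFIGURED = {
    "artifact_producer1": "SAML_ART",
    "samlpost_producer2": "SAML_POST",
    "wsfed_partner3": "WSFED_PASSIVE",   # hypothetical WS-Federation scheme name
}
# Which scheme types each keyword selects, as described on this page.
KEYWORDS = {
    "SAML_ALL": {"SAML_ART", "SAML_POST"},
    "SAML_POST": {"SAML_POST"},
    "SAML_ART": {"SAML_ART"},
    "WSFED_PASSIVE": {"WSFED_PASSIVE"},
}


def resolve_schemeset(parameter, configured=CONFIGURED):
    """Return (sorted scheme names the parameter selects, list of problems)."""
    key, sep, value = parameter.partition("=")
    if key != "SCHEMESET" or not sep:
        return [], ["expected SCHEMESET=<mode>;..."]
    raw = value.split(";")
    problems = []
    if any(field != field.strip() for field in raw):
        # Assumption: names must match exactly, so stray spaces are reported.
        problems.append("whitespace next to ';'")
    mode = raw[0].strip()
    names = [field.strip() for field in raw[1:] if field.strip()]
    if mode == "LIST":
        if not names:
            problems.append("LIST names no schemes")
        problems += [f"unknown scheme: {n}" for n in names if n not in configured]
        selected = [n for n in names if n in configured]
    elif mode in KEYWORDS:
        if names:
            problems.append(f"{mode} takes no scheme names")
        selected = [n for n, kind in configured.items() if kind in KEYWORDS[mode]]
        if not selected:
            problems.append(f"{mode} matches no configured scheme")
    else:
        return [], problems + [f"unknown mode: {mode!r}"]
    return sorted(set(selected)), problems


if __name__ == "__main__":
    for param in ("SCHEMESET=LIST;artifact_producer1;samlpost_producer2",
                  "SCHEMESET=SAML_ALL;",
                  "SCHEMESET=LIST; artifact_producer1;samlpost_producer9"):
        print(param, "->", resolve_schemeset(param))
```

A LIST value keeps the set of accepted partners explicit, while the keyword values also pick up any scheme of that type that is configured later.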

Configure the Single Target Realm

After you configure the authentication schemes and associate them with a custom scheme, configure a single target realm for federation resources.

To create the single target realm

  1. Navigate to Policies, Domain, Domains.
  2. Modify the policy domain for the single target realm.
  3. Select the Realms tab and click Create.

    The Create Realm dialog opens.

  4. Enter the following values to create the single target realm:

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

    Name

    Enter a name for this single target realm.

  5. Complete the following field in the Resource option:
    Agent

    Select the Web Agent protecting the web server with the target resources.

    Resource Filter

    Specify the location of the target resources. The location is where any user requesting a federated resource gets redirected.

    For example, /FederatedResources.

  6. Select the Protected option in the Default Resource Protection section.
  7. Select the previously configured custom authentication scheme in the Authentication Scheme field.

    For example, if the custom scheme was named Fed Custom Scheme, you would select this scheme.

  8. Click OK.

The single target realm task is complete.

Configure the Rule for the Single Target Realm

After you configure the single target realm, configure a rule to protect the resources.

  1. Navigate to the Modify page for the single target realm.
  2. Click Create in the Rules section.

    The Create Rule page appears.

  3. Enter values for the fields on the rules page.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Click OK.

The single target realm configuration includes the new rule.

Create a Policy Using the Single Target Realm

Create a policy that references the single target realm. Remember that the single target realm uses the custom authentication scheme that directs requests to the appropriate SAML authentication scheme.

Note: This procedure assumes that you have already configured the domain, custom authentication scheme, single target realm and associated rule.

Follow these steps:

  1. Navigate to the previously configured domain.
  2. Select the Policies tab and click Create.

    The Create Policy page opens.

  3. Enter a name and a description of the policy in the General section.
  4. Add users to the policy from the Users section.
  5. Add the rule that you created for the single target realm from the Rules tab.

    The remaining tabs are optional.

  6. Click OK.
  7. Click Submit.

The policy task is complete. When a request triggers this policy, it relies on the single realm and associated authentication schemes to authenticate the user.