Protect target federation resources by configuring a CA SiteMinder® policy that uses the SAML 2.0 authentication scheme.
To protect a federation resource with a SAML authentication scheme:
Create a realm in one of the following ways:
Important! Each target URL in the realm is also identified in an unsolicited response URL. An unsolicited response is sent from the Identity Provider to the Service Provider, without an initial request from the Service Provider. The unsolicited response contains the target. At the Identity Provider, an administrator must include this response in a link so the Identity Provider can redirect the user to the Service Provider.
The procedure for configuring a unique realm for each SAML or WS-Federation authentication scheme follows the standard instructions for creating realms.
Follow these steps:
The page to create domains displays.
Note:
As part of the rule, select an action (Get, Post, or Put) that allows you to control processing when users authenticate.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
A policy with a unique realm now protects the federated resources.
To simplify configuration of realms for authentication schemes, create a single target realm for multiple sites generating assertions.
To do this task, set up the following components:
This custom scheme forwards requests to the corresponding SAML or WS-Federation authentication schemes that you already configured for each asserting party.
To define a custom authentication scheme for a single target realm, you must:
First, verify that there are configured SAML or WS-Federation authentication schemes. If not, configure these schemes that the custom scheme can reference.
To create the authentication scheme
The Create Authentication Scheme page appears.
A single target realm relies on a specific custom authentication scheme to work properly.
To configure a custom authentication scheme for a single target realm
The Create Authentication Scheme page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Enter a descriptive name for the custom authentication scheme, such as SAML Custom Auth Scheme.
Custom Template
Accept the default of set a new level.
smauthsinglefed
Leave this field blank.
Leave this field blank.
Specify one of the following parameters:
Specifies the list of SAML authentication scheme names to use. If you configured an artifact scheme named artifact_producer1 and POST profile scheme named samlpost_producer2, you enter these schemes. For example:
SCHEMESET=LIST;artifact_producer1;samlpost_producer2
Specifies all the configured schemes. The custom authentication scheme enumerates all the SAML authentication schemes and finds the one with the correct Provider Source ID for the request.
Specifies all the SAML POST Profile schemes that you have configured. The custom authentication scheme enumerates the POST Profile schemes and finds the one with the correct Provider Source ID for the request.
Specifies all the SAML artifact schemes that you have configured. The custom authentication scheme enumerates the artifact schemes and finds the one with the correct Provider Source ID for the request.
Specifies all the WS-Federation authentication schemes to find the one with the correct Account Partner ID.
Leave unchecked.
The custom authentication scheme is complete.
After you configure the authentication schemes and associate them with a custom scheme, configure a single target realm for federation resources.
To create the single target realm
The Create Realm dialog opens.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
Enter a name for this single target realm.
Select the Web Agent protecting the web server with the target resources.
Specify the location of the target resources. The location is where any user requesting a federated resource gets redirected.
For example, /FederatedResources.
For example, if the custom scheme was named Fed Custom Scheme, you would select this scheme.
The single target realm task is complete.
After you configure the single target realm, configure a rule to protect the resources.
The Create Rule page appears.
Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.
The single target realm configuration includes the new rule.
Create a policy that references the single target realm. Remember that the single target realm uses the custom authentication scheme that directs requests to the appropriate SAML authentication scheme.
Note: This procedure assumes that you have already configured the domain, custom authentication scheme, single target realm and associated rule.
Follow these steps:
The Create Policy page opens.
The remaining tabs are optional.
The policy task is complete. When a request triggers this policy, it relies on the single realm and associated authentication schemes to authenticate the user.
Copyright © 2013 CA.
All rights reserved.
|
|